Cyber Incident Victim: Coventry Local School District

Date: May 2019

Location: United States of America

Summary

A school district in Ohio canceled classes after a Trickbot malware infection severely disrupted its IT infrastructure. The infection was detected after it had propagated rapidly across the network and rendered systems inoperable. Trickbot, a banking trojan that has evolved into a multi-purpose malware platform, disrupted operations including phone and HVAC systems and necessitated reinstallation of over 1,000 computers. District officials, assisted by the FBI, attributed the incident to uncontrolled spread from an initial infection in administrative systems. Recovery efforts extended through the weekend before normal operations resumed.

Description

The Coventry Local School District in Ohio experienced a disruptive malware incident in May 2019, first detected on Friday, May 17, though initial infections occurred earlier that week. The malware was identified as Trickbot, a banking trojan repurposed into a multi-purpose malware platform capable of facilitating secondary attacks. Infection spread rapidly through the district’s network, with one of the first compromised devices located in the treasurer’s office. Superintendent Lisa Blough described the escalation as exponential, noting that after one machine was infected, "10 more were right behind it," leading to a complete network failure. Critical systems became inoperable, including administrative computers, phone systems, and HVAC infrastructure. The district’s IT team initiated recovery efforts immediately upon discovery but could not fully restore systems over the weekend, prompting the cancellation of classes and staff operations on Monday, May 20, to prioritize student safety and allow continued remediation.

Approximately 2,000 students were affected by the closure. The FBI provided technical assistance during the response, consistent with broader federal warnings about increased Trickbot activity issued by the Department of Homeland Security in March 2019. Recovery required the reinstallation of operating systems on over 1,000 district computers. Classes resumed on a normal schedule by Tuesday, May 21, though district officials declined to disclose additional attack specifics. No evidence suggested deliberate student involvement; the infection was consistent with typical Trickbot infection vectors such as spam email campaigns. The incident underscored operational vulnerabilities to malware traditionally associated with financial theft but increasingly leveraged as an entry point for broader network compromises.
