Cyber Incident Victim: Haywood County Schools
Date: Aug 2020
Location: United States of America
Summary
A North Carolina school district experienced a ransomware attack by SunCrypt operators, leading to network shutdowns and temporary suspension of remote learning. Attackers stole unencrypted data before deploying encryption across devices via a PowerShell script distributed from the domain controller, compromising sensitive staff and student information. Following the victim's refusal to pay, the threat actors leaked a 5GB archive containing personal and institutional data. Forensic investigations confirmed the breach but could not fully ascertain the scope of exfiltrated data. The ransomware's encryption proved irreversible without payment, leaving systems partially disrupted even after remote instruction resumed.
Description
On August 24, 2020, the Haywood County School District in North Carolina experienced a ransomware attack that disrupted its network infrastructure and forced an immediate shutdown of all systems. The incident occurred one week after the district had begun remote learning for the academic year on August 17. District officials publicly acknowledged the cyberattack but initially withheld details about the specific ransomware variant involved. Network outages disabled critical services including internet access, telephone communications, and centralized servers, significantly impairing administrative operations and internal communications. The loss of this infrastructure forced the suspension of remote instruction; district leadership cited uncertainty about whether staff computers were safe to use as the primary reason for the delay. Forensic investigators were engaged to assess the scope of the compromise while the district issued periodic updates to parents through alternative communication channels, acknowledging that persistent technical disruptions limited its ability to provide timely information. Remote learning partially resumed on August 31 following initial containment measures, though technology services remained partially impaired during recovery efforts.

Subsequent forensic analysis confirmed that the threat actors exfiltrated unencrypted data before deploying ransomware across the network, making the incident a confirmed data breach. The district publicly disclosed this development while noting that investigators had not yet determined the full scope of the stolen information, and advised staff, students, and parents to monitor for suspicious activity stemming from potential data exposure. Cybersecurity researchers attributed the attack to the SunCrypt ransomware operation, whose operators used a multi-stage compromise strategy. The adversaries planted a custom PowerShell script ("haywood.ps1") on the district's Windows domain controller and distributed batch files to launch the encryption payload on networked devices simultaneously. This tactic enabled rapid network-wide encryption once the data theft was complete. After the district's apparent refusal to pay the ransom demand, SunCrypt operators published approximately 5GB of stolen district data containing sensitive documents and personal information belonging to students and staff. Encrypted files were marked with a ".suncrypt" extension and accompanied by ransom notes directing victims to a Tor-based payment portal; no decryption method was publicly available at the time of reporting. The incident caused sustained operational disruption to educational services, exposed confidential information, and required an ongoing forensic investigation to determine the full scope of the breach.
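The deployment pattern described above (a script staged on the domain controller, launched on many hosts within minutes, followed by files renamed to ".suncrypt") can be expressed as a simple detection heuristic over endpoint telemetry. The following Python is an added example for this record, not material from the incident report or from any vendor; the host names, the `\\dc01\netlogon` share path, the pipe-separated log layout and every log line are constructed assumptions.

```python
"""Heuristic for the fan-out pattern above: scripts staged on the domain controller and
launched on many hosts within minutes, then renames to ".suncrypt". All log lines, host
names, the share path and the pipe-separated layout are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
DC_SHARE = r"\\dc01\netlogon"  # assumed staging share on the domain controller (hypothetical)
RANSOM_EXT = ".suncrypt"       # extension reported on the encrypted files
SCRIPT_RE = re.compile(r"(?:-file|/c)\s+(\S+\.(?:ps1|bat))", re.IGNORECASE)
SAMPLE_LOGS = [  # constructed sample telemetry: timestamp|host|event|detail
    r"2020-08-24T02:01:10|ws-101|ProcessCreate|powershell.exe -ExecutionPolicy Bypass -File \\dc01\netlogon\haywood.ps1",
    r"2020-08-24T02:01:12|ws-102|ProcessCreate|powershell.exe -ExecutionPolicy Bypass -File \\dc01\netlogon\haywood.ps1",
    r"2020-08-24T02:01:15|ws-103|ProcessCreate|cmd.exe /c \\dc01\netlogon\deploy.bat",
    r"2020-08-24T02:03:00|ws-101|FileRename|C:\Users\t1\grades.xlsx -> C:\Users\t1\grades.xlsx.suncrypt",
    r"2020-08-24T02:03:01|ws-101|FileRename|C:\Users\t1\roster.docx -> C:\Users\t1\roster.docx.suncrypt",
    r"2020-08-24T02:03:02|ws-101|FileRename|C:\Users\t1\notes.txt -> C:\Users\t1\notes.txt.suncrypt",
    r"2020-08-24T09:15:00|ws-200|ProcessCreate|powershell.exe -File C:\scripts\inventory.ps1",  # benign local script
]

def parse(line):
    ts, host, event, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, "detail": detail}

def script_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """Hosts and scripts when >= min_hosts distinct hosts ran a DC-share script within `window`."""
    runs = []
    for e in events:
        m = SCRIPT_RE.search(e["detail"]) if e["event"] == "ProcessCreate" else None
        if m and m.group(1).lower().startswith(DC_SHARE.lower()):
            runs.append((e["ts"], e["host"], m.group(1).lower()))
    runs.sort()
    for i, (t0, _, _) in enumerate(runs):  # sliding window over the sorted executions
        in_win = [r for r in runs[i:] if r[0] - t0 <= window]
        hosts = {h for _, h, _ in in_win}
        if len(hosts) >= min_hosts:
            return hosts, {s for _, _, s in in_win}
    return set(), set()

def rename_bursts(events, window=timedelta(seconds=60), min_count=3):
    """Hosts that renamed >= min_count files to RANSOM_EXT within `window`."""
    per_host = defaultdict(list)
    for e in events:
        if e["event"] == "FileRename" and e["detail"].lower().endswith(RANSOM_EXT):
            per_host[e["host"]].append(e["ts"])
    return {h for h, ts in per_host.items() for s in [sorted(ts)]
            if any(s[i + min_count - 1] - s[i] <= window for i in range(len(s) - min_count + 1))}

def detect(lines):
    events = [parse(l) for l in lines]
    hosts, scripts = script_fanout(events)
    alerts = [f"DC-share script fan-out: {sorted(scripts)} on {len(hosts)} hosts"] if hosts else []
    alerts += [f"{RANSOM_EXT} rename burst on {h}" for h in sorted(rename_bursts(events))]
    return alerts
```

On the constructed sample, `detect(SAMPLE_LOGS)` raises two alerts (the three-host fan-out from the DC share and the rename burst on ws-101) and stays silent on the lone local script, which is the separation a defender wants between routine PowerShell use and mass deployment from a domain controller.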
