# Incident Report: Dual Ransomware/Cyberattacks on Educational Institutions
## Executive Summary
In early June 2026, educational institutions in both Illinois, USA, and Wales, UK, were targeted by cyberattacks. Evanston Township High School (ETHS) suffered a ransomware attack that resulted in a total campus closure and system-wide outages, while 13 schools in Powys, Wales, experienced a data breach involving staff and pupil information. Both incidents highlight the continued vulnerability of the education sector to financially motivated cybercrime.
## Incident Details
- **Discovery/Disclosure Date:** June 7, 2026 (ETHS, ransomware discovered); June 4, 2026 (Powys, incident publicly disclosed; date of discovery not stated)
- **Incident Date:** June 2026 (initial access dates not disclosed for either incident)
- **Affected Organization:** Evanston Township High School (ETHS); Powys Council (13 schools)
- **Sector:** Education
- **Geography:** Evanston, Illinois, USA; Powys, Wales, UK
## Timeline of Events
### Initial Access
- **Date/Time:** Sunday, June 7, 2026 (ETHS); Prior to June 4, 2026 (Powys)
- **Vector:** Not disclosed for either incident. The ICO's sector reporting cites stolen credentials and phishing as the most common entry routes in education breaches; that is context, not a finding from these investigations.
- **Details:** Attackers breached ETHS systems over the weekend of June 6-7; ETHS shut down all on-campus activities by Monday as a precaution.
### Lateral Movement
- **Details:** In the ETHS incident the compromise spread from the initial entry point to core systems including eSchool and the phone system. Staff also lost access to Google Workspace; the report does not state whether that was attacker action or the result of ETHS revoking account permissions during containment.
### Data Exfiltration/Impact
- **ETHS:** Total loss of access to network systems; phone systems offline; closure of school facilities and cancellation of summer programs.
- **Powys:** Personal data belonging to staff and pupils from at least one of the 13 schools was accessed and acquired.
### Detection & Response
- **Discovery:** ETHS staff discovered the ransomware on June 7. Powys Council publicly disclosed its incident on June 4; when the council first detected it has not been stated.
- **Response Actions:** ETHS engaged external breach counsel and forensic specialists, notified the FBI, and shut down all non-essential operations. Powys Council engaged external specialists and published a dedicated status page.
## Attack Methodology
- **Initial Access:** Not disclosed. Stolen login credentials are the leading education-sector vector in ICO reporting, so they are a reasonable working hypothesis, not a confirmed cause.
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed (stolen credentials suspected, see Initial Access).
- **Discovery:** Not disclosed. eSchool and Home Access Center were among the systems rendered unavailable at ETHS.
- **Lateral Movement:** Spread across ETHS network systems; whether attackers also acted within the Google Workspace tenant is not established (see Indicators of Compromise).
- **Collection:** Personal data of pupils and staff (Powys).
- **Exfiltration:** Confirmed data acquisition in the Powys incident.
- **Impact:** Encryption (Ransomware) at ETHS; Data breach at Powys.
## Impact Assessment
- **Financial:** Significant costs expected for forensic recovery, legal counsel, and potential remediation at both sites.
- **Data Breach:** Confirmed access to staff/pupil personal data in Wales; investigation ongoing for ETHS.
- **Operational:** ETHS campus closed for multiple days; phone lines down; summer school and sports canceled.
- **Reputational:** High public visibility due to school closures (ETHS) and the confirmed exposure of staff and pupil personal data (Powys).
## Indicators of Compromise
- **Network indicators:** None disclosed for either incident. The defanged address unreachable[.]powys[.]gov[.]uk published with the original reporting is the council's own status page, not an attacker indicator.
- **File indicators:** Not disclosed (ransomware family and ransom note not identified).
- **Behavioral indicators (ETHS):** Loss of access to Google Workspace accounts and to the eSchool/PowerSchool student information system and Home Access Center. Note that the Workspace lockout is consistent with ETHS's own containment step of revoking account permissions, so it should not be read as an attacker technique without corroboration from the forensic report.
## Response Actions
- **Containment:** ETHS disabled network access and revoked Google account permissions; moved staff to a work-from-home model (with limited capabilities).
- **Eradication:** Forensic investigations are currently underway to identify the root cause.
- **Recovery:** Restoration of phone systems and "Home Access Center" is a priority for ETHS.
## Lessons Learned
- **System Interdependence:** Losing the phone system together with the data network shows there was no independent communications path; the VoIP system depended on the same infrastructure that was being shut down.
- **Cloud Dependence:** Even when a managed cloud service such as Google Workspace is not itself encrypted, containment of an on-premises ransomware incident (revoking account permissions, resetting credentials) can take it away from staff and students. Recovery plans should assume that cloud email and documents will be unavailable during the first days of response.
- **Seasonal Sensitivity:** Attacks during the transition to summer school maximize disruption for specific administrative and athletic programs.
## Recommendations
- **Multi-Factor Authentication (MFA):** Enforce MFA (2-Step Verification in Google Workspace) for all staff and student accounts, and audit enforcement rather than enrollment: an account that is enrolled but not enforced can have MFA switched off by whoever holds the password.
- **Network Segmentation:** Isolate administrative systems (the student information system, eSchool/Home Access Center, and the phone system) from general-purpose student and guest networks so that a foothold on a classroom device cannot reach them directly.
- **Offline Backups:** Maintain immutable, offline backups of student data and system configurations to accelerate recovery without paying ransoms.
- **Incident Response Planning:** Develop out-of-band communication plans (e.g., secondary phone lines/SMS alerts) for use when the primary network is compromised.
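The MFA recommendation above is only as good as its verification. The following script, added here as an illustration and not part of the incident report or of any ETHS or Powys tooling, audits Google Workspace accounts for 2-Step Verification coverage and separates "enrolled" from "enforced". The field names (`primaryEmail`, `isAdmin`, `suspended`, `orgUnitPath`, `isEnrolledIn2Sv`, `isEnforcedIn2Sv`) are those of the Admin SDK Directory API user resource; the records in `SAMPLE_USERS` are constructed to look like a `users.list` page so the script runs offline. In production the list would be fetched with the Directory API under a delegated service account, and the `/Staff` org-unit path used for severity is an assumed naming convention.

```python
"""Audit Google Workspace 2-Step Verification (2SV) coverage.

Added example; not code from the incident report or the affected districts.
Input records mimic the Admin SDK Directory API users.list response.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed sample data (not real accounts), shaped like users.list output.
SAMPLE_USERS = [
    {"primaryEmail": "admin@example-district.org", "isAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False,
     "orgUnitPath": "/Staff/IT"},
    {"primaryEmail": "registrar@example-district.org", "isAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False,
     "orgUnitPath": "/Staff"},
    {"primaryEmail": "sub.teacher@example-district.org", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False,
     "orgUnitPath": "/Staff"},
    {"primaryEmail": "former.staff@example-district.org", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True,
     "orgUnitPath": "/Staff"},
    {"primaryEmail": "student1@example-district.org", "isAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": True, "suspended": False,
     "orgUnitPath": "/Students/2027"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Finding:
    email: str
    org_unit: str
    severity: str
    reason: str


def _severity(user: dict) -> str:
    """Admins first: one admin without 2SV can reset every other account."""
    if user.get("isAdmin"):
        return "critical"
    # Assumed convention: staff live under /Staff and hold SIS/email access.
    if user.get("orgUnitPath", "").startswith("/Staff"):
        return "high"
    return "medium"


def audit_2sv(users: Iterable[dict]) -> list[Finding]:
    """Return one Finding per active account that is not both enrolled and enforced."""
    findings: list[Finding] = []
    for u in users:
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in; not a live exposure
        enrolled = bool(u.get("isEnrolledIn2Sv"))
        enforced = bool(u.get("isEnforcedIn2Sv"))
        if enrolled and enforced:
            continue
        if not enrolled and not enforced:
            reason = "no 2SV: not enrolled and not enforced"
        elif enrolled:
            reason = "enrolled but not enforced (user can turn 2SV off)"
        else:
            reason = "enforced but not yet enrolled (grace period; confirm lockout date)"
        findings.append(Finding(u["primaryEmail"], u.get("orgUnitPath", "/"),
                                _severity(u), reason))
    # Stable sort keeps input order within the same severity.
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


def coverage_summary(users: Iterable[dict]) -> dict:
    """Counts of active accounts, fully covered accounts, and findings."""
    active = [u for u in users if not u.get("suspended")]
    findings = audit_2sv(active)
    return {"active": len(active),
            "covered": len(active) - len(findings),
            "findings": len(findings)}


if __name__ == "__main__":
    for f in audit_2sv(SAMPLE_USERS):
        print(f"[{f.severity}] {f.email} ({f.org_unit}): {f.reason}")
    print(coverage_summary(SAMPLE_USERS))
```

Run against the sample data it reports the registrar and substitute teacher as high-severity gaps and the student as a pending enforcement, while ignoring the suspended former administrator. The useful distinction is the middle case: an account that is enrolled but not enforced looks protected in a headcount yet offers no resistance to an attacker who already holds the password.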