Full Report
On June 7, 2026, a ransomware attack disrupted access to district systems, internet services, and computer infrastructure. Due to this incident, Evanston Township High School will be closed on Monday, June 8 and Tuesday, June 9, 2026. All Summer School classes, sports camps, and other on-campus activities scheduled during this time are canceled. We will provide further updates regarding the schedule for the remainder of the week.

Upon discovering the incident, we immediately activated our incident response procedures and engaged external cyber breach attorneys and cybersecurity forensic experts to assist with the investigation and recovery process. We are working with these specialists to determine precisely what information may have been accessed or acquired and to restore normal systems operations as quickly as possible. The district is cooperating with the Federal Bureau of Investigation (FBI) as part of the ongoing investigation.

In the meantime, please be aware that phone systems are unavailable, and staff may have limited access to email. Families may not be able to access certain online tools, accounts, or school resources during this time, including Home Access Center.
Analysis Summary
# Incident Report: Ransomware Attack on Evanston Township High School (ETHS)
## Executive Summary
On June 7, 2026, Evanston Township High School District 202 discovered a ransomware attack that disrupted access to district computer systems and internet services, took the phone system offline, and limited staff email. The district closed the campus for two days (June 8-9) and canceled all summer programs on those dates. It activated its incident response procedures, engaged outside breach counsel and a forensic firm, and is cooperating with the FBI. The investigation is still determining what data may have been accessed or acquired, and restoration of educational and administrative systems is ongoing. The district has not disclosed the intrusion vector, the ransomware family, or whether a ransom was demanded.
## Incident Details
- **Discovery Date:** June 7, 2026
- **Incident Date:** Not disclosed; the date of initial intrusion typically precedes discovery. Disruption observed June 7, 2026 (response ongoing)
- **Affected Organization:** Evanston Township High School District 202
- **Sector:** Education (K-12)
- **Geography:** Evanston, Illinois, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Not disclosed (disruption discovered June 7, 2026; the initial foothold was likely established earlier, as is typical for ransomware intrusions)
- **Vector:** Not disclosed (investigation ongoing)
- **Details:** The attacker obtained access sufficient to deploy ransomware across district systems. No details on the entry point have been released.
### Lateral Movement
- **Details:** The breadth of the outage (computer infrastructure, internet services, phones, email, and family-facing tools such as Home Access Center) indicates the actor reached systems across the district network, including, per the district's updates, Google Workspace accounts, eSchool, and the VoIP phone system. How the actor moved between systems has not been disclosed.
### Data Exfiltration/Impact
- **Details:** The ransomware rendered district systems unavailable, which is consistent with encryption of servers and endpoints, though the district has not described the technical impact. The district has stated it is working to determine what information "may have been accessed or acquired," so exfiltration of student or staff data before encryption is under investigation and has been neither confirmed nor ruled out.
### Detection & Response
- **June 7, 2026:** Incident discovered; IR procedures activated.
- **June 8-9, 2026:** Campus closed; all summer activities canceled.
- **Immediate Action:** External forensic experts and cyber breach attorneys engaged; the district is cooperating with the FBI.
- **Recovery Step:** District-wide forced password reset for Google accounts initiated.
## Attack Methodology
*Note: The district has released no technical details; every item below is either "not disclosed" or an inference from the observed impact, and should be treated as such until the forensic findings are published.*
- **Initial Access:** Not disclosed. Phishing, exposed remote access services (RDP, VPN appliances), and stolen or reused credentials are the most common initial-access vectors for ransomware in the K-12 sector; none has been confirmed here.
- **Persistence / Credential Access:** Not disclosed. A district-wide password reset is standard containment after a ransomware event and does not by itself confirm credential theft, but it indicates the district is treating account compromise as a possibility.
- **Lateral Movement:** Not disclosed. The simultaneous loss of servers, phones, and email implies the actor reached multiple systems, which in a flat network typically requires only a privileged domain or administrative credential.
- **Impact:** Systems rendered unavailable (denial of service), presumed encryption of data on affected hosts; whether data was also destroyed or stolen is under investigation.
## Impact Assessment
- **Financial:** Significant costs expected for forensic services, legal counsel, system rebuild and restoration, and possible breach-notification obligations if PII exposure is confirmed.
- **Data Breach:** Under investigation; potential PII (Personally Identifiable Information) exposure for students and staff.
- **Operational:** Two-day campus closure and cancellation of all summer programs on those dates; loss of phone service, limited staff email, and unavailability of family-facing tools (Home Access Center, eSchool).
- **Reputational:** High public visibility due to school closures and cancellation of community sports camps.
## Indicators of Compromise
*No technical indicators (file hashes, ransom-note names, encrypted-file extensions, C2 domains or IP addresses) have been published. The items below are observable symptoms of the incident, not indicators that could be used for hunting in another environment.*
- **Network indicators:** None published. District-hosted services and the phone system became unreachable.
- **File indicators:** None published; the encrypted-file extension and ransom-note name, if any, have not been disclosed.
- **Behavioral indicators:** None published. The district-wide password reset suggests concern about account misuse, but no specific account activity has been described.
## Response Actions
- **Containment measures:** District systems and internet services were taken or rendered offline; the district has not stated which outages were caused by the attack and which were deliberate isolation.
- **Eradication steps:** Not disclosed; the forensic investigation is in progress.
- **Recovery actions:** Reset of all staff Google account passwords; per the district's updates, partial remote work for safety and operations personnel and ongoing restoration from backups. The district has not stated whether backups were affected by the attack or whether a ransom was demanded.
## Lessons Learned
- **Redundancy:** Instructional systems, administrative systems, and the VoIP phone and safety infrastructure all depended on the same network, so one intrusion took down every channel at once.
- **Communication:** Traditional communication channels (phone/email) were the first to fail, requiring the use of external websites for public updates.
## Recommendations
- **Multi-Factor Authentication (MFA):** Enforce MFA on all district accounts (not merely enrol it, since unenforced 2-Step Verification can be turned off by the user), prioritising Google Workspace super admins, delegated admins, eSchool, and any remote access path; prefer phishing-resistant methods (security keys or passkeys) for administrators.
- **Network Segmentation:** Separate administrative, student information, and phone/safety systems from student-facing and guest networks, and restrict administrative protocols (RDP, SMB, WinRM) to dedicated management hosts so that one compromised credential cannot reach every system.
- **Offline Backups:** Maintain immutable (object-lock or WORM) or fully offline backups that a domain-admin credential cannot delete or encrypt, and test restores regularly; this is what makes recovery possible without paying a ransom.
- **Endpoint Detection & Response (EDR):** Deploy EDR on all district-managed servers and devices, with alerts on credential dumping, mass file modification, and remote execution, to catch lateral movement before ransomware is deployed.
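The MFA recommendation and the Google password reset in the recovery steps both come down to knowing which accounts are enrolled in, and enforced under, 2-Step Verification. The script below is an added example for this report, not code from the district or from the incident page: it audits user records in the field shape returned by the Google Workspace Admin SDK Directory API (`users.list`, fields `isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `isAdmin`, `isDelegatedAdmin`, `suspended`, `lastLoginTime`) and builds the patch bodies for a forced password change. The sample users, the `example-d202.org` domain, and the timestamps are constructed for illustration; in production the records would come from the API rather than a literal.

```python
"""Audit Google Workspace accounts for 2-Step Verification (2SV) coverage and
build the patch bodies for a district-wide forced password change.

Added example for this report; it is not code from the district or from the
incident page. Records use the field names of the Admin SDK Directory API user
resource; the sample users, domain and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 10, tzinfo=timezone.utc)  # fixed "now" for a reproducible run

# Constructed sample records (hypothetical domain example-d202.org).
SAMPLE_USERS = [
    {"primaryEmail": "superadmin@example-d202.org", "isAdmin": True,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2026-06-06T22:14:03.000Z", "orgUnitPath": "/IT"},
    {"primaryEmail": "helpdesk@example-d202.org", "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2026-06-05T13:40:00.000Z", "orgUnitPath": "/IT"},
    {"primaryEmail": "teacher1@example-d202.org",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2026-06-04T08:02:11.000Z", "orgUnitPath": "/Staff"},
    {"primaryEmail": "teacher2@example-d202.org",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False,
     "lastLoginTime": "2026-06-03T15:30:45.000Z", "orgUnitPath": "/Staff"},
    {"primaryEmail": "intern@example-d202.org",
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False,
     "lastLoginTime": "2025-11-20T09:00:00.000Z", "orgUnitPath": "/Staff"},
    {"primaryEmail": "formerstaff@example-d202.org",
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True,
     "lastLoginTime": "2024-01-10T10:00:00.000Z", "orgUnitPath": "/Staff"},
]


@dataclass(frozen=True)
class Finding:
    email: str
    severity: str  # critical > high > medium > low
    reason: str


def parse_login(ts):
    """Directory API timestamps are RFC 3339 with milliseconds; the Unix epoch
    is what the API reports for an account that has never signed in."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return None if dt.year == 1970 else dt


def is_admin(u):
    return bool(u.get("isAdmin") or u.get("isDelegatedAdmin"))


def audit_2sv(users, now=NOW, stale_days=90):
    """Return findings sorted by severity: admins without 2SV first, then
    users without 2SV, then accounts whose 2SV is only voluntary, then
    dormant accounts that widen the attack surface for credential reuse."""
    findings = []
    for u in users:
        if u.get("suspended"):
            continue  # cannot sign in; review suspended accounts separately
        email, admin = u["primaryEmail"], is_admin(u)
        if not u.get("isEnrolledIn2Sv"):
            findings.append(Finding(email, "critical" if admin else "high",
                                    "no 2SV enrolled" + (" (admin role)" if admin else "")))
        elif not u.get("isEnforcedIn2Sv"):
            # Enrolled but not enforced by policy: the user can switch it off.
            findings.append(Finding(email, "high" if admin else "medium",
                                    "2SV enrolled but not enforced by policy"))
        last = parse_login(u.get("lastLoginTime", "1970-01-01T00:00:00.000Z"))
        if last is None or now - last > timedelta(days=stale_days):
            findings.append(Finding(email, "low",
                                    f"no sign-in in {stale_days} days; consider suspending"))
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: (order[f.severity], f.email))


def coverage(users):
    """Headline numbers for the incident report or the board."""
    active = [u for u in users if not u.get("suspended")]
    return {
        "active": len(active),
        "enrolled": sum(1 for u in active if u.get("isEnrolledIn2Sv")),
        "enforced": sum(1 for u in active if u.get("isEnforcedIn2Sv")),
        "admins_without_2sv": sum(1 for u in active
                                  if is_admin(u) and not u.get("isEnrolledIn2Sv")),
    }


def reset_patches(users):
    """Patch body per active account for a forced password change.
    With the googleapiclient Directory service each entry would be sent as
    service.users().patch(userKey=email, body=body).execute()."""
    return {u["primaryEmail"]: {"changePasswordAtNextLogin": True}
            for u in users if not u.get("suspended")}


if __name__ == "__main__":
    print(coverage(SAMPLE_USERS))
    for f in audit_2sv(SAMPLE_USERS):
        print(f"{f.severity:8} {f.email:32} {f.reason}")
```

On the constructed sample the audit flags the super admin without 2SV as critical, the delegated admin whose 2SV is voluntary as high, the teacher without 2SV as high, and the dormant intern account as low; the suspended former-staff account is skipped. Running this before the forced reset tells you which accounts a stolen password alone can still open, which is the population to reset and enforce first.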
---
*Reference: eths202[.]org/CybersecurityIncident*