Lincoln College: A Ransomware Casualty

Often security researchers will state rather bluntly that a ransomware attack can be financially devastating for an organization. So much in fact that the organization may be forced to shut its doors for good. These extreme cases are often met with the standard response of “it will never happen to me or my business.” Lincoln College is yet another of these extreme cases turned into reality.

Lincoln College, a liberal arts college in Illinois that has been serving the greater community for 157 years, following both the COVID-19 pandemic and a recent ransomware attack has been forced to close its doors.

Lincoln College: A Ransomware Casualty

To put things into perspective the college has survived several disasters including a major fire in 1912, the Spanish flu, the Great Depression, the World Wars, and the 2008 global financial crisis.

The ransomware attack which happened in December 2021 seems to be the final straw that broke the education institution’s back. The college is set to close on May 13, 2022.

In an announcement to the public, it was stated that,

“Lincoln College was a victim of a cyberattack in December 2021 that thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections…All systems required for recruitment, retention, and fundraising efforts were inoperable. Fortunately, no personal identifying information was exposed. Once fully restored in March 2022, the projections displayed significant enrollment shortfalls, requiring a transformational donation or partnership to sustain Lincoln College beyond the current semester.”

The closure of the college was also reported by NBC who also spoke to Kim Milford, the director of the Research and Education Networks Information Sharing and Analysis Center (ISAC), a nonprofit industry group that helps member colleges to pool and share information about cyberthreats. Milford noted,

“I feel really bad for Lincoln College and wish there was some way we could help, but it can be a very expensive proposition when you’re hit by ransomware,”

The problem education institutions have encountered with ransomware will be discussed below and does not make for happy reading.

That being said in this particular instance David Gerlach, president of Lincoln College, summarised the tragedy of this event by stating,

“Lincoln College has been serving students from across the globe for more than 157 years. The loss of history, careers, and a community of students and alumni is immense.”

Impact of Ransomware on Education

According to Emisoft’s research, 1043 schools suffered ransomware related incidents in 2021. Further breaking down this number eighty-eight education organizations were directly impacted by ransomware last year per Emsisoft, including 62 school districts and the campuses of 26 colleges and universities across the country.

These incidents resulted in disrupting learning at 1,043 individual schools. Estimating what this cost the US education sector is a herculean task. Luckily, we have some data that estimates what a single incident could cost an organization.

Towards the end of 2019, the Baltimore County Public Schools was hit by a ransomware attack. To recover from the attack the school board spent 8.1 million USD.

According to Fox Baltimore and the Executive Director of BCPS Physical Services, George Sarris, the potential cost to an organization could be broken down as follows,

“It’s $2 million in direct costs, which are the type of costs we have here and then there’s $3 million dollars of liability coverage…So if a third party were to have been damaged by the losses in our system, for instance if we were unable to pay people or unable to pay vendors, those type of claims would come under that liability portion of the insurance coverage.”

If we take the figure of 2 million USD as a direct cost suffered, many small to medium enterprises would struggle to absorb that cost and keep employees on the payroll or at the worst close the doors for good.

The danger posed to education institutions has been well-documentes by both government agencies and private security firms.

In 2020, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory warning schools that they are prime targets for ransomware gangs. The advisory states regarding ransomware,

“The FBI, CISA, and MS-ISAC have received numerous reports of ransomware attacks against K-12 educational institutions. In these attacks, malicious cyber actors target school computer systems, slowing access, and—in some instances—rendering the systems inaccessible for basic functions, including distance learning. Adopting tactics previously leveraged against business and industry, ransomware actors have also stolen—and threatened to leak—confidential student data to the public unless institutions pay a ransom.


“According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year. In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July.”

The following year one ransomware gang dratisitcally increased attacks on education intitiutions. The gang operated the Pysa strain. Along with a 400% increase in attacks on government agencies, the FBI noted that schools and their governing bodies were also been targeted by the ransomware gang.

Unfortunately, many of the reasons why schools are targeted still exist meaning that they will still be targeted by ransomware gangs now, and into the near future.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal