As Lincoln College closes doors, president looks back on crippling ransomware attack

It was the morning of Sunday, December 19, 2021, when employees of Lincoln College came in to wrap up the semester before the school went on a two-week holiday break.

As they walked in and turned to their printers, they found multiple poorly worded ransom notes already printed out, waiting to be found. The notes were the work of hackers thousands of miles away.

Those ransom notes set off a chain of events that culminated on Friday, when the central Illinois school named after one of the country’s most memorable presidents officially ended its 157-year run as an educational institution.

Lincoln College was already in trouble before that Sunday in December. Enrollment had been dipping due to the long tail of economic consequences from the COVID-19 pandemic, according to college president David Gerlach.

“The cyberattack was only adding insult to injury,” Gerlach said. 

Like hundreds of other educational institutions around the world, Lincoln was the victim of one of the ransomware groups who have viewed the pandemic as an opportunity to lock up organizations' data and bully them into paying big money to get it back. 

Emsisoft threat analyst Brett Callow, a ransomware expert tracking attacks on schools and colleges in the U.S., said 13 such institutions have been attacked in 2022 alone. In 10 of those attacks, the school's networks weren't just crippled — the crooks also exfiltrated data, he noted. 

Last week, Michigan’s Kellogg Community College was attacked, throwing final exams into limbo for its nearly 7,000 students. 

The week before that, Austin Peay State University sent out frantic messages on Twitter begging everyone on campus to shut down their computers as soon as possible due to a ransomware attack. 

Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas, National University College, North Carolina A&T University, Florida International University and Stratford University are just a few of the U.S. schools attacked with ransomware this year.

Many of these institutions, like Lincoln College, serve majority Black and Latino student populations. Few, if any, historically black colleges and universities can afford the kind of network downtime caused by a ransomware attack — much less the prospect of paying a costly ransom. 

Gerlach said in the fall of 2019, Lincoln College reached its highest full-time enrollment since the school opened in 1865, with 756 students.

The bad luck began in the fall of 2019, when Chicago public school teachers went on the largest strike the city had seen in decades. Lincoln is one of only seven rural predominantly Black institutions in the country, and outreach to cities is key. Most students come from the Chicago or St. Louis areas. 

The strike meant that the college's enrollment officers couldn't get into schools to recruit new students for the following year, according to Gerlach. Months later, the COVID-19 pandemic kicked off — by the fall of 2020, enrollment fell to about 630 students. 

Those numbers held for the fall of 2021, but concerns had already percolated as the school still struggled to get in front of another class of potential students finishing high school remotely. 

'Cyber Marines'

Gerlach set up an enrollment management committee to address the issue in December. But on that last Sunday before Christmas, employees came in to find the printers spitting out ransom notes. A ransomware group had attacked the school's network, encrypting almost all of their operation systems.

“All of our registration systems, our academic files, our finance, our admissions, our fundraising. It was all impacted and shut down,” Gerlach said. 

He immediately contacted the school’s network support company and cyber insurer, who brought in a team of lawyers and what Gerlach called “cyber marines.”

For the next month and a half, the teams navigated through the fraught process of negotiating with the ransomware group, making arrangements to pay the ransom in the hopes of receiving a decryption key that could end their misery. 

Gerlach was told the ransomware group was from Iran but declined to give more details to The Record. Iran-linked ransomware groups include Moses Staff, Pay2Key and Project Signal, according to Recorded Future ransomware expert Allan Liska. Of them, Pay2Key “operates the most like a cybercriminal ransomware group,” Liska said.

“We're fortunate that they were the junior varsity squad versus varsity squad and it was significantly less than $100,000,” Gerlach said. 

After Lincoln made the decision to pay the ransom, the first decryption key sent by the hackers did not work. The group sent a second one that eventually allowed for the recovery of some of the locked data. 

Cyber insurance to the rescue

Gerlach said the school was fortunate the attack happened when it did. 

“The cyberattack could have been dramatically devastating. I pushed the spring semester off by a week because the coronavirus was heating back up but mainly because of the cyberattack. I wasn't actually sure we were going to be able to open for the spring,” Gerlach explained. 

The school's cyber insurance also was set to lapse in January, he said.

“So if this happened on January 2nd instead of December 19th, that would have been hugely tragic. My IT director assured me maybe four months before the attack — because there was another local college that was attacked — that we were all protected,” Gerlach said.

He noted that the school's previous cyber insurer was getting out of the business because of the spate of cyberattacks affecting companies and organizations of all sizes. This forced the school to turn to another firm that asked Lincoln to institute multi-factor authentication and several other measures before agreeing to offer a policy.

“We were fortunate. If it was a higher dollar or bitcoin amount, if it was after January, if the threat actor wasn't communicating. There's a whole number of things that could have gone bad for us.”

The school's cyber insurance plan had coverage for up to $1 million, making the ransom payment manageable.

Enrollment peril

When everything was settled and back to normal, Gerlach was finally able to convene his strategic enrollment management committee on March 14. Unfortunately, once the officials had all of the data and projections for the next year, they realized the peril the school was facing. 

“Those projections would have come, probably the second or third week of January and we would have probably made the same announcement,” he said.

When asked explicitly whether the ransomware attack caused the school to close — something several news outlets and reporters have erroneously tried to assert — Gerlach was resolute in saying the incident simply delayed the inevitable.

While the cyberattack may have hindered Lincoln's ability to enroll students and may have affected its ability to deposit funds, Gerlach said there are “plenty of other factors at play.”

“We’re a small college with a small endowment. The college population will be in decline until 2029. When you add inflation and the ability for young people to get $15-$20 dollar an hour jobs, that will keep them out of going to college,” he said. 

“And then the final piece is the students that we serve — low-income, first-generation, urban minority students — their college-going has been even more dramatically impacted by the coronavirus.”

Reflecting on the ransomware attack, Gerlach was measured in his condemnation of the group behind the incident. 

For him, it was more a question of priorities. The damage done to people and businesses that have tried to work hard to serve people and change lives for good is incredibly harmful, Gerlach explained. 

“It stopped everything we did. It's all we could focus on for a month and a half. Why not use that great knowledge to help people?” he asked of the college’s attackers.  

“Use that knowledge that you have to help people instead of hurt people. The world is a hard enough place as it is, but to have people prey with their expertise on vulnerable people and companies. It just makes me sad.” 

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.