Minneapolis Public Schools still investigating what caused ‘encryption event’

Students in Minneapolis returned to school on Monday after a ransomware attack crippled the school district's systems all of last week. 

Minneapolis Public Schools officials did not respond to requests for comment but said in an email to parents as well as a public statement on Friday that the district began experiencing technical difficulties on February 20, when schools were closed for Presidents Day.

School internet, phones, cameras, badge access, copiers/printers, and building alarms were all down due to the cyberattack. The school district serves about 34,500 students.

“MPS experienced technical difficulties affecting the operability of certain computer systems related to what we now know is an encryption event,” they said. 

“MPS IT staff and external IT specialists have been working around the clock to investigate the source of this disruption and to confirm its impact on our systems.”

They urged all students, teachers and parents to change all passwords for any online personal accounts that were accessed on school-provided devices. 

No school days were missed because parent-teacher conferences were scheduled for February 21 and a winter storm prompted the closure of school buildings the remainder of the week. 

The Sahan Journal, which first reported the ransomware attack, said the school system was able to hold “E-learning” days February 22-24 in spite of the incident. MPS did cancel parent-teacher conferences.

By Friday, many systems were fully restored and the school said students would be walked through the password reset process on Monday. 

Investigations are still being conducted, and the school system said it was taking a range of measures to improve its security, including deploying endpoint detection response tools, updating passwords, implementing multi-factor authentication and hiring cybersecurity firms to monitor the network. 

MPS said last Tuesday that it was largely able to restore the encrypted data from backups. 

The district claimed there was “no evidence that personal information was compromised,” but officials did not respond to requests for comment about how they made that determination. 

No ransomware group has taken credit for the attack.

K-12 headaches

The Cybersecurity and Infrastructure Security Agency said the number of K-12 cyber incidents reported between 2018 and 2021 rose each year, from 400 to more than 1,300. According to Emsisoft ransomware expert Brett Callow, 45 school districts with nearly 2,000 schools were impacted by ransomware in 2022. 

CISA Director Jen Easterly told The Record on Monday that the agency is working closely with K-12 schools across the country in an effort to lay out the basic measures they can take to protect themselves.

“As the mom of a student in high school, to be watching these hacks that have happened across the country — many of which we find out about, some of which we don’t — it's one of the reasons why we have made K-12 school districts a priority this year, to work with them closely to help drive down risk,” she said.

“We have put out a guide to educators to help them understand the basic things they need to do, recognizing that they are among the target rich-cyber poor population of entities.”


Last week, the mental health records of thousands of Los Angeles K-12 students were found leaked across the internet after a ransomware attack last year by the Vice Society ransomware group. 

Berkeley County Schools in West Virginia was forced to cancel classes three weeks ago after a cyberattack. Not long before, schools in Tucson, Arizona, and Nantucket, Massachusetts dealt with a range of issues related to cyberattacks and ransomware incidents. 

Des Moines Public Schools in Iowa also had to cancel classes last month due to a ransomware attack. 

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.