
Cyberattacks targeting educational institutions have surged in recent weeks, with the Coweta County School System in Georgia and Western New Mexico University (WNMU) among the latest victims. The incidents, attributed to the Russian-speaking ransomware group Qilin, disrupted critical operations, including payroll systems, campus Wi-Fi, and student testing schedules [1]. These attacks highlight the growing trend of threat actors exploiting underfunded IT infrastructure in schools and universities during high-pressure academic periods.
Summary for Security Leaders
The attacks on Coweta County and WNMU follow a pattern of ransomware groups targeting educational institutions during critical academic deadlines. Qilin, a ransomware-as-a-service (RaaS) operator, employed double extortion tactics—encrypting systems while threatening to leak sensitive data unless ransoms were paid [2]. Below is a high-level overview:
- Coweta County School System (GA): Attack on May 3, 2025, forced systems offline for 23,000 students. AP testing proceeded despite disruptions [1].
- WNMU (NM): Attack began April 13, 2025, crippling payroll and Wi-Fi. Qilin leaked employee SSNs and network maps after ransom demands ($50K–$800K) were ignored [2].
- Broader Impact: Over 300 school cyberattacks documented in the past five years, with ransomware gangs increasingly timing attacks during finals or state testing [4].
Technical Analysis of the Attacks
The Qilin group’s attack on WNMU involved exfiltrating 150GB of data, including financial records and network maps, before deploying ransomware [3]. The group’s ransomware-as-a-service model allows affiliates to customize payloads, often leveraging phishing or unpatched vulnerabilities for initial access. Notably, Qilin’s payloads:
| Target | Tactics | Impact |
|---|---|---|
| WNMU | Data exfiltration + encryption | Delayed payroll, student protests |
| Cobb County (GA) | Leaked autopsy photos, SSNs | County refused ransom, offered credit monitoring |
Qilin’s infrastructure overlaps with past attacks on London hospitals and Lee Enterprises, suggesting a focus on high-impact, low-resilience targets [2].
Relevance to Security Teams
For defenders, these attacks underscore the need for:
- Enhanced monitoring during academic deadlines, when attackers are most active.
- Data segmentation to limit lateral movement post-breach.
- Transparent incident response to maintain stakeholder trust—WNMU faced backlash for delayed disclosures [2].
Remediation and Future Outlook
The U.S. Department of Homeland Security has allocated $4M to New Mexico for cybersecurity upgrades [4]. Schools are advised to:
- Implement multi-factor authentication (MFA) for all critical systems.
- Conduct ransomware readiness assessments, focusing on backup integrity and restoration processes.
- Share threat indicators with ISACs (e.g., K-12 Security Exchange) to improve collective defense.
As ransomware groups continue to target education, proactive measures like network segmentation and user training will be critical to mitigating future incidents.
References
1. “Hackers launch ‘serious’ attacks against Georgia school district, New Mexico university,” The Record, 2025.
2. “Infamous group of Russian-linked hackers appears to have launched crippling cyberattack on WNMU,” Searchlight New Mexico, 2025.
3. “Cyber security expert explains depth of Cobb County ransomware hack,” FOX 5 Atlanta, 2025.
4. “Kept in the Dark: How ransomware gangs exploit school IT gaps,” The 74 Million, 2025.