ETHS Ransomware Recovery Changes Back-to-School Operations Aug. 17

Evanston Township High School District 202 expects back-to-school operations to look different when classes resume on Monday, August 17, after a June 7 ransomware attack forced the district into a long-running technology recovery effort that is still limiting access to systems and services.
Superintendent Marcus Campbell told families on July 16 that ETHS is ready to welcome students, but warned that familiar tools, processes and timelines will not yet “look or function” as they did before the incident. Reporting by the Evanston RoundTable first detailed the district’s fall-readiness message, while ETHS’s own cybersecurity incident page confirms that recovery work remains ongoing and that normal access to district systems has no firm restoration date.
For families, the immediate message is deliberately restrained: no re-enrollment is required, and the district says it will communicate new back-to-school procedures and technology tools through normal school-start materials. For IT administrators, however, the announcement describes a more consequential reality: a ransomware event that began as a sudden operational outage has become a summer-long rebuild with a fixed academic deadline.

A university campus scene blends students, cybersecurity analysts, secure networks, laptops, and digital warning displays.A Two-Day Closure Became a Systems Recovery Project​

The June 7 attack disrupted district systems, internet services and computer infrastructure. ETHS closed campus operations on June 8 and June 9, cancelling summer school, sports camps and other on-site activities because it could not safely operate key services. CBS Chicago and ABC7 Chicago reported at the time that the incident also affected phone systems, emergency communications and other technology needed for regular campus operations.
ETHS subsequently resumed campus activity, but the district’s recovery guidance made clear that reopening buildings did not mean the environment was restored. Staff were told that some systems would remain unavailable, that access to email and online services would be limited, and that certain student and family tools could be inaccessible while recovery continued.
The distinction matters. A school can reopen classrooms with manual workarounds; it cannot credibly declare a cyber recovery complete until its identity, endpoints, connectivity, communications, records systems and security controls have been examined and brought back under management. Campbell’s July 16 message suggests ETHS is now planning the new school year around that constraint rather than promising a return to the pre-attack experience on day one.
That is often the least disruptive honest option. A rushed restoration may preserve a familiar login screen or portal, but it can also reintroduce compromised devices, stale credentials, unsafe integrations or unverified data into a newly cleaned environment.

Every District-Issued Endpoint Is Part of the Incident​

ETHS’s published recovery instructions provide unusually concrete evidence of the scope of its endpoint work. The district directed staff not to use desktop workstations unless authorized, and said district-issued Windows and Mac laptops and devices must be reviewed and cleared by its Information and Instructional Technology team before use.
Employees were also asked to turn in devices for review, reimaging and clearance, with temporary devices issued while assigned hardware was processed. That approach is disruptive, especially in a school district where staff devices are central to teaching, student records, communication and daily administration. But it is consistent with a recovery model that treats endpoint trust as something to be re-established, not assumed.
For Windows administrators, the practical lesson is familiar: ransomware recovery is not simply about restoring file shares or rebuilding a domain controller. A laptop that appears functional can still retain risky browser sessions, stored credentials, remote-management agents, persistence mechanisms or configuration drift. Reimaging and re-enrollment cost time, but they create a known starting point.
ETHS also reset staff Google account passwords as a precaution and instructed employees not to reuse their previous passwords. Two-step verification remains required, according to the district. Those controls do not identify the original intrusion path, which ETHS has not disclosed, but they show that the district is treating identity systems as part of the containment and recovery boundary.
The result is a recognizable post-incident tension: every device and account that is withheld from normal use slows operations, yet every shortcut taken to accelerate use can undermine the reason for the rebuild.

The Fall Rollout Will Be a Service Transition, Not a Switch Flip​

Campbell’s email anticipates new technology platforms, updated back-to-school procedures and phased restoration of regular services. District spokesperson Reine Hanna told the Evanston RoundTable that families will see updated processes and new tools for daily operations and school functions, with details to be included in back-to-school communications.
That wording leaves many operational questions unanswered. ETHS has not identified which platforms are changing, whether the district is replacing specific systems or simply moving users through interim workflows, and whether the new tools are permanent components of its post-incident architecture. It has also not publicly stated whether its most visible family-facing services will all be available before classes begin.
The uncertainty is not necessarily a sign of poor preparation. During recovery, communication teams often have to avoid promising dates for services that still depend on security validation, vendor work, data reconciliation or endpoint readiness. But August is a harsh deadline for any district, because the back-to-school period concentrates account activation, schedule distribution, transportation details, parent communication, fee processing and student support into a short window.
ETHS is trying to make the change manageable by telling families early that some routines will differ. That is better than allowing parents and students to discover a modified workflow at registration or on the first day. Still, the district will need its upcoming communications to be specific: which platforms are changing, what credentials people need, what is temporarily unavailable, where support is available and what alternatives exist when a digital process fails.
A technically sound replacement process can still produce a difficult first week if users do not know it is coming. In K-12 environments, operational clarity is a security control in its own right: clear instructions reduce help-desk overload, prevent staff from reverting to unsafe workarounds and limit phishing opportunities aimed at confused parents and employees.

The Data Investigation Has Not Reached a Public Conclusion​

The district says it continues to work with external cybersecurity experts to determine whether attackers accessed information. Hanna told the Evanston RoundTable there are no definite findings yet, and that affected individuals will be notified as required by applicable law if the investigation determines that personal information was involved.
ETHS had previously said it engaged external cyber-breach attorneys and forensic specialists and was cooperating with the FBI. Early local reporting also described a ransomware attack, not merely a generic network outage. Yet the district has not publicly named an alleged threat group, described the initial intrusion method, confirmed data theft, disclosed a ransom demand, or said whether any payment was made.
Those omissions are significant, but they should not be filled with speculation. An encryption event, an extortion demand and confirmed data exfiltration are related but distinct facts. Until ETHS or its investigators establish what occurred, parents and staff should treat the possibility of a notification as unresolved rather than assume either that data was stolen or that it was not.
The district also has not released a running cost for the attack and restoration work. That bill can extend well beyond outside incident-response firms: it may include replacement hardware, temporary devices, forensic review, legal counsel, new security services, communications support, staff overtime, insurance deductibles and the cost of operating with reduced automation.

What ETHS’s Recovery Signals to Other School IT Teams​

The ETHS case is a compact example of why education ransomware incidents cannot be measured only by the number of days a school is closed. The campus closure lasted two days, but the operational impact spans summer programs, endpoints, credentials, family-facing services and fall planning more than a month later.
Other districts watching the recovery should note several choices ETHS has publicly made:
  • The district isolated and restricted use of workstations rather than treating on-site computers as automatically safe once buildings reopened.
  • It required review and clearance of both Windows and Mac devices, indicating a response built around trusted endpoints rather than a single operating system.
  • It reset staff cloud-account passwords and maintained multi-factor authentication while systems were being restored.
  • It told families ahead of the school year that familiar processes may change, reducing the risk that a partial recovery is mistaken for business as usual.
None of those steps eliminates the friction of recovery. They do, however, acknowledge its reality. The goal is not to recreate June 6 as quickly as possible; it is to establish a dependable environment for August 17 without carrying the incident’s uncertainty forward.
ETHS now faces the difficult final stretch: translating its internal recovery work into reliable, understandable services for students, families and staff. The first day of class will be the visible milestone, but the more meaningful test will be whether the district can launch those new or altered systems without sacrificing the security checks that kept recovery from becoming reinfection.

References​

  1. Primary source: Evanston RoundTable
    Published: 2026-07-16T21:32:37+00:00
 

Back
Top