Composite case study
A 4,200-student district. A Tuesday morning. A ransom note.
An anonymized, composite walkthrough drawn from real K-12 engagements. Names, geography, and timing are changed; the operational pattern is real.
9:42 AM — Discovery
The district IT director sees the same Slack message from three buildings within four minutes: "Gradebook won't load." Within ten minutes the help-desk queue surfaces a ransom note on three staff workstations. The first decision is not technical — it is instructional.
10:02 AM — Continuity decision
Following the Ransomware mid-school-day playbook, the superintendent holds normal classes on paper. HVAC, transportation, and access control are unaffected, so sending students home is not warranted. Three buildings switch to paper attendance within fifteen minutes.
10:18 AM — Regulator hand-offs
K-12 MS-ISAC and the cyber-insurance carrier are paged before any family notification goes out. Because the district is in Illinois, the SOPPA 30-day notification clock starts and the ISBE Information Security contact is added to the incident channel.
11:30 AM — First family notice
One paragraph. No speculation. A commitment to follow up within 24 hours. The district uses the family-communication template from the playbook and is in front of the story before the local TV station picks it up at noon.
Day 3 — Board briefing
A two-page briefing for the school board. What happened, what was disrupted, what is restored, what the district is doing differently. The board chair has talking points for the public session.
Day 28 — SOPPA notification
Letters to the families of affected students go out two days before the 30-day SOPPA window closes. ISBE receives the same packet. No AG referral is required because the affected count is under the 500-resident threshold.