When the network alarms tipped off staff in the late hours between June 1 and 2 at Des Moines Area Community College, the information technology department’s quick actions might have prevented an overseas ransomware attack from diving any deeper into the network servers.

“When we talked to the FBI, they said it was pretty much like hand-to-hand combat,” DMACC President Rob Denson told the Business Record. “We were in at the same time dealing with issues as they arose.”

Cybersecurity consultants attribute the attack to yet-unidentified “offshore threat actors,” Denson said. At this time, staff members believe the attackers were unable to access the college’s key programs, including its learning management, human resources and financial aid systems.

DMACC has not paid a ransom, and the college’s insurance company has made contact with attackers to identify what they might have accessed, Denson said.

“Their primary objective is to find out exactly what the threat actor thinks they’ve got, to prove there’s something that we would want to [pay] ransom. We don’t think there is anything,” Denson said.

Despite quick interference, the short attack caused three weeks of disruption. To stop the attack’s internal spread, DMACC staff voluntarily shut down the entire college network on June 4, affecting between 6,000 and 7,000 summer term students, plus staff and faculty, right as classes began. The FBI joined DMACC staff and third-party cybersecurity analysts in the investigation on June 8.

Ten staff members have since reconfigured more than 6,000 computers on campus property out of 8,000 owned by the community college; most of those computers that remain have not been turned on in the year since the COVID-19 pandemic shut down spring term classes in early 2020, Denson said.

During a fall or spring semester, “it probably would have been at least four times worse. We would have had a lot of high school programming in place and our concurrent enrollment programs. It would have been a much bigger scale,” Denson said.

The IT staff has daily meetings with DMACC leadership to prioritize the next network recovery phase, and DMACC brought up systems quickly enough to meet June’s payroll deadlines and distribute federal COVID-19 relief funds to students.

DMACC is still in the process of bringing minor systems back online. Campuses opened for in-person classes early this week, and online-only classes will begin meeting Thursday, June 17; students and staff must change their network passwords before accessing the Blackboard learning management system. Campus internet is still offline, and many faculty members and students are using home internet to access class materials. DMACC’s homepage on the website will likely continue hosting class updates until next week, and return to normal when classes are on schedule.

“We can’t open up without knowing what we’re opening is secure,” Denson said. “We’re not rushing anything. We hated the fact that we’ve not been able to go on and open online until now, but we are not going to hurry this and make a mistake.”

DMACC will begin reviewing the college’s response to the attack once systems are fully opened. The college expects a rise in in-person classes again this fall as more students are vaccinated against COVID-19, but DMACC does expect a rise in virtual classes after students and faculty had to adjust through 2020-21.

“It’s well known that everyone has either been hacked or is going to get hacked. Every business person I know talks about the number of attempted intrusions on a daily basis that their company has,” Denson said. “DMACC has had various consultants and internal individuals working for years just to make sure our systems are as secure as they can be. We got the early alert, and we were able to act on it.

“We’re not across the goal line yet, but we can see it.”