Willamette University recovering from cyberattack that followed its Tech Day

The day ahead at Willamette University was packed as students, faculty and employees gathered in the morning for Tech Day.

Presenters at the daylong campus event on Tuesday, Feb. 20, explained digital platforms students use, explored the future of artificial intelligence and more.

“This conference is a unique opportunity for our academic community to explore the dynamic intersection of technology and higher education,” according to the program.

In the afternoon, Dan Lohrmann, a cybersecurity expert with the New York company Presidio, was to present a workshop called “Elevating Your Security Awareness.”

The session, according to the program, “will provide a comprehensive overview of emerging digital threats and advancements, discussing their implications for personal and institutional safety.”

That evening, university officials discovered suspicious network activity that subsequently turned out to be a major cyberattack.

The university’s website was down. Phones didn’t work. The wifi network went off. Its Portland campus, the Pacific Northwest College of Art, also was impacted.

More than a week later, many systems have been restored but university officials say more work remains.

“Recovering from a cyber incident is a time-intensive process that requires the attention of many campus resources,” according to a statement from Lauren Mulligan, the university’s director of communications. “Our teams continue to make positive progress on our recovery efforts.”

The Portland FBI said in a statement that “we are aware of the attack on Willamette University and we are assisting. We cannot discuss the details beyond that.”

Mulligan said the university would release no details of the cyberattack, but it appears similar to one that struck Lewis & Clark College in Portland last March.

So-called “threat actors” invaded the college’s technical infrastructure, encrypting it to block any access. The invaders also took an unspecified amount of personal data – and demanded payment to restore the system.

The Portland attack was “perpetrated by a group known for similar attacks against educational institutions. Following the advice of law enforcement and our external cybersecurity experts, the college chose not to pay any ransom,” according to a statement from Lois Leveen, the Lewis & Clark director of public relations.

Operations returned to normal in days.

“We had excellent, encrypted backup, which allowed us to restore operations relatively quickly,” Leveen said. “We also had proactively secured supports that allowed us to access outside cybersecurity experts very, very quickly, and working with a cybersecurity forensic firm so early in the process guided us well.”


According to the FBI, institutions and businesses reported 44 ransomware attacks in Oregon in 2023, but not all attacks are reported.

The agency’s Internet Crime Complaint Center reported handling 800,944 complaints about cyberattacks and incidents nationally in 2022 with a potential total loss of $10.2 billion. That year, the center received 2,385 reports of ransomware attacks.

“Ransomware remains a serious threat to the public and to our economy, and the FBI and our partners will remain focused on disrupting ransomware actors and increasing the risks of engaging in this activity,” according to the FBI’s 2022 Internet Crime Report.

“Today’s cyber landscape has provided ample opportunities for criminals and adversaries to target U.S. networks, attack our critical infrastructure, hold our money and data for ransom, facilitate large-scale fraud schemes, and threaten our national security,” the report said.

Yaqub Prowell is a supervisory special agent in the Portland FBI office who works on cybercrimes. In an interview with Salem Reporter, he talked generally about such attacks, avoiding any reference to the Willamette University incident.

Prowell said “threat actors” have shifted from attacking large entities to focusing on smaller organizations such as schools, hospitals and county governments “which don’t always have the resources to be wholly prepared.”

He said the threat actors make two-pronged attacks. They intrude into an IT system and encrypt it, locking out the owner. They also steal data.

What happens next can vary, but Prowell said that generally threat actors will send a message to the owner, demanding ransom. They promise an electronic key to unlock the system once payment is made, often demanded in the form of bitcoin. They also threaten to publish on the so-called “dark web” data stolen from the system if the ransom isn’t delivered.

“At the end of the day, they want money and they want to be paid,” Prowell said. “The FBI does not condone paying it.”

He said a sophisticated network of forensic specialists, insurers and lawyers now responds to cyberattacks. The work, which can be expensive and time-consuming, can be covered by cyber insurance that is becoming more prevalent, Prowell said.

Prowell said cyberattacks can also hit businesses and individuals.

He has one primary recommendation to those using the internet: “Stop clicking on things.”

He said that opening links sent by threat actors, in emails mimicking established accounts or legitimate-looking contacts, gives them a way to install malicious electronic commands. That can lead to a hijacking of the system and a subsequent ransom demand.

Prowell said the FBI has responded to the universe of threat actors “in an extremely assertive manner.” He said anyone who suspects their system has been attacked should report immediately to the FBI through the Internet Crime Complaint Center.


Students and employees learned of the network outage in an email sent just before 5:30 a.m. on Wednesday, Feb. 21.

“We didn’t know it was a cyberattack at the time,” said Mira Karthik, a senior who is president of Associated Students of Willamette University.

In the immediate days after the outage, the university grappled with ways to work in the digital darkness. Some class assignments and tests were delayed, Karthik said.

She said some classes moved off campus into Salem locations with good wifi connections.

Karthik is a teaching assistant in The Conversation Project with courses intended to teach students how to “engage in bridge-building across groups keeping principles of equity and inclusion.”

The class moved to space in the Reed Opera House in downtown Salem.

“It was awesome,” she said.

Through the outage, “Willamette students and the community have found ways to get around that.”

She said university officials did a “phenomenal job” keeping students updated regularly. The university has about 2,000 students.

“We all just had to adjust,” Karthik said.

Ransomware attacks have hit institutions and organizations in all parts of Oregon in recent years. The FBI reports 44 known instances in the state in 2023. Authorities are investigating the nature of a cyberattack that struck Willamette University on Feb. 20, 2024. (Portland FBI map)


Les Zaitz is editor and CEO of Salem Reporter. He co-founded the news organization in 2018. He has been a journalist in Oregon for nearly 50 years in both daily and community newspapers and digital news services. He is nationally recognized for his commitment to local journalism. He also is editor and publisher of the Malheur Enterprise in Vale, Oregon.