Michigan K-12 School System Blocks Unknown Ransomware Before a Single File Was Encrypted
Challenge
A zero-day ransomware variant with no existing signature slipped past the district's MDR and EDR, targeting file servers, legacy operating systems, and administrative workstations.
Solution
RansomSnare sensors were deployed across the highest-risk surfaces — critical servers, unsupported legacy OS, and the admin environment — as a reinforcing layer alongside the existing MDR/EDR stack.
Result
RansomSnare blocked unknown variants the existing EDR missed before a single file was encrypted — no data loss, no downtime, and legacy systems protected for the first time.
At a Glance
- Industry: SLED / K-12 Education
- Location: Michigan, USA
- Environment: 500 IT endpoints
- Existing stack: MDR + EDR (existing vendor)
- Deployment: Critical servers, legacy OS, admin environment
- Product used: RansomSnare by SecuritySnares
- Time to deploy: 2 weeks
- District size: 15 facilities, 7,500 students
- Zero-day strains tested: 6 (4 missed by the existing EDR)
Background
This Michigan school district operates 15 facilities serving 7,500 students across 500 IT endpoints. Like most districts, it relied on Managed Detection and Response (MDR) and Endpoint Detection & Response (EDR) to protect its environment. When a zero-day ransomware variant hit, neither caught it.
The Challenge
The attack was unknown, no signature existed for it, and it slipped through existing defenses. The adversaries targeted the district's file servers, legacy operating systems, and administrative workstations. Beyond containing the immediate threat, the district's security team now had to reckon with a gap they hadn't known was there. Three factors made their exposure especially acute:
- Learning continuity: Any system downtime directly impacts students and staff.
- Legacy OS coverage: Parts of the environment ran on unsupported operating systems, platforms most EDR vendors don't protect.
- Limited IT resources: The district needed a solution that wouldn't require ongoing maintenance or specialized staff to run.
Evaluating the Gap
Before deploying anything, SecuritySnares ran their ZeroDay Ransomware Simulation Test, subjecting the district's systems to mock zero-day scenarios to surface exactly where coverage ended. The results confirmed meaningful gaps, particularly around novel variants and legacy OS environments, and gave the security team documented evidence to act on.
The Solution
SecuritySnares deployed RansomSnare sensors across the district's highest-risk surfaces: critical servers, systems running unsupported operating systems, and the administrative user environment. The existing MDR and EDR stack stayed in place. RansomSnare was added as a reinforcing layer to catch what signature-based tools miss.
RansomSnare detects ransomware behavior at the moment it attempts to encrypt a file, stopping the attack before any data is affected. It requires no signatures, no internet connectivity, and no update cycles, and it uses less than 50 MB of RAM and 1% CPU per device.
Results
- Zero-day ransomware blocked: SecuritySnares tested six different zero-day ransomware strains in a lab environment; four of them were missed by the district's existing EDR. RansomSnare stopped those unknown variants before a single file was encrypted.
- No data loss: No student records, financial data, or operational systems were compromised.
- No downtime: RansomSnare stops attacks without isolating devices, so staff and students experienced no disruption.
- Legacy systems covered: Endpoints on unsupported OS (previously unprotected) were secured for the first time.
- Endpoints deployed: 500
- Time to deploy: 2 weeks
"In the face of increased cybersecurity threats to schools across the country, maintaining continuity of learning is our top priority. SecuritySnares was quick and easy to implement and provides the reinforcement to our EDR system we needed to protect our data and our community."
— IT Director, Michigan K-12 School District
Why SecuritySnares?
- No disruption to operations. Unlike MDR/EDR responses that isolate devices and take systems offline, RansomSnare stops the attack while the device keeps running.
- Variant-agnostic. Detects ransomware behavior, not known signatures, so it catches new and unknown zero-day variants by design.
- Lightweight, zero-maintenance. No internet required. No updates. <50 MB RAM, <1% CPU per device.
- Legacy OS support. Full Windows support back to XP/2008 R2, covering infrastructure most EDR vendors leave unprotected.
About SecuritySnares
SecuritySnares develops RansomSnare, a microsensor that reinforces existing endpoint protection to stop zero-day ransomware before it encrypts a single file. RansomSnare works alongside any EDR or XDR, requires no internet connectivity, and supports legacy and modern operating systems across public sector, education, healthcare, and critical infrastructure.
See how RansomSnare would protect your environment. Request a live demo or run the ZeroDay Ransomware Simulation Test against your own systems.