The Royal ransomware gang rebrands and lays claim to an early November cyberattack still disrupting the Henry County School system in Central Georgia.
The week of November 6th, 2023, Henry County Schools (HCS) said it became aware of suspicious activity impacting its network operations.
On November 9th, HCS officials revealed “an unauthorized user had gained access to a certain environment on our network.”
On the advice of law enforcement and cyber experts, the school was forced to restrict access to its network, completely shutting down internet access across the entire school district, including for both students and administrative offices.
Online classes and some phone services were also disrupted, HCS said.
The public county school system encompasses over 50 schools, including elementary, middle, and high schools, serving over 42,000 students, 4,000 faculty, and more than 2,500 teachers.
Vital services such as school bus transport, lunch service, intercom, fire alarms, and buzzer entrance/access control had remained operational.
Monday, the Royal ransomware group, now rebranded as BlackSuit, posted the school on its victim leak site.
It's not clear why the gang chose to claim the school now, but since the attack, the Henry County Schools Superintendent Mary Elizabeth Davis has been posting videos on the HCS website regularly with updates.
On the last update, dated November 30th, Davis said authorities had verified over the Thanksgiving break that the suspicious activity was “a ransomware attack initiated by a group of criminals operating outside of the United States.”
The BlackSuit gang also provided a download link to a 135GB ZIP Archive file labeled “henry.k12.ga.us.zip,” but no sample files were posted.
Davis said that the HCS student information systems, financial and HR systems, as well as email systems, remain “secure and clean,” but that a file storage area containing mostly historical and procedural documents was compromised.
External data mining teams will be brought in to determine what else may have been accessed, she said, adding that “if any personally identifiable information is found compromised,” those persons will be notified.
The school said it continues to restore more services, including access to student Chromebooks, and that it plans to undergo a district-wide password reset this coming week.
Besides cybersecurity experts, the FBI, Department of Homeland Security, and Georgia Emergency Management Agency were also brought in to investigate, the school said.
BlackSuit and its Royal past
The BlackSuit ransomware group – as of this November, formerly known as Royal – has a sordid past linked to a bevy of other ransomware gangs.
Royal broke on the ransom scene sometime in 2022 and, in certain months, outpaced the number of attacks by more infamous ransom outfits such as LockBit, BlackCat, and Vice Society.
A Cybersecurity and Infrastructure Security Agency (CISA) advisory about the group released in March said Royal ransom demands can range from approximately $1 million to $11 million in Bitcoin.
The group is said to be made up of a hodgepodge of former threat actors from other Russian-linked cyber gangs, including the Conti group, and before creating their own Royal ransomware, would utilize third-party BlackCat and Zeon variants.
The gang is known to specifically target critical infrastructure with the Royal variant, “which uses a custom-made file encryption program, evolved from earlier iterations that used ‘Zeon’ as a loader,” according to CISA.
The group first made a name for itself after hacking the UK’s Silverstone Formula One motor racing circuit in November 2022.
Since then, the group infamously hacked the City of Dallas, Texas, shutting down the municipality for weeks, affecting the Dallas Police and Fire Departments and making it the 7th US city to have been targeted by the group.
The Henry County School district is not the first of its kind to fall victim to the Royal-linked cartel.
This spring, Royal also claimed to have hacked and stolen gigabytes of data from the Lake Dallas Independent School District, including the social security numbers and passport information of students and district staff.
According to Ransomlooker by Cybernews, the last activity of Royal was observed in July 2023, when the criminal syndicate added its last victim.
In comparison, Royal added 38 victims in March, while BlackSuit has added 1-2 victims each month.