Georgia county school district claimed by BlackSuit ransom gang

The Royal ransomware gang rebrands and lays claim to an early November cyberattack still disrupting the Henry County School system in Central Georgia.

The week of November 6th, 2023, Henry County Schools (HCS) said it became aware of suspicious activity impacting its network operations.

On November 9th, HCS officials revealed “an unauthorized user had gained access to a certain environment on our network.“

On the advice of law enforcement and cyber experts, the school was forced to restrict access to its network, completely shutting down internet access across the entire school district, including for both students and administrative offices.

Online classes and some phone services were also disrupted, HSC said.

The public county school system encompasses over 50 schools, including elementary, middle, and high schools, serving over 42,000 students, 4,000 faculty, and more than 2,500 teachers.

Vital services such as such as school bus transport, lunch service, intercom, fire alarms, and buzzer entrance/access control had remained operational.

Monday, the Royal ransomware group, now rebranded as BlackSuit, posted the school on its victim leak site.

Royal BlackSuit Henry County Schools
BlackSuit leak site, Image by Cybernews.

It's not clear why the gang chose to claim the school now, but since the attack, the Henry County Schools Superintendent Mary Elizabeth Davis has been posting videos on the HSC website regularly with updates.

On the last update, dated November 30th, Davis said authorities had verified over the Thanksgiving break that the suspicious activity was “a ransomware attack initiated by a group of criminals operating outside of the United States.”

The BlackSuit gang also provided a download link to a 135GB ZIP Archive file labeled “,” but no sample files were posted.

Royal BlackSuit Henry County Schools GB
BlackSuit leak site, Image by Cybernews.

Davis said that the HCS student information systems, financial and HR systems, as well as email systems, remain “secure and clean,” but that a file storage area containing mostly historical and procedural documents was compromised.

External data mining teams will be brought in to determine what else may have been accessed, she said, adding that “if any personally identifiable information is found compromised,” those persons will be notified.

The school continues to restore more services, including access to student Chrome books, and that it plans to undergo a district wide password reset this coming week.

Besides cybersecurity experts, the FBI, Department of Homeland Security, and Georgia Emergency Management Agency were also brought in to investigate, the school said.

BlackSuit and its Royal past

The BlackSuit ransomware group – as of this November, formally known as Royal – has a sordid past linked to a bevy of other ransomware gangs.

Royal broke on the ransom scene sometime in 2022 and, in certain months, outpaced the number of attacks by more infamous ransom outfits such as LockBit, BlackCat, and Vice Society.

A Cybersecurity and Infrastructure Security Agency (CISA) advisory about the group released in March said Royal ransom demands can range from approximately $1 million to $11 million in Bitcoin.

The group is said to be made up of a hodge podge of former threat actors from other Russian-linked cyber gangs, including the Conti group, and before creating their own Royal ransomware, would utilize third-party BlackCat and Zeon variants.

Royal contact page
Royal leak site. Image by Cybernews

The gang is known to specifically target critical infrastructure with the Royal variant, “which uses a custom-made file encryption program, evolved from earlier iterations that used “Zeon” as a loader," according to CISA

The group first made a name for itself after hacking the UK’s Silverstone Formula One motor racing circuit in November 2022.

Since then, the group infamously hacked the City of Dallas, Texas, shutting down the municipality for weeks, affecting the Dallas Police and Fire Departments and making it the 7th US city to have been targeted by the group.

Dallas Ransom Attack Statement
City of Dallas ransomware attack. Image by Cybernews

The Henry County School district is not the first of its kind to fall victim to Royal-linked cartel.

This spring, Royal also claimed to have hacked and stolen gigabytes of data from the Lake Dallas Independent School District, including the social security numbers and passport information of students and district staff.

According to Ransomlooker by Cybernews, the last activity of Royal was observed in July 2023, when the criminal syndicate added its last victim.

In comparison, Royal added 38 victims in March, while BlackSuit has added 1-2 victims each month.

More from Cybernews:

Britain says no evidence of Sellafield nuclear site hacking

The future of phone scams: bots that sound like your loved ones

Study: young people would pay to have everyone delete TikTok and Instagram

Spot the Artist: a robot dog takeover at NGV Triennial in Melbourne

Book review: “A City on Mars”

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked