Ransom gang claims attack on Prince George County school district

The newly established Rhysida ransomware group is claiming responsibility for the August 14th attack on Maryland’s Prince George's County school systems, one of the largest school districts in the US.

The ransom group added the Maryland school district to its dark leak site Friday, just three days before students are set to return to classes for the 2023-24 school year.

The Prince George's County Public School System (PGCPS), one of the nation's 20th largest school districts, was hit by a cyberattack in the early hours of August 14th.

The district claims only about 4,500 user accounts out of 180,000 were impacted, most of them staff accounts. But now, it seems sensitive data from those compromised user accounts have been put up for sale on Rhysida’s leak site – all for 15 Bitcoin or roughly $390,000 US dollars.

Rhysida appears to be auctioning off a sizable amount of stolen data from the breach, including passports, driver's licenses, and other sensitive information but has not posted a specific amount.

The auction is set to expire six days from Friday, according to the countdown clock listed for PGCPS.

Prince George School District ransom Rhysida attack
Rhysida dark leak site

The district has been posting updates about the network outage on its website, the latest from August 18th, before the ransomware gang claimed the district as its latest victim.

“Prince George’s County Public Schools (PGCPS), with the assistance of cybersecurity experts, continues to thoroughly investigate the cyber attack that disrupted our servers……We are now focused on completely restoring our technology environment and analyzing the scope of the event to determine any current and future data loss,” the district stated in its latest update.

“While we are currently unaware of any specific misuse of information, cyber-attacks of this nature typically result in a breach of data. We will provide updates as needed," it said.

Meantime, on its dark leak site, Rhysida posted this alongside the PGCPS data samples: “With just seven days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data. Open your wallets and be ready to buy exclusive data.”

“We sell only to one hand, no reselling, you will be the only owner!” the group said.

PGCPS Rhysida samples
Rhysida dark leak site

Almost immediately after becoming aware of the breach, PGCPS said it had all system users rest their passwords out of caution.

Students will also be forced to reset their passwords during the first week of school, starting August 28th, although the district said its main business and student information systems did not appear impacted by the incident.

PGCPS also said it would be reaching out to any impacted victims in the upcoming days.

Located in the Washington DC Corridor, the Prince George County school district has over 200 schools and centers, more than 133,000 students and nearly 20,000 employees, according to its website.

Cybernews has reached out to PGCPS for comment on the latest developments and is awaiting a response.

Rhysida strikes again

The lesser-known threat actor has only been on the ransomware scene since late May, according to the US government officials, who profiled the group earlier this month.

Earlier this week, the group claimed responsibility for a debilitating attack on the California-based healthcare conglomerate Prospect Medical Holdings (PMH).

Rhysida ranson group logo
Rhysida dark leak site

The August 3rd PMH ransom attack forced several hospitals and medical facilities in Connecticut and Pennsylvania to suspend services and divert patients for days.

PMH subsidiaries include 17 hospitals and 165 outpatient facilities across five states, including Rhode Island and New Jersey.

Besides posting PMH as a victim on their dark leak site Thursday, the threat actor also set up a live auction, offering up more than 2.3T of sensitive data allegedly stolen in that attack, including an entire SQL database.

Another victim, Washington State’s Pierce College, has also suffered the same fate. The gang is allegedly selling the school’s stolen data starting at 10 BTC to the highest bidder. That auction will end on Monday.

There are 40 other victims listed on Rhysida’s leak site, almost triple the number of victims listed by US officials in its August 4th warning bulletin on the group.

Rhysida is thought to have ties to the Vice Society ransom gang, notorious for its attacks on the education sector, primarily in the US, Canada, and the UK.