Ransomware Attack Disrupts Ranney School Operations in NJ
Ransomware Attack on Ranney School by Rhysida Group
Ranney School, an independent, coeducational, college preparatory day school located in Tinton Falls, New Jersey, has recently fallen victim to a ransomware attack orchestrated by the Rhysida Ransomware Group. The attack has compromised the school's data and potentially disrupted its operations.
About Ranney School
Founded in 1960 by Russell G. Ranney, Ranney School serves students from age 3 through twelfth grade, making it the only secular, independent day school for this age range in Monmouth and Ocean Counties. As of the 2021-22 school year, the school had an enrollment of 686 students, plus 37 in PreK, with a student-teacher ratio of 9:1. The school is known for its rigorous academic programs and a strong emphasis on developing leadership, creativity, and meaningful contributions to society.
Ranney School's comprehensive curriculum is divided into Early Childhood, Lower School, Middle School, and Upper School, each designed to challenge students and prepare them for college. The school also offers a wide range of extracurricular activities, including over 20 sports, more than 40 clubs, and 10+ Honor Societies. Additionally, the school places a strong emphasis on the arts, offering programs in both visual and performing arts.
Attack Overview
The Rhysida Ransomware Group has claimed responsibility for the attack on Ranney School via their dark web leak site. The extent of the damage and the specific demands made by Rhysida remain unclear at this time. However, the incident highlights the growing threat of ransomware attacks on educational institutions, which often have valuable data and may lack the advanced cybersecurity measures found in other sectors.
About Rhysida Ransomware Group
Rhysida is a relatively new player in the cybercrime arena, first sighted in May 2023. The group primarily targets sectors such as education, healthcare, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and specifically targets the Windows Operating System. The group employs a double extortion technique, stealing data from victim networks before encrypting it and threatening to publish it on the dark web unless a ransom is paid.
Rhysida's ransomware is deployed through diverse methods, including phishing campaigns. Once executed, the ransomware encrypts files using the ChaCha20 encryption algorithm and generates ransom notes as PDF documents named “CriticalBreachDetected.pdf.” Victims are instructed to reach out to the attackers through a TOR-based portal and make payments exclusively in Bitcoin.
Penetration and Vulnerabilities
Rhysida primarily relies on leveraging valid credentials and establishing network connections through VPN for initial access. The group employs tools like Advanced IP/Port Scanner to enumerate victim environments and gather critical information about domains. They also use Sysinternals tools like PsExec for lateral movement within the network. The specific vulnerabilities that allowed Rhysida to penetrate Ranney School's systems are still being determined, but the attack underscores the importance of advanced cybersecurity measures in educational institutions.
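The tradecraft described in the two preceding sections (the "CriticalBreachDetected.pdf" ransom note, Advanced IP/Port Scanner enumeration, and PsExec service pushes for lateral movement) maps onto a few cheap host-telemetry detections. The script below is an example added by the editor, not Halcyon's detection content or anything from the incident. Its event records are constructed, and their field names are assumptions standing in for whatever your SIEM emits; PSEXESVC is PsExec's real service name, while the scanner executable names are assumed and should be checked against what your environment actually sees.

```python
"""Toy detections for the Rhysida tradecraft described above.

Editor-added example, not production detection content. The event
dictionaries mimic Windows System log (Service Control Manager
Event ID 7045) and Sysmon (Event ID 1 process create, Event ID 11
file create) records, but field names and all values are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service name PsExec registers on the remote host when it pushes its
# service binary (real value; shows up in System log Event ID 7045).
PSEXEC_SERVICE = "PSEXESVC"

# Executable names for Advanced IP Scanner / Advanced Port Scanner
# (assumed; verify against binaries observed in your own environment).
SCANNER_IMAGES = {"advanced_ip_scanner.exe", "advanced_port_scanner.exe"}

# Ransom note file name quoted in the write-up.
RANSOM_NOTE = re.compile(r"criticalbreachdetected\.pdf$", re.IGNORECASE)

# Constructed sample telemetry: benign noise plus the patterns of interest.
# Hostnames, account names and timestamps are invented.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T02:11:03", "host": "WS-ART-01", "event_id": 7045,
     "service_name": "PSEXESVC", "user": "SCHOOL\\helpdesk"},
    {"ts": "2024-01-10T02:11:04", "host": "WS-ART-02", "event_id": 7045,
     "service_name": "PSEXESVC", "user": "SCHOOL\\helpdesk"},
    {"ts": "2024-01-10T02:11:06", "host": "FS-01", "event_id": 7045,
     "service_name": "PSEXESVC", "user": "SCHOOL\\helpdesk"},
    {"ts": "2024-01-10T01:40:00", "host": "WS-ART-01", "event_id": 1,
     "image": r"C:\Users\helpdesk\Downloads\advanced_ip_scanner.exe",
     "user": "SCHOOL\\helpdesk"},
    {"ts": "2024-01-10T02:45:12", "host": "FS-01", "event_id": 11,
     "target_filename": r"D:\Shares\Grades\CriticalBreachDetected.pdf",
     "user": "SCHOOL\\helpdesk"},
    {"ts": "2024-01-10T08:00:00", "host": "WS-ART-03", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe", "user": "SCHOOL\\teacher"},
    {"ts": "2024-01-10T08:05:00", "host": "WS-ART-03", "event_id": 7045,
     "service_name": "VendorAgent", "user": "NT AUTHORITY\\SYSTEM"},
]


def psexec_service_installs(events):
    """7045 records whose service name is PsExec's."""
    return [e for e in events
            if e["event_id"] == 7045
            and e.get("service_name", "").upper() == PSEXEC_SERVICE]


def scanner_executions(events):
    """Process-create records for the scanner executables."""
    return [e for e in events
            if e["event_id"] == 1
            and e.get("image", "").rsplit("\\", 1)[-1].lower() in SCANNER_IMAGES]


def ransom_note_drops(events):
    """File-create records whose name matches the Rhysida ransom note."""
    return [e for e in events
            if e["event_id"] == 11
            and RANSOM_NOTE.search(e.get("target_filename", ""))]


def lateral_movement_bursts(events, window_seconds=300, min_hosts=3):
    """Flag accounts that pushed PsExec to >= min_hosts distinct hosts
    inside one window. A single PsExec run is routine admin work; a
    fan-out across many hosts in a few minutes is what to page on."""
    by_user = defaultdict(list)
    for e in psexec_service_installs(events):
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    alerts = []
    for user, hits in by_user.items():
        hits.sort()
        for t0, _ in hits:
            end = t0 + timedelta(seconds=window_seconds)
            hosts = {h for t, h in hits if t0 <= t <= end}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "hosts": sorted(hosts),
                               "start": t0.isoformat()})
                break  # one alert per account is enough
    return alerts


def run_detections(events):
    """Summarise every detection over a batch of events."""
    return {
        "psexec_service_installs": len(psexec_service_installs(events)),
        "scanner_executions": len(scanner_executions(events)),
        "ransom_note_drops": len(ransom_note_drops(events)),
        "lateral_movement_bursts": lateral_movement_bursts(events),
    }


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

The burst rule is the one that matters operationally: the scanner and the ransom note are high-confidence but late signals, whereas three PSEXESVC installs from one account in a five-minute window fires while the operator is still moving between hosts, before encryption starts.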