Ransomware Attack Threatens Ontario Teacher Evaluation Data

Incident Date:

September 10, 2024

Overview

Title

Ransomware Attack Threatens Ontario Teacher Evaluation Data

Victim

Qualifications Evaluation Council of Ontario (QECO)

Attacker

Rhysida

Location

Toronto, Canada

First Reported

September 10, 2024

Ransomware Attack on Qualifications Evaluation Council of Ontario (QECO)

The Qualifications Evaluation Council of Ontario (QECO), an organization dedicated to evaluating the qualifications of teachers in Ontario, Canada, has fallen victim to a ransomware attack by the Rhysida ransomware group. The attackers have claimed responsibility for breaching QECO's systems and have threatened to publish the organization's data within 6–7 days unless a ransom of 10 BTC, approximately $570,000, is paid by September 17th.

About QECO

QECO operates within the education sector, providing evaluation services to certified teachers in Ontario. The organization helps teachers understand their current qualification status and the requirements for advancing to a higher teaching category. QECO's evaluations determine a teacher's salary category placement, which ranges from Category A to Category A4. The organization employs between 20 and 49 people and generates an estimated annual revenue of $1 million to $5 million.

What Makes QECO Stand Out

QECO is distinguished by its specialized focus on the education sector, particularly in evaluating qualifications for teachers. The organization offers unique services such as course approval, recognition of alternative upgrading routes, and personalized assistance for teachers seeking to change their evaluation category. QECO's role is strictly evaluative, emphasizing its commitment to supporting educators' professional development without administering qualifications or communicating with third parties.

Attack Overview

The Rhysida ransomware group has claimed responsibility for the attack on QECO and has threatened to publish the organization's data unless the ransom is paid. Rhysida practices double extortion: it exfiltrates data before encrypting systems, then threatens to publish the stolen data on its dark web leak site if the victim does not pay. The ransomware binary is written in C++, targets Windows, and encrypts files with the ChaCha20 cipher.

About Rhysida Ransomware Group

Rhysida is a relatively new entrant in the cybercrime arena, first observed in May 2023. The group targets a range of sectors, including education, healthcare, manufacturing, information technology, and government. Rhysida uses several routes to deploy its ransomware, including phishing campaigns, and typically gains initial access with valid credentials, often by connecting through the victim's VPN. Once inside, the group uses Advanced IP Scanner and Advanced Port Scanner for network discovery and Sysinternals PsExec for lateral movement.
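The discovery and lateral movement tooling named above leaves recognisable traces in Windows telemetry: a Sysmon process-creation event for the scanner or the PsExec client on the source host, and a System log event 7045 (new service installed) for the PSEXESVC service on the target host. The following is an added detection sketch, not code from this page or from any tracker or vendor; the event records are constructed for the example and have nothing to do with the QECO incident, and the flattened field names (`event_id`, `host`, `user`, `image`, `cmdline`, `service_name`, `image_path`) are this example's own assumption about how the events were normalised.

```python
import re
from dataclasses import dataclass

# Process images associated with the discovery and lateral movement
# tooling described above.  Matching is on lower-cased basename.
SCANNER_IMAGES = {"advanced_ip_scanner.exe", "advanced_port_scanner.exe"}
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe"}
PSEXEC_SERVICE = "PSEXESVC"

# Constructed sample telemetry (not from the QECO incident): Sysmon
# event 1 (process create) and System log event 7045 (service install),
# flattened to one dict per record.  Field names are assumed.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-07", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\advanced_ip_scanner.exe",
     "cmdline": "advanced_ip_scanner.exe /portable"},
    {"event_id": 1, "host": "WS-07", "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n"},
    {"event_id": 1, "host": "WS-12", "user": "CORP\\jdoe",
     "image": "C:\\Tools\\PsExec64.exe",
     "cmdline": "PsExec64.exe \\\\SRV-FILE01 -s cmd.exe"},
    {"event_id": 7045, "host": "SRV-FILE01", "user": "CORP\\jdoe",
     "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
]


@dataclass
class Finding:
    technique: str
    host: str
    user: str
    evidence: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Finding per matching event.  A PSEXESVC install on a
    target host is tied back to the host that ran the PsExec client
    against that target, when such an event is in the same batch."""
    # First pass: which host launched PsExec against which target?
    psexec_sources = {}
    for ev in events:
        if ev.get("event_id") == 1 and _basename(ev.get("image", "")) in PSEXEC_IMAGES:
            m = re.search(r"\\\\([\w.-]+)", ev.get("cmdline", ""))
            if m:
                psexec_sources[m.group(1).upper()] = ev["host"]

    findings = []
    for ev in events:
        eid = ev.get("event_id")
        if eid == 1:
            name = _basename(ev.get("image", ""))
            if name in SCANNER_IMAGES:
                findings.append(Finding("discovery: Advanced IP/Port Scanner",
                                        ev["host"], ev["user"], ev["image"]))
            elif name in PSEXEC_IMAGES:
                findings.append(Finding("lateral movement: PsExec client",
                                        ev["host"], ev["user"], ev.get("cmdline", "")))
        elif eid == 7045:
            svc = ev.get("service_name", "").upper()
            img = _basename(ev.get("image_path", ""))
            # Note: PsExec's -r switch renames both the service and the
            # dropped binary, so this name match only catches default runs.
            if svc == PSEXEC_SERVICE or img == PSEXEC_SERVICE.lower() + ".exe":
                evidence = f"service {svc} from {ev.get('image_path')}"
                src = psexec_sources.get(ev["host"].upper())
                if src:
                    evidence += f"; PsExec launched from {src}"
                findings.append(Finding("lateral movement: PsExec service installed",
                                        ev["host"], ev["user"], evidence))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.host} {f.user}: {f.evidence}")
```

Run as a script it prints three findings from the constructed batch: the scanner on WS-07, the PsExec client on WS-12, and the PSEXESVC install on SRV-FILE01 correlated back to WS-12. The Word launch is ignored. In a real deployment the same logic belongs in the SIEM as a correlation rule keyed on the target host name, and the name-based matching should be backed by something PsExec cannot rename as easily, such as the named pipe it creates.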

Potential Vulnerabilities

QECO's role as custodian of teachers' qualification records makes it an attractive target for a double extortion group like Rhysida. No initial access vector has been disclosed for this incident. The phishing campaigns and use of valid credentials that Rhysida is known for are plausible candidates, but they remain unconfirmed, and nothing public so far identifies a specific weakness in QECO's systems.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.