Royal Ransomware Gang Targets Penncrest School District

The Royal ransomware gang has allegedly attacked the Penncrest School District. Penncrest School District is a medium-sized public school district situated primarily in Crawford County, located in Northwest Pennsylvania. It also serves a small portion of Venango County, adjacent to its primary service area. The district covers multiple rural townships and boroughs.

Royal claims to have stolen 164GB of data, including the personal information of students and employees and financial data. Royal has been active since September 2022 but has quickly become one of the more concerning ransomware operations. Royal is somewhat unique in that they prefer only partial encryption for larger files to evade detection before they choose to reveal the attack.

Royal's Increasing Threat

Royal increased attack activity in late 2022 (and early 2023), prompting CISA and the FBI to issue alerts to critical infrastructure providers like the healthcare, communications, and education sectors. Royal uses its own custom-made file encryption program and leverages tools like Cobalt Strike or malware like Ursnif/Gozi. Evidence indicates they continue to invest heavily in development, expanding their operations and capabilities.

The RaaS (Ransomware-as-a-Service) platform includes advanced security evasion and anti-analysis capabilities that can hinder both detection and investigation in emulated environments. Royal tends to target critical infrastructure sectors, including the Manufacturing, Communications, Healthcare, and Education sectors.