Blacksuit Ransomware Strikes Edwood Schools, Disrupting Operations and Data Integrity

Incident Date: June 25, 2024

Overview

Victim: Edwood Schools

Attacker: Black Suit

Location: Ellettsville, USA; Indiana, USA

First Reported: June 25, 2024

Blacksuit Ransomware Group Targets Edwood Schools

Overview of Edwood Schools

Edwood Schools, part of the Richland-Bean Blossom Community School Corporation (RBBCSC), is located in Ellettsville, Indiana. Serving a diverse student population across elementary, middle, and high school levels, the institution is committed to fostering intellectual, social, and emotional development through a comprehensive curriculum and various extracurricular activities. With a mission of "Caring. Daring. Preparing.", Edwood Schools aims to empower learners to reach their fullest potential. The district employs between 51-100 people and has an annual revenue of $1M-$5M. Known for its commitment to student well-being, the school provides support services such as counseling, special education, and health services.

Details of the Ransomware Attack

Recently, Edwood Schools became a victim of a ransomware attack by the Blacksuit ransomware group. Blacksuit publicly claimed responsibility on their dark web leak site, listing Edwood Schools as a victim. The group encrypted critical data, appending the .blacksuit extension to affected files, and left a ransom note named README.BlackSuit.txt in each compromised directory. The note directed victims to a Tor chat site for further communication. While the exact ransom demand and deadline remain undisclosed, the attack has significantly impacted the school's operations and data integrity, given the sensitive nature of the information handled by educational institutions.
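The two file-system artifacts named above (the .blacksuit extension and the README.BlackSuit.txt note) are enough to scope which directories were touched during response. The following is an added example, not code from the original report: a read-only triage sweep that summarises hits per directory and orders them by earliest modification time. The function names `triage` and `report` are hypothetical.

```python
import os
from collections import defaultdict
from datetime import datetime, timezone

# Indicators as stated in the report above; matched case-insensitively.
ENCRYPTED_SUFFIX = ".blacksuit"
RANSOM_NOTE = "readme.blacksuit.txt"


def triage(root):
    """Return {directory: {"note", "encrypted", "earliest"}} for affected dirs."""
    hits = defaultdict(lambda: {"note": False, "encrypted": 0, "earliest": None})
    # onerror: skip unreadable directories instead of aborting the sweep.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()
            is_note = lower == RANSOM_NOTE
            is_enc = lower.endswith(ENCRYPTED_SUFFIX)
            if not (is_note or is_enc):
                continue
            entry = hits[dirpath]
            entry["note"] = entry["note"] or is_note
            entry["encrypted"] += int(is_enc)
            try:
                mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; the count still stands
            if entry["earliest"] is None or mtime < entry["earliest"]:
                entry["earliest"] = mtime
    return dict(hits)


def report(hits):
    """Render one line per affected directory, oldest hit first."""
    def when(item):
        earliest = item[1]["earliest"]
        return float("inf") if earliest is None else earliest
    lines = []
    for path, e in sorted(hits.items(), key=when):
        ts = ("unknown" if e["earliest"] is None else
              datetime.fromtimestamp(e["earliest"], timezone.utc).isoformat())
        lines.append(f"{ts}  note={e['note']}  encrypted={e['encrypted']}  {path}")
    return lines


if __name__ == "__main__":
    import sys
    print("\n".join(report(triage(sys.argv[1] if len(sys.argv) > 1 else "."))))
```

Modification times only approximate the order of encryption and can be altered by copying or restoring files, so treat the ordering as a lead to confirm against other logs.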

About the Blacksuit Ransomware Group

Blacksuit is a new ransomware family that emerged in 2023, closely related to the notorious Royal ransomware group. Experts have noted significant similarities in code and functionality between the two. Blacksuit targets both Windows and Linux systems, including VMware ESXi servers, making it a versatile and potent threat. Researchers suggest that Blacksuit could be a new variant developed by the same authors as Royal, a copycat using similar code, or an affiliate of the Royal ransomware gang. The emergence of Blacksuit indicates that the threat actors behind Royal may have inspired other cybercriminals to develop similar ransomware families.

Potential Vulnerabilities and Attack Vectors

Educational institutions like Edwood Schools are often targeted by ransomware groups due to several vulnerabilities, including outdated software, insufficient cybersecurity measures, and the high value of the data they hold. Schools manage a vast amount of sensitive information, making them lucrative targets for cybercriminals. In the case of Edwood Schools, the attack could have been facilitated by exploiting vulnerabilities in their IT infrastructure, such as unpatched software, weak passwords, or phishing attacks. The ransomware group may have gained initial access through compromised credentials or by exploiting known vulnerabilities in the school's network.
