Cressex Community School Hit by RansomHouse Ransomware Attack

Incident Date: May 22, 2024


Overview

Victim: Cressex Community School
Attacker: RansomHouse
Location: High Wycombe, United Kingdom
First Reported: May 22, 2024


Overview of the Attack

On March 22, 2024, Cressex Community School, a secondary school located in High Wycombe, Buckinghamshire, suffered a significant ransomware attack. The notorious data extortion group RansomHouse claimed responsibility, posting evidence of the breach on their dark web leak site. Approximately 300GB of data was compromised, significantly impacting the school's IT systems.

About Cressex Community School

Cressex Community School is known for its commitment to high educational achievement and fostering positive attitudes towards learning. The school has around 762 students with a student-teacher ratio of 17:1. It has been rated "Good" by Ofsted in various categories, including leadership, management, and the quality of teaching. It does not generate revenue; it is a publicly funded institution dedicated to providing quality education under the guidance of the local authority and the UK government.

Details of the Attack

The ransomware attack by RansomHouse led to the encryption of critical data on March 25, 2024. Despite the severity of the attack, the school managed to continue operations without interruption, thanks to its Cyber Response Plan. The incident was promptly reported to the Information Commissioner’s Office (ICO) and is currently under investigation by relevant authorities.

The attackers posted evidence of the breach, which attracted significant attention online, although a full data dump has not yet been made available. The school's data, including sensitive information, is being held for ransom, with the exact demands and negotiation details yet to be disclosed publicly.

About RansomHouse

RansomHouse is a data extortion group that differentiates itself by not encrypting files but rather exfiltrating sensitive data and threatening to release it unless a ransom is paid. Emerging in late 2021, the group claims to be "professional mediators" shining a light on companies with inadequate security measures. They have been linked to other ransomware groups such as White Rabbit and Hive and are known for using Tor-based communication methods and accepting ransom payments in Bitcoin.

RansomHouse’s approach involves a deep infiltration into the target's network to exfiltrate data stealthily. This method allows them to maintain a presence in the victim’s system for extended periods before detection, increasing the potential impact of their attacks.

Impact and Response

The attack on Cressex Community School highlights the vulnerabilities educational institutions face in the current cybersecurity landscape. Despite its public funding and educational focus, the school's substantial data holdings made it an attractive target for cybercriminals. The school's proactive response and the community's resilience have been crucial in managing the crisis and mitigating further damage.

The ongoing investigation and collaboration with cybersecurity specialists aim to enhance the school's defenses against future attacks. The incident underscores the importance of robust cybersecurity measures and the need for constant vigilance against evolving threats.
