LockBit 3.0 Ransomware Attack on EVW School District

Incident Date:

May 9, 2024

World map

Overview

Title

LockBit 3.0 Ransomware Attack on EVW School District

Victim

Eden Valley-Watkins Independent School District #463

Attacker

Lockbit3

Location

Eden Valley, USA

Minnesota, USA

First Reported

May 9, 2024

Ransomware Attack on EVW School District by LockBit 3.0

Victim Profile

The Eden Valley-Watkins Independent School District #463, located in Eden Valley, Minnesota, is a public school district serving students in Eden Valley, Watkins, and surrounding areas. The district operates one elementary school and one secondary school, offering a wide range of educational programs and extracurricular activities to support student development.

Company Size and Industry Standing

The school district is a prominent educational institution known for its high standards and rigorous academic, arts, and athletic programs. The district's commitment to personalized learning opportunities, mental health programs, and community engagement sets it apart in the education sector.

Attack and Vulnerabilities

The LockBit 3.0 cybercrime group targeted the EVW School District in a ransomware attack, exfiltrating 19 GB of data, including invoices, financial records, and other documents. While no specific ransom demand was issued, the attackers leaked a sample of the exfiltrated data, highlighting the severity of the breach. The district's reliance on digital systems for administrative and educational purposes could have made it vulnerable to ransomware attacks like the one carried out by LockBit 3.0.

Ransomware Group Distinction

LockBit 3.0, also known as LockBit Black, is a sophisticated ransomware group that has evolved from previous iterations to become more modular, evasive, and dangerous. The group's use of obfuscation techniques, lateral movement capabilities, and Ransomware-as-a-Service model make it a significant threat to organizations across various industries, including education.

LockBit May Attacks

This is part of the May 2024 attacks by LockBit 3.0, a cybercriminal group that resurfaced with vigor following the disruption of its infrastructure in February during "Operation Cronos." Despite arrests and the dismantling of its data leak site, LockBit swiftly returned, targeting over 50 victims within hours of reactivating its platform. The recent activities of LockBit targeted diverse industries globally, with manufacturing companies, professional services, and the ICT sector being the most affected.

Sources:

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.