Pennsylvania Education Union Hit by $1.14M Rhysida Ransomware Attack

Incident Date: September 9, 2024

Overview

Title: Pennsylvania Education Union Hit by $1.14M Rhysida Ransomware Attack
Victim: Pennsylvania State Education Association
Attacker: Rhysida
Location: West Chester, USA; Pennsylvania, USA
First Reported: September 9, 2024

Ransomware Attack on Pennsylvania State Education Association by Rhysida

The Pennsylvania State Education Association (PSEA), a prominent labor union representing over 178,000 education professionals in Pennsylvania, has fallen victim to a ransomware attack orchestrated by the Rhysida ransomware group. The breach was discovered on September 10, with Rhysida demanding a ransom of 20 Bitcoin, approximately $1,140,000, with a deadline set for September 17.

About PSEA

PSEA is a nonprofit organization dedicated to advocating for the interests of education professionals across Pennsylvania. With a membership base of approximately 178,000 individuals, including teachers, educational support professionals, and higher education faculty, PSEA plays a crucial role in shaping educational policy and ensuring that educators have the necessary resources and support to effectively teach and serve their students. The organization is known for its extensive advocacy efforts, collective bargaining, and professional development opportunities.

Attack Overview

The ransomware attack on PSEA was discovered on September 10, 2023. Rhysida, the group behind the attack, has demanded a ransom of 20 Bitcoin, equivalent to around $1,140,000. The exact size of the data leak remains unknown, but the implications for PSEA are significant, given its role in the education sector and the sensitive nature of the data it holds.

About Rhysida Ransomware Group

Rhysida is a relatively new player in the cybercrime arena, first sighted in May 2023. The group primarily targets sectors such as education, healthcare, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and targets Windows operating systems. The group employs a double extortion technique, stealing data before encrypting it and threatening to publish it on the dark web unless a ransom is paid.

Penetration Methods

Rhysida typically leverages phishing campaigns to deploy its ransomware. Once executed, the ransomware scans and encrypts files using the ChaCha20 encryption algorithm. The group also uses valid credentials and VPNs for initial access, employing tools like Advanced IP/Port Scanner and Sysinternals PsExec for lateral movement within the network. The ransom notes are generated as PDF documents named “CriticalBreachDetected.pdf” and saved within the affected folders.
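
A defender can hunt for the two host-level indicators named above: the “CriticalBreachDetected.pdf” note appearing in several folders, and PsExec execution. The sketch below is an added example, not part of the original report. The JSON event shape (host/kind/path), the sample events and the folder threshold are constructed assumptions.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

RANSOM_NOTE = "criticalbreachdetected.pdf"  # note file name reported for Rhysida
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}  # client + service binary

# Constructed sample telemetry, one JSON event per line. The host/kind/path
# shape is a hypothetical simplification, not a real product schema.
SAMPLE_EVENTS = r"""
{"host": "FS01", "kind": "process_create", "path": "C:\\Windows\\PSEXESVC.exe"}
{"host": "FS01", "kind": "file_create", "path": "D:\\Shares\\HR\\CriticalBreachDetected.pdf"}
{"host": "FS01", "kind": "file_create", "path": "D:\\Shares\\Finance\\CriticalBreachDetected.pdf"}
{"host": "FS01", "kind": "file_create", "path": "D:\\Shares\\Finance\\criticalbreachdetected.PDF"}
{"host": "WS07", "kind": "process_create", "path": "C:\\Tools\\PsExec64.exe"}
{"host": "WS09", "kind": "file_create", "path": "C:\\Users\\a\\Documents\\report.pdf"}
truncated-or-corrupt-line
"""

def triage(lines, min_note_folders=2):
    """Summarise per host: folders holding the ransom note, and PsExec sightings."""
    note_dirs, psexec_hosts = defaultdict(set), set()
    for line in lines:
        try:
            ev = json.loads(line)
            host, kind = ev["host"], ev["kind"]
            path = PureWindowsPath(ev["path"])
        except (ValueError, KeyError, TypeError):
            continue  # blank or malformed record: skip it, keep hunting
        name = path.name.lower()  # Windows file names are case-insensitive
        if kind == "file_create" and name == RANSOM_NOTE:
            note_dirs[host].add(str(path.parent).lower())
        elif kind == "process_create" and name in PSEXEC_IMAGES:
            psexec_hosts.add(host)
    findings = {}
    for host in sorted(set(note_dirs) | psexec_hosts):
        folders = len(note_dirs.get(host, ()))
        findings[host] = {
            "note_folders": folders,
            "psexec": host in psexec_hosts,
            # Notes spread across folders indicate encryption already ran;
            # PsExec alone is also a legitimate admin tool, so only review it.
            "severity": "critical" if folders >= min_note_folders else "review",
        }
    return findings

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS.splitlines()).items():
        print(host, finding)
```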

Implications for PSEA

The attack on PSEA highlights the vulnerabilities that even well-established organizations face in the current cyber threat landscape. Given PSEA's role in advocating for education professionals and its extensive membership base, the breach could have far-reaching consequences, affecting not only the organization but also its members and the broader educational community in Pennsylvania.
