Ransomware Attack on Alabama Department of Education by Incransom: Key Details

Incident Date: July 13, 2024

Overview

Victim: State of Alabama - Alabama Department Of Education

Attacker: Inc Ransom

Location: Montgomery, USA; Alabama, USA

First Reported: July 13, 2024

Ransomware Attack on Alabama Department of Education by Incransom

Overview of the Alabama Department of Education

The Alabama Department of Education (ALSDE) is a pivotal state agency responsible for overseeing public education from kindergarten through 12th grade. With an annual revenue of $20.61 billion and employing 664 people, the department ensures that educational standards are met and provides leadership and support for schools, educators, and students. The ALSDE's mission is to foster a learning environment that promotes academic success through initiatives like the Alabama Learning Exchange (ALEX) and the Alabama Math, Science, and Technology Initiative (AMSTI).

Details of the Ransomware Attack

On June 17, the ransomware group Incransom targeted the Alabama Department of Education. Although the department managed to prevent a complete system lockdown, hackers accessed some data and disrupted services. The compromised data potentially includes personal information of students and employees. Federal and state authorities, including the FBI and the Alabama Attorney General, are actively investigating the breach. The department has since enhanced its cybersecurity measures, restored affected systems from clean backups, and refused to negotiate with the attackers.

About Incransom

Incransom is a sophisticated cybercriminal group known for its targeted ransomware attacks on various sectors, including education, healthcare, and government entities. The group employs advanced techniques such as spear-phishing campaigns and the exploitation of vulnerabilities like CVE-2023-3519 in Citrix NetScaler. Incransom's attacks involve double extortion: the group not only encrypts data but also steals it and threatens to release it publicly, increasing the pressure on victims to comply with ransom demands.

Penetration and Vulnerabilities

Incransom likely penetrated the ALSDE's systems through a combination of spear-phishing and exploiting existing vulnerabilities. The department's extensive use of digital platforms and resources, while beneficial for educational purposes, also makes it a lucrative target for cybercriminals. The attack underscores the importance of robust cybersecurity measures, especially for organizations handling sensitive data.

Response and Current Status

In response to the attack, the ALSDE has taken significant steps to bolster its cybersecurity framework. The department has restored affected systems from clean backups and continues to provide updates on its dedicated webpage. Despite the disruption, the department remains committed to its mission of supporting Alabama's educational landscape.
