Royal attacks Penncrest School District
Incident Date: June 10, 2023
Overview
Title: Royal attacks Penncrest School District
Victim: Penncrest School District
Attacker: Royal
Location:
First Reported: June 10, 2023
Royal Ransomware Gang Targets Penncrest School District
The Royal ransomware gang has allegedly attacked the Penncrest School District. Penncrest School District is a medium-sized public school district situated primarily in Crawford County, located in Northwest Pennsylvania. It also serves a small portion of Venango County, adjacent to its primary service area. The district covers multiple rural townships and boroughs.
Royal claims to have stolen 164GB of data, including financial data and the personal information of students and employees. Royal has been active only since September 2022 but has quickly become one of the more concerning ransomware operations. The group is somewhat unusual in that it prefers to encrypt larger files only partially, which helps it evade detection until it chooses to reveal the attack.
Royal's Increasing Threat
Royal increased attack activity in late 2022 (and early 2023), prompting CISA and the FBI to issue alerts to critical infrastructure providers in sectors such as healthcare, communications, and education. Royal uses its own custom-made file encryption program and leverages tools like Cobalt Strike or malware like Ursnif/Gozi. Evidence indicates the group continues to invest heavily in development, expanding its operations and capabilities.
The RaaS (Ransomware-as-a-Service) platform includes advanced security evasion and anti-analysis capabilities that can hinder both detection and investigation in emulated environments. Royal tends to target critical infrastructure sectors, including the Manufacturing, Communications, Healthcare, and Education sectors.