Ryshida Ransomware Attack and Remediation Activity for Schools

Last week Enfield Council received notification that one of the schools in the borough had suffered a Ransomware attack that has caused significant loss of data and negative impact on IT services within the school.

A summary of the incident is as follows:

  • The hacker group associated with the attack has been identified and goes by the name “Ryshida”
  • They have also been associated with a previous ransomware attack on a school called Thomas Hardye in Dorset, some details can be found here:

https://www.dorsetecho.co.uk/news/23566430.thomas-hardye-school-cyberattack-may-wiped-vital-exam-work/

  • The attack was carried out by exploiting a known vulnerability in a print management application called PaperCut:

PaperCut in Education

There has now been a third suspected Ransomware attack today by the same group against another school in SE England (not LBE area) using the same attack methodology (exploitation of the vulnerability in the PaperCut application).

Recommendation: The Council now advises that all schools that use the PaperCut application should immediately upgrade to a version in which the known vulnerability is fixed, to reduce the risk of a directed ransomware attack by the Ryshida hacker group.

The details of the vulnerability and remediation required are at the following link:

https://www.papercut.com/kb/Main/PO-1216-and-PO-1219

Summary of remediation – Upgrade of the application to versions not containing the vulnerability as follows:

  • Important: Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9 and later. We highly recommend upgrading to one of these versions containing the fix
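To help schools check their estate against the versions listed above, here is an added example (not code from the council or from PaperCut) that decides whether a reported PaperCut MF/NG version is at or past the fixed release for its branch, and lists the hosts in a constructed sample inventory that still need upgrading. It assumes that branches older than 20 never received the fix and that branches newer than 22 are covered by the advisory's "and later".

```python
# Added example (not from the council's email or PaperCut): decides whether a
# reported PaperCut MF/NG version includes the PO-1216/PO-1219 fix, using the
# fixed versions the advisory lists: 20.1.7, 21.2.11, 22.0.9 "and later".
import re
from typing import Dict, List, Tuple

# First fixed release in each affected major branch (from the advisory).
FIXED_IN_BRANCH: Dict[int, Tuple[int, int, int]] = {
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as '22.0.9' or
    'PaperCut MF 22.0.10 (Build 66000)'. A missing patch component counts as 0."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_patched(version_text: str) -> bool:
    """True if the version is at or past the fix for its branch.
    Assumption: branches older than 20 never received the fix, and branches
    newer than 22 are covered by the advisory's 'and later'."""
    ver = parse_version(version_text)
    major = ver[0]
    if major < min(FIXED_IN_BRANCH):
        return False
    if major > max(FIXED_IN_BRANCH):
        return True
    return ver >= FIXED_IN_BRANCH[major]


def hosts_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: reported version}, return the hosts still on a
    vulnerable release, sorted so the report is stable."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "print-srv-01": "PaperCut NG 22.0.4 (Build 65000)",
        "print-srv-02": "22.0.9",
        "print-srv-03": "21.2.10",
        "print-srv-04": "20.1.7",
    }
    for host in hosts_needing_upgrade(sample):
        print(f"{host}: {sample[host]} -> upgrade required")
```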

While this will not definitively provide assurance against attack, it does close one known attack vector for this group, which now seems to be focusing on schools in SE England.  Two other suspected methods of attack for this group are targeted phishing and the use of Cobalt Strike, which utilises/misuses a legitimate security tool.  Defending against these attack vectors requires significant sophistication and is outside the remit of this email.

If you would like to discuss your school ICT provision, please contact sts@enfield.govuk and the EN Digital team will get in touch with you.