Ransomware gang claims it breached Tennessee school district, disrupted internet access

Ransomware gang Rhysida this week claimed responsibility for a cyber attack on Henry County Schools in Tennessee. The group posted samples of what it says are confidential documents stolen from the school district.

Henry County Schools has not verified Rhysida’s claim. The district posted a notice on its website about a “cybersecurity issue” on August 26, 2024:

“Our School System is aware of a cybersecurity issue today that is currently limiting access to the internet. Our first priority is to help coordinate efforts to avoid disruption to the school day. We are in contact with our IT Department to better understand the nature of the impact and to ensure an effective response. Since we have limited access to the internet and school platforms, you will need to contact your teacher or administrator by phone instead of email.”

Henry County Schools has not responded to Comparitech’s request for comment. We do not know if any student or staff personal data was compromised, or if the district paid a ransom. We will update this article if the district replies.

Note: This attack is unrelated to that on another school district with the same name. In November 2023, Henry County Schools in Georgia was hit by a separate ransomware attack.

Who is Rhysida?

Rhysida is a ransomware group that first emerged in May 2023. It often extorts victims twice: once for a decryption key to restore attacked systems, and again in exchange for not selling or publishing stolen data. Its initial attack vectors include phishing and exploiting software vulnerabilities.

Comparitech researchers logged 58 confirmed attacks claimed by Rhysida since it came on the scene, compromising about 3.5 million records. Its average ransom demand is $1.3 million.

Rhysida’s other recent targets include the Bayhealth Medical center, the Port of Seattle/Seattle-Tacoma International Airport, Maryville Academy, and Axis Health.

Rhysida claimed responsibility for an attack this year on New Jersey City University, for which it demanded a $700,000 ransom. The University says it did not pay the ransom.

In 2024 alone, we tracked 17 confirmed attacks claimed by Rhysida, and 53 unconfirmed claims that haven’t been acknowledged by targets.

Ransomware attacks on US education

Ransomware attacks on schools can lock down computer systems and steal confidential information stored on them. The attackers then demand a ransom in exchange for a key to unlock the infected systems and for not selling or publishing the stolen data. If they don’t comply, schools lose their data, spend months restoring their systems, and put their staff and students at risk of identity theft. The ransomware can affect access to student grades, staff payroll, library loans, lunch payments, and internet access in general.

Comparitech tracked 44 confirmed ransomware attacks on the US education sector in 2024 so far, affecting 246,000 records. Overall, this year’s figures are on track to be lower than last year: 122 attacks affected 2.7 million records in 2023.

The average ransom for an attack on a school or university is $511,000.

Other recent confirmed ransomware attacks on schools include Joliet Public Schools District 86, Albany College of Pharmacy and Health Sciences (NY), Providence Public Schools (RI), Richmond Community Schools (IN), and Highline Public Schools (WA).

About Henry County Schools, TN

Henry County Schools is a public school district based in Paris, Tennessee. It enrolls 3,014 students from pre-school through high school, according to external sources.