The attack methodology used was by exploiting a known vulnerability in PaperCut. Other schools have reportedly suffered the same attack from the group.
The details of the vulnerability and remediation required are at the following link:
https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
Summary of remediation – Upgrade of the application to versions not containing the vulnerability as follows:
- Important: Both of these vulnerabilities have been fixed in PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9 and later. We highly recommend upgrading to one of these versions containing the fix
Source of information: Enfield Council
Rhysida
Rhysida is a Ransomware-as-a-Serve (RassS) group that uses phishing and hacking tools to deploy a Windows ransomware application, also called Rhysida, to breach ransomware trends. They threaten to expose stolen data unless ransom is paid publicly. The group also operates a dark web portal, where they label themselves a 'cyber security team'. The portal showcases ongoing autction of stolen data and the number of affected victims.
A distinct feature of Rhysida’s approach is including a ransom note in PDF format. This choice hints at a strategic targeting of systems capable of handling document-based formats, potentially excluding those reliant on command-line operating systems prevalent in network devices and servers. Once the ransomware is executed and the victim’s data is encrypted, this PDF ransom note is presented, providing detailed instructions on establishing contact with the ransomware operators for payment, typically in the form of cryptocurrency like Bitcoin.
There is a concentration of confirmed cases in the UK, which stands as the second-highest affected country. In addition, the education sector is the most prominently hit by the ransomware group.
Source of Information: Cyber and Fraud Centre Scotland