According to The Arizona Republic and Tucson-based KOLD News 13 , that incident was a ransomware attack. Ransomware group Royal claimed credit for the attack in a letter that staff found in their printers Monday morning, per KOLD.
The newspaper obtained a copy of the ransom note, in which Royal said it had stolen and encrypted school district data and demanded payment.
“Your critical data … can be published online,” the letter threatens. “Then anyone on the Internet from the darknet and even your employees will be able to see your internal documentation.”
Royal’s activities were first observed in September 2022, according to a December 2022 alert from the U.S. Department of Health and Human Services (HHS).
The group seems to be profit-focused and its “requested demand for payment has been seen to range anywhere from $250,000 U.S. Dollars (USD) to over $2 million USD,” per the HHS alert. Royal “appears to consist of experienced actors from other groups” and does not seem to use affiliates.
TUSD is the largest school district in Arizona. Administrative staff were largely working from home on Tuesday as the situation remained unresolved, per The Arizona Republic. Despite the cyber incident, TUSD asserted in its email that “schools are fully functioning and students have access to the tools they need to continue their learning and stay on track.”
TUSD is also working with “national external cybersecurity experts” to analyze the incident and a forensic investigation is “in its early stages and ongoing,” it said.
A 2018 performance audit of TUSD found security weaknesses, including lack of a contingency plan should systems or equipment be disrupted, per The Arizona Republic. The district said in an August 2018 response that it would make improvements, including finalizing a disaster recovery plan, removing system access for employees no longer with the district and bolstering password strength requirements.
