Ransomware Gang Has a Change of Heart?

Last updated on August 1st, 2023 at 02:03 am

An AI generated image of a crown on top of a laptop.
Image generated using Midjourney. Prompt: Royal ransomware data services.

After adding a Massachusetts school district to their dark web leak site last Wednesday, the Royal ransomware gang appears to have had a change of heart. In a lengthy statement shared by security researcher Dominic Alvieri on Twitter, the gang claimed they were no longer planning to release the stolen data and had instead deleted it without payment.

In their missive, the cybercriminal group claimed they “respect” the school district’s commitment to academic excellence and “as a result made an executive decision to not publish [the school district’s] data and entirely delete it.” The gang admitted to “temporarily” publishing some data, but asked anyone who downloaded it “to immediately delete it.” 

While claims the data has been deleted should be viewed with suspicion, the fact that the gang is not publishing the stolen files is a positive development. That’s because schools hold highly sensitive information, which can be extremely damaging to students and teachers if leaked. For example, information from the Minneapolis School District published by the Medusa ransomware gang included reports of abuse, rape and mental health breakdowns, as well as student names, addresses and dates of birth.

An AI generated image of a laptop on a table in a classroom.
Image generated using Midjourney. Prompt: A laptop with malware sitting on top of a table in a conference room. Bright colors.

In the rest of their statement, Royal made over-the-top and, frankly, bizarre claims about their values that contradict their past behaviors. For example, the gang wrote, “we respect the sanctity of educational and healthcare services. Unlike our competitors which have no ethical boundaries […], we believe that the potential harm to students that could result from data publishing, is an unwanted risk that we refuse to take.” 

The criminal group also stressed their “commitment to trust, respect, and transparency,” declaring these to be “the bedrock principles upon which Royal Data Services operates.” They further added that their decision not to release the stolen data “embodies our ethical charter, highlighting our firm belief in the value of privacy and trust.”

However, according to data from threat intelligence service ecrime.ch, Royal has named 13 educational institutions and 11 healthcare organizations as victims this year. The gang ultimately went on to publish data from one school district, one school and eight healthcare facilities. These are not the actions of a group that respects educational institutions and healthcare facilities or that values privacy and trust.

So what should we make of this? Perhaps Royal truly intends to turn over a new leaf and will avoid targeting schools in the future. Or perhaps their statement was written as a joke. But even if Royal’s claims are genuine, schools still face a real and rising threat from ransomware and need to take steps to protect their sensitive data.
