Cyber Incident Victim: Greensville County Public Schools
Date: Sep 2021
Location: United States of America
Summary
Greensville County Public Schools experienced a cyberattack attributed to the Grief threat actor group, leading to operational disruptions including telephone system outages that were subsequently restored. The attackers exfiltrated and publicly leaked over 4,600 sensitive documents related to special education students, containing personal identifiers, medical histories, psychological evaluations, and individualized education plans, though no employee data was confirmed compromised. Grief, associated with the sanctioned Russian group Evil Corp, threatened further data destruction if victims involved law enforcement or recovery firms, mirroring tactics used against other K-12 districts. The incident exposed vulnerabilities in safeguarding highly confidential student records tied to federally mandated disability services.
Description
On September 15, 2021, Greensville County Public Schools in Emporia, Virginia, disclosed it was responding to a cyberattack. The district, comprising four schools—Belfield Elementary, Greensfield Elementary, Edward W. Wyatt Middle School, and Greensville County High School—restored telephone systems across all buildings by September 16 but provided no further updates beyond that date. On September 21, the Grief threat actor group listed the district on its dark web leak site, indicating a refusal to pay ransom demands. Grief subsequently released 4,604 exfiltrated PDF files containing sensitive records related to special education processes for students across the district’s schools. These files, dated from 2017 and 2018, included student names, addresses, phone numbers, parent or guardian names, medical or social histories, educational or psychological testing results, and documentation of individualized education plans (IEPs) or district decisions denying services. The records pertained to federally mandated evaluations and services under the Individuals with Disabilities Education Act (IDEA), with no employee personal information identified in the initial leak.

Grief, described as a potential rebranding of the DoppelPaymer ransomware group and linked to the sanctioned Russian entity Evil Corp, employed a pattern of escalating leaks to pressure victims. The group publicly endorsed threats by other actors like Ragnar_Locker to destroy data entirely if victims involved law enforcement or recovery firms. Greensville County Public Schools did not respond to inquiries about whether employee data was compromised. The incident mirrored Grief’s prior attacks on K-12 districts, including Clover Park School District in Washington, Lancaster Independent School District in Texas, and Booneville School District in Mississippi. The breach exposed highly confidential student disability and service records, creating significant privacy risks for affected families while disrupting district communications during recovery efforts.
