AvosLocker ransomware group has claimed the Bluefield University ransomware attack, hijacking the university’s mass alert system to display its own messages.
According to a statement released by Bluefield University, their alert system, RAMAlert was hacked to display the ransomware group’s warnings. The university detected the ransomware attack on April 30, 2023.
Message on the RAMAlert post the Bluefield University ransomware attack
It read, “Hello students of Bluefield University!… DO NOT Allow the university to lie about severity of the attack! As proof we leak sample Monday 1 May 2023 18:00 GMT.”
The group claimed to leak sensitive student data on the dark web blog as proof to convince the students that they hacked their university.
The alert titled, “Cyber Attack Update” further stated that they have stolen 1.2 TB files from the network via the Bluefield University ransomware attack.
They also claim to have admission data belonging to thousands of students. The group posted a link to download the Tor Browser to see and download their own stolen data.
The group also asked the readers of the RAMAlert to spread the news to the local media that they will post all the stolen data if the ransom was not paid.
While the group claimed to post the data on May 1, an investigation by Data Breaches.Net stated that the they did not find the Bluefield University listed on the leak site. However, the report added that the ransomware group may upload the data with a proof pack.
It is not clear how much ransom the group has demanded.
AvosLocker hacking the network in the Bluefield University ransomware attack, hijacking their mass alert system, and speaking with the students directly points towards the need to upgrade the security and protect data that could gravely impact students and the educational sector.
Students speak up about the Bluefield ransomware attack
A news report by WVVA featured recorded statements from two students who spoke about the Bluefield University ransomware attack on the condition of anonymity.
One of them said, “I think they’re doing the best they can with the circumstances. It kind of came out of nowhere. I could see how it would be difficult to… kind of prepare for something like this. I believe that they’ll get through it. It’s just a little bump in the road, but they’ll get through it.”
The student’s response showed hope and faith in the university’s approach to handling the ransomware attack.
Meanwhile, the officials from the university confirmed to the students that they can give their final exams despite the delay of one day. And the myBU and Canvas websites were safe to be used by them.
Ransomware gangs and education sector
The education sector has been in the crosshairs of cybercriminals for years. If anything, it is getting worse. According to a study by Comparitech, almost 1000 schools were affected by ransomware in 2021, impacting about a million students.
The estimates of the cost to education institutions is around $3.5 billion in downtime alone, not to mention the ransomware payments themselves, according to cybersecurity company Syxsense.
In many cases, the ransom is paid. Otherwise, schools and colleges face days or weeks of shutdowns, often at critical periods such as during exam or enrollment for the new year.
In some cases, these attacks are fatal. Lincoln College, attacked in late 2021 has now permanently closed its doors due to fallout from the attack that led to a lack of enrollments. To make matters worse, the college paid the ransom.
Ransomware payouts from educational institutions vary widely. They range from $100,000 to as much as $40 million.
Hackers typically do their homework in advance and have become skilled in knowing the means of the institution and the business impact of being shut out of systems, noted Syxsense. They set their ransoms accordingly.
Vice Society is a ransomware gang that has been involved in high-profile activity against schools recently.
Unlike many other ransomware groups such as LockBit that follow a typical ransomware-as-a-service (RaaS) model, Vice Society’s operations are different in that they’ve been known for using forks of pre-existing ransomware families in their attack chain that are sold on DarkWeb marketplaces, noted cybersecurity company Palo Alto networks.
These include the HelloKitty (aka FiveHands) and Zeppelin strains of ransomware as opposed to Vice Society developing their own custom payload.
