A ransomware gang has hijacked an alert system used by a university and used it to issue threats to staff and students to pressure the university into paying the ransom. The attack was conducted by the Avos ransomware gang on Bluefield University in Virginia. Like many universities, Bluefield has an emergency alert system that sends SMS messages and emails to staff and students to warn them about emergencies and threats, such as active shooter alerts. The RamAlert system was hijacked by the Avos group and was used to send alerts to staff and students warning them that their personal data has been stolen and would soon be published online if the ransom was not paid.
Ransomware gangs have been adopting more aggressive tactics to pile pressure on victims to pay ransoms, and it has become increasingly common for ransomware actors to target individuals whose data has been stolen and issue threats and attempt to extort the victims, as well as the organizations targeted in the attack. In this attack, the aim was to get staff and students to pressure the university into paying the ransom to prevent the exposure of their data.
The attack was identified by the university in late April, and staff and students were notified about the attack on April 30, 2023. The attack crippled IT systems and caused major disruption, resulting in the postponement of examinations. Then, on May 1, 2023, staff and students started receiving emails and SMS messages via the RamAlert system. A series of alerts were sent that informed staff and students about the attack, the amount of data stolen, and the types of information that would be released.
“We have admissions data from thousands of students. Your personal information is at risk to be leaked on the darkweb blog,” wrote the Avos group in one of the alerts, and “DO NOT ALLOW the University to lie about severity of the attack! As proof we leak sample Monday May 1st 2023 18:00:00 GMT (2:00:00 PM)” in a follow up message. Alerts were also sent that directed the recipients to the group’s data leak site, where a sample of the stolen data had been uploaded, and urged staff and students to report the attack to the media in an apparent effort to prevent the university from downplaying the attack.
The University confirmed in a follow up announcement that it has identified no misuse of stolen data. “We are working through the investigation to determine the nature and extent of the incident. However, as of now, we have no evidence indicating any information involved has been used for financial fraud or identity theft.” The university also confirmed that its emergency alert system had been hijacked and urged staff and students not to click any of the links in the messages and to ignore the alerts. There are no indications that the Avos ransomware gang’s ploy has worked.
This is a novel tactic that has not been seen in previous attacks, but it is a tactic that will no doubt be repeated. Ransomware gangs are adopting a range of new tactics to increase the pressure on victims to pay the ransom, as increasing numbers are refusing to do so, even when faced with data exposure.