Ransomware Group Threatens End-Users Like It’s the Wild West
Ransomware perpetrators are continually devising innovative strategies to coerce their victims into meeting their demands. But, in most cases, threats are aimed at those who can pay: the organization’s senior management – or even their shareholders.
End-users, the people who use the organization’s IT on an everyday basis, don’t usually come into the firing line. Yet, in May 2023, we witnessed the first time that a ransomware group used an emergency broadcast system to directly threaten end-users, with the aim of getting the target organization to pay up.
It’s really becoming like the wild west out there, and it doesn’t help that some victims are so hapless in how they respond to a ransomware attack. Let’s see what happened a couple of weeks back at Bluefield University.
Attack on an Educational Institution
On April 30, sysadmins discovered that a ransomware group named Avos infiltrated Bluefield University, a private university in Virginia that accommodates about 900 students.
The ransomware infection started in late April, and was severe enough for the university to temporarily defer all examinations. The university asserted at the time that the culprits did not carry out financial fraud or identity theft. Bluefield University announced the attack as follows:
“As you know, on Sunday, April 30, 2023, Bluefield University discovered a cybersecurity attack that impacted our systems. Upon learning of this issue, we immediately engaged independent third-party cybersecurity experts to assist in our review and remediation efforts… as of now, we have no evidence indicating any information involved has been used for financial fraud or identity theft.”
Who is Avos? Well, the Federal Bureau of Investigation (FBI) identifies Avos (or AvosLocker) as an affiliate-based group providing ransomware-as-a-service, and as a group that has specifically targeted various critical infrastructure sectors within the United States. These sectors include, but are not limited to, financial services, critical manufacturing, and government facilities.
Presumably, Avos didn’t get what they wanted fast enough, because the group took an escalating step. In most instances, threat actors tend to communicate with those in power at an organization – the people who can pay a ransomware demand. In this instance, Avos – for whatever reason – decided to threaten the university’s students directly, through the university’s emergency notification system.
Early in May, just before noon on a Monday, the ransomware group messaged all the university’s students through the university’s RamAlert emergency messaging service, which delivers critical messages over SMS. The message said:
“We’re the Avoslocker ransomware. We hacked the university network to exfiltrate 1.2 TB of files. We have admissions data from thousands of students. Your personal information is at risk to be leaked on the dark web blog. Do not allow the university to lie about the severity of the attack.”
Avos were able to do that because the RamAlert system was just one of the many Bluefield University systems that they managed to take control of.
It’s a bold move from the ransomware group and was presumably done to put more pressure on the university’s administrators to pay up. It’s hard to know what that felt like for students – but it couldn’t have been a good feeling getting informed in such a visceral way that your personal data is at risk of being exposed.
A Hapless Victim?
As Avos was communicating directly with the students, the university’s communication with the students was somewhat lacking, to say the least. At first, the university said that they did not see any evidence of any “identity theft,” but never warned students that there was a very real risk of that happening.
By March 13, reports surfaced suggesting that, unsurprisingly, identity theft is a concern in this instance. According to reports on DataBreaches.net, the university did not alert its students that its systems remained vulnerable, which allowed the malicious cyber actor to keep accessing and taking files.
DataBreaches.net received a message from the hacking group containing the personal details of a tuition grant applicant. Just the day before, the student in question filled out a Virginia Tuition Assistance Grant application containing their full Social Security number, date of birth, and other personal details – and Avos delivered the full details.
Whether the reports from DataBreaches.net are accurate or not is hard to tell, but the situation is reminiscent of the gratuitous sharing of personal data in the breach of the Minneapolis public school system in March. In that instance, hackers published personal data, including birthdays, social security numbers, and worse – leaking the sensitive information of hundreds of children with special needs who attended the school.
On and On It Goes
This incident is part of a larger trend of ransomware attacks targeting schools, companies, and government bodies across the US. Ransomware hackers often use various methods to coerce their victims, including encrypting computer files, publishing stolen information on their websites, and promoting their crimes. However, this seems to be the first time that an emergency alert system was used to pressure a victim.
The hacker group responsible for this attack is primarily Russian-speaking, according to information found in underground forums. Such groups are typically difficult for U.S. law enforcement to reach directly.
This incident illustrates two things: yes, protect your system against ransomware every which way you can. But even if you have a world-class cybersecurity posture, hackers can still get in. What you do next really matters.
Worried about a ransomware attack – or have you already fallen victim? Read our guide on reacting to ransomware to see how your organization can respond confidently and communicate clearly when a ransomware attack happens.