ThreatSTOP Blog

3 US Universities Hit with Ransomware in Same Week

Written by Ofir Ashman | July 6, 2020

The beginning of June saw a sudden surge in ransomware attacks targeting universities. Michigan State University, UCSF and Columbia College were all hit with ransomware from the NetWalker family within the same week. While each institution dealt with its network's compromise differently, this “University Ransomware Week” was certainly eye-opening for higher education institutions that may need to rethink the security solutions and measures they have implemented.

Michigan State University

The first of these three attacks was deployed on the U.S. Memorial Day holiday, compromising MSU’s computer systems and encrypting some of the University’s files: data from the Department of Physics and Astronomy, university financial information, student passport scans, and more. The threat actors then demanded an undisclosed ransom, threatening to leak the University’s data online if it was not paid. MSU quickly contacted law enforcement and, working with the MSU Police Department and Michigan State Police, decided not to pay the ransom. Not much information has been released about the extent of the damage done to the university, whether sensitive files were leaked, or whether MSU has been able to recover the encrypted files.

University of California, San Francisco

Security researchers speculate that UCSF was targeted because of its central role in American antibody testing and clinical trials for possible coronavirus treatments. With the urgency of finding a cure for Covid-19 increasing every day, threat actors are searching for any opportunity to exploit the current global situation to make a profit. Backing this theory is the fact that the hackers in this NetWalker attack targeted and encrypted servers inside the UCSF School of Medicine. With heavy hearts, the university paid the attackers $1.14 million to decrypt and return the stolen data.

Columbia College

The NetWalker hackers hit once again, this time targeting a Chicago college. The attackers claimed on their blog that they had exfiltrated "very highly sensitive data like social security numbers and other private information" from Columbia College. Columbia’s Chief of Staff, Laurent Pernot, has stated that some college, employee and student data had been accessed, though the most critical parts of their systems have been restored. So far, it has not been made public whether Columbia has paid the ransom, which they were initially given only 6 days to pay.

So what is NetWalker Ransomware?

NetWalker, also known as Mailto, was first observed in September 2019 as an updated version of Kokoklock ransomware. The ransomware compromises a network and all Windows devices connected to it, proceeding to encrypt data and rename files on the system. The hacker group behind these NetWalker attacks is one of twelve ransomware groups that use leak sites to publish stolen data and threaten victims in order to get them to pay the ransom. Two other recent big-name NetWalker attacks targeted the Australian transportation and logistics company Toll Group and the website of the Champaign-Urbana Public Health District in Illinois.

If you’re already a ThreatSTOP user, you’re protected against NetWalker in our TS Originated - Ransomware - IPs and TS Originated - Ransomware - Domains targets.

 
