It’s becoming a common story. Experienced hacking groups exploit vulnerabilities in widely used third-party software to gain a foothold in an enterprise’s network. In the most recent case, the Clop ransomware gang leveraged a zero-day vulnerability in a widely used file transfer appliance from Accellion to penetrate university networks, as well as those of a number of other enterprises. Interestingly, even though this group is known for its ransomware operations, it is not deploying ransomware in these attacks; it is stealing data and extorting the victims with it.
Originally, a ransomware attack relied on getting victims to pay for decrypting files that the criminals had encrypted. Then the criminals took this to a new level. If the victim did not pay the ransom within a prescribed time, the attackers would raise the demand and begin leaking samples of the stolen data online. Now they seem to be relying on pure extortion… or maybe not. There is no reason to exclude the possibility that this is a double-tap attack. The extortion angle may be used to find out which enterprises are willing to pay up. Those that do could be announcing themselves as prime targets for a subsequent ransomware attack.
This may already be happening at the University of California San Francisco. They were the victims of a ransomware attack last year, and, despite the advice from law enforcement, they paid up. Here is part of that negotiation that the BBC was invited to view.
In the end, the university agreed to pay the criminals $1.14 million. Maybe they felt this was a bargain, as the initial demand was for $3 million. But what they didn’t know is that with this payment they were placed on a ‘suckers list’. This is a list of victims that is circulated among hackers and which identifies people or organizations that caved in to ransom demands. What’s worse is that they, in effect, placed the entire University of California system on the same list, so it is little wonder that the criminals came back for a second helping of cash. In fact, criminals have been known to secretly keep a backdoor in place after they have promised to remove ransomware from the victim’s computer or network. This lets them easily get back into the device or network if they decide to return in the future, which is why a paid ransom is no substitute for rebuilding compromised systems from known-good images and rotating credentials. Last year, the University of Utah paid a ransom of $457,000. It will be interesting to see if they are attacked again. That said, Utah State University recently received a warning from the F.B.I. that it may be targeted with a ransomware attack.
So, which of the schools recently hacked have paid a ransom? What, exactly, have the hackers exposed? Here is where the situation stands at the moment.
University of California
It seems the University of California has learned its lesson. As of this writing, they have not paid any ransom to the attackers. In response, the hackers have released samples: screenshots, plus multiple gigabytes of files available for download. Here are some screenshots that show what the hackers have. (I have obscured important information. The hackers have not.)
Keep in mind that these are financially motivated hackers. With such information they could construct an effective spearphishing attack on any student or employee at the university. They could also sell this information to other hacking groups or open credit accounts in the victims’ names. Does this mean that everyone at the university needs to change all of their personal information, such as their Social Security Number? Maybe. In practice, a Social Security Number is rarely reissued, so the realistic protections for those affected are a credit freeze, fraud alerts, and heightened suspicion of any email that references their enrollment or employment details.
University of Colorado
The University of Colorado at Boulder has not paid a ransom. However, if it does, it may mark the other schools in its university system as targets worth pursuing. Not paying, though, still means that other universities in the system could be hit with spearphishing attacks that appear to come from trusted sources, since the stolen data supplies exactly the names, roles and contact details such emails need.
So, basically, the hackers have all of this biographical information on every student. They also have students’ academic records. It is not clear how much banking information they have.
University of Maryland
Just like the schools above, the criminals have all the personal information on UMD’s students and employees, including their Social Security Numbers and Taxpayer Identification Numbers. They also have the documents that students supplied when they were admitted to the school, such as passports, certificates, or driver’s licenses. So far, UMD has not paid a ransom.
University of Miami
Much the same as above. The hackers have shown that they have all the students’ personal information: names, addresses, email addresses, phone numbers, and SSNs. They also appear to have some medical records. No ransom appears to have been paid, and no information about this attack appears on the university’s website.
It seems the medical school was the main victim, though the criminals could easily use this access as a springboard to the rest of the university. In addition to personal data, the hackers have apparently stolen tax information, as seen below.
Universities will always attract hackers. Universities hold a treasury of personal information that can be monetized. They have research that can be useful to nation-states. And, unlike private companies, they have to disclose a hack within a day, although that is still disputed. In other words, hackers realize they can pressure universities more easily than other enterprises. But not to worry. In a recent Vice post, a cybersecurity researcher says she received this notice from the Clop hacking group when they obtained her personal information from a hack.
“We inform you that information about you and your purchases, as well as your payment details, will be published on the darknet if the company does not contact us. Call or write to this store and ask to protect your privacy.”
In other words, the hackers are cutting out the middleman and hoping the people caught up in the hack will work with them to put pressure on the hacked enterprise. It’s an interesting maneuver. It would be more interesting still if they offered a cash incentive to people who helped them in this way. Who knows? That may be next.