On May 1st, a group of cyber criminals hacked into and gained control over a U.S. university’s emergency alert system. Students at Bluefield University received the following unexpected message:

“Hello students of Bluefield University! We’re Avoslocker Ransomwar. We hacked the university network to exfiltrate 1.2 TB files…We have admissions data from thousands of students. Your personal information is at risk…”

The ransomware group then threatened to continue disrupting the institution if the university’s president refused to pay a ransom.

What else happened…

The day before this incident, Bluefield University experienced a ‘typical’ cyber attack that involved data theft. Bluefield quickly notified students and faculty of the attack, stating that it hadn’t yet seen evidence of “financial fraud or identity theft.” At that point, the cyber attackers escalated the situation…

Further incident information

The final cyber criminal message delivered via the hijacked emergency alert system encouraged students to freely share information about the attack with media outlets. It also threatened the release of sensitive data.

Later in the day, the ransomware gang published a limited quantity of stolen data, including a W-2 tax form belonging to the university’s president and a document related to the school’s insurance policy.

The aftermath

Following the incident, Bluefield shared a statement acknowledging that AvosLocker had indeed impacted the campus’s mass alert system, which was designed to function as an emergency communication tool in the event of an on-campus crisis.

The hijacking of the emergency alert system by AvosLocker could have been an attempt to prevent administrators from underplaying the cyber attack or denying data theft. In so doing, attackers may have intended to force the university’s hand in paying a ransom fee.

What the attack means

Some analysts contend that this dramatic cyber attack is part of a broader pattern. Ransomware attackers are growing bolder and more creative with their attack efforts. An increasing number of ransomware gangs appear to be zeroing in on new ways to intimidate victims.

AvosLocker ransomware 

AvosLocker, the ransomware gang that attacked Bluefield University, speaks Russian in underground forums. On such forums, a user known as “Avos” has been observed attempting to recruit hackers, many of whom end up working for the group as affiliates.

The group has been in operation for several years and the group’s leak site lists victim entities from around the world. In the U.S., the Federal Bureau of Investigation has published an advisory about the AvosLocker threat. Details include information about how the group has previously operated and attack mitigation recommendations.

Ransomware prevention resources

Take forward-looking measures to prevent ransomware attacks from occurring within your organization. See our ransomware prevention resources:

Ensure that your and your teams are prepared to respond to the most sophisticated of ransomware threats.

Further information is available here. Lastly, to receive cutting-edge cyber security news stories, best practices, expert interviews, whitepapers and more, please sign up for the CyberTalk.org newsletter.