Ransomware Attack Disrupts WSU Tech: 10GB Data Leaked by Fog Group

Incident Date:

July 22, 2024

Overview

Victim

Wichita State University Campus of Applied Sciences and Technology

Attacker

Fog

Location

Wichita, Kansas, USA

First Reported

July 22, 2024

Ransomware Attack on Wichita State University Campus of Applied Sciences and Technology by Fog Group

Overview of the Victim

Wichita State University Campus of Applied Sciences and Technology, commonly known as WSU Tech, is a public community college located in Wichita, Kansas. The institution, previously known as Wichita Area Technical College, became affiliated with Wichita State University in 2018. WSU Tech operates multiple campuses in the Wichita metropolitan area, with its primary campus being the National Center for Aviation Training. The college offers over 100 degree and certificate programs across various fields, including business, healthcare, engineering, and technology. WSU Tech is particularly noted for its focus on applied sciences and technical education, providing students with practical skills that are directly applicable in the workforce.

Attack Details

The ransomware attack on WSU Tech was discovered on July 23, 2024, and has resulted in a data leak of approximately 10GB. The institution is currently assessing the extent of the breach and working on mitigation strategies to secure its systems and protect sensitive information. The attack has disrupted the college's operations, affecting both students and faculty. The ransomware group Fog has claimed responsibility for the attack on its dark web leak site.

About the Ransomware Group

Fog ransomware is a malicious software variant that emerged in November 2021, primarily targeting Windows systems. It encrypts files and appends the extension ".FOG" or ".FLOCKED" to the affected filenames. The ransomware drops a ransom note named "readme.txt" or "HELP_YOUR_FILES.HTML," informing victims that their files have been encrypted and urging them to contact the attackers for file recovery. Fog ransomware has been particularly disruptive and is heavily focused on the education sector, which accounts for 80% of its victims.
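The file markers named above can drive a quick triage pass over a file listing during incident response. The following is an added example, not part of the original report; the function names and the sample listing are constructed, and the only indicators used are the extensions and note names stated in this article. Because "readme.txt" is common on clean systems, a note name counts only when the same directory also holds files with one of the encrypted extensions.

```python
import os
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators as stated in the article above.
ENCRYPTED_EXTS = {".fog", ".flocked"}
NOTE_NAMES = {"readme.txt", "help_your_files.html"}


def triage(paths):
    """Group indicator hits by directory for an iterable of file paths.

    Returns {directory: {"encrypted": [...], "notes": [...]}} only for
    directories holding at least one file with an encrypted extension.
    A ransom-note name on its own is ignored to avoid false positives.
    """
    hits = defaultdict(lambda: {"encrypted": [], "notes": []})
    for raw in paths:
        # PureWindowsPath parses both "\\" and "/" separators on any OS.
        p = PureWindowsPath(raw)
        if p.suffix.lower() in ENCRYPTED_EXTS:
            hits[str(p.parent)]["encrypted"].append(p.name)
        elif p.name.lower() in NOTE_NAMES:
            hits[str(p.parent)]["notes"].append(p.name)
    return {d: h for d, h in hits.items() if h["encrypted"]}


def walk(root):
    """Yield every file path under root (live or mounted volume)."""
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


# Constructed sample listing, not taken from any real incident.
SAMPLE = [
    r"D:\Shares\Finance\budget.xlsx.FOG",
    r"D:\Shares\Finance\q2.docx.flocked",
    r"D:\Shares\Finance\readme.txt",
    r"D:\Tools\putty\README.txt",
    r"D:\VMs\app01\app01.vmdk.FLOCKED",
    r"D:\VMs\app01\HELP_YOUR_FILES.HTML",
]

if __name__ == "__main__":
    for directory, h in sorted(triage(SAMPLE).items()):
        print(f"{directory}: {len(h['encrypted'])} encrypted, notes={h['notes']}")
```

To scan a mounted volume instead of the sample listing, pass `walk(root)` to `triage`.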

Penetration and Impact

Attackers typically gain access with compromised VPN credentials, involving VPN products from two different vendors, which gives them remote entry to the network. Once inside, Fog ransomware can disable Windows Defender, encrypt Virtual Machine Disk (VMDK) files, delete backups from Veeam, and remove volume shadow copies, making recovery extremely difficult. There is currently no known decryptor for Fog ransomware, and paying the ransom does not guarantee file restoration. The ransom demands are usually made in Bitcoin, and the threat actors may provide a link and a code for communication within the ransom note.

Vulnerabilities and Targeting

WSU Tech's focus on applied sciences and technical education makes it a valuable target for ransomware groups like Fog. The institution's reliance on digital infrastructure for educational delivery and administrative functions increases its vulnerability to cyberattacks. Additionally, the open admissions policy and diverse student body may contribute to a broader attack surface, making it easier for threat actors to exploit potential weaknesses in the system.
