Ransomware Attack on Conference USA by Abyss Group

Overview of Conference USA

Conference USA (CUSA) is a prominent intercollegiate athletic conference that competes in NCAA Division I. Established in 1995 and headquartered in Dallas, Texas, CUSA oversees athletic competitions among its member institutions, which are spread across the Southern and Western United States. The conference currently has 10 member institutions, with plans to expand to 12 teams by 2025. CUSA's primary functions include organizing regular-season games, coordinating championship tournaments, and ensuring compliance with NCAA regulations. The conference also focuses on the academic and personal development of student-athletes, providing resources and programs aimed at promoting academic excellence, leadership skills, and community involvement.

Attack Overview

On May 7th, 2024, the Abyss ransomware group claimed responsibility for a cyberattack on Conference USA. The group listed CUSA as a victim on their dark web leak site, reporting the exfiltration of 1 TB of data. The attack has raised significant concerns about the security measures in place at CUSA, given the sensitive nature of the data involved, which likely includes personal information of student-athletes, staff, and possibly financial records.

Details of the Ransomware Group

The Abyss ransomware group is a multi-extortion operation that emerged in March 2023, primarily targeting VMware ESXi environments. The group is known for hosting a TOR-based website where they list victims along with exfiltrated data if the victims fail to comply with their demands. Abyss Locker ransomware campaigns have targeted various industries, including finance, manufacturing, information technology, and healthcare, with a primary focus on the United States. The group's operations are believed to have started many months prior to the posting of their TOR-based blog, with previous variations of Abyss, including a Windows variant, observed as far back as 2019.

Penetration and Vulnerabilities

The Abyss ransomware group typically gains initial access through weak SSH configurations, employing SSH brute force attacks to establish entry to exposed servers. For Linux systems, Abyss Locker payloads are derived from the Babuk codebase and function similarly. The ransomware has a standard command line interface, requiring the threat actor to define a targeted path for encryption. Encrypted files are noted with the ".crypt" extension, and any folder containing encrypted files will also contain Abyss Locker ransom notes with the .README_TO_RESTORE extension.

In the case of Conference USA, the specific vulnerabilities exploited by the Abyss group have not been disclosed. However, given the group's known methods, it is likely that weak SSH configurations or unpatched systems may have been the entry points. The exfiltration of 1 TB of data suggests that the attackers had significant access to CUSA's systems, potentially compromising a wide range of sensitive information.

Impact on Conference USA

The ransomware attack on Conference USA has significant implications for the organization. As a governing body that facilitates athletic competition, promotes academic and personal growth, manages media relations, and enhances the overall brand of its member institutions, CUSA's reputation and operational integrity are at stake. The exfiltration of 1 TB of data could lead to severe consequences, including financial losses, legal ramifications, and damage to the trust and confidence of student-athletes, staff, and member institutions.

Sources

• Conference USA Official Website
• PCRisk: Abyss Ransomware
• Dark Reading: Abyss Locker Ransomware