Ransomware Attack on Conference USA Exposes 1 TB of Sensitive Data

Incident Date:

June 27, 2024

Overview

Title

Ransomware Attack on Conference USA Exposes 1 TB of Sensitive Data

Victim

Conference USA (CUSA)

Attacker

Abyss

Location

Dallas, Texas, USA

First Reported

June 27, 2024

Ransomware Attack on Conference USA by Abyss Group

Overview of Conference USA

Conference USA (CUSA) is a prominent intercollegiate athletic conference that competes in NCAA Division I. Established in 1995 and headquartered in Dallas, Texas, CUSA oversees athletic competitions among its member institutions, which are spread across the Southern and Western United States. The conference currently has 10 member institutions, with plans to expand to 12 teams by 2025. CUSA's primary functions include organizing regular-season games, coordinating championship tournaments, and ensuring compliance with NCAA regulations. The conference also focuses on the academic and personal development of student-athletes, providing resources and programs aimed at promoting academic excellence, leadership skills, and community involvement.

Attack Overview

On May 7, 2024, the Abyss ransomware group claimed responsibility for a cyberattack on Conference USA by listing CUSA on its Tor-based leak site and asserting that it had exfiltrated 1 TB of data. The contents of that data have not been disclosed. Given the conference's role, it could include personal information on student-athletes and staff as well as financial and contractual records, which is why the claim raises serious questions about the security controls in place at CUSA.

Details of the Ransomware Group

The Abyss ransomware group is a multi-extortion operation that emerged in March 2023 and primarily targets VMware ESXi environments. It runs a Tor-based leak site where it names victims and publishes exfiltrated data when victims do not meet its demands. Abyss Locker campaigns have hit finance, manufacturing, information technology and healthcare organisations, with a primary focus on the United States. The operation is believed to predate the leak site by many months: earlier variants of Abyss, including a Windows version, have been observed as far back as 2019.

Penetration and Vulnerabilities

Abyss typically gains initial access by brute-forcing SSH on internet-exposed servers whose configuration allows it (password authentication enabled, weak or reused credentials, no lockout or rate limiting). Its Linux/ESXi payloads are derived from the leaked Babuk codebase and behave much like other Babuk descendants: the locker has a plain command-line interface, and the operator must supply the path to encrypt (for example a datastore path on an ESXi host). Encrypted files receive the ".crypt" extension, and every folder that contains encrypted files also receives an Abyss Locker ransom note with the ".README_TO_RESTORE" extension.
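
The two behaviours above, SSH brute force on the way in and a recognisable file-name pattern on the way out, are both things a defender can look for. The Python below is an added example written for this page, not tooling from the tracker or the group: it finds brute-force bursts (and whether the same address later logged in) in constructed OpenSSH log lines in the classic Debian-style auth.log layout, and walks a constructed directory tree for ".crypt" files and ".README_TO_RESTORE" notes. The host name, IP addresses, account names, VM file names and the ransom-note base name "WhatHappened" are all assumptions; the page only gives the two extensions.

```python
import re
import shutil
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

# OpenSSH auth lines in the classic syslog layout (e.g. Debian /var/log/auth.log);
# other syslog timestamp formats need the leading group adjusted.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample log (not from the CUSA incident): one source address
# guessing passwords for several accounts and then getting in, one legitimate user.
SAMPLE_AUTH_LOG = """\
Jun 27 03:14:01 host1 sshd[2211]: Failed password for root from 203.0.113.45 port 51010 ssh2
Jun 27 03:14:03 host1 sshd[2212]: Failed password for root from 203.0.113.45 port 51012 ssh2
Jun 27 03:14:04 host1 sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51014 ssh2
Jun 27 03:14:06 host1 sshd[2214]: Failed password for root from 203.0.113.45 port 51016 ssh2
Jun 27 03:14:09 host1 sshd[2215]: Failed password for invalid user vmware from 203.0.113.45 port 51018 ssh2
Jun 27 03:14:11 host1 sshd[2216]: Failed password for root from 203.0.113.45 port 51020 ssh2
Jun 27 03:15:40 host1 sshd[2220]: Accepted password for root from 203.0.113.45 port 51022 ssh2
Jun 27 08:02:17 host1 sshd[3002]: Failed password for jdoe from 198.51.100.7 port 40022 ssh2
Jun 27 08:02:31 host1 sshd[3003]: Accepted publickey for jdoe from 198.51.100.7 port 40024 ssh2
""".splitlines()


def detect_ssh_bruteforce(lines, threshold=5, window=timedelta(minutes=2), year=2024):
    """Return {ip: summary} for every source IP with at least `threshold` failed
    SSH logins inside any `window`-long interval. The summary also records whether
    the same IP logged in successfully after the burst, i.e. whether guessing worked.
    Syslog timestamps carry no year, so the caller supplies it."""
    by_ip = defaultdict(list)  # ip -> [(timestamp, result, user)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        by_ip[m["ip"]].append((ts, m["result"], m["user"]))

    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [(ts, user) for ts, result, user in events if result == "Failed"]
        burst_at = None
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it lies within `window` of failures[end].
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_at = failures[end][0]
                break
        if burst_at is None:
            continue
        success = any(r == "Accepted" and ts >= burst_at for ts, r, _ in events)
        hits[ip] = {
            "failures": len(failures),
            "users": sorted({user for _, user in failures}),
            "success_after_burst": success,
        }
    return hits


def find_abyss_artifacts(root):
    """Walk `root` and return (encrypted_files, ransom_notes) as sorted POSIX
    relative paths, using the two file-name indicators quoted above."""
    root = Path(root)
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.endswith(".crypt"):
            encrypted.append(rel)
        elif path.name.endswith(".README_TO_RESTORE"):
            notes.append(rel)
    return sorted(encrypted), sorted(notes)


def build_sample_tree():
    """Create a throwaway directory that looks like a datastore after encryption
    (constructed for this example; file and note names are assumed) and return it."""
    root = Path(tempfile.mkdtemp(prefix="abyss-demo-"))
    vm = root / "datastore1" / "dc01"
    vm.mkdir(parents=True)
    (vm / "dc01-flat.vmdk.crypt").write_bytes(b"\x00" * 16)
    (vm / "dc01.vmx.crypt").write_bytes(b"\x00" * 16)
    (vm / "WhatHappened.README_TO_RESTORE").write_text("ransom note placeholder\n")
    iso = root / "datastore1" / "iso"
    iso.mkdir()
    (iso / "installer.iso").write_bytes(b"\x00" * 16)  # untouched file, must not be flagged
    return root


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"brute-force source {ip}: {info}")
    root = build_sample_tree()
    encrypted, notes = find_abyss_artifacts(root)
    print(f"encrypted files: {encrypted}")
    print(f"ransom notes: {notes}")
    shutil.rmtree(root)
```

The "success_after_burst" flag is the signal worth paging on: a burst of failures is background noise on any exposed SSH port, but a burst followed by an accepted login from the same address means the weak configuration the text describes was actually exploited. The file-name scan is only a quick triage aid, since extensions and note names are trivial for an operator to change.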

In the case of Conference USA, the specific vulnerabilities or misconfigurations exploited have not been disclosed. Based on the group's known tradecraft, weak SSH configurations or unpatched internet-facing systems are plausible entry points, but that is inference rather than confirmed fact. If the claimed 1 TB of exfiltrated data is accurate, it implies sustained and broad access to CUSA's systems rather than a single compromised host, and potentially the exposure of a wide range of sensitive information.

Impact on Conference USA

The ransomware attack on Conference USA has significant implications for the organization. As a governing body that facilitates athletic competition, promotes academic and personal growth, manages media relations, and enhances the overall brand of its member institutions, CUSA's reputation and operational integrity are at stake. The exfiltration of 1 TB of data could lead to severe consequences, including financial losses, legal ramifications, and damage to the trust and confidence of student-athletes, staff, and member institutions.

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.