Ransomware Attack on NJCU by Rhysida Group: Key Details

Incident Date: July 27, 2024


Overview

Title: Ransomware Attack on NJCU by Rhysida Group: Key Details
Victim: New Jersey City University
Attacker: Rhysida
Location: Jersey City, New Jersey, USA
First Reported: July 27, 2024

Ransomware Attack on New Jersey City University by Rhysida Group

Overview of New Jersey City University

New Jersey City University (NJCU) is a public university located in Jersey City, New Jersey. Established in 1927, NJCU serves over 8,500 students and offers a wide range of undergraduate and graduate programs, including two doctoral programs. The university is known for its commitment to equity-driven education and strong ties to the local community. NJCU provides a comprehensive college experience that extends beyond academics, focusing on holistic student development and engagement.

Details of the Ransomware Attack

Between June 4 and June 10, NJCU fell victim to a ransomware attack orchestrated by the Rhysida Ransomware Group. The attackers demanded a ransom of $700,000 in Bitcoin, with a payment deadline of August 3. The breach compromised sensitive information, including Social Security numbers, driver's license numbers, and financial account details. NJCU did not notify its students and staff until nearly seven weeks after the attack. Upon discovering the unauthorized access, NJCU reported the incident to law enforcement and began securing its network and assessing the breach's impact.

About the Rhysida Ransomware Group

The Rhysida Ransomware Group is a relatively new player in the cybercrime arena, first sighted in May 2023. The group primarily targets sectors such as education, healthcare, manufacturing, information technology, and government. Rhysida ransomware is written in C++ and targets the Windows Operating System. The group employs a double extortion technique, stealing data before encrypting it and threatening to publish it on the dark web unless a ransom is paid. Rhysida uses the ChaCha20 encryption algorithm and generates ransom notes as PDF documents named “CriticalBreachDetected.pdf”.

Potential Vulnerabilities and Penetration Methods

Rhysida typically relies on phishing campaigns to deliver its ransomware. For initial access, the group uses valid credentials and connects to the victim network over VPN. Once inside, it runs Windows net commands and tools such as Advanced IP/Port Scanner to enumerate domains and hosts, and uses Sysinternals tools such as PsExec for lateral movement. NJCU's delay in notifying affected individuals and potential gaps in its cybersecurity measures may have contributed to the success of the attack.
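The TTPs above (net-based domain enumeration, PsExec lateral movement, and the CriticalBreachDetected.pdf ransom note) each leave a distinct trace in Windows telemetry. The following is an added detection example, not code from the original page or from the tracker site: it runs three simple rules over constructed sample events and escalates any host that trips more than one of them. The event schema (host, type, event_id, image, cmdline, service_name, path) is a simplified stand-in for what an EDR or SIEM would export; the event IDs used (Windows System 7045 for service installation, Security 4688 for process creation, Sysmon 11 for file creation) and the PSEXESVC service name are real, but the log lines themselves are made up for this example.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry as JSON lines. These are invented for the
# example (simplified field names); they are not logs from NJCU.
SAMPLE_EVENTS = r"""
{"host":"ws-12","event_id":4688,"type":"process","image":"C:\\Windows\\System32\\net.exe","cmdline":"net group \"Domain Admins\" /domain"}
{"host":"ws-12","event_id":7045,"type":"service","service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe"}
{"host":"fs-01","event_id":7045,"type":"service","service_name":"PSEXESVC","image_path":"%SystemRoot%\\PSEXESVC.exe"}
{"host":"fs-01","event_id":11,"type":"file","path":"D:\\Shares\\Finance\\CriticalBreachDetected.pdf"}
{"host":"ws-03","event_id":7045,"type":"service","service_name":"Spooler","image_path":"C:\\Windows\\System32\\spoolsv.exe"}
{"host":"ws-03","event_id":11,"type":"file","path":"C:\\Users\\a\\Documents\\report.pdf"}
"""

# Ransom note file name reported for Rhysida (compared case-insensitively).
RANSOM_NOTE = "criticalbreachdetected.pdf"


def check_event(ev):
    """Return (rule_name, detail) if the event matches a Rhysida-style TTP, else None."""
    kind = ev.get("type")

    # Rule 1: PsExec installs a service named PSEXESVC on the target host
    # (System log event 7045). Legitimate admin use exists, so this is a
    # lateral-movement signal to correlate, not a verdict on its own.
    if kind == "service" and ev.get("event_id") == 7045:
        if ev.get("service_name", "").upper() == "PSEXESVC":
            return ("psexec_service_install", ev["service_name"])

    # Rule 2: the ransom note dropped anywhere on disk (Sysmon event 11).
    if kind == "file":
        if PureWindowsPath(ev.get("path", "")).name.lower() == RANSOM_NOTE:
            return ("ransom_note_dropped", ev["path"])

    # Rule 3: net.exe / net1.exe queried with the /domain switch, the
    # "net commands" used for domain reconnaissance.
    if kind == "process":
        image = PureWindowsPath(ev.get("image", "")).name.lower()
        if image in ("net.exe", "net1.exe") and "/domain" in ev.get("cmdline", "").lower():
            return ("net_domain_recon", ev["cmdline"])

    return None


def detect(jsonl):
    """Parse JSON lines and return a list of (host, rule_name, detail) hits."""
    hits = []
    for line in jsonl.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        match = check_event(ev)
        if match:
            hits.append((ev["host"], match[0], match[1]))
    return hits


def score_hosts(hits):
    """Escalate hosts that match two or more distinct rules; single hits get review."""
    rules_by_host = defaultdict(set)
    for host, rule, _ in hits:
        rules_by_host[host].add(rule)
    return {h: ("escalate" if len(r) >= 2 else "review") for h, r in rules_by_host.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, rule, detail in found:
        print(f"{host:6} {rule:24} {detail}")
    print(score_hosts(found))
```

On the sample data, ws-12 is escalated for domain recon followed by a PsExec service install, and fs-01 for a PsExec install followed by the ransom note; ws-03 (a normal Spooler service and an ordinary PDF) produces no hit. The per-host correlation matters because each rule alone, especially the PSEXESVC one, fires on legitimate administration.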

Sources

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors' lucrative success so far, ransomware has become the most ubiquitous, and the most financially and informationally damaging, cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.