AvosLocker Ransomware Gang Blasts Messages to Bluefield University Victims


May 3, 2023


The AvosLocker ransomware gang has claimed responsibility for an attack that has crippled internet and other services at Bluefield University. The attackers also appear to be in control of the university's “RamAlert” emergency notification system, blasting messages to the impacted students and staff that claim they have exfiltrated sensitive data.

The messages state that the attackers have “hacked the university network to exfiltrate 1.2 terabytes of files,” and that they “will continue attacking if BU’s president does not pay,” but do not say how much ransom they are demanding.

The FBI issued an alert about AvosLocker activity back in March 2022 indicating that the group has “targeted victims across multiple critical infrastructure sectors in the U.S. including ... the financial services, critical manufacturing, and government facilities sectors.”

“As you know, on Sunday, April 30, 2023, Bluefield University discovered a cybersecurity attack that impacted our systems. Upon learning of this issue, we immediately engaged independent third-party cybersecurity experts to assist in our review and remediation efforts, but it may be a few days before full functionality can be restored,” a statement from BU school officials said.  

“We are working through the investigation to determine the nature and extent of the incident. However, as of now, we have no evidence indicating any information involved has been used for financial fraud or identity theft.”

Takeaway: "What’s unprecedented in this attack is that the AvosLocker operators are communicating directly with the impacted population whose data is at risk and whose daily lives have been disrupted by the attack," Jon Miller, CEO and Co-founder of Halcyon, told the CyberWire.

"We have seen cases of double and triple extortion where the attackers reach out to a victim’s clients or partners in an effort to put more pressure on the victim to pay. But I don’t think we have seen an attacker actively communicate and basically lobby the secondary victims of a ransomware attack in this manner."

"While the disruption to services is always a concern, the real threat here in the long-term is the theft of sensitive, personal, and financial data. This is where we see the potential for some lasting damage. The attack can be remediated, and systems respond, but once the data is in the hands of the threat actors, even if a ransom is paid there is no guarantee the data will be exploited in further crimes," Miller continued.

"Ransomware attacks that include the theft of sensitive data will continue unabated until the profit motives for the threat actors are eliminated. This is organized crime we are dealing with; they only care about bringing pain to victims for their own financial gain."

"To protect themselves and their students, education organizations must seriously reevaluate what kinds of data they collect and store, and for how long. Eliminating the unnecessary storage of sensitive data will make EDU organizations a less attractive target to attackers and help reduce overall risk."

"Ransomware groups continue to victimize the education sector simply because they are easy targets. CISA recently warned about the growing risk to the education sector from ransomware attacks, noting that some gangs disproportionately target the education sector." 

"CISA released updated guidelines for K-12 organizations, but guidelines don’t protect systems and they don’t pay for security boots on the ground. The education sector needs more resources and more skilled personnel, or they will keep being victimized in this manner."
