The decision by the University of Hawaii to pay the hackers responsible for a ransomware attack on Hawaii Community College was the first such payment in state history, according to the governor’s office.
The attack was first noticed on June 13 and impacted roughly 28,000 current and former HCC staff and students.
The payment was handled by UH, which can be reimbursed through the state’s cyber insurance, James Gonser, senior communications manager for the Office of Enterprise Technology Services, said in an email.
The decision to pay the hackers was made after discussions with several UH administrators and tech experts to protect the 65 gigabytes of data that may have been compromised.
“After consultation with the Office of General Counsel and privacy counsel, the administration, including president and vice president for IT, ultimately approved payment,” a UH official said via email. “The criminal threat actor has a documented history of publicly posting the stolen personal information of individuals when the institution decides not to engage with the threat actor.
“While the university has received a log file indicating the files were removed, the university is providing monitoring and identity theft protection services to the impacted individuals.”
According to a July 26 letter from HCC’s Interim Chancellor Susan Kazama that was sent to those potentially compromised by the attack, “impacted files may have contained (individuals) first and last name and Social Security number” as well as “information related to any financial aid packages” received while attending HCC.
Those impacted will have until Oct. 19 to register for free credit monitoring, identity restoration and theft insurance protection provided by Experian Identity Works.
The UH official also confirmed the group responsible for the attack was named “NoEscape,” also stylized as “N0_Esc4pe.”
The group has been cited by several online technology and cybersecurity media outlets as a new gang of hackers targeting Windows, Linux and VMware ESXi servers. Outlets have also claimed the threat actors have demanded ransoms as high as $10 million in the past, but UH confirmed the payout was below $250,000.
Ransomware analyst Allan Liska told one outlet that the hacking group was spotted advertising its services on the cybercriminal forum RAMP.
“Despite being relatively new, they have already hit at least half a dozen victims,” Liska told TheRecord. “Including a hospital in Belgium, a manufacturing company in the U.S. and another manufacturing company in the Netherlands.”
UH confirmed work on HCC’s IT infrastructure remains underway, and full restoration of the wired network is expected to be completed next week.
NOIRLab, the U.S. center for ground-based optical-infrared astronomy, also confirmed that on Aug. 1 it detected its own “cyber incident,” forcing the suspension of observations at Gemini North on Maunakea and its computer systems.
NOIRLab opted to isolate the Gemini Observatory computer by shutting the system down, and it remains offline as of Wednesday.
While a statement from NOIRLab confirmed there is no suspected impact on other infrastructure, a representative declined to comment whether the incident was a ransomware attack or when the system would return online.
An investigation and recovery plan with cyber specialists is currently underway, according to the NOIRLab statement.
Email Grant Phillips at firstname.lastname@example.org.