Data supposedly stolen from the University of Western Scotland (UWS) in a ransomware attack has been put up for sale on the dark web by a newly emergent ransomware gang going by the name of Rhysida, which is asking approximately £450,000 in Bitcoin, with plans to sell it to the highest bidder in the next few days.
According to the BBC, the incident began earlier in July and caused a brief period of downtime across some of UWS’s key systems, including its public-facing website.
The data on “offer” supposedly includes the personal details of staff members, including financial and National Insurance data, and a number of internal university documents.
A UWS spokesperson told Computer Weekly that the organisation had been the victim of a cyber crime affecting a number of digital systems.
“All appropriate steps continue to be taken to manage the situation,” they said. “The incident remains an ongoing criminal investigation and we continue to work closely with the relevant authorities, such as Police Scotland, the National Cyber Security Centre [NCSC] and the Scottish Government, who are providing support and advice. We have also reported the incident to the Information Commissioner.
“Working alongside these agencies, we are following a controlled process to work towards a resolution. We have been briefing colleagues and students since the start of this incident, and have advised colleagues that some staff data has been accessed. Staff continue to be contacted directly and provided with information and support. Our priority remains to ensure our university community and partners continue to be informed and supported at all times, while we work with law enforcement agencies as part of the ongoing criminal investigation.”
UWS said it was not able to address additional questions this time, and nor did it confirm whether or not the data dump was genuine or not.
The Rhysida ransomware gang – which draws its name from a family of large centipedes found across Africa, Central and South America, and South and Southeast Asia – is a relatively new operation which has yet to accumulate victims at scale, and about which little is known, although in June 2023, it was behind the leak of a tranche of documents stolen from the Chilean Army, according to Bleeping Computer.
According to analysts at SentinelOne, who have been able to probe the group’s modus operandi, Rhysida exhibits a number of traits shared by other ransomware gangs, including the delusion that it is a group of penetration testers who are doing their victims a favour, and the use of double extortion tactics as exhibited in the UWS attack.
It is deployed via fairly standard methods, including the use of phishing campaigns and via legitimate testing frameworks such as Cobalt Strike.
SentinelOne said the locker itself is likely in the early stages of its development cycle, as the payloads lack many commodity features synonymous with more widely used ransomwares, such as VSS removal.
Its ransom notes appear as PDF documents in affected folders on targeted drives, and instruct victims to contact the gang via its Tor-based portal using a unique identifier provided in the note. It takes payment in Bitcoin only.
Powerhouses of data
SonicWall EMEA vice-president Spencer Starkey said: “Schools and universities are huge powerhouses of data which hold incredibly sensitive information, making them a likely target for hackers. Educational institutions often have relatively weaker cyber security measures compared to other sectors because they have limited budgets and resources allocated to cyber security. The education sector is a vital institution which sits at the very centre of our society. Students, teachers and parents alike need to be able to trust that their sensitive information is being kept safe.”
Pointing to data compiled by SonicWall in its mid-year threat report that seems to suggest ransomware attacks are down in general, Starkey said that improved law enforcement focus on the issue and better cyber security practice appeared to be paying off.
“[But] these lowered numbers do not mean education institutions can breathe a sigh of relief,” he said. “In fact, it’s much the opposite, despite the drop in ransomware, attacks of all other varieties have risen, as criminals are searching elsewhere for a quicker payday.”
Another study produced by Sophos and released this week found that sector by sector, education reported the highest rate of ransomware attacks during 2022, with up to 79% of higher educational organisations saying they had been hit, and 80% of schools, up from 64% and 56% in 2021 respectively.
Unfortunately, the sector also reported one of the highest rates of ransom payment, with 56% of universities and colleges paying up, and 47% of schools doing so, resulting in significantly increased recovery costs running into the millions.
“Most schools are not cash-rich, [but] they are very highly visible targets with immediate widespread impact in their communities,” said Sophos field chief technology officer Chester Wisniewski. “The pressure to keep the doors open and respond to calls from parents to ‘do something’ likely leads to pressure to solve the problem as quickly as possible without regard for cost.”