Occasionally, more than one ransomware team or affiliate may hit the same target. But could three different groups or affiliates have hit Stratford University this year, or is there some other explanation?
Stratford University has several accreditation and certification credentials. It also offers several academic programs, with two campuses in Virginia, one in Maryland, and one in New Delhi, India. Stratford also offers online programs.
In April, what appeared to be a second version of the REvil group added Stratford University to their dedicated leak site.
REvil did not seem to follow up with any more data, and DataBreaches could not download the first data pack as the URL returned a “disconnected message.”
In mid-August, Snatch Team added Stratford University to their leak site.
Although their listing did not indicate how many GB of data they claimed to have, they informed DataBreaches that their incident was unrelated to REvil’s listing.
Snatch Team dumped 53 GB of files from Stratford University on their site yesterday. DataBreaches has been unable to download that leak, as their leak site returns a secure connection failure that could not be bypassed. If the data become available, DataBreaches will attempt to inspect it.
And as if two groups of threat actors claiming to have your data were not enough, Avos Locker added Stratford University to their leak site this week. They inform DataBreaches that their listing has nothing to do with the REvil listing or the Snatch Team listing and that they have approximately 25 GB of data in more than 30,000 files.
Avos has provided a “proof pack” but has not leaked much data yet. The files in the proof pack are not current, making it difficult to determine whether Avos Locker had access to Stratford at any time after April or August when the other groups added Stratford to their leak sites.
According to statements made to DataBreaches, neither Snatch Team nor Avos Locker attempted to encrypt any files; they exfiltrated files and tried to ransom them. DataBreaches does not know if REvil deployed any ransomware in their claimed attack.
Initial attempts to reach Stratford U. via email failed. The university has only a handful of email addresses that are publicly shared on their website, and three of them bounced back mailbox full. Email inquiries were sent to other email addresses earlier today, but no reply has been received.
Was Stratford University attacked by one ransomware affiliate who has divvied up the data among three groups? It’s possible, but uncertain at this point.
DataBreaches could find no statement on Stratford’s website about any breach.
This post will be updated when more information becomes available.