DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Avos Locker starts leaking student data from Bluefield College; claims to still have access

Posted on May 7, 2023 by Dissent

The situation with the ransomware attack on Bluefield University continues to escalate. The attack by Avos Locker occurred on April 30. On May 1, the attackers used the college’s RAMAlert emergency system to blast messages to all students informing them of the breach and threatening to leak their data if the college didn’t pay them. Avos added to the pressure by posting a sample of student files with personal information on their leak site. The sample appeared to contain more than two dozen student records from 2018 and 2019. DataBreaches verified a sample of the records and confirmed by a Google search that people with those names lived in the West Virginia and Virginia areas. DataBreaches did not attempt to contact the former students directly at this time.

Gone and Then Back

Earlier yesterday, DataBreaches noticed that the Bluefield listing on the Avos Locker leak had disappeared. DataBreaches commented on that on infosec.exchange because removing a listing may indicate that the victim has either paid or is negotiating something. By last night, however, the listing had reappeared, and a new user joined infosec.exchange to tell us that the leak had been republished and why:

We republished the leak because they’re not paying us. 10 minutes after we texted their students, they opened the negotiation chat, send no messages, then disappeared for 5 days. They write “hello, can you help us get our data back?” then stop replying so we don’t care anymore.

the leak post is live and will remain published. Appears they were instructed by FBI to send false messages

When DataBreaches inquired whether they still had access to the RAMAlert system, they answered:

they locked us out from RamAlert still have valid access to other systems

In a subsequent chat on Tox, the affiliate involved in the Bluefield attack told DataBreaches that Bluefield University had seen their ransom demand on the negotiation page. Instead of communicating about decryption or data deletion, however, they remained silent for four days. On May 5, they allegedly wrote, “Hello, can you help us get our data back?”

The affiliate claims that after they replied to Bluefield, Bluefield read their reply but then didn’t respond again. “This tactic is common with organizations not intending to pay. Even with cyberinsurance and ransomware coverage, they don’t take this event seriously,” the affiliate told DataBreaches.

[The affiliate’s statements quoted in this post have been lightly edited to correct typos and for clarity.]

Expanding on their previous reply that they had been locked out of access to RAMAlert but still had access to other systems, the affiliate commented, “They’re unable to revoke our access. This is a byproduct of terrible network security and hygiene. They’ll likely never revoke every entry point we have. We’re considering blasting the leak post link through their communication channels other than RamAlert. :)”

In response to a comment by DataBreaches that it would be good to avoid emergency broadcast systems in these days of shooter events when emergency systems could be needed to save lives, the affiliate replied, “Understandable, this was the easiest efficient method to reach students at the time. Everyone is aware of the attack so they can’t hide much now. Unfortunately, they are (intentionally?) misleading media about the initial breach.”

The affiliate clarified that they were referring to a statement made by a university official that the attack started with the email system.

“This did not happen,” the affiliate told DataBreaches. “We used their email system to send ransom notes to staff members immediately after deploying the locker. Maybe this is what they’re speaking about, but we were already deep in AD [Active Directory] before sending emails.”

“They’re clueless even with ‘professional cyber security experts,’ the affiliate added. “An organization with bad IT practices, no MFA, old passwords, shared accounts, etc., will likely remain vulnerable to attacks at all times. If they pay us, we’re glad to share the initial access method. Otherwise, they’ll remain vulnerable to attacks.”

DataBreaches emailed an inquiry to Bluefield quoting the above criticism and asking them if they wished to comment, but no reply was immediately available.

The college’s most recent update was on May 1, after they discovered that the threat actors were blasting out messages to students via the RAMAlert system. They have yet to disclose or confirm the apparent leak of some student data. When asked whether they had exfiltrated any sensitive data on employees or students, like medical or counseling records, the affiliate replied that they hadn’t looked specifically for those types of data, but it might be present in the archive.

 

Category: Education SectorHackU.S.

Post navigation

← Murfreesboro Medical Clinic reopens some, but not all, services. Attack appears to be work of BianLian.
Roskomnadzor’s structure was fined for improperly divulging employee information →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware
  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.