When threat actors gave Greenville Technical College in South Carolina until September 4 to respond to their ransomware demands, the college didn’t worry. They had decided not to pay because they were able to recover from the attack without paying for a decryption key. But there was a second part to the ransomware attack — the threat actors had claimed to have successfully exfiltrated personal information of staff and students. And today, the threat actors are claiming that the college has lied to its staff, its students, and the public in claiming that it successfully dealt with the attack.
In a statement to Greenville News, a college spokesperson acknowledged that the attackers had been able to breach three servers and storage for three workstations by exploiting a vulnerability in the college’s virtual private network.
Although the spokesperson did not name the type of ransomware or the amount of the ransom demands, the Avaddon threat actors had listed the college on their site as one of their victims. Of note, the attackers claimed to have exfiltrated more than 600 GB of data “including Social Security numbers, driver’s license numbers, medical information, bank information, applications, of students and employees.” As proof, the threat actors had posted a few financial documents relating to the college president, his wife, and the vice president for finance.
DataBreaches.net had reached out to the college after that listing and proof, but had received no response. But the school’s statement to Greenville News appears to contradict the threat actors’ claim about exfiltrated data:
“we were able to delete the encrypted data and reload it from clean backups,” Mann said in her email. “No personal information was affected. The public was not affected in any way.
The threat actors respond that that’s false, quoting the college’s statement and responding to it on their leak site:
“Greenville Technical College thwarted a data breach by hackers without paying a ransom demand, a spokesperson said Friday night.” False, you did not thwart a data breach if we stole 600GB sensitive data
“No personal information was affected. The public was not affected in any way.” FALSE
They then dumped more financial documents from employees as proof, adding:
Check the sample folder of compromised data, ALL OF YOUR STAFF AND STUDENTS ARE IMPACTED!
You believe we did not steal your data when we compromised the entire network? Do not lie to your staff and students!
So it appears that this incident may not be as successfully resolved as the college’s statement indicated.
DataBreaches.net has reached out to the college again to ask them if they are revising the statement or claims they made to the Greenville News.
This post will be updated if a response is received, but for now, it appears that the threat actors are in possession of at least some employee financial documents. What else they may have acquired or its scope remains to be determined. But it seems clear that this story is still developing.
Update Sept. 8: The spokesperson responds that they have no update.