The situation with the ransomware attack on Bluefield University continues to escalate. The attack by Avos Locker occurred on April 30. On May 1, the attackers used the college’s RAMAlert emergency system to blast messages to all students informing them of the breach and threatening to leak their data if the college didn’t pay them. Avos added to the pressure by posting a sample of student files with personal information on their leak site. The sample appeared to contain more than two dozen student records from 2018 and 2019. DataBreaches verified a sample of the records and confirmed by a Google search that people with those names lived in the West Virginia and Virginia areas. DataBreaches did not attempt to contact the former students directly at this time.
Gone and Then Back
Earlier yesterday, DataBreaches noticed that the Bluefield listing on the Avos Locker leak had disappeared. DataBreaches commented on that on infosec.exchange because removing a listing may indicate that the victim has either paid or is negotiating something. By last night, however, the listing had reappeared, and a new user joined infosec.exchange to tell us that the leak had been republished and why:
We republished the leak because they’re not paying us. 10 minutes after we texted their students, they opened the negotiation chat, send no messages, then disappeared for 5 days. They write “hello, can you help us get our data back?” then stop replying so we don’t care anymore.
the leak post is live and will remain published. Appears they were instructed by FBI to send false messages
When DataBreaches inquired whether they still had access to the RAMAlert system, they answered:
they locked us out from RamAlert still have valid access to other systems
In a subsequent chat on Tox, the affiliate involved in the Bluefield attack told DataBreaches that Bluefield University had seen their ransom demand on the negotiation page. Instead of communicating about decryption or data deletion, however, they remained silent for four days. On May 5, they allegedly wrote, “Hello, can you help us get our data back?”
The affiliate claims that after they replied to Bluefield, Bluefield read their reply but then didn’t respond again. “This tactic is common with organizations not intending to pay. Even with cyberinsurance and ransomware coverage, they don’t take this event seriously,” the affiliate told DataBreaches.
[The affiliate’s statements quoted in this post have been lightly edited to correct typos and for clarity.]
Expanding on their previous reply that they had been locked out of access to RAMAlert but still had access to other systems, the affiliate commented, “They’re unable to revoke our access. This is a byproduct of terrible network security and hygiene. They’ll likely never revoke every entry point we have. We’re considering blasting the leak post link through their communication channels other than RamAlert. :)”
In response to a comment by DataBreaches that it would be good to avoid emergency broadcast systems in these days of shooter events when emergency systems could be needed to save lives, the affiliate replied, “Understandable, this was the easiest efficient method to reach students at the time. Everyone is aware of the attack so they can’t hide much now. Unfortunately, they are (intentionally?) misleading media about the initial breach.”
The affiliate clarified that they were referring to a statement made by a university official that the attack started with the email system.
“This did not happen,” the affiliate told DataBreaches. “We used their email system to send ransom notes to staff members immediately after deploying the locker. Maybe this is what they’re speaking about, but we were already deep in AD [Active Directory] before sending emails.”
“They’re clueless even with ‘professional cyber security experts,’ the affiliate added. “An organization with bad IT practices, no MFA, old passwords, shared accounts, etc., will likely remain vulnerable to attacks at all times. If they pay us, we’re glad to share the initial access method. Otherwise, they’ll remain vulnerable to attacks.”
DataBreaches emailed an inquiry to Bluefield quoting the above criticism and asking them if they wished to comment, but no reply was immediately available.
The college’s most recent update was on May 1, after they discovered that the threat actors were blasting out messages to students via the RAMAlert system. They have yet to disclose or confirm the apparent leak of some student data. When asked whether they had exfiltrated any sensitive data on employees or students, like medical or counseling records, the affiliate replied that they hadn’t looked specifically for those types of data, but it might be present in the archive.