North Carolina A&T State University, the largest historically black college in the US, was recently attacked by a ransomware group dubbed ALPHV, which has been sending university staff into a scramble for the last month to restore services.
“It’s affecting a lot of my classes, especially as I’m taking some programming classes; my classes have been cancelled,” Industrial Systems Engineering student Melanie McLellan told the school newspaper, The A&T Register. “They were far away, I still couldn’t do my chores.”
The newspaper said the breach occurred the week of March 7, when students and faculty were on spring break. Systems shut down by the intrusion included wireless connections, Blackboard classes, single sign-on websites, VPN, Jabber, Qualtrics, Banner Document Management, and Chrome River, many of which remained shut down when the student newspaper published its story two weeks ago.
The report came a day after North Carolina A&T surfaced on a dark web site that ALPHV uses to name and shame victims in order to pressure them into paying a hefty ransom.
Also known as BlackCat, ALPHV is a relative newcomer to the ransomware-as-a-service scene, in which a core group of developers works with affiliates who infect victims, and the two sides then split any resulting proceeds. Some of its members have portrayed ALPHV as the successor to the ransomware groups BlackMatter and REvil, and on Thursday researchers at security firm Kaspersky presented evidence supporting that claim.
Outrageous code reuse
An exfiltration tool previously used exclusively by BlackMatter is now being used by ALPHV/BlackCat, Kaspersky said, and “represents a new data point connecting BlackCat to past BlackMatter activity.” BlackMatter used the so-called Fendr tool to collect data from a victim’s servers before encrypting it. The exfiltration supports a double-extortion model that demands payment not only for a decryption key but also for the criminals’ promise not to publish the stolen data.
“In the past, BlackMatter has prioritized the collection of sensitive information with Fendr to successfully support their dual coercion system, just as BlackCat is doing now, and it shows a practical but brazen example of reusing malware to carry out their multi-layered blackmail,” Kaspersky researchers wrote. “The modification of this reused tool demonstrates a more sophisticated planning and development scheme for adapting to the needs of target environments that is characteristic of a more effective and experienced criminal program.”
Kaspersky said the ALPHV ransomware is unusual because it is written in the Rust programming language. Another oddity: the single ransomware executable is compiled specifically for the affected organization, often just hours before the intrusion, so previously gathered credentials are hard-coded into the binary.
Thursday’s post said Kaspersky researchers observed two ALPHV breaches, one at a cloud hosting provider in the Middle East and the other at an oil, gas, mining and construction company in South America. During the second incident, Kaspersky discovered the use of Fendr. Other breaches attributed to ALPHV include two German mineral oil suppliers and the luxury fashion brand Moncler.
A&T is the seventh US university or college hit by ransomware so far this year, according to Brett Callow, a threat analyst at the security company Emsisoft. Callow also said at least eight school districts have been hit, disrupting operations at up to 214 schools.