Colleges and schools are a big target for cybercriminals, so the fact that a ransomware gang hacked a university in Virginia last month isn’t exactly surprising. What is surprising is what the ransomware gang did next. In a bold move, the gang hijacked the school’s emergency communications system, using it to spam students and faculty with threatening SMS messages and boast about its recent hacking victory.
The unfortunate victim in this case—Bluefield University—is a private Baptist university located in Western Virginia. On April 30th, Bluefield disclosed to the students and faculty that it had been hacked but claimed that it didn’t yet see any evidence of “financial fraud or identity theft” as a result of the incident. Not to be outdone, the gang responsible for the hack—a group known as “Avos” (or “AvosLocker”)—decided it wanted the last word on the matter.
On May 1st, about a day after Bluefield disclosed the hacking episode, Avos apparently used its access to the school’s network to take control of its emergency broadcast system. Bluefield uses a system dubbed “RamAlert,” which it describes as a “wireless emergency notification system created in an effort to enhance communication to students, parents, faculty, and staff during times of crisis on campus.” During the recent crisis that was the ransomware attack, however, it wasn’t administrators who were in control of the system but the hackers—who used it to notify students and faculty alike that the university’s network had officially been pwned and its data stolen. A message sent out to campus-goers read:
“Hello students of Bluefield University! We’re Avoslocker Ransomwar. We hacked the university network to exfiltrate 1.2 TB files...We have admissions data from thousands of students. Your personal information is at risk to be leaked on the darkweb blog.”
“DO NOT ALLOW the University to lie about severity of the attack! As proof we leak sample Monday May 1st 2023 18:00:00 GMT (2:00:00 PM)”
The gang also said it would “continue attacking [the school] if BU’s president does not pay.”
Following the incident, Bluefield released another statement acknowledging that Avos had “impacted our mass alert system, RAMAlert” and warning students not to “click on any links provided by the individual or respond.”
This is a pretty unusual turn of events and a fairly theatrical move on the part of the Avos ransomware gang. Clearly it was a move designed to intimidate school administrators and cow them into giving in to the gang’s demands.
You could say it’s part of a broader pattern in which ransomware gangs have been growing bolder and more creative with how they execute attacks. More and more, gangs seem to be finding new ways to intimidate victims, in an effort to extract a successful ransom payment. Another example of this is a recent attack on the Minneapolis Public School system in which a gang leaked sensitive student psychological data to the web and aggressively promoted the material on traditional social media channels. Like the Bluefield incident, that one showed gangs using whatever was at their disposal to make paying the gang seem like an appealing option.