The Avos ransomware gang hijacked Bluefield University’s emergency broadcast system, “RamAlert”, to send students and staff text messages and email alerts that their data had been stolen and would soon be published.
Bluefield University is a small private university located in Bluefield, Virginia with approximately 900 students.
On April 30, the University disclosed to students and staff that they had suffered a cyberattack that impacted IT systems, causing all exams to be postponed.
At the time, the University said its investigation found no evidence of financial fraud or identity theft related to the incident.
“Faculty and students can securely use and access MyBU, Canvas and library resources through the university’s website,” explained Bluefield University.
However, the incident took a bad turn on May 1, 2023, with the Avos (aka AvosLocker) threat actors still having access to the University’s RamAlert system, an emergency alert system used to notify students and staff via email and text of emergencies or threats on campus.
As first reported by WVVA, the ransomware gang used the RamAlert system to send SMS and email alerts warning that personal data had been stolen and would be released if Bluefield University did not pay a ransom demand.
“Hello students of Bluefield University! We are Avoslocker Ransomware. We have hacked into the university network to exfiltrate 1.2TB files,” read one of the student and staff alerts.
“We have admissions data of thousands of students. Your personal information may be leaked to the darkweb blog.”
“DO NOT LET the University lie about the seriousness of the attack! As proof, we are releasing a sample on Monday May 1, 2023 at 18:00:00 GMT (14:00:00)”
Additional alerts shared links and instructions on accessing the ransomware gang’s data leak site to see further messages about the attack and any data leaks.
The final message delivered through the hijacked RamAlert system urged recipients to share the information with the media and threatened to release all stolen data if the University did not pay them a ransom.
Later that day, the ransomware gang released a limited amount of stolen data, including a W-2 tax form for the university president and a document related to their insurance policy.
The use of the emergency alert system is likely intended to prevent the University administration from downplaying the impact of the cyberattack or asserting that no data has been stolen, which increases the extortion pressure on the educational institution.
Bluefield University has released an update on the cyberattack, notifying students and staff that remediation and system restoration efforts are still ongoing, and they have still found no evidence of abuse of the student data.
However, the educational institute acknowledged that its emergency alerts system had been hacked and urged those contacted by the cybercriminals not to click on any links or respond to such messages.
Ransomware groups have used several methods to up the ante on their victims with double and triple extortion, including calling their partners, sending emails to their customers, sending emails to their competitors, or setting up data leak portals with search functions.
Hijacking an emergency alert system seems to be a new method of extortion. While this may be an opportunistic case, it shows how far ransomware actors will go to amplify their blackmail.