BlackCat ransomware group claims attack on Florida International University

The BlackCat (ALPHV) ransomware group says it has struck again, with Florida International University as their latest victim.

The ransomware group, which most recently attacked North Carolina A&T University, claimed it has stolen a range of personal information from students, teachers and staff. Within the 1.2 TB of data it claims to have taken are contracts, accounting documents, social security numbers, email databases and more.

When asked for comment, the university shared a message it sent out to campus on Friday.

“Today, a ransomware group posted that sensitive FIU data had been exfiltrated. We have been investigating and there is no indication thus far that sensitive information has been compromised. At this time, no further information is available,” the university said.

A spokesperson for the university did not respond to follow-up questions about the group’s claims. Cybersecurity experts who looked at the allegedly stolen data confirmed that it did include sensitive information from staff and students at the university.

The attack would make Florida International University the eighth reported US university or college hit with ransomware in 2022 after Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas, National University College and North Carolina A&T University.

Recorded Future ransomware expert Allan Liska said through March of 2022, his team has recorded 37 publicly reported ransomware attacks against schools, compared to 127 in all of 2021. The Record is an editorially independent publication owned by Recorded Future.

The first 3 months of this year have seen more attacks than in any previous year, Liska added.

BlackCat has attacked at least three of the US universities or colleges. Emsisoft threat analyst Brett Callow and others believe the group is a rebrand of the BlackMatter and DarkSide ransomware groups. The group has so far been implicated in attacks on two German oil companies and Italian fashion brand Moncler.

Callow noted that while many organizations initially say there is “no evidence information has been compromised,” that is often not the case.

“Absence of evidence is not evidence of absence. In previous incidents, multiple organizations which initially stated they had no evidence of data being compromised later discovered that it had been — usually, when the attackers released it online,” Callow said.