North Carolina A&T hit with ransomware after ALPHV attack
Image: Dom Fou, The Record
Jonathan Greig April 7, 2022

North Carolina A&T University has become the latest school hit with ransomware in 2022.

The largest historically black college or university (HBCU) showed up on the ransomware victim site of the ALPHV/Black Cat group on Wednesday, after the school released a public statement two weeks ago detailing a “cybersecurity breach.”

The university said it was attacked during its spring break, the week of March 7-11, continuing a longstanding trend of ransomware groups attacking victims when they know security teams will be at their smallest.

The ransomware attack disrupted the school’s wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Qualtrics, Banner Document Management and Chrome River. Some of the services are still down. 

The ALPHV/Black Cat ransomware group said it stole the personal information – including Social Security numbers – of students, teaching staff and others. The group also claimed to have stolen contracts, financial information, SQL databases and email databases. 

North Carolina A&T University Director of Media Relations Jackie Torok told The Record that “after exhaustive review, multiple investigating agencies have found no current faculty, students or staff were affected by this incident.”

She declined to comment further when asked questions about claims from the ransomware group that disputed her comments. 

A listing from ALPHV/BlackCat’s ransomware page.

Emsisoft threat analyst Brett Callow, a ransomware expert tracking attacks on schools and local governments, said North Carolina A&T University was at least the seventh US university or college attacked with ransomware in 2022. 

Many experts believe the ALPHV/Black Cat ransomware group is a rebrand of the BlackMatter and DarkSide ransomware groups. The group has so far been implicated in attacks on two German oil companies and Italian fashion brand Moncler.

In January, Palo Alto Networks’ Unit 42 released a deep-dive that found the group racked up at least 10 victims in December, giving it the seventh-largest number of victims listed on their leak site among ransomware groups tracked by Unit 42. 

‘Making progress’

North Carolina A&T University faced backlash from students over the lack of notification about the ransomware attack. Todd Simmons, the Vice-Chancellor of University Relations, told the school newspaper that they had to “respect the integrity of the investigation that is being undertaken by federal and state authorities.”

He added that the university wanted to give the IT department time to restore services and also did not want to “signal any vulnerabilities to any potential bad actors that they might take advantage of.”

“They’re making progress, of course not as fast as all of us would like including IT services, but when I tell you that the staff there is literally working around the clock to resolve this. I really feel for the colleagues there who are just putting in a Herculean lift to get us fully back and functional,” Simmons told the school newspaper. 

“[This] is a part of an overall dynamic where literally hundreds of thousands of hack attempts are made daily on institutions like ours. We avoid 99.9% of those hacks, but it only takes one to compromise your system.”

Recorded Future ransomware expert Allan Liska said colleges and universities continue to be attractive targets for ransomware groups.

“2022 is shaping up to be even worse than 2021 in terms of ransomware attacks on schools,” he said.

“Like primary and secondary schools, colleges and universities struggle and lack the budget and staff to properly secure themselves against the onslaught of ransomware attacks.”

Liska said through March of 2022, his team has recorded 37 publicly reported ransomware attacks against schools, compared to 127 in all of 2021. The first 3 months of this year have seen more attacks than in any previous year, he added. 

Experts have confirmed that at least six US universities and colleges – Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas, National University College – have been hit with ransomware this year. 

One North Carolina A&T University engineering student, Melanie McLellan, told the school newspaper that the ransomware attack made it nearly impossible for her to complete many assignments. 

“It’s affecting a lot of my classes, especially since I do take a couple of coding classes, my classes have been canceled. They have been remote, I still haven’t been able to do my assignments,” McLellan said.

Another HBCU, Howard University, announced that it was hit with a ransomware attack last September. The attack forced the school to cancel classes and limit student access to university resources. 

Who is ALPHV?

Kaspersky released a new report today detailing two separate attacks by ALPHV, noting that the complexity of the malware used, combined with the vast experience of the actors behind it, “make the gang one of the major players in today’s ransomware market.”

BlackCat/ALPHV victims by country. Image: Palo Alto Networks’ Unit 42

Unit 42’s report said the ransomware emerged in mid-November 2021 as an innovative ransomware-as-a-service (RaaS) group leveraging the Rust programming language and offering affiliates 80-90% of ransom payments.

The group has been seen targeting both Windows and Linux systems, according to Unit 42, which added that it has observed affiliates asking for ransom amounts of up to $14 million. In some instances, affiliates have offered discounts of $9 million if the ransom is paid before the established time. They allow ransom to be paid in Bitcoin and Monero.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.