
Universities in New Mexico, Oklahoma respond to ransomware attacks

Cybercriminals forced class cancellations, limited access to critical staff systems and exposed the sensitive information of thousands of students at a university in New Mexico, and a school in Oklahoma continued to assess damage caused by a ransomware gang. 

New Mexico Highlands University (NMHU) said it was forced to cancel all classes through this weekend after initially reporting an incident on April 3. Cancellations began that day and affected the public university’s campuses in Albuquerque, Rio Rancho, Santa Fe and Farmington.

NMHU initially said its campus police switchboard and police poles — where students can report emergencies — were not functioning. The school had to provide alternative phone numbers for emergencies.

The school said that by April 5, the cybersecurity firm it hired to deal with the network outage confirmed that it was a ransomware attack. Payroll for professors and staff was also affected by the incident.

The school said it was told by incident responders that it is “one of several state entities recently attacked” but university spokesperson David Lepre told the Albuquerque Journal that they were not informed of what other New Mexico institutions were affected by recent attacks.

“We are still working to determine the full extent of the attack,” the school said. “To that end, ITS has begun installing software on university computers to assist with the investigation. This software is tightly restricted and monitors only for malicious activity.”

The FBI and several state law enforcement agencies are involved in the response, he added. 

On Tuesday, the school — which serves about 4,000 students — said phones on campus had been restored but internet and VPN connectivity were still down. NMHU has set up centers on campus to help employees with payroll and other actions that cannot be done without the school network.

The school was previously attacked by an unnamed ransomware gang in 2019, causing similar technology outages for almost two weeks. 

New Mexico institutions have faced a barrage of ransomware attacks in recent years, including multiple K-12 schools across the state, hospitals, and several counties — including one that has been attacked twice in the last two years. 

The attacks prompted Gov. Michelle Lujan Grisham to issue an executive order last week mandating comprehensive action to enhance cybersecurity measures across state agencies. The order directs the Department of Information Technology (DoIT) to conduct thorough information technology and security assessments of state agencies for vulnerabilities and to harden defenses as necessary. The order also “encourages all public bodies not subject to the order to voluntarily comply with its rules, standards, and requirements.”

“Cybersecurity is not just a technological issue; it’s a matter of public safety and national security,” Grisham said. 

New Mexico is also one of the few states to pass bills that provide funding for cybersecurity training and ransomware response tools.

BlackSuit ransomware attack in Oklahoma

East Central University in Ada, Oklahoma, announced this week that it is investigating a ransomware attack that took place in February.

The school released multiple advisories saying that while the attack was largely unsuccessful — taking down only a few campus computers — the hackers were still able to access significant amounts of student information including Social Security numbers. 

The advisories also explicitly mention that the school was attacked by the BlackSuit ransomware gang — a rebrand of the Royal ransomware group that launched the devastating attack on the city of Dallas.

“East Central University experienced a directed attack from a cybercriminal group and malicious software known as BlackSuit. While the criminals were not successful in taking down ECU’s critical services, they were able to conduct a successful attack on a variety of campus computers,” the school told students.

“The scope and scale of the data involved on the servers attacked are still being investigated, but currently there has been no evidence that any information was taken. However, this week, we determined that a number of individual names and Social Security numbers may have been accessible to the criminal group – while we have no confirmation that they were in fact accessed, much less taken, we are providing this notice while we continue to investigate.”

The school’s IT team worked with a cybersecurity firm to stop the attack, reset passwords and answer any questions students and faculty may have.  

They still do not know how the ransomware gang got into the school’s systems but noted that they “did see an increase in spam/malicious emails in the days leading up to the attacks.”

Multiple ransomware experts said the number of attacks on universities, colleges and other post-secondary schools in the U.S. was slightly lower than it was at this point last year.

Emsisoft threat analyst Brett Callow said his team had tracked 14 attacks on U.S. colleges and universities so far this year while Recorded Future ransomware expert Allan Liska said his data also showed a minor dip in the number of attacks targeting post-secondary schools this year. 

Emsisoft tracked at least 72 U.S.-based post-secondary schools impacted by ransomware in 2023.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.