University of Oklahoma isolates systems after ‘unusual activity’ on IT network

The University of Oklahoma said it is taking steps to address unusual cyber activity it discovered on its network. 

The school, which has more than 34,000 students, appeared on the leak site of a ransomware gang on Tuesday, with the group claiming to have stolen 91 GB of data that allegedly includes employee data, financial information and more.

“The University recently identified unusual activity on our IT network. Upon discovery, we isolated certain systems and are investigating the matter,” a spokesperson told Recorded Future News. “As part of this ongoing process, measures are being implemented across our network.”

The school did not respond to further questions about what caused the incident, what systems were impacted and whether a ransom would be paid. 

The University of Oklahoma had its first official day of the new semester on Monday, but last week was forced to close campus and cancel in-person courses due to a snow storm, prompting employees to work remotely. 

The ransomware gang that claimed to be behind the University of Oklahoma incident has repeatedly targeted higher education institutions by exploiting compromised VPN credentials, according to experts. 

The group, known as Fog, emerged in May 2024 and cybersecurity researchers at Arctic Wolf said all victim organizations listed on the gang’s website were located in the United States, with 80% in the education sector.

“In each of the cases investigated, forensic evidence indicated that threat actors were able to access victim environments by leveraging compromised VPN credentials. Notably, the remote access occurred through two separate VPN gateway vendors,” Arctic Wolf said. 

Large universities like the University of Oklahoma are frequent targets for ransomware gangs, particularly during or after the holiday season when IT teams are lightly staffed. 

Stanford University and The University of Michigan both dealt with ransomware attacks that forced the schools to take parts of their networks offline. 

Last year, East Central University in Ada, Oklahoma similarly dealt with a ransomware attack that only took down a few campus computers but caused a larger data breach involving student information and Social Security numbers.