Ransomware gang hijacks university alert system to issue threats

The Avos ransomware gang hijacked Bluefield University's emergency broadcast system, "RamAlert," to send students and staff SMS texts and email alerts that their data was stolen and would soon be released.

Bluefield University is a small private university in Bluefield, Virginia, with roughly 900 students.

On April 30th, the University disclosed to students and staff that they had suffered a cyberattack that impacted the IT systems, causing all examinations to be postponed.

At the time, the University claimed that its investigation had found no evidence of any cases of financial fraud or identity theft linked to this incident.

"Faculty and students can safely use and access MyBU, Canvas, and library resources through the universities website," explained Bluefield University.

However, the incident took a nasty turn on May 1st, 2023, with the Avos (aka AvosLocker) threat actors still having access to the University's RamAlert system, an emergency alert system used to warn students and staff via email and text of campus emergencies or threats.

As first reported by WVVA, the ransomware gang used the RamAlert system to send both SMS and email alerts warning that personal data was stolen and would be released if Bluefield University did not pay a ransom demand.

"Hello students of Bluefield University! We're Avoslocker Ransomwar. We hacked the university network to exfiltrate 1.2 TB files," read one of the alerts to students and staff.

"We have admissions data from thousands of students. Your personal information is at risk to be leaked on the darkweb blog."

"DO NOT ALLOW the University to lie about severity of the attack! As proof we leak sample Monday May 1st 2023 18:00:00 GMT (2:00:00 PM)"

Additional alerts shared links and instructions on accessing the ransomware gang's data leak site to see further messages about the attack and any leaked data.

The final message delivered through the hijacked RamAlert system urged recipients to share the information with news outlets and threatened to publish all stolen data if the University did not pay them a ransom.

Later that day, the ransomware gang released a limited amount of stolen data, including a W-2 Tax Form for the University's President and a document related to their insurance policy.

The use of the emergency alert system is likely meant to prevent the University's administration from downplaying the impact of the cyberattack or claiming that no data had been stolen, essentially increasing the extortion pressure on the educational institute.

Bluefield University published an update on the cyberattack, informing students and staff that remediation and system restoration efforts are still underway, and they still haven't found any evidence of abuse of student data.

However, the educational institute admitted that their emergency alerts system had been hacked and urged people contacted by the cybercriminals not to click on any links or respond to these messages.

Ransomware groups have used multiple methods to raise the heat on their victims with double and triple extortion, including calling their partners, emailing their customers, emailing their competitors, or setting up data leak portals with search features.

The hijack of an emergency alerts system appears to be a novel extortion method. While it could be an opportunistic case, it shows the lengths to which ransomware actors go to amplify their blackmail.