February 2024

Oregon Community College Halts Classes Due to 'LockBit' Ransomware Attack

An Oregon-based community college experienced significant operational disruptions following a ransomware attack by the ‘LockBit’ group, leading to the cancellation of classes and halting financial aid payments. A week into the ordeal, Cybersixgill reported the appearance of LockBit's official statement on its data leak website.

 

Behind the Headline

In January this year, Clackamas Community College experienced a ransomware attack attributed to the LockBit ransomware group. The attack led to the disruption of the college's operations, including the cancellation of classes and the temporary shutdown of its online systems. Students and faculty were prevented from accessing the school's online portal, Moodle, affecting approximately 16,000 students and 900 faculty members. The institution referred to the incident as an "attempted ransomware attack." Since then, however, a number of posts on X (formerly Twitter) have shared screenshots showing Clackamas Community College listed on LockBit’s dedicated leak site, citing a ransomware deadline of 16th February 2024.

Following the incident, staff informed students of the attack and its impact through social media channels. A dedicated website was also launched to provide updates on the status of the investigation and the recovery process, reiterating tips and best practices for students, including reviewing their credit card and bank account statements, obtaining and reviewing credit reports, and considering placing a fraud alert or a credit freeze on their credit reports. The team have also highlighted the importance of vigilance to avoid phishing scams and the practice of changing passwords regularly as good cyber hygiene.

Although specific details about the ransom demands or whether any personal information was compromised were not disclosed, the event raised concerns among the college community about the security of their personal data. The college took steps to isolate some systems from the network to safeguard them while continuing to investigate the attack's full scope.

The college worked closely with law enforcement to assess and mitigate the situation. In addition to reporting the incident, preserving evidence and disconnecting infected systems, law enforcement agencies strongly discourage victims from paying the ransom, as they believe that doing so does not guarantee that the attackers will provide the decryption key or release the stolen data.

This is at least the second crippling cyberattack against educational institutions in the Portland area in the last 12 months. Cybercrime group Vice Society reportedly claimed credit for a ransomware attack on Lewis & Clark College in the spring of 2023. Looking further afield, Robins & Morton, Stanton Williams, A-State (Arkansas State University), American University of Antigua, CIC Group, Flood Law, Lakeland Community College, Michael Sullivan & Associates and Taylor University have all experienced ransomware attacks since the start of 2023.

Threat Actor Motivations

Universities and colleges are regularly of interest to cybercriminals and can be targeted by a broad range of threat actors including:

Organized Cybercrime Groups: These actors target educational institutions for financial gain, leveraging ransomware, phishing, or other malware to extort money, steal sensitive information (such as personal data and intellectual property), or sell access to compromised systems.

State-Sponsored Actors: Some attacks are carried out by groups affiliated with or sponsored by nation-states. These actors may be interested in obtaining research data, intellectual property, or sensitive information related to national security or economic advantage.

Hacktivists: Activist hackers might target universities and colleges to make a political statement, protest against the institution's policies, or draw attention to specific causes. Their attacks can range from website defacement to data breaches.

Insider Threats: Sometimes, the threat comes from within the institution itself. Disgruntled employees, students, or faculty members might misuse their access to the institution's network to conduct sabotage, steal data, or otherwise harm the institution.

Script Kiddies and Opportunistic Hackers: These are individuals with limited skills who use pre-made tools to exploit known vulnerabilities. Educational institutions, with their vast and often under-secured networks, can be attractive targets for these actors looking to practice their skills or cause disruption for personal amusement.

Educational institutions store a vast amount of valuable data, including personal and financial information, cutting-edge research and valuable intellectual property. They can be an easy target for threat actors because they often have limited cybersecurity measures in place compared to other sectors and have open networks that allow students, faculty, and staff to connect their devices. This openness can make it easier for cybercriminals to gain unauthorized access to the network and launch attacks. Combined with a general lack of cybersecurity awareness among employees and students, it makes these institutions more susceptible to phishing attacks, social engineering, and other forms of cybercrime.

 
