North Carolina A&T State University, the largest historically black university in the US, was recently hit by a ransomware group called ALPHV, which last month sent university staff in a battle to restore services.
“It affects a lot of my classes, especially because I’m taking a few programming classes, my classes have been canceled,” Melanie McLellan, an industrial systems engineering student, told the school newspaper, The A&T Register. “They’ve been remote, I still haven’t been able to do my assignments.”
The newspaper said the breach occurred the week of March 7, while students and faculty were on spring break. Systems that were disabled by the intrusion included wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Qualtrics, Banner Document Management, and Chrome River, many of which were unavailable when the student paper was released two weeks ago. published his story.
The report came a day after North Carolina A&T appeared on a darknet site that uses ALPHV to discredit victims in an attempt to persuade them to pay a hefty ransom.
ALPHV, also known as Black Cat, is a relative newcomer to the ransomware-as-a-service scene, in which a core group of developers work with affiliates to infect victims and then split the proceeds. Some of its members have portrayed ALPHV as a successor to the BlackMatter and REvil ransomware groups, and on Thursday researchers from security firm Kaspersky presented evidence supporting that claim.
Reuse of shameless code
An exfiltration tool previously used exclusively by BlackMatter, Kaspersky said, is used by ALPHV/Black Cat and “represents a new data point connecting BlackCat to previous BlackMatter activities.” Previously, BlackMatter used the so-called Fendr tool to collect data before encrypting it on the victim’s server. The exfiltration supports a dual extortion model that requires a payment not only for a decryption key, but also for a swearing that criminals will not make the data public.
“In the past, BlackMatter has prioritized collecting sensitive information with Fendr to successfully support their double coercion scheme, much like BlackCat is doing now, and it demonstrates a practical yet brutal example of malware reuse to carry out their multi-layered blackmail” , Kaspersky researchers wrote. “The modification of this repurposed tool demonstrates a more advanced planning and development regimen for adapting requirements to target environments, indicative of a more effective and experienced criminal program.”
Kaspersky said the ALPHV ransomware is unusual because it is written in the Rust programming language. Another oddity: the individual ransomware executable is specially curated for the target organization, often just hours before the break-in, so that previously collected credentials are hard-coded into the binary.
Thursday’s report said Kaspersky researchers had observed two AlPHV breaches, one against a cloud hosting provider in the Middle East and the other against an oil, gas, mining and construction company in South America. It was during the second incident that Kaspersky discovered the use of Fendr. Other breaches attributed to ALPHV include two German oil suppliers and luxury fashion brand Moncler.
A&T is the seventh U.S. university or college to be hit by ransomware so far this year. according to Brett Callow, a security analyst at security firm Emsisoft. Callow also said at least eight school districts have also been affected, disrupting operations at as many as 214 schools.
