North Carolina A&T State University, the largest historically black college in the US, University was recently struck by a ransomware Group called ALPHV, sending university staff into a scramble to restore services last month.
“It’s affecting a lot of my classes, especially since I do take a couple of coding classes, my classes have been canceled,” Melanie McLellan, an industrial system engineering student, told the school newspaper, The A&T Register. “They have been remote, I still haven’t been able to do my assignments.”
The paper said the breach occurred the week of March 7 while students and faculty were on spring break. Systems taken down by the intrusion included wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Qualtrics, Banner Document Management, and Chrome River, many of which remained down when the student newspaper published its story two weeks ago.
The report came a day after North Carolina A&T appeared on a darknet site that ALPHV uses to name and shame victims in an attempt to persuade them to pay a hefty ransom.
ALPHV, which also goes by the name Black Cat, is a relative newcomer to the ransomware-as-a-service scene, in which a core group of developers works with affiliates to infect victims and then split any proceeds that result. Some of its members have portrayed ALPHV as a successor to the BlackMatter and REvil ransomware groups, and on Thursday, researchers at security firm Kaspersky presented evidence that backed up that claim.
Brazen code reuse
An exfiltration tool previously used exclusively by BlackMatter, Kaspersky said, is being used by ALPHV/Black Cat and “represents a new data point connecting BlackCat with past BlackMatter activity.” Previously, BlackMatter used the so-called Fendr tool to collect data before encrypting it on the victim’s server. The exfiltration supports a double extortion model that requires a payment not just for a decryption key but also for a pinky swear that criminals won’t make the data public.
“In the past, BlackMatter prioritized collection of sensitive information with Fendr to successfully support their double coercion scheme, just as BlackCat is now doing, and it demonstrates a practical but brazen example of malware re-use to execute their multi-layered blackmail,” Kaspersky researchers wrote. “The modification of this reused tool demonstrates a more sophisticated planning and development regimen for adapting requirements to target environments, characteristic of a more effective and experienced criminal program.”
Kaspersky said the ALPHV ransomware is unusual because it’s written in the Rust programming language. Another oddity: The individual ransomware executable is compiled specifically for the organization being targeted, often just hours before the intrusion, so that previously collected login credentials are hardcoded into the binary.
Thursday’s post said Kaspersky researchers had observed two AlPHV breaches, one on a cloud hosting provider in the Middle East and the other against an oil, gas, mining, and construction company in South America. It was during the second incident that Kaspersky detected the use of Fendr. Other breaches attributed to ALPHV include two German oil suppliers and luxury fashion brand Moncler.
A&T is the seventh US university or college to be hit by ransomware so far this year, according to Brett Callow, a security analyst at security firm Emsisoft. Callow also said that at least eight school districts have also been hit, disrupting operations at as many as 214 schools.