Scottish University UWS Targeted By Rhysida Ransomware Group

The University of Western Scotland (UWS) is believed to have had its data stolen in a ransomware attack. This stolen information has been made available for purchase on the dark web by Rhysida, a recently discovered ransomware group.

The Rhysida ransomware group has demanded a payment of 20 bitcoins (about £450,000) in return for the sensitive data. They have also said they will auction off the data to the highest bidder.

UWS stated that it had been the victim of a “cybercrime” that affected a number of digital systems and personnel data. The incident impacted staff laptops, caused the university’s IT services to stop in around half of the cases, and affected student applications.

The incident hit in early July, resulting in a temporary outage of some of UWS’s critical services, including its public-facing website. The information on “offer” allegedly contains personal information about staff, as well as financial and National Insurance data. A number of internal university documents are also thought to be included in this data.

According to the findings of the threat intelligence platform FalconFeeds, the Rhysida ransomware group has included the University of the West of Scotland among its list of victims. They claim that the stolen data is being stored for auction on their “dark web portal”.

Rhysida Ransomware Sells Data for 20 Bitcoins (FalconFeeds)

The university includes campuses in Blantyre, Dumfries, Paisley, and Ayr. In a statement, it mentioned working together with the Scottish Government, Police Scotland, and the National Cyber Security Centre to respond to the incident.

“All appropriate steps continue to be taken to manage the situation. The incident remains an ongoing criminal investigation and we continue to work closely with the relevant authorities, such as Police Scotland, the National Cyber Security Centre [NCSC] and the Scottish Government, who are providing support and advice. We have also reported the incident to the Information Commissioner.”

The Rhysida ransomware collective, named after a large centipede native to Africa, Central and South America, as well as South and Southeast Asia, is a relatively new venture. It has not yet claimed many victims, and there is little information known about it. However, the organisation was responsible for the release of a collection of papers obtained from the Chilean Army in June 2023.

Rhysida shares a number of traits commonly seen in other ransomware groups, according to SentinelOne experts who have thoroughly researched the group’s operating strategies. These include the misguided notion that they serve as their targets’ helpful penetration testers. Another characteristic of their strategy is the use of double extortion, as was seen in the UWS attack.

It is spread via common techniques like phishing campaigns. According to SentinelOne, the malware is still in the early stages of development and lacks features common to widely used ransomware, such as VSS (Volume Shadow Copy Service) removal.

According to Spencer Starkey, vice president of SonicWall EMEA:

“Schools and universities are huge powerhouses of data which hold incredibly sensitive information, making them a likely target for hackers. The education sector is a vital institution which sits at the very centre of our society. Students, teachers and parents alike need to be able to trust that their sensitive information is being kept safe.”

The education sector saw the highest rate of ransomware attacks in 2022, according to recent Sophos research. Targeted organisations included 78% of institutions of higher learning and 81% of schools, up from 65% and 55% in 2021, respectively. Unfortunately, the industry also saw significant ransom payments, with 55% of universities and 48% of schools suffering recovery expenses in the millions.

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology (none of which can spot 100% of phishing emails), you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks. 