Data supposedly stolen from The University of West Scotland (UWS) has been put up for auction on ransomware gang Rhysida’s dark web victim blog, hinting that the university has refused to cooperate with the group’s demands for payment. UWS admitted to experiencing system issues earlier this month, attributing the disturbance to a “cyber incident”.
The gang is demanding 20 bitcoin (£452,640) for the data, and says it will be sold to the highest bidder.
University of West Scotland cyberattack claimed by Rhysida ransomware gang
UWS announced it suffered the attack on 7 July, enlisting the help of the National Cyber Security Centre (NCSC) as well as the Scottish government to deal with the incident. A spokesperson for the university told the BBC at the time that it was “experiencing an ongoing cyber incident which is currently affecting a number of digital systems”.
No criminal group initially came forward to claim responsibility, but today Rhysida said it was behind the breach and is auctioning off the data it took.
Deriving its name from a species of millipede, the gang was first spotted in May of this year when it launched attacks on the Chilean Army, as well as multiple organisations across the public and private sectors around the world.
The fact that the UWS data has now been posted to the gang’s blog implies that the university has opted not to pay a ransom, in line with NCSC guidelines. Ransomware gangs will often threaten to publish or sell sensitive data stolen from a victim on the dark web to pressure the victim into paying, alongside offering to supply a decryption key for the victim’s encrypted systems. This is called double extortion.
Tech Monitor has contacted the University of West Scotland for comment on the cyberattack, and whether it has received or paid a ransom demand.
Cyberattacks on universities in the UK
Universities in the UK and Ireland have been frequent targets for ransomware groups. In February, the BlackCat gang attacked the University of Munster in Ireland, leading to sensitive data being published on the dark web.
The university first detected strange behaviour on its systems on 5 February, causing it to shut down for several days. Five days later, BlackCat delivered a ransom demand that MTU says it has refused to pay.
In June, the University of Manchester was also attacked. Patrick Hackett, the university’s chief operating officer, said at the time: “It has been confirmed that some of our systems have been accessed by an unauthorised party and data has likely been copied. Our in-house experts and external support are working around the clock to resolve this incident, and to understand what data have been accessed.”
Universities are often targeted by ransomware gangs. According to a report by Sophos released today, 79% of IT leaders in higher education providers surveyed admitted to being hit by ransomware in the past year, a dramatic increase from 64% in 2022. Of the attacks, 40% are due to exploited vulnerabilities, 37% to compromised credentials and 12% to malicious emails.
According to the research, which polled a sample of 400 higher education tech executives, only 16% of universities consider themselves to be well-protected, while 73% feel that “there is more to be done”. Despite staffing issues, however, the overall cost of a data breach in an institute of higher education has gone down, from £1.42m last year to £1.06m in 2023, Sophos says.