A cyberattack on Munster Technology University (MTU) in Ireland was perpetrated by the ransomware gang BlackCat, which has published information allegedly stolen in the breach.
The university first detected strange behaviour on its systems on 5 February, causing it to shut down for several days. Five days later, BlackCat delivered a ransom demand which MTU has, at the time of writing, refused to pay.
BlackCat behind MTU cyberattack
As a result, a dump of more than 6GB of data was released onto the dark web on Sunday. This data appears to include personally identifiable information of staff and students including medical records and student bank account data.
However, exactly what the data includes has not been established yet, Richard Browne, head of Ireland’s National Cyber Security Centre, explained to the Irish Examiner. “Very often when this material is released, very little happens with us depending on what it is. And of course, we don’t know exactly what it is yet,” Browne said.
According to an update released by the university, MTU secured “an interim injunction to prevent the sale, publication, possession or other use of any data that may have been illegally taken from our systems” from the High Court of Ireland.
Such measures are unlikely to deter cybercriminals, who are already operating illegally, Brian Honan, CEO of cybersecurity company BH Consulting, explained to Irish news outlet RTE. “They’ve already broken the law, so another injunction isn’t going to deter them any further,” he said.
However, this could help to deter other criminals who are tempted to buy or use the data, Honan continued. “But it’s really in case other people either buy that information from the criminals, or come across the information in some other ways that they would be prevented from publishing the information on their own websites.”
The MTU released a further update yesterday explaining that students and staff are now returning to the campus. “The resumption of in-person teaching on campus is now successfully underway,” it reads. “We are continuing to review the incident and, in particular, the release of data on the ‘dark web’ so that we can provide any persons affected by this incident with further updates and guidance where necessary and as soon as practicable.”
BlackCat and the growing threat of Ransomware-as-a-Service
Russian gang BlackCat is a prevalent threat and a prime example of the growing danger posed by Ransomware-as-a-Service (RaaS), where criminals lease out their malware to anyone willing to pay for it, a Microsoft security blog says. The gang favours the double extortion technique to coerce its victims into paying the ransom. This is where a criminal steals information and then encrypts it, threatening to release the data onto the dark web as well as to deprive the victim of access to their encrypted systems.
First observed in November 2021, BlackCat attracted attention through its use of the Rust programming language, which is uncommon in the RaaS landscape. The gang has around 250 victims, the most recent being an Indian rocket propellant manufacturer called Solar Industries.
Other high-profile victims include the Ecuadorian Army: the attack knocked the federal body’s site offline as the gang posted its details to its dark web victim blog. BlackCat also claimed to have attacked NJVC, a US defence intelligence company, posting instructions for the company online. “We strongly recommend that you contact us to discuss your situation,” the gang wrote, “otherwise the confidential data in our possession will be released in stages every 12 hours.” There was subsequently no evidence of NJVC data being released online.