BlackSuit Ransomware Group Hits Oklahoma University
Cyber Attack on East Central University: A Detailed Examination
Incident Overview
On February 16, 2024, East Central University (ECU) in Ada, Oklahoma, became the target of a sophisticated cyber attack. A cybercriminal group wielding malicious software known as BlackSuit launched a directed attack against the university’s systems. While ECU’s critical services remained operational, the attackers successfully compromised various campus computers. The group’s efforts included attempts to steal data, encrypt computers, and extort the university.
Immediate Response
Upon detection of the breach, ECU’s Information Technology (I.T.) department acted swiftly, enlisting the aid of a third-party cybersecurity response team. Together, they initiated incident response protocols to assess the attack’s extent, implement countermeasures, and collect forensic evidence. Their joint efforts aimed to restore visibility and control over the campus network and systems. In parallel, ECU took proactive measures such as resetting passwords, evaluating critical services, and formulating a comprehensive incident response strategy.
Communication and Support
ECU developed a multi-faceted communication strategy to address the concerns of those potentially affected. This included direct emails, mandatory employee forums, and optional public forums for students to disseminate information about the incident. A dedicated webpage was established to provide updates, frequently asked questions (FAQs), and resources for assistance. The university also set up a specific email address and phone line for inquiries about the incident.
The Perpetrators: BlackSuit
BlackSuit, the group behind the attack, is an offshoot of another notorious cybercriminal group known as Royal. According to the Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), BlackSuit has victimized over 350 entities worldwide, demanding ransoms totaling more than $275 million. The group has a history of targeting educational institutions across the country.
Method of Attack
The exact method used by BlackSuit to penetrate ECU’s systems remains undetermined. However, the group employs tactics such as infected email attachments, malicious websites, pop-up ads, and trojan applications. In the days following the attack, ECU reported a spike in spam and malicious emails, which may have been related to the breach.
Impact and Recovery
The cyber attack affected various utility and file servers, which were encrypted using ransomware tools. Fortunately, ECU’s most critical systems, which had robust security measures in place, were not compromised. The collaborative efforts of ECU I.T. and the third-party cybersecurity team focused on restoring affected services and bolstering defenses against future attacks.
Ongoing Investigation and Future Prevention
ECU continues to investigate the full scope and scale of the data potentially impacted by the attack. While there is no current evidence that any information was exfiltrated, the university has identified that certain individual names and Social Security numbers may have been accessible to the attackers. ECU is providing notice of this risk as the investigation proceeds.
The university acknowledges the difficulty in thwarting targeted attacks from advanced adversaries. Nonetheless, ECU I.T. is working closely with cybersecurity experts to enhance security measures, understand potential vulnerabilities, and raise awareness about the evolving tactics used by cybercriminals.
Advice for the ECU Community
ECU advises individuals concerned about their data to visit www.identitytheft.gov for guidance on protecting themselves in the event of identity theft. The university commits to keeping the community informed as new information emerges.
Staying Informed
For the latest updates on the cyber attack and measures taken by ECU, students, employees, and the public are encouraged to visit the university’s dedicated incident webpage at ECU Data Incident Notice. This resource provides comprehensive information and access to support for those affected by the incident.