BlackSuit Ransomware Group Hits Oklahoma University


Cyber Attack on East Central University: A Detailed Examination

Incident Overview

On February 16, 2024, East Central University (ECU) in Ada, Oklahoma, became the target of a sophisticated cyber attack. A cybercriminal group wielding malicious software known as BlackSuit launched a directed attack against the university’s systems. While ECU’s critical services remained operational, the attackers successfully compromised various campus computers. The group’s efforts included attempts to steal data, encrypt computers, and extort the university.

Immediate Response

Upon detection of the breach, ECU’s Information Technology (I.T.) department acted swiftly, enlisting the aid of a third-party cybersecurity response team. Together, they initiated incident response protocols to assess the attack’s extent, implement countermeasures, and collect forensic evidence. Their joint efforts aimed to restore visibility and control over the campus network and systems. In parallel, ECU took proactive measures such as resetting passwords, evaluating critical services, and formulating a comprehensive incident response strategy.

Communication and Support

ECU developed a multi-faceted communication strategy to address the concerns of those potentially affected. This included direct emails, mandatory employee forums, and optional public forums for students to disseminate information about the incident. A dedicated webpage was established to provide updates, frequently asked questions (FAQs), and resources for assistance. The university also set up a specific email address and phone line for inquiries about the incident.

The Perpetrators: BlackSuit

BlackSuit, the group behind the attack, is an offshoot of another notorious cybercriminal group named Royal. According to the Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), BlackSuit has victimized over 350 entities worldwide, demanding ransoms totaling more than $275 million. The group has a history of targeting educational institutions across the country.

Method of Attack

The exact method used by BlackSuit to penetrate ECU’s systems remains undetermined. However, the group employs tactics such as infected email attachments, malicious websites, pop-up ads, and trojan applications. In the days following the attack, ECU reported a spike in spam and malicious emails, which may have been related to the breach.

Impact and Recovery

The cyber attack affected various utility and file servers, which were encrypted using ransomware tools. Fortunately, ECU’s most critical systems, which had robust security measures in place, were not compromised. The collaborative efforts of ECU I.T. and the third-party cybersecurity team focused on restoring affected services and bolstering defenses against future attacks.

Ongoing Investigation and Future Prevention

ECU continues to investigate the full scope and scale of the data potentially impacted by the attack. While there is no current evidence that any information was exfiltrated, the university has identified that certain individual names and Social Security numbers may have been accessible to the attackers. ECU is providing notice of this risk as the investigation proceeds.

The university acknowledges the difficulty in thwarting targeted attacks from advanced adversaries. Nonetheless, ECU I.T. is working closely with cybersecurity experts to enhance security measures, understand potential vulnerabilities, and raise awareness about the evolving tactics used by cybercriminals.

Advice for the ECU Community

ECU advises individuals concerned about their data to visit for guidance on protecting themselves in the event of identity theft. The university commits to keeping the community informed as new information emerges.

Staying Informed

For the latest updates on the cyber attack and measures taken by ECU, students, employees, and the public are encouraged to visit the university’s dedicated incident webpage at ECU Data Incident Notice. This resource provides comprehensive information and access to support for those affected by the incident.