The Hawaiʻi Community College has admitted that it paid a ransom to ransomware actors to prevent the leaking of stolen data of approximately 28,000 people.
Hawaiʻi Community College is an accredited public community college operating two campuses on the island of Hawaii and is part of the University of Hawai'i (UH), which has over 50,000 students.
On June 19th, 2023, the relatively new NoEscape ransomware gang listed UH on its extortion portal, threatening to publish 65 GB of stolen data in a week if a ransom was not paid.
A day later, the College confirmed they suffered a ransomware attack on June 13th, 2023, warning students and faculty that they shut down IT systems to prevent the spread of the malware.
Source: KELA
As UH explained in the relevant announcement published on Wednesday, it carefully considered all options and decided to pay the cybercriminals to protect the personal data of thousands of its students.
"After determining that the compromised data most likely contained personal information of approximately 28,000 individuals, the University of Hawaiʻi made the difficult decision to negotiate with the threat actors in order to protect the individuals whose sensitive information might have been compromised," explained UH in a public statement earlier this week.
The university further explains that one element that played a key role in its decision was that the hackers responsible for the attack, NoEscape, are known to leak the personal data of individuals stolen from breached networks if a ransom demand is not paid.
"Working with an external team of cybersecurity experts, UH reached an agreement with the threat actors to destroy all of the information it illegally obtained," continued the UH announcement.
After a ransom payment was made, the ransomware gang removed the University of Hawai'i entry from their data leak site, which is commonly done after paying the extortion demand.
Meanwhile, the restoration of the damaged IT infrastructure is still underway, likely now supported by a decryption key provided by NoEscape, and is expected to be completed by August 14th, 2023.
All 28,000 students and staff impacted by the attack will receive notification letters with enclosed instructions on enrolling in credit monitoring and identity theft protection services through Experian.
Finally, to prevent similar attacks from occurring in the future, UH is working with all ten campuses and their IT system administrators to plug potential vulnerabilities and implement additional security measures.
Unfortunately, paying a ransom to prevent the leak of data does not always go as planned.
In the past, threat actors have promised to destroy data but have not kept their word, continuing to extort the victims or releasing the data.
While there is no history of the NoEscape operation doing this, all students and faculty must act under the assumption that their data was exposed and react accordingly.
Depending on what data was released, this could mean monitoring credit reports for identity theft, changing passwords on sensitive accounts, or being more diligent when opening suspicious emails.
Who is NoEscape?
The NoEscape ransomware operation is a new project launched last month, targeting Windows, Linux, and VMware ESXi servers and performing double-extortion on victims.
BleepingComputer has learned that the threat actors have demanded ransoms as high as $10 million, but the amount UH paid has not yet been made known.
Ransomware analyst Michael Gillespie has found extensive similarities between the NoEscape and Avaddon encryptors, a RaaS operation that abruptly shut down operations in the summer of 2021 following raised attention from law enforcement.
This is a strong sign that NoEscape may be a rebrand of Avaddon, created by the core team of the now-defunct ransomware operation.
Comments
ZeroYourHero - 9 months ago
FYI: A 2020 ruling the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declared it illegal to pay a ransom in most cases.
AutomaticJack - 9 months ago
"FYI: A 2020 ruling the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declared it illegal to pay a ransom in most cases."
I don't think this is law/enforced as yet - else it would be the end of US based financially motivated attacks. But it needs to happen to make a dent in the problem.
UK FI's will be fiscally responsible for fraud scams in the coming year, the source as well as the destination FI's will be subject to fines. $$$ is always a good kickintheass to get a companies security and bs in line -as long as the fine is large enough. Will be interesting.
h_b_s - 9 months ago
""FYI: A 2020 ruling the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declared it illegal to pay a ransom in most cases."
I don't think this is law/enforced as yet - else it would be the end of US based financially motivated attacks. But it needs to happen to make a dent in the problem.
UK FI's will be fiscally responsible for fraud scams in the coming year, the source as well as the destination FI's will be subject to fines. $$$ is always a good kickintheass to get a companies security and bs in line -as long as the fine is large enough. Will be interesting. "
Yeah, don't bet on it. If the US federal government wants to lower the boom the college administration isn't going to be able to stop it, nor will changing the name of the criminal gang dodge the sanction. The courts aren't going to buy any such argument. (The UK is irrelevant to the discussion. Not a UK organization.)
EndangeredPootisBird - 9 months ago
And people are still surprised when they subject to ransomware, as if maybe there's a reason as to why it still exists...
Idiots. How about actually investing into proper security rather? Oh, I forgot, security doesn't exist in the neoliberal world, as employees and IT teams aren't paid enough to bother, and they don't get a big enough budget to implement actual security, and why pay for something that doesn't impact those at the top?
NoneRain - 9 months ago
Ransom payment should be illegal, always. Government should impose that strictly and public punish those enterprises.
If these morons keep financing crimes, it will be always a great "business".
thatirish - 9 months ago
Worst of ideas, paying a ransom to cybercriminals. Now that college will likely be target by a more sophisticated cybercriminal gang that's looking to make a few bucks from a college that just put itself on a most favored list by hackers, a list of those that will pay the ransom.
defective1up - 9 months ago
Not to mention that the ransomware group they paid could just leak the info anyway making a second attack way more likely.