Students and staff members at the University of Manchester, which was hit by a cyber attack earlier in June, are receiving emails from the threat actor behind the incident threatening to sell or expose their personal data imminently if a ransom is not paid.
In the email, a copy of which has been obtained and reviewed by Computer Weekly, the threat actor said: “We would like to inform all students, lecturers, administration and staff that we have successfully hacked manchester.ac.uk network [sic] on June 6 2023.
“We have stolen 7TB of data, including confidential personal information from students and staff, research data, medical data, police reports, drug test results, databases, HR documents, finance documents, and more…. The administration is fully aware of the situation and had been in discussion with us for over a week,” the blackmailers said.
“They, however, value money above the privacy and security of their students and employees. They do not care about you or that ALL your personal information and research work will soon be sold and/or made public.”
The threat actor also named a number of senior academic staff, including the university’s registrar and chief operating officer Patrick Hackett, who was the public face of the university’s initial communications following the incident, and accused them of bearing responsibility for the situation.
Some students have reported receiving a different email in which the threat actor supposedly offers them the chance to pay “a small fee” in return for not disclosing their own data. The veracity of this communication, or its connection to the incident, has not been confirmed.
The emails appear to confirm that the university, or a specialist third-party negotiator representing its interests, has been in contact with the gang, but also imply that no ransom has been paid.
The subsequent escalation by the ransomware gang reflects the growth in so-called triple extortion ransomware attacks. Check Point lead security engineer Muhammad Yahya Patel said the rise in this form of attack reflected not only the increased sophistication of the cyber criminal ecosystem, but also its determination to get paid.
“Ransomware gangs were typically less organised than other groups up until a couple of years ago. Now they are becoming far more considered and steadfast in their approach, exploiting large-scale vulnerabilities and executing double and triple extortion to settle their demands,” said Patel.
Put simply, a triple extortion attack is an escalation of a double extortion attack – in which data is encrypted and stolen and leaked to make it more likely that the victim pays. In a triple extortion incident, the attacker pressurises the victim to pay by adding a third dimension to their dilemma.
This third layer can take different forms, but may include a distributed denial of service (DDoS) attack on the victim’s network to knock them offline or, in this case, making contact with the victim’s employees, end-users or even customers, and threatening them in order to exert pressure on the victim.
The identity of the ransomware operation behind the attack has not yet been disclosed. However, the University of Manchester has claimed it is not linked to the ongoing mass-victimisation of MOVEit customers by the Clop gang.
A university spokesperson said: “Following our reporting of a cyber incident earlier this month, we are aware that some staff and students have been sent emails purporting to be from those behind it. All staff and students should be wary of opening suspicious emails or phishing attempts, and report them to IT services. They should not respond under any circumstances.
“Our in-house experts and external support are working around-the-clock to resolve this incident, and to understand what data has been accessed. Our priority is to resolve this issue and provide information to those affected as soon as we are able to, and we are focussing all available resources.
“If staff or students are identified who have been personally impacted by this incident they will be contacted through university channels.”
The university is also advising staff and students to be alert to the potential for phishing emails and other malicious actors trying to exploit the situation. It has produced an FAQ, which also includes guidance for A-Level and other prospective students.