Ransomware Group Leaks Information From CU Cyberattack On Dark Web
(CBS4) – A ransomware group leaked data allegedly stolen from the University of Colorado on the dark web. In February, CU announced it was investigating a cyberattack believed to be the largest in the university's history.
The attack targeted a vulnerability in the File Transfer Appliance from Accellion, a third-party vendor. Accellion says the hack impacted fewer than 100 clients, with 25 suffering significant data theft.
The ransomware group CL0P has published data from 25 Accellion hacks on the dark web, including data from the University of Colorado. Cybersecurity threat analyst Brett Callow of Emsisoft says it is highly likely that CL0P has additional data from other Accellion hacks.
"Whether CL0P is responsible for the hacks or is simply handling the extortion is impossible to say, but I suspect the latter," Callow added.
On Tuesday, the university said it is still investigating the scope of the attack.
"We did receive demands that we declined to meet," said Ken McConnellogue, CU Vice President for Communication. "We also advised our users to not pay, which is consistent with the guidance we received from the FBI."
McConnellogue said some staff who use the file transfer service received emails that their personal data had been stolen and would be published if the university didn't pay the ransom. CU is unaware of students receiving extortion demands.
"Organizations in this position are without good option," Callow explained. "If they don't pay the ransom demand, their data will be released online in a series of installments. If they do pay, they'll simply receive a pinky-promise that the stolen data will be destroyed. Obviously, there is absolutely no reason to believe that the criminals would actually do this, especially if the data has significant market value."
CU Boulder was notified of the Accellion attack on Jan. 25. The university's Office of Information Security determined files uploaded by 447 CU users were at risk of unauthorized access. Officials said personal information of CU Boulder and CU Denver students, along with prospective students, and employees may have been accessed.
The university is preparing to notify those affected by the data breach. CU said it would provide monitoring services at no cost for anyone whose information was compromised. In the meantime, students and employees can take proactive steps to protect their identity by visiting identitytheft.gov/databreach.
Accellion said on March 1 that all known File Transfer Appliance vulnerabilities have been remediated.
"Since becoming aware of these attacks, our team has been working around the clock to develop and release patches that resolve each identified FTA vulnerability, and support our customers affected by this incident," said Jonathan Yaron, Accellion's Chief Executive Officer.
CU said it plans to switch to a different file sharing product. Additionally, officials plan to move university data to a cloud-hosted environment and add multi-factor authentication as an extra layer of security.