
Cyber Incident Victim: Southern Arkansas University

Date:

Feb 2021

Location:

United States of America

Summary

Southern Arkansas University experienced a second cybersecurity incident involving the Sodinokibi (REvil) ransomware group, following a prior breach linked to Blackbaud. The attackers publicly displayed screenshots of allegedly stolen data, including file directories, on their leak site, indicating unauthorized access and exfiltration of institutional information. The university, closed due to severe weather at the time of reporting, had not yet issued a formal statement regarding the claimed compromise.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

Southern Arkansas University experienced a second significant cybersecurity incident in less than a year when the Sodinokibi (REvil) ransomware group targeted the institution around February 16, 2021. This attack followed the university's previous breach involving third-party service provider Blackbaud in May 2020. The Sodinokibi group publicly claimed responsibility by publishing multiple screenshots on its dedicated leak site as evidence of unauthorized access to university systems. These images displayed directory structures and file listings purportedly exfiltrated during the attack, though specific file contents were not visible in the published material. The timing coincided with extreme weather conditions that forced campus closures, preventing an immediate university response or verification of the claims when the breach was first reported. Cybersecurity monitoring service SuspectFile initially documented the ransomware group's disclosure, which followed REvil's established pattern of publishing a sample of stolen data as proof of compromise before any potential full data release.


The incident represented an escalation from the prior Blackbaud breach, moving from a compromise through a third-party provider to a direct ransomware attack involving data exfiltration. REvil's operational tactics typically involved double-extortion strategies, combining system encryption with threats to publish stolen data unless ransom demands were met. While the specific types of compromised data were not detailed in the initial disclosure, the directory screenshots suggested potential access to organizational file structures. The university's physical closure during the incident likely impaired its ability to initiate containment protocols or conduct immediate forensic analysis. No information regarding ransom demands, payment status, or data restoration efforts was available at the time of initial reporting due to the institution's weather-related inaccessibility. The attack marked Southern Arkansas University's reappearance in cybersecurity incident tracking within a nine-month period, highlighting persistent targeting of educational institutions by sophisticated threat actors.

Sources: 1 source (available to members)