Cyber Incident Victim: North Carolina State University
Date: Mar 2022
Location: United States of America
Summary
North Carolina A&T State University experienced a ransomware attack attributed to the ALPHV (Black Cat) group, causing widespread disruption to critical systems including wireless networks, online learning platforms, single sign-on services, and administrative tools during spring break. The incident led to canceled classes and hindered academic assignments, with systems remaining offline for weeks. ALPHV, linked to prior groups like BlackMatter and REvil through shared tools like Fendr, employed a double extortion model and customized ransomware written in Rust. The group listed the university on its darknet site to pressure ransom payment. This attack was part of a broader trend targeting US educational institutions, marking the seventh such incident that year alongside multiple affected school districts.
Description
The ransomware attack on North Carolina Agricultural and Technical State University (NC A&T) occurred during the week of March 7, 2022, coinciding with the institution's spring break period. The ALPHV ransomware group, also known as Black Cat, executed the intrusion, forcing university staff into emergency recovery operations that continued for weeks. Critical systems disabled by the attack included campus wireless networks, the Blackboard learning management system, single sign-on portals, VPN access, Jabber communications, Qualtrics survey tools, Banner Document Management, and Chrome River expense management software. These outages persisted for at least two weeks post-incident, severely disrupting academic activities as students returned from break. Industrial systems engineering student Melanie McLellan reported canceled coding classes, remote instruction transitions, and inability to submit assignments due to the ongoing technical disruptions. The university appeared on ALPHV's darknet leak site on March 30, 2022, as part of the group's double extortion tactic to pressure ransom payment through threatened data exposure.

Security researchers from Kaspersky linked ALPHV to previous ransomware operations through forensic evidence, noting the group's use of the Fendr exfiltration tool, previously exclusive to the BlackMatter group. The ransomware's distinguishing characteristics included being written in the Rust programming language and being compiled as a customized executable for each target organization shortly before deployment, with harvested credentials embedded directly in the malware binaries. This incident marked the seventh ransomware attack against a U.S. higher education institution in 2022, part of a broader pattern that also affected at least eight K-12 school districts encompassing 214 schools nationwide. While NC A&T focused on service restoration, the attackers used stolen data as additional leverage beyond encryption, consistent with ALPHV's established double extortion model observed in prior attacks against German energy firms, South American industrial companies, and the Moncler fashion brand.
