Cyber Incident Victim: Columbia College Chicago

Date: May 2020

Location: United States of America

Summary

The Netwalker ransomware group compromised Columbia College of Chicago, exfiltrating sensitive data and encrypting systems, threatening public release unless a ransom was paid. Stolen information included student applications containing Social Security numbers, employee records, medical studies, and financial documents, with the attackers leveraging exposed Remote Desktop Services and phishing campaigns to infiltrate networks. This incident was part of a broader campaign targeting U.S. educational institutions, reflecting the ransomware operation's focus on stealing unencrypted files prior to encryption.

Description

The Netwalker ransomware operation targeted Columbia College of Chicago in late May 2020 as part of a broader campaign against U.S. educational institutions. On May 28, 2020, the threat actors publicly claimed via their data leak site to have successfully encrypted the college's systems and stolen unencrypted data. They issued a ransom demand with a threat to release the stolen data if payment was not made by an unspecified deadline. This announcement followed their attack on Michigan State University earlier the same day and preceded their June 3 disclosure of an attack against the University of California San Francisco (UCSF). While specific technical details about Columbia College's compromise weren't disclosed in available reports, Netwalker's established modus operandi involved exploiting vulnerable Remote Desktop Services and deploying phishing campaigns to infiltrate networks. The operators systematically exfiltrated data prior to encryption, a tactic confirmed in their UCSF attack where stolen records included student applications containing Social Security numbers, employee information, medical studies, and financial documents.

The incident occurred during Netwalker's aggressive rebranding phase following its transition from Mailto ransomware in February 2020. The group demonstrated particular focus on academic institutions during this period, with three major U.S. colleges publicly named as victims within one week. No confirmation emerged regarding whether Columbia College fulfilled the ransom demand or experienced data publication. Netwalker's operational patterns suggested potential targeting of common vulnerabilities in educational sector infrastructure, though no specific application flaws were identified in this case. The ransomware group maintained an active data leak site where they posted victim announcements and sample documents to pressure organizations into paying, as evidenced by their publication of UCSF file screenshots. Columbia College's incident reflected the escalating risk to educational institutions from ransomware groups increasingly combining encryption attacks with double-extortion tactics involving data theft.
