
Cyber Incident Victim: Knox College

Date: Dec 2022

Location: United States of America

Summary

Hive Ransomware Group claimed responsibility for a cyberattack on Knox College, asserting that it had encrypted critical infrastructure and data, compromised backup servers, and exfiltrated sensitive personal information including medical records and Social Security numbers. The college acknowledged the ransomware incident but did not confirm who was responsible; it restored some services, such as wireless networks and cloud-based applications, while other systems remained offline. Hive threatened to leak the stolen data and criticized the college's security response, alleging that negotiations had failed. The college advised affected individuals to reset passwords, enable two-factor authentication, and monitor financial accounts for suspicious activity, noting that investigations to determine the incident's full scope were ongoing.


Description

On December 1, 2022, Knox College experienced significant disruptions to its computer systems following a ransomware attack claimed by the Hive Ransomware Group, an FBI-identified criminal organization. The group sent emails to multiple Knox students on November 30, asserting they had encrypted critical infrastructure and data, compromised backup servers, and exfiltrated sensitive personal information including Social Security numbers and medical records. Hive threatened to leak the data within 24 hours and sell the stolen information on hacker forums. Knox College administrators, including Communications President Lisa Van Riper, acknowledged receiving communications from Hive in internal emails to faculty, staff, and students but did not confirm the group’s involvement or validate the extent of the claimed compromises. College President C. Andrew McGadney described the event as an ongoing “ransomware incident” in a December 1 community update, noting the disruptions caused considerable operational stress and inconvenience. Initial recovery efforts restored wireless networks, cloud-based services, and Google Workspace applications like Gmail and Google Drive, though other systems remained offline.


The college initiated a multi-phase response, mandating password resets, two-factor authentication enrollment, and device scans for all college-owned equipment starting November 26. Knox’s ITS department directed individuals to contact a dedicated help desk for technical support during business hours. McGadney advised community members to monitor financial accounts, review credit reports, and consider fraud alerts or credit freezes as precautionary measures, though the investigation into the incident’s scope and data impact remained ongoing. Hive’s email alleged unsuccessful negotiations with Knox’s security team, accusing the college of rejecting ransom terms and relying on “inexperienced” experts. Federal advisories highlighted Hive’s ransomware-as-a-service model, noting the group had extorted $100 million from over 1,300 global victims by November 2022. Knox emphasized strengthening systems before full restoration and committed to notifying affected parties if data exposure was confirmed. No public confirmation of data leaks or ransom payments was provided by the college during the incident’s initial disclosure period.
