Cyber Incident Victim: Georgia Institute of Technology
Date: Feb 2023
Location: United States of America
Summary
A ransomware outbreak impacted the Georgia Institute of Technology as part of a global campaign affecting more than 3,800 victims, including other U.S. and European universities and Florida's state court system. The attackers exploited a known, already patched vulnerability in VMware software to encrypt internet-facing servers and demand ransoms; because few victims paid, the operation extorted only about $88,000 in total. The university did not publicly detail its disruptions, while Florida's court system reported that the compromised infrastructure was segregated from its core networks and that no core systems or data were breached. Many victims recovered their data without paying, suggesting the attackers' encryption routine was flawed. National cybersecurity authorities attributed the incident to criminal rather than state-sponsored actors, noting that it spread rapidly but was unsophisticated compared with the work of established ransomware groups.
Description
On or around February 7, 2023, a widespread ransomware campaign disrupted servers belonging to multiple organizations, including the Georgia Institute of Technology, Florida's state court system, and universities in the United States and Central Europe. The incident was part of a larger global outbreak affecting more than 3,800 victims. It targeted internet-facing servers running VMware software with a known, two-year-old vulnerability for which a patch was already available. After exploiting the flaw, the attackers deployed ransomware that encrypted the hosts and replaced their web-facing pages with a ransom note, which is why the infections were visible to internet scanning tools such as Shodan and could be counted from the outside. The note demanded cryptocurrency payment in exchange for a decryption key, but only about $88,000 was collected across all victims, well below typical ransomware hauls. The operational impact on most affected organizations remained unclear; Florida Supreme Court officials confirmed that infrastructure used for administrative court functions was compromised, but stressed that it was segregated from core judicial networks, which prevented broader compromise.

Twelve universities, including Georgia Tech, were identified by mapping the affected IP addresses to their owners, but none disclosed details about data loss, operational interruptions, or recovery efforts. The attack showed limited sophistication: many victims restored their data without paying, which points to flaws in the attackers' encryption and extortion process. Tracking projects such as Ransomwhere and Onyphe monitored the campaign's rapid spread, noting that its unusual public visibility was a direct result of the attackers targeting exposed servers whose state could be observed by anyone scanning the internet. VMware reiterated its existing guidance urging customers to apply the available updates. National agencies, including Italy's digital safety office and Finland's National Cyber Security Centre, attributed the campaign to criminal actors rather than state-sponsored groups, citing the absence of advanced tactics and the modest financial yield. The incident underscored the persistent risk that automated ransomware poses to unpatched, internet-exposed infrastructure; its significance lay in scale rather than novelty.
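The two observations above, that the ransom notes were visible to internet scanners and that victims were attributed by mapping IP addresses to their owners, describe the same outside-in triage that trackers used to count the campaign. The following Python script is an added illustration of that workflow and is not code from the original page, from Ransomwhere, Onyphe, Shodan, or any affected organization. The scan records, the organization CIDR allocations (drawn from the TEST-NET ranges) and the ransom-note marker phrases are all constructed for the example; the function names `is_ransom_note`, `attribute_ip` and `triage` are the author's own.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed scan records in the shape a banner-scanning service returns:
# (ip, port, text from the HTTP response). Hypothetical data, not real scan output.
SCAN_RESULTS: List[Tuple[str, int, str]] = [
    ("203.0.113.10", 443, "<title>How to Restore Your Files</title> Send BTC to the address below"),
    ("203.0.113.25", 443, "<title>VMware ESXi</title> Welcome, log in"),   # untouched login page
    ("198.51.100.7", 443, "HOW TO RESTORE YOUR FILES. Pay in bitcoin for the decryption key."),
    ("192.0.2.44", 443, "<title>How to Restore Your Files</title>"),        # owner unknown to us
    ("192.0.2.9", 80, "Apache/2.4 default page"),                            # unrelated host
]

# Constructed IP allocations standing in for organisations' published address
# ranges (hypothetical; real attribution would use WHOIS/BGP data).
ORG_RANGES: Dict[str, List[str]] = {
    "Example University A": ["203.0.113.0/24"],
    "Example Court System": ["198.51.100.0/25"],
}

# Illustrative phrases a ransom note served over HTTP might contain. In a real
# hunt these would be tuned to the specific campaign's note text.
NOTE_PATTERNS = [
    re.compile(r"how to restore your files", re.I),
    re.compile(r"\b(bitcoin|btc)\b.*\b(decrypt\w*|key)\b", re.I | re.S),
]


def is_ransom_note(banner: str) -> bool:
    """True if the served page looks like a ransom note rather than a normal banner."""
    return any(p.search(banner) for p in NOTE_PATTERNS)


def attribute_ip(ip: str, org_ranges: Dict[str, List[str]]) -> Optional[str]:
    """Map an address to the first organisation whose ranges contain it."""
    addr = ipaddress.ip_address(ip)
    for org, cidrs in org_ranges.items():
        for cidr in cidrs:
            if addr in ipaddress.ip_network(cidr, strict=False):
                return org
    return None


def triage(results: List[Tuple[str, int, str]],
           org_ranges: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {organisation: [ips serving a ransom note]}; unmapped hits go to 'unattributed'."""
    hits: Dict[str, List[str]] = {}
    for ip, _port, banner in results:
        if not is_ransom_note(banner):
            continue  # normal login page or unrelated service: not a victim
        org = attribute_ip(ip, org_ranges) or "unattributed"
        hits.setdefault(org, []).append(ip)
    return {org: sorted(ips) for org, ips in hits.items()}


if __name__ == "__main__":
    for org, ips in sorted(triage(SCAN_RESULTS, ORG_RANGES).items()):
        print(f"{org}: {len(ips)} host(s) serving a ransom note -> {', '.join(ips)}")
```

The hit list is only as complete as the scan data and as accurate as the note patterns, which is the caveat the trackers themselves raised: a victim whose host was taken offline, or one that restored the original page before the next scan pass, simply disappears from the count.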
