Cyber Incident Victim: Bluefield University

Date:

Apr 2023

Location:

United States of America

Summary

The Avos ransomware gang breached Bluefield University, compromising its IT systems and exfiltrating data. The threat actors then hijacked the university's emergency broadcast system, RamAlert, to send SMS and email messages directly to students and staff. These messages threatened to release the stolen personal information unless a ransom was paid and included links to their data leak site as proof. This novel tactic was used to pressure the institution and prevent it from downplaying the severity of the attack.

CIA Posture:

Available to members

Motives:

1 motive

Tactics, Techniques & Procedures:

5 techniques

Threat Actors:

2 actors

Threat Actor Type:

Available to members

Threat Actor Location:

Available to members

Description

On or around April 30, 2023, Bluefield University, a small private institution in Virginia with approximately 900 students, disclosed it had suffered a cyberattack impacting its IT systems. This initial disclosure stated that the incident had caused all examinations to be postponed. The university's investigation at that time had reportedly found no evidence of any cases of financial fraud or identity theft linked to the event. Despite the disruption, the university communicated that faculty and students could safely use and access key resources such as the MyBU portal, the Canvas learning management system, and library resources through the university's main website. The initial response focused on maintaining academic continuity while remediation efforts began.


The incident escalated significantly on May 1, 2023, when the Avos ransomware gang, also known as AvosLocker, demonstrated they still had access to the university's internal networks. The threat actors specifically compromised the university's RamAlert emergency broadcast system. This system is designed to send critical notifications via SMS text messages and email to students and staff regarding campus emergencies or threats. The attackers weaponized this trusted communication channel to directly contact the university population. They sent out messages that began with "Hello students of Bluefield University! We're Avoslocker Ransomwar. We hacked the university network to exfiltrate 1.2 TB files." The messages claimed the gang had stolen admissions data from thousands of students and warned that their personal information was at risk of being leaked on the dark web.

These unauthorized alerts served multiple purposes for the attackers. They directly challenged the university's initial statement that no evidence of data theft had been found, explicitly telling recipients, "DO NOT ALLOW the University to lie about severity of the attack!" The messages also included a specific deadline, threatening to leak a sample of the stolen data as proof on Monday, May 1, 2023, at 18:00:00 GMT. Subsequent messages sent through the hijacked system shared links and provided instructions on how to access the ransomware gang's data leak site to view further communications and any published data. This action was a clear attempt to increase extortion pressure by publicly demonstrating the severity of the breach and directly involving the victims—the students and staff—in the dispute.

The final message delivered via the compromised RamAlert system urged recipients to share the information with news outlets. It also contained a renewed threat to publish all of the stolen data if the university did not meet the ransom demand. Later on May 1, the threat actors followed through on their threat to leak data. They published a limited sample of the stolen files on their data leak site. The released data included highly sensitive documents, such as a W-2 Tax Form belonging to the university's president and a document related to the institution's insurance policy. This public release of specific, high-impact data was intended to prove the legitimacy of their claims and to further pressure the university into negotiating.

In response to this escalation, Bluefield University published an update on the cyberattack. The university confirmed that its emergency alerts system had been hacked and acknowledged that malicious actors had used it to send fraudulent messages. The update urged students and staff who had been contacted by the cybercriminals not to click on any links contained within those messages or to respond to them. The university reiterated that remediation and system restoration efforts were still underway. However, despite the public data leak, the university's official statement maintained that their investigation had still not found any evidence of abuse of student data. The incident highlighted a novel and aggressive extortion technique, marking one of the first known instances where ransomware actors seized control of an emergency notification system to directly threaten a victim population.

The primary impact of the incident was a significant operational disruption, forcing the postponement of all examinations and requiring a sustained effort to restore IT systems. The compromise of the RamAlert system represented a critical failure in the university's security posture, as it allowed the attackers to turn a system designed for campus safety into a channel for spreading fear and uncertainty. The attackers claimed to have exfiltrated 1.2 terabytes of data; the university did not confirm that figure, but the sample the gang published contained sensitive personal and financial information belonging to students, faculty, and senior administration, creating a substantial risk of identity theft and financial fraud for the affected individuals. The released W-2 form of the president alone contained enough personal information for targeted fraud attempts.

The university's response involved ongoing investigation and remediation efforts focused on restoring affected systems and securing the network from further unauthorized access. Public communications were used to keep the campus community informed, warn them about the fraudulent alerts, and provide guidance on safely accessing university resources. The attackers' methodology demonstrated an evolution in ransomware tactics, moving beyond standard double extortion—encrypting data and threatening to leak it—to incorporate a third layer of pressure by hijacking a critical communication platform to directly contact and threaten the victim organization's constituents. This approach was designed to prevent the victim from downplaying the attack's severity and to amplify the psychological and reputational damage, thereby increasing the likelihood of ransom payment. The event served as a stark example of the increasing boldness and creativity employed by cybercriminal groups in their extortion campaigns.

Sources
Sources available to members
3 sources