Cyber Incident Victim: North Carolina A&T State University

Date: Mar 2022

Location: United States of America

Summary

North Carolina A&T State University experienced a disruptive ransomware attack by the ALPHV group (also known as Black Cat), which compromised critical systems including wireless networks, learning platforms, single sign-on services, VPN access, and administrative tools during spring break. The incident forced class cancellations and hindered academic assignments, with prolonged outages affecting operations weeks later. ALPHV employed a double extortion tactic, threatening to leak stolen data unless a ransom was paid, and utilized custom ransomware written in Rust, uniquely compiled for the target with embedded credentials. The group, linked to prior BlackMatter and REvil operations, listed the university on its darknet site to coerce payment. This attack was part of a broader trend targeting multiple US educational institutions.


Description

North Carolina A&T State University experienced a ransomware attack during the week of March 7, 2022, coinciding with its spring break period. The ALPHV ransomware group, also known as Black Cat, claimed responsibility for the intrusion, which disrupted critical university systems including wireless networks, the Blackboard learning management system, single sign-on portals, VPN access, Jabber communication tools, Qualtrics survey software, Banner Document Management, and Chrome River applications. University IT personnel initiated restoration efforts immediately after discovery, but many systems remained non-operational two weeks later when reported by the student newspaper *The A&T Register*. The disruption forced class cancellations and remote instruction adjustments, significantly impacting academic activities. Industrial systems engineering student Melanie McLellan described canceled coding classes and an inability to submit assignments due to system outages. On March 31, 2022, ALPHV listed the university on its darknet leak site, a tactic commonly employed to pressure victims into paying ransom demands by threatening public data exposure.


Security researchers from Kaspersky linked ALPHV to previous BlackMatter ransomware operations through forensic analysis of the Fendr data exfiltration tool, which was exclusively used by BlackMatter before appearing in ALPHV attacks. The ALPHV ransomware demonstrated technical distinctiveness through its implementation in the Rust programming language and customization of binaries for specific targets, with attacker credentials hardcoded into executables shortly before deployment. This incident marked one of seven ransomware attacks against US higher education institutions in early 2022, according to Emsisoft analyst Brett Callow, who also documented eight compromised K-12 school districts affecting 214 schools during the same period. ALPHV’s broader victim portfolio included a Middle Eastern cloud hosting provider, a South American oil, gas, mining and construction conglomerate, two German petroleum suppliers, and Italian luxury brand Moncler. The university’s recovery efforts focused on restoring essential academic and administrative systems while managing operational disruptions across multiple departments.
