Cyber Incident Victim: Rice University
Date: Feb 2023
Location: United States of America
Summary
A global ransomware outbreak impacted Rice University, other U.S. and European educational institutions, and Florida's state court system by exploiting a known vulnerability in VMware software. The attack, characterized by rapid spread but limited sophistication, affected internet-facing servers, though the extent of operational disruption remained unclear because the university did not publicly disclose details. While the perpetrators demanded ransoms, their campaign yielded minimal payments because numerous victims recovered data without complying. Cybersecurity experts noted that the incident's broad visibility stemmed from exposed servers but emphasized its unsophisticated execution compared to advanced ransomware operators.
Description
In early February 2023, a widespread ransomware campaign targeted servers globally, impacting Florida’s Supreme Court administrative systems and multiple universities across the United States and Central Europe, including Rice University in Houston, Georgia Institute of Technology in Atlanta, and institutions in Hungary and Slovakia. The attack, first publicly reported on February 7, 2023, exploited a known two-year-old vulnerability in VMware software to compromise internet-facing servers. Ransom notes were posted on affected systems, locking servers and disrupting operations. Researchers identified over 3,800 victims through internet scans using tools like Shodan, making this one of the largest automated ransomware outbreaks observed. The attack lacked sophistication, relying on outdated vulnerabilities rather than novel techniques, but spread rapidly due to its automation and the exposure of unpatched servers. The exact timing of initial compromises and duration of disruptions at Rice University and other institutions were not specified, though the campaign intensified over the preceding weekend.

Florida Supreme Court spokesman Paul Flemming confirmed that the compromised infrastructure was segregated from the Court’s main network, ensuring no data breaches or operational interruptions occurred at the Supreme Court level. Most affected organizations, including the universities, did not publicly disclose operational impacts or data losses. Cybersecurity experts, including Finnish National Cyber Security Centre’s Samuli Kononen, assessed the attack as financially motivated criminal activity rather than state-sponsored aggression due to its technical flaws and limited ransom success. Victims reportedly recovered data without paying in many cases, contrary to typical ransomware operations. The hackers demanded unspecified ransoms but extorted only $88,000 collectively, significantly below typical ransomware profits. VMware urged users to update their software to mitigate the vulnerability. Response actions at Rice University and other academic institutions were not detailed, as none of the twelve contacted universities provided comments to Reuters. Italian and Finnish cybersecurity agencies monitored the incident but found no evidence of advanced persistent threat involvement. The attack underscored persistent risks from unpatched systems despite its limited financial success.
