Cyber Incident Victim: University of Detroit Mercy

Date: Feb 2022

Location: United States of America

Summary

The University of Detroit Mercy experienced unauthorized network access by the Lockbit 2.0 ransomware group, which threatened to release stolen data unless its demands were met. The institution confirmed the breach and engaged cybersecurity experts to investigate, though specifics about compromised servers or data types were not disclosed. While no personal information had surfaced on the dark web at the time of reporting, cybersecurity experts warned that Lockbit 2.0 routinely publishes exfiltrated data to shame victims who refuse ransom payments. The group, known for indiscriminately targeting global organizations across sectors, actively publicizes its compromises and follows through on threats to leak data. The university’s investigation remained ongoing without further details on ransom demands.

Description

On February 4, 2022, the University of Detroit Mercy confirmed unauthorized access to its cyber network following a ransomware attack claimed by the Lockbit 2.0 group. The breach occurred earlier that morning, with the threat actors demanding payment by February 13 under threat of publicly releasing stolen data. University officials did not disclose specific details about compromised computer servers or the nature of the exfiltrated information but acknowledged engaging private cybersecurity firms to investigate the incident. While the institution stated no personal data had yet appeared on dark web platforms at the time of reporting, cybersecurity experts warned such disclosures were likely imminent based on Lockbit 2.0's operational patterns. The group maintained an active "PR site" to publicly shame victims by listing newly compromised organizations daily, leveraging data exposure as additional pressure for ransom compliance.

Lockbit 2.0 demonstrated consistent global targeting practices, attacking organizations regardless of size or sector—including education, government, and public entities—according to cyber liability expert David Derigiotis of Burns and Wilcox. The group's methodology involved both encrypting victim data and exfiltrating it for potential publication, creating dual leverage points for extortion. University officials and law enforcement did not reveal the specific ransom demands or payment deadlines beyond the February 13 data release ultimatum. The investigation remained active with no public confirmation of whether university systems were fully restored or whether negotiations occurred with the threat actors. Institutional responses focused on containment through external cybersecurity partnerships while monitoring for potential data exposure, reflecting the unresolved status of the incident at the time of reporting.
