Cyber Incident Victim: Michigan State University
Date: May 2020
Location: United States of America
Summary
Michigan State University was targeted by the NetWalker ransomware gang, which encrypted files and issued a one-week deadline for an undisclosed ransom payment. The attackers threatened to leak stolen documents, including student passports and financial records, on their dark web site if demands were unmet, subsequently publishing samples as proof of compromise. While the full impact remained unclear due to reduced on-campus operations during the pandemic, the incident risked sensitive data exposure and potential disruption to internal systems. The university did not publicly comment on the attack or its response measures.
Description
On May 28, 2020, Michigan State University (MSU) was publicly identified as a victim of a ransomware attack by the NetWalker (Mailto) ransomware operation. The attackers announced the breach on their dark web leak site, providing a one-week deadline for MSU administrators to pay an undisclosed ransom demand to decrypt encrypted files. The ransomware gang explicitly threatened to publish stolen university data if payment was not made or if MSU attempted to restore systems from backups. To substantiate their claims, NetWalker operators published five images on their leak site: two displaying directory structures purportedly from MSU's network, one scanned passport belonging to a student, and two scans of financial documents associated with the university. This intrusion occurred during a period when most students and staff were operating remotely due to the COVID-19 pandemic, potentially obscuring the immediate operational impact on campus-based systems.

The incident highlighted NetWalker's established pattern of operating a dedicated leak site to pressure victims, placing MSU among at least twelve known entities targeted with this double-extortion tactic. Historical victims of the group included Toll Group, an Australian logistics company, and the municipal network of Weiz, Austria. While the full scope of data compromise and network disruption at MSU remained unclear, the publication of sensitive student and financial records demonstrated a partial breach of institutional data. University officials did not publicly confirm the attack's operational consequences or detail any response measures, with an MSU spokesperson declining to comment on the incident when contacted by media. The pandemic-related shift to remote operations introduced uncertainty regarding the attack's effect on academic continuity, as core systems supporting virtual instruction might have remained unaffected despite potential compromises to internal administrative networks. The lack of disclosed remediation actions or communication from MSU left the resolution timeline and final outcomes undocumented in public reporting.
