
Cyber Incident Victim: Hawaiʻi Community College

Date:

Jun 2023

Location:

United States of America

Summary

Hawaiʻi Community College suffered a ransomware attack that forced it to take its network offline. The incident, claimed by the NoEscape ransomware group, led to the involvement of federal authorities and cybersecurity experts. The group claimed to have exfiltrated 65 gigabytes of data and threatened to release it. The attack was isolated to this single campus within the University of Hawaiʻi system, with no other campuses believed to be impacted.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 3 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around June 13, 2023, Hawaiʻi Community College was notified of a ransomware attack. The two-year college, which is part of the University of Hawaiʻi state school system and serves more than 2,500 students across its campuses in Kona and Pālamanui, immediately initiated its response. The University of Hawaiʻi System Information Technology Services was first notified of the issue and subsequently informed officials at the Hawaiʻi Community College campus. In response to the discovery, UH System Information Technology Services took immediate action to contain the threat. Their primary containment measure was to take the entire Hawaiʻi Community College network offline, effectively disconnecting it from the wider university system. They also took additional, unspecified steps to protect all other UH networks from potential compromise. A spokesperson for the college confirmed that Hawaiʻi Community College was the only UH campus identified as being affected by the attack.

Following the initial containment actions, the college engaged with federal authorities and external cybersecurity experts to manage the situation and investigate the incident. The school’s spokesperson declined to comment publicly on the specific ways campus systems were affected by the encryption or data theft, or on whether the institution would pay any ransom to the attackers. The college announced the incident publicly on the evening of Tuesday, June 20, a week after the initial detection. The announcement followed a claim of responsibility posted by a ransomware group known as NoEscape, which is also stylized as N0_Esc4pe.

The NoEscape ransomware group posted Hawaiʻi Community College to its data leak site, a platform commonly used by cybercriminals to extort victims by threatening to publish stolen data. In their post, the group claimed to have successfully exfiltrated approximately 65 gigabytes of data from the college’s systems. They issued a threat to publicly leak this stolen information if their ransom demands were not met within one week. The emergence of the NoEscape group is a relatively recent development in the ransomware landscape. According to expert analysis, the group was first observed in May 2023, initially advertising its services on the cybercriminal forum known as RAMP. The ransomware itself is assessed as being new and not based on previously leaked or stolen source code from other groups; it is written in the C++ programming language. Despite its novelty, the group had already claimed several victims prior to the attack on the college, including a hospital in Belgium and manufacturing companies in the United States and the Netherlands.

The incident at Hawaiʻi Community College occurred within a broader context of increasing ransomware attacks targeting the education sector, particularly post-secondary institutions. An expert from cybersecurity firm Emsisoft noted that at least 49 post-secondary schools in the United States had been hit with ransomware in 2023 up to that point, with data stolen in at least 43 of those cases. This statistic includes five schools impacted by the widespread MOVEit file transfer software exploitation, though it was unclear if those would be definitively classified as ransomware incidents. The attack on the Hawaiian college followed several other significant ransomware incidents announced in the weeks prior, affecting universities and colleges in the United Kingdom, Germany, and other parts of the United States. The full impact of the attack on the college’s operations, students, and staff remained unclear from public statements, as officials did not detail which specific systems or services were disrupted beyond the complete network takedown. The primary confirmed consequences were the forced isolation of the campus network and the potential exposure of 65 gigabytes of institutional data as claimed by the threat actors. The investigation, conducted in collaboration with federal law enforcement and cybersecurity professionals, continued following the public disclosure.
