Ransomware Strikes Third US College in a Week

Columbia College, Chicago has become the third US college in a week to fall victim to a cyber-attack involving the Netwalker family of ransomware. 

The Illinois educational establishment, along with Michigan State University and the University of California, San Francisco, was targeted by cyber-criminals and given six days to pay a ransom to recover its files.

Netwalker, also known as Mailto and believed to be an updated version of the Kokoklock ransomware, was first observed in September 2019. The malware encrypts data and renames each file to include the developer's email address and an extension made up of the victim's unique ID.
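The renaming behaviour described above gives responders a simple triage signal: a filename that embeds an email address and ends in an opaque ID. The following Python script is an added example (not code from the article or from any vendor) that scans a constructed directory listing for that pattern and groups hits by victim ID; the exact `.mailto[<address>].<id>` layout and the hex-only ID are assumptions for the example, not details given by the article.

```python
import re

# Heuristic from the article's description: Netwalker/Mailto renames files by
# embedding the operator's email address in the name and appending an
# extension made up of the victim's unique ID. The exact layout below
# (".mailto[<address>].<id>") and the hex-only ID are assumptions for this
# example; tune the pattern to samples seen in your own environment.
EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
RENAMED_RE = re.compile(
    r"^(?P<original>.+?)\.mailto\[(?P<email>" + EMAIL + r")\]\.(?P<victim_id>[0-9a-f]{4,})$",
    re.IGNORECASE,
)


def classify(filename):
    """Return (email, victim_id, original_name) if the name matches the
    renaming scheme, else None."""
    m = RENAMED_RE.match(filename)
    if not m:
        return None
    return m.group("email"), m.group("victim_id"), m.group("original")


def triage(filenames):
    """Group suspect files by victim ID so responders can see how many files
    and which operator address are involved; unaffected names are skipped."""
    hits = {}
    for name in filenames:
        result = classify(name)
        if result is None:
            continue
        email, victim_id, original = result
        hits.setdefault(victim_id, {"email": email, "files": []})["files"].append(original)
    return hits


# Constructed sample listing (not real indicators): two encrypted files, one
# untouched file, and one legitimate file that merely mentions an email address.
SAMPLE_LISTING = [
    "budget-2020.xlsx.mailto[ops@example.invalid].a1b2c3",
    "thesis.docx.mailto[ops@example.invalid].a1b2c3",
    "syllabus.pdf",
    "contact-list-ops@example.invalid.txt",
]

if __name__ == "__main__":
    for victim_id, info in triage(SAMPLE_LISTING).items():
        print(victim_id, info["email"], len(info["files"]), "files")
```

Because the pattern is matched only as a whole name, a file that merely contains an address in its name (the last sample entry) is not flagged.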

Like the attack on the University of California, the assault on Columbia occurred on June 3, exactly one week after Michigan State University was hit. On the Netwalker blog, the cyber-criminals claimed to have exfiltrated "very highly sensitive data like social security numbers and other private information" from Columbia. 

Columbia's chief of staff, Laurent Pernot, told the Columbia Chronicle on June 5 that the Netwalker attack was detected by the college's IT systems and contained to a limited number of college servers. 

“Some college, employee and student data was accessed by the perpetrators, though the exact nature and extent of that is still being determined,” wrote Pernot, adding that steps had been taken to prevent further breaches.

Updates made to the Netwalker blog yesterday suggest some of the colleges may have succumbed to the attackers' demands.

Emsisoft's Brett Callow told Infosecurity magazine yesterday: "UCSF and Columbia are no longer listed on Netwalker’s leak site, which likely means they paid (making it a lucrative week for the criminals) or that they asked to be delisted pending negotiations. So it appears only MSU is still holding out and refusing to negotiate."

Threat group REvil recently switched from publishing data if a ransom isn't paid to auctioning it off to the highest bidder. 

Asked if Netwalker's operators might follow suit, Callow said: "I wouldn’t be at all surprised if Netwalker were to adopt a REvil-like auction process for stolen information. Like other businesses, criminal enterprises adopt each other’s strategies and the introduction of mechanisms enabling stolen data to be monetized would seem to be a logical progression. We saw this with data exfiltration and publishing: the strategy was pioneered by Maze and then quickly adopted by multiple other groups."
