Ransomware continues to give us no respite, and this time it was the University of Pisa that suffered a very serious attack. At 5:37 pm on June 13, the state university was hit by a major attack, probably carried out with the BlackCat ransomware of the cybercriminal group ALPHV. At the moment it seems that some samples have already been released online and that a ransom of 4.5 million dollars has been demanded. As always in these cases, the attackers have set up a chat with the victim on the dark web in order to communicate and agree on the payment method. The criminal group has also adopted the latest double-extortion technique: in addition to the payment to recover the data, they demand a further payment to avoid the disclosure of part of the data already in their possession.
How BlackCat ransomware works
In general, ransomware attacks exploit an infection vector already present in the systems or a human weakness such as phishing. BlackCat is particularly sophisticated compared to the others and is offered as RaaS (Ransomware-as-a-Service). The group of cybercriminals has already compromised over 60 companies worldwide, and according to the FBI one of the reasons for its wider diffusion may be Rust, considered a much more secure programming language than C/C++.
The ransomware takes advantage of already-public user credentials to gain initial access to the victim's infrastructure. Once inside, it continues by taking over Active Directory users and compromising the administrative accounts. To spread within the systems, BlackCat uses Windows Task Scheduler to configure malicious Windows GPOs and facilitate the replication of the malware. The essential activities of the ransomware are performed through PowerShell scripts that gradually disable components of the host operating system.
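As an added example (not part of the original article), this is the kind of detection logic a defender might run over Windows event records to spot the chain described above: a GPO modification (Event ID 5136 on a groupPolicyContainer) followed by the same scheduled task appearing on several hosts (Event ID 4698), and PowerShell script blocks (Event ID 4104) that disable host protections. The event records, field names, time window and thresholds are constructed for illustration.

```python
"""Correlate constructed Windows event records for the GPO -> scheduled task ->
PowerShell defence-tampering chain. All records here are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known PowerShell fragments that switch off host defences (Sigma-style indicators).
TAMPER_PATTERNS = ("Set-MpPreference -DisableRealtimeMonitoring", "vssadmin delete shadows")


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_gpo_task_spread(events, window=timedelta(minutes=30), min_hosts=3):
    """Task names created on >= min_hosts hosts within `window` after any GPO modification."""
    gpo_changes = [parse(e["time"]) for e in events
                   if e["id"] == 5136 and e.get("object_class") == "groupPolicyContainer"]
    tasks = defaultdict(set)  # task name -> hosts on which it appeared after a GPO change
    for e in events:
        if e["id"] != 4698:
            continue
        t = parse(e["time"])
        if any(g <= t <= g + window for g in gpo_changes):
            tasks[e["task_name"]].add(e["host"])
    return {name: sorted(hosts) for name, hosts in tasks.items() if len(hosts) >= min_hosts}


def find_defense_tampering(events):
    """(host, pattern) pairs for script block events (4104) matching a tamper indicator."""
    hits = []
    for e in events:
        if e["id"] == 4104:
            for p in TAMPER_PATTERNS:
                if p.lower() in e["script"].lower():
                    hits.append((e["host"], p))
    return hits


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"id": 5136, "time": "2022-06-13T17:37:00", "host": "DC01", "object_class": "groupPolicyContainer"},
    {"id": 4698, "time": "2022-06-13T17:40:10", "host": "WS01", "task_name": "Update"},
    {"id": 4698, "time": "2022-06-13T17:40:12", "host": "WS02", "task_name": "Update"},
    {"id": 4698, "time": "2022-06-13T17:40:15", "host": "SRV03", "task_name": "Update"},
    {"id": 4698, "time": "2022-06-13T09:00:00", "host": "WS09", "task_name": "Backup"},  # before the GPO change
    {"id": 4104, "time": "2022-06-13T17:41:00", "host": "WS01",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    print(find_gpo_task_spread(SAMPLE_EVENTS))    # {'Update': ['SRV03', 'WS01', 'WS02']}
    print(find_defense_tampering(SAMPLE_EVENTS))  # [('WS01', 'Set-MpPreference -DisableRealtimeMonitoring')]
```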
Of course, in its ransomware advisory the FBI strongly discourages paying ransoms to attackers, but it also understands the data-protection difficulties that lead companies to pay.
Evolution of the attack on the University of Pisa
The University of Pisa is going through moments of great difficulty as the deadline for the initial ransom of $4.5 million is about to expire. In the coming days, the demand for getting the data back could even rise to 5 million. At the moment, no official communications have been released by the institution, even though the attribution of the attack seems credible. In fact, the gang has claimed to possess employee and student data through some screenshots disseminated on the dark web.
Initial sources speak of about 54 GB of data stolen from the University, including sensitive information on many students and passwords in clear text. If confirmed, the impact could be enormous for everyone involved in the University's data leak.
There are many mitigation actions, starting with activities aimed at end users to increase their awareness of the issue and the related risks. Furthermore, at the system level it is always good to segregate environments as much as possible and apply the principle of least privilege. These choices, while difficult to make on systems designed differently in the past, can save companies from the lateral movement of this malware. In fact, the main objective of this attack is to encrypt any data it can find, and to do so it will try to move and replicate itself across all reachable systems.
We will continue to monitor the University's very delicate situation, hoping that no further particularly negative news is published.
The article "New ransomware attack: huge ransom requested at the University of Pisa" was published on Tech CuE | Close-up Engineering.