Ransomware Attack Disrupts WSU Tech: 10GB Data Leaked by Fog Group
Ransomware Attack on Wichita State University Campus of Applied Sciences and Technology by Fog Group
Overview of the Victim
Wichita State University Campus of Applied Sciences and Technology, commonly known as WSU Tech, is a public community college located in Wichita, Kansas. The institution, previously known as Wichita Area Technical College, became affiliated with Wichita State University in 2018. WSU Tech operates multiple campuses in the Wichita metropolitan area, with its primary campus being the National Center for Aviation Training. The college offers over 100 degree and certificate programs across various fields, including business, healthcare, engineering, and technology. WSU Tech is particularly noted for its focus on applied sciences and technical education, providing students with practical skills that are directly applicable in the workforce.
Attack Details
The ransomware attack on WSU Tech was discovered on July 23, 2024, and has resulted in a data leak of approximately 10GB. The institution is currently assessing the extent of the breach and working on mitigation strategies to secure its systems and protect sensitive information. The attack has disrupted the college's operations, affecting both students and faculty. The ransomware group Fog has claimed responsibility for the attack via their dark web leak site.
About the Ransomware Group
Fog ransomware is a malicious software variant that emerged in November 2021, primarily targeting Windows systems. It is known for encrypting files and appending the extensions ".FOG" or ".FLOCKED" to the affected filenames. The ransomware drops a ransom note named "readme.txt" or "HELP_YOUR_FILES.HTML," informing victims that their files have been encrypted and urging them to contact the attackers for file recovery. Fog ransomware has been particularly disruptive, with a significant focus on the education sector, where 80% of its victims are located.
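The file indicators named above can be turned into a simple triage check over file-creation events. This is an added example, not code from the original article or from Halcyon; the event format, host names, paths and the `min_renamed` threshold are constructed assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the article text above.
ENCRYPTED_EXTS = {".fog", ".flocked"}
NOTE_NAMES = {"readme.txt", "help_your_files.html"}

# Constructed sample (host, path) file-creation events; not real telemetry.
SAMPLE_EVENTS = [
    ("FS01", r"D:\Shares\Finance\budget.xlsx.FOG"),
    ("FS01", r"D:\Shares\Finance\payroll.docx.flocked"),
    ("FS01", r"D:\Shares\Finance\plan.pdf.FOG"),
    ("FS01", r"D:\Shares\Finance\readme.txt"),
    ("DEV02", r"C:\src\project\readme.txt"),   # benign: common file name
    ("DEV02", r"C:\src\project\main.py"),
    ("HV03", r"E:\VMs\web01.vmdk.FOG"),
    ("HV03", r"E:\VMs\db01.vmdk.FOG"),
    ("HV03", r"E:\VMs\app01.vmdk.FOG"),
]

def triage(events, min_renamed=3):
    """Score each host: 'high' = many renamed files plus a ransom note in the
    same directory, 'medium' = many renamed files only, 'none' otherwise."""
    counts = defaultdict(int)        # host -> files with a Fog extension
    renamed_dirs = defaultdict(set)  # host -> directories holding such files
    note_dirs = defaultdict(set)     # host -> directories holding a note name
    for host, path in events:
        p = PureWindowsPath(path)
        parent = str(p.parent).lower()
        if p.suffix.lower() in ENCRYPTED_EXTS:
            counts[host] += 1
            renamed_dirs[host].add(parent)
        elif p.name.lower() in NOTE_NAMES:
            note_dirs[host].add(parent)
    report = {}
    for host in set(counts) | set(note_dirs):
        # "readme.txt" alone is far too common to alert on, so a note only
        # counts when encrypted-extension files sit in the same directory.
        corroborated = sorted(note_dirs[host] & renamed_dirs[host])
        mass = counts[host] >= min_renamed
        severity = "high" if mass and corroborated else "medium" if mass else "none"
        report[host] = {"renamed": counts[host], "note_dirs": corroborated,
                        "severity": severity}
    return report

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result)
```

A bare "readme.txt" on a developer machine scores "none", while a host with many renamed files but no note still scores "medium", since encryption may be seen before a note is written or logged.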
Penetration and Impact
Attackers typically gain access to systems by using compromised VPN credentials, involving VPN products from two different vendors, which gives them remote access to the network. Once inside, Fog ransomware can disable Windows Defender, encrypt Virtual Machine Disk (VMDK) files, delete backups from Veeam, and remove volume shadow copies, making recovery extremely difficult. There is currently no known decryptor for Fog ransomware, and paying the ransom does not guarantee file restoration. The ransom demands are usually made in Bitcoin, and the threat actors may provide a link and a code for communication within the ransom note.
Vulnerabilities and Targeting
WSU Tech's focus on applied sciences and technical education makes it a valuable target for ransomware groups like Fog. The institution's reliance on digital infrastructure for educational delivery and administrative functions increases its vulnerability to cyberattacks. Additionally, the open admissions policy and diverse student body may contribute to a broader attack surface, making it easier for threat actors to exploit potential weaknesses in the system.