Ransomware Attack on NJCU by Rhysida Group: Key Details
Overview of New Jersey City University
New Jersey City University (NJCU) is a public university located in Jersey City, New Jersey. Established in 1927, NJCU serves over 8,500 students and offers a wide range of undergraduate and graduate programs, including two doctoral programs. The university is known for its commitment to equity-driven education and strong ties to the local community. NJCU provides a comprehensive college experience that extends beyond academics, focusing on holistic student development and engagement.
Details of the Ransomware Attack
Between June 4 and June 10, NJCU fell victim to a ransomware attack carried out by the Rhysida Ransomware Group. The attackers demanded a ransom of $700,000 in Bitcoin, with a payment deadline of August 3. The breach compromised sensitive information, including Social Security numbers, driver's license numbers, and financial account details. NJCU did not notify its students and staff until nearly seven weeks after the attack. Upon discovering the unauthorized access, NJCU reported the incident to law enforcement and began securing its network and assessing the breach's impact.
About the Rhysida Ransomware Group
The Rhysida Ransomware Group is a relatively new entrant in the cybercrime arena, first sighted in May 2023. The group primarily targets the education, healthcare, manufacturing, information technology, and government sectors. Rhysida ransomware is written in C++ and targets the Windows operating system. The group employs double extortion: it steals data before encrypting it and threatens to publish the stolen data on the dark web unless the ransom is paid. Rhysida encrypts files with the ChaCha20 algorithm and drops ransom notes as PDF documents named “CriticalBreachDetected.pdf”.
Potential Vulnerabilities and Penetration Methods
Rhysida typically gains initial access through phishing campaigns and by using valid credentials to connect to the victim's network over VPN. Once inside, the group runs built-in net commands and tools such as Advanced IP/Port Scanner to gather information about the domain, and uses Sysinternals tools such as PsExec for lateral movement. NJCU's delay in notifying affected individuals and potential gaps in its cybersecurity measures may have contributed to the success of the attack.
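As an added example that is not part of the original article or of Halcyon's products, the following Python sketch shows how a defender could flag the discovery-then-lateral-movement sequence described above (net commands, Advanced IP/Port Scanner, PsExec) together with the ransom note file name in host telemetry. The log line format, host names and indicator regexes are constructed assumptions, not real Rhysida artifacts beyond the names the article gives.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the NJCU incident). Each line is
# "<host>|<event type>|<detail>", loosely modelled on Windows process-creation,
# service-install and file-creation events.
SAMPLE_LOGS = [
    "ws-12|ProcessCreate|C:\\Windows\\System32\\net.exe group \"Domain Admins\" /domain",
    "ws-12|ProcessCreate|C:\\Users\\jdoe\\Downloads\\Advanced_IP_Scanner.exe",
    "ws-12|ProcessCreate|C:\\Tools\\PsExec.exe \\\\fs-01 -s cmd.exe",
    "fs-01|ServiceInstall|PSEXESVC C:\\Windows\\PSEXESVC.exe",
    "fs-01|FileCreate|C:\\Shares\\Finance\\CriticalBreachDetected.pdf",
    "ws-07|ProcessCreate|C:\\Program Files\\Office\\WINWORD.EXE report.docx",
]

# Indicator name -> (regex applied to the detail field, attack stage label).
# The regexes are assumptions chosen to match the tools named in the article.
INDICATORS = {
    "discovery_net": (r"\\net1?\.exe\s+(group|user|view|localgroup)", "discovery"),
    "discovery_scanner": (r"advanced[_ ]?(ip|port)[_ ]?scanner", "discovery"),
    "lateral_psexec": (r"psexec(\.exe)?\s", "lateral_movement"),
    "lateral_psexesvc": (r"\bPSEXESVC\b", "lateral_movement"),   # service PsExec installs on the target
    "ransom_note": (r"CriticalBreachDetected\.pdf", "impact"),
}


def scan_logs(lines):
    """Return {host: {stage: [indicator names]}} for every line hitting an indicator."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        host, _event, detail = line.split("|", 2)
        for name, (pattern, stage) in INDICATORS.items():
            if re.search(pattern, detail, re.IGNORECASE):
                hits[host][stage].append(name)
    return {host: dict(stages) for host, stages in hits.items()}


def hosts_with_chain(hits):
    """Hosts showing discovery followed by lateral movement on the same machine.

    A single net.exe call is noisy in most environments; the combination is the
    pattern the article attributes to Rhysida and deserves a higher-severity alert.
    """
    return sorted(h for h, s in hits.items() if "discovery" in s and "lateral_movement" in s)
```

Running `hosts_with_chain(scan_logs(SAMPLE_LOGS))` on the constructed lines singles out ws-12, while fs-01 surfaces separately through the PSEXESVC install and the ransom note.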