University of Manchester

Ransomware attackers email bemused students as leverage for a payout

The University of Manchester has fallen victim to a ransomware gang, who are currently applying an interesting twist to their attack. Blackmail and pressure are two ways to extract funds from potential victims. We see this in sextortion cases, as well as in social engineering. Here, the fraudsters are directly mailing affected students in an effort to exert more pressure on the University of Manchester to pay up.

The incident, first discovered on June 6th, involved the likely theft of data by an unauthorised party. Bleeping Computer says it was informed by sources that the attack was ransomware.

The University has not confirmed if ransomware was used specifically, or if the attackers were only interested in stealing data. At time of writing, its cyber incident update page still makes no mention of it:

During the week commencing 6 June, we found out that the University is the victim of a cyber incident. It has been confirmed that some of our systems have been accessed by an unauthorised party and data has likely been copied.

Our in-house experts and external support are working around-the-clock to resolve this incident, and to understand what data has been accessed.

While there are several sets of detailed instruction and information available to students in need of guidance, the threat of data leakage has been hanging over the incident since day one. Sadly, we seem to be at that point now and the University is not playing ball with the attacker’s demands.

As a result, emails like the below are being sent to students:

We have stolen 7TB of data, including confidential personal information from students and staff, research data, medical data, police reports, drug test results, databases, HR documents, finance documents, and more. The administration is fully aware of the situation had had been in discussion with us for over a week. They, however, value money about the privacy and security of their students and employees. They do not care about you or that ALL of your personal  information and research work will soon be sold/or made public!

The mail then goes on to list several professors, as well as stating that this is the last warning people from the University will receive.

The aim here is to cause a mass panic of angry students demanding that the University pays up. It’s certainly a bold strategy. It’s also very likely to fail. However, ransom success is probably not the aim of the game here. This feels much more like a scorched earth approach.

You won’t pay up? Fine. We’ll cause some chaos on your campus instead.

I have to say, I don’t think this approach will work either despite the (understandably) aggrieved tweets from some students.

As Bleeping Computer notes, no group has claimed responsibility for this attack yet. If the threats are genuine, you should expect to see the data dump uploaded to a site with a countdown timer at some point. Then we’ll know for sure who is behind it.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.



Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.