Rhysida Ransomware Gang Demands £450,000 from University After Attack

The ransomware gang Rysida has stolen sensitive data allegedly belonging to the University of West Scotland (UWS) and has put it up for auction on its dark web portal.

The group is demanding that the university pay 20 bitcoin (£452,640 / $582,685) for the confidential data and warned that no payment will mean it will be sold to the highest bidder. 

It comes after UWS admitted to experiencing issues with its systems earlier this month in what it called a “cyber incident” at the time. 

Police were first alerted of the incident on July 6 when the university’s website went down and an error message apologised for “inconvenience”. 

UWS then enlisted the help of the National Cybersecurity Centre (NCSC) as well as the Scottish government to deal with the incident.

A spokesperson for the university told BBC Scotland at the time that it was “experiencing an ongoing cyber incident which is currently affecting a number of digital systems”.

"An investigation is underway following a report of a cyber incident in Paisley. The matter was reported to police on 3 July 2023 and inquiries are ongoing, said A police spokeswoman said.

Rhysida strikes again

No criminal group initially came forward to claim responsibility for the attack, but yesterday Rhysida said it was behind the breach and began auctioning off the data.

The fact that the UWS data has now been posted to the gang’s blog suggests that it likely chose not to pay a ransom, in line with guidelines posted on the NCSC’s website. 

Ransomware gangs will often threaten to publish or sell sensitive data, stolen from a victim, to the dark web to pressure them into paying, alongside offering to supply a decryption key for their encrypted systems. This is called double extortion.

#Rhysida has listed the University of the West of Scotland. #ransomware pic.twitter.com/MnpQ591C9q

— Brett Callow (@BrettCallow) July 26, 2023

Deriving its name from a species of millipede, Rhysida was first discovered in May when it launched a series of attacks on the Chilean Army, along with multiple global organisations across public and private sectors around the world. 

The cybersecurity company Sentinel One said the hacking group is positioning itself as a “cybersecurity team” that is supposedly helping its victims by identifying flaws in their online security. 

The cybersecurity firm believes that Rhysida's attacks are not targeted, deploying attacks on organisations from all sectors and countries around the world. 

University Data Under Attack

The Rhysida ransomware attack is just one of the latest cyber incidents targeting educational institutions across the UK. 

In June this year, an attack on the University of Manchester exposed the data of over 1 million NHS patients, allowing hackers to copy data from the university's systems dating back to 2012. 

Meanwhile, in May, Wymondham College the UK’s largest state boarding school, was hit by a “sophisticated cyberattack” impacting several of the college’s systems, including access to files and resources. 

According to this year’s National Cyber Security Centre (NCSC) and National Grid for Learning (LGfL) report, the education sector is topping hackers’ shopping lists, with over three-quarters of UK schools falling victim to at least one type of cyber incident over the past twelve months. 

The NCSC found that higher education institutions like universities are more severely impacted by cyber-attacks than schools, urging them to stay vigilant as hackers hit the classroom. 

“Educational institutions are frequently targeted by cybercriminals as they regularly collect and store huge amounts of highly sensitive, confidential, and regulated information,” said Simon Bain, founder and CEO of OmniIndex. 

“Considering the sheer volume of phishing and ransomware attacks facing educational institutions, any measures that can be taken to secure data further and protect their organisations will go a long way in deterring attackers.” 

“With this comes huge risks and privacy concerns. The potential consequences of such an attack mean that proactivity is invaluable,” Bain added.