Newcastle University has come under attack from cyber criminals who are threatening to expose personal data of students and staff unless a ransom is paid.
The attackers, thought to be the DoppelPaymer cybercrime group, initially attacked the university's systems on 30th August, locking files across the entire network, except for cloud services such as O365 and Zoom.
Data from the university's systems was first exfiltrated then encrypted, a tactic which increases the criminals' leverage in negotiations over payment.
The university's payment portal is a third-party service, the university says, meaning that it's unlikely that payroll data has been affected.
The university says it has reported the incident to the police, the police and the National Crime Agency and the ICO.
On its website it says the issue is ongoing and "could take a number of weeks to address". Students and departments are advised to copy data onto local storage or the dedicated OneDrive service where this is possible, as systems may need to be temporarily taken down.
The university does not speculate publicly on the identity of the attackers, but the DoppelPayment group has claimed responsibility and posted a small sample of stolen data online as evidence.
The group generally attacks large enterprises using phishing techniques to gain entry to networks before deploying ransomware. In November 2019, it was implicated in an attack on Mexican oil giant Pemex, from which it demanded $5 million in ransom. It is also reported to have links with the gang behind Dridex and Magecart group five, which has been behind several attacks on ecommerce websites payment pages.
Newcastle University is not the only such establishment in the city to come under attack. Nearby Northumbria University was also hit at the end of August. In a message to students posted on its website, Peter Francis, deputy vice-chancellor, says "We have been experiencing an ongoing IT issue which has caused significant operational disruption to the University."
It is not known whether the two attacks are linked.
Northumbria University has temporarily switched off some of its services such as Student Portal, Blackboard and other online platforms.
The incidents come as universities prepare to welcome students back after a long absence due to the pandemic. For most students, term starts on 21st September.
The group has a history of abusing the Know Your Customer (KYC) regulations to target financial technology firms
The flaw could have allowed attackers to access private conversations, channels, passwords, keys and tokens, and various functions within the app
The primary aim of the campaign is to fund the North Korean government
More than 1,200 iOS apps use Mintegral's malicious SDK
The Lucifer malware infects machines and forms a botnet to mine cryptocurrency