[BreachExchange] Hackers begin publishing stolen documents after Michigan State refuses to pay ransom

Destry Winant destry at riskbasedsecurity.com
Mon Jun 8 10:24:53 EDT 2020


EAST LANSING — A hacker began publishing stolen Michigan State
University financial documents and personal information this week,
shortly after MSU refused to pay a ransom.

The documents were published Wednesday or Thursday, according to
screenshots provided by Brett Callow, a threat analyst with the
anti-malware company Emsisoft. The screenshots show 3.2 gigabytes of
information have been published with more coming "soon" in a second

A sampling of some of the information published includes a student's
passport, an MSU letter from 2014 offering someone a postdoctoral
research associate appointment and a receipt from a pizza order,
according to information provided by Callow.

He noted that hackers in ransomware events typically post older and
less-sensitive information first, giving the organization more
incentive to pay the ransom to prevent the more sensitive information
from being published.

MSU suffered a ransomware attack on Memorial Day. A hacker raided
Department of Physics and Astronomy servers and demanded an
unspecified ransom with a countdown clock that suggested the
information would be published if the bounty wasn't paid by Wednesday,
the same day MSU officials announced they would not be paying the

"We are aware of the release of documents by those who attacked our
servers and workstations and are scouring the information to identify
anyone who may be impacted and provide them with the appropriate
resources," said MSU spokesperson Dan Olsen, in an emailed statement.
"While it remains that this was an isolated incident that only
affected one department on campus, we recognize that any intrusion
causes concern.

"Prior to the public release of some of these files, MSU began
providing information to those we believe may have been impacted by
this intrusion on ways to protect themselves from identity theft. We
will continue to review the files we know were compromised and work
diligently to identify and immediately update any additional people we
believe may be impacted."

The breached servers and workstations went offline soon after the
breach to avoid further exposure, according to Olsen.
