Ransomware group targets universities in Maryland, California in new data leaks


The Clop ransomware group has posted financial documents and passport information allegedly belonging to the University of Maryland and the University of California online. 

On March 29, the threat actors began publishing screenshots of data allegedly stolen from the US educational institutes. 

These screenshots, including records that allegedly belong to the University of Maryland, Baltimore, show a federal tax document, requests for tuition remission paperwork, an application for the Board of Nursing, passports, and tax summary documents.

The leaked data snapshots exposed sensitive information including the photos and names of individuals, home addresses, Social Security numbers, immigration status, dates of birth, and passport numbers.

Sensitive information has been redacted in the screenshots below.


The University of California, Merced, also appears to have been subject to the same group’s tactics. 

Screenshots published by the group, viewed by ZDNet via Kela’s threat intelligence suite Darkbeast, include lists of individuals and their Social Security numbers, retirement documentation, and 2019/2020 benefit adjustment requests.

In addition, the leaked data appears to include late enrollment benefit application forms for employees and UCPath Blue Shield health savings plan enrollment requests. 


Clop has been linked to a string of cyberattacks against businesses. Clop is one of many threat groups that will employ a ‘double-extortion’ tactic, in which ransomware may be deployed on a compromised machine first, and then the cybercriminals threaten to make corporate or sensitive stolen datasets public on a leak site unless blackmail demands are met.

Earlier this month, the group leaked data allegedly belonging to the universities of Miami and Colorado. 

On the same day, records allegedly belonging to Shell were also posted online. The oil giant revealed that a cyberattack had occurred through the compromise of Accellion FTA servers earlier this month.

On March 22, the REvil ransomware group published what appears to be financial data from tech giant Acer following a ransomware incident. Acer was subject to a $50 million ransom demand; it is not known whether any of it was paid. The company did not confirm that a ransomware attack occurred but did say that IT “abnormalities” had been discovered.

Update 14.20 BST: The University of Maryland, College Park, said the leaked sample files shared appear to relate to the Baltimore campus, UMB, rather than UMD, as listed. 

ZDNet has reached out to the universities and we will update when we hear back. 
