The Hawaiʻi Community College has admitted that it paid a ransom to ransomware actors to prevent the leaking of stolen data of approximately 28,000 people.
Hawaiʻi Community College is an accredited public community college operating two campuses on the island of Hawaii and is part of the University of Hawai’i (UH), which has over 50,000 students.
On June 19th, 2023, the relatively new NoEscape ransomware gang listed UH on its extortion portal, threatening to publish 65 GB of stolen data in a week if a ransom was not paid.
A day later, the College confirmed they suffered a ransomware attack on June 13th, 2023, warning students and faculty that they shut down IT systems to prevent the spread of the malware.
As UH explained in the relevant announcement published on Wednesday, it carefully considered all options and decided to pay the cybercriminals to protect the personal data of thousands of its students.
“After determining that the compromised data most likely contained personal information of approximately 28,000 individuals, the University of Hawaiʻi made the difficult decision to negotiate with the threat actors in order to protect the individuals whose sensitive information might have been compromised,” explained UH in a public statement earlier this week.
The university further explains that one element that played a key role in its decision was that the hackers responsible for the attack, NoEscape, are known to leak the personal data of individuals stolen from breached networks if a ransom demand is not paid.
“Working with an external team of cybersecurity experts, UH reached an agreement with the threat actors to destroy all of the information it illegally obtained,” continued the UH announcement.
After a ransom payment was made, the ransomware gang removed the University of Hawai’i entry from their data leak site, which is commonly done after paying the extortion demand.
Meanwhile, the restoration of the damaged IT infrastructure is still underway, likely now supported by a decryption key provided by NoEscape, and is expected to be completed by August 14th, 2023.
All 28,000 students and staff impacted by the attack will receive notification letters with enclosed instructions on enrolling in credit monitoring and identity theft protection services through Experian.
Finally, to prevent similar attacks from occurring in the future, UH is working with all ten campuses and their IT system administrators to plug potential vulnerabilities and implement additional security measures.
Unfortunately, paying a ransom to prevent the leak of data does not always go as planned.
In the past, threat actors have promised to destroy data but have not kept their word, continuing to extort the victims or releasing the data.
While there is no history of the NoEscape operation doing this, all students and faculty must act under the assumption that their data was exposed and react accordingly.
Depending on what data was released, this could mean monitoring credit reports for identity theft, changing passwords on sensitive accounts, or being more diligent when opening suspicious emails.
Who is NoEscape?
The NoEscape ransomware operation is a new project launched last month, targeting Windows, Linux, and VMware ESXi servers and performing double-extortion on victims.
BleepingComputer has learned that the threat actors have demanded ransoms as high as $10 million, but the amount UH paid has not yet been made known.
Ransomware analyst Michael Gillespie has found extensive similarities between the NoEscape and Avaddon encryptors, a RaaS operation that abruptly shut down operations in the summer of 2021 following raised attention from law enforcement.
This is a strong sign that NoEscape may be a rebrand of Avaddon, created by the core team of the now-defunct ransomware operation.