2023 Hawaii Community College Ransomware Attack Forensic Analysis

By Kevin Lanier on April 11, 2025

Executive Summary

On June 19th, 2023, Hawaii Community College suffered a ransomware attack carried out by a group known as “NoEscape.” Although data belonging to 28,000 people was stolen, the college swiftly took its network offline to prevent the spread of the ransomware. To protect the data of the individuals affected, the attacker’s ransom was paid. The college collaborated with federal authorities and external cybersecurity professionals to assess the breach, contain the threat, and develop a remediation plan. The University of Hawaii also increased scanning and monitoring across its campuses and deployed additional security technologies to better protect servers and networks against future cyber threats.

Background

NoEscape is a ransomware group that formed in May 2023. The group is believed to be a rebranding of the now-defunct Avaddon ransomware group, which ceased operations in 2021. It is also believed to be of Russian origin, since it avoids targeting organizations in Commonwealth of Independent States countries, as many ransomware groups that operate out of Russia do [4]. The threat actors use a mix of tactics, some common among ransomware groups and some distinctive. NoEscape maintains a Tor-based platform where it lists victims and their stolen data, a common tactic among modern ransomware groups for putting pressure on the victim. Beyond the standard double extortion methods of encrypting data and threatening to release it, NoEscape adds pressure by launching additional attacks, such as Distributed Denial of Service (DDoS), against the victim [3].

Impact

NoEscape’s ransomware attack had several significant impacts on Hawaii Community College. The attack led to data from 28,000 students and staff being stolen, such as names, Social Security numbers and financial aid information. The cybersecurity experts and law enforcement who were consulted were unable to take down NoEscape’s data leak site, because the inherent design of Tor presents significant challenges. Tor provides anonymity by routing traffic through a decentralized network of relays, concealing users’ identities and server locations. This decentralization means there’s no central authority to target for shutdown, making it difficult for law enforcement agencies to trace and arrest these cybercriminals [2]. Ultimately, Hawaii Community College paid a ransom in the low six-figure range, specifically less than $250,000, in an attempt to prevent the public release of sensitive data compromised during the ransomware attack [5].

Mitigation

Hawaii Community College consulted with professionals and paid the attackers to reduce the likelihood of the stolen data being leaked. The institution also sent notification letters to all the victims of the data breach with instructions on how to enroll in credit monitoring and identity theft protection services, in order to mitigate and potentially prevent further damage [7]. The University of Hawaii system responded to the incident by increasing network monitoring across its campuses and adopting “additional security technologies” to better protect its servers from future cyber attacks [8]. As of October 2023, the University of Hawaii system requires Duo, a multifactor authentication application, to access user accounts. The technology has been available since 2013, and users are no longer permitted to bypass it [1]. Although these measures may provide defense against future attacks, earlier implementation would have been ideal, as the technology was already available.

Relevance

Ransomware attacks have been increasing over the years, and it’s crucial that organizations take steps to mitigate the risk proactively instead of reactively. According to a report by Searchlight Cyber, the number of active ransomware groups in the first half of 2024 increased by 56% compared to the same period in 2023 [6]. It’s more important than ever to ensure that proper cyber hygiene is being exercised. Users must be trained to use caution before clicking unfamiliar links or opening unfamiliar attachments that could spread malware. Corporations should ensure that their security measures are up to date, as viruses have the potential to be more destructive and harder to detect due to advancements such as Ransomware 3.0. In the event of an attack, organizations need to ensure that victims are informed of the damage so they can take steps to protect themselves against future harm.

References

[1] Arbor, A. (2013, February 19). Duo Security Launches World’s Most Secure Mobile ID. Duo. https://duo.com/resources/news-and-press/releases/duo-security-launches-worlds-most-secure-mobile-id

[2] Corsa, D. (2024, May 17). What Is the Dark Web? Everything You Need to Know. Compass IT Compliance. https://www.compassitc.com/blog/what-is-the-dark-web-everything-you-need-to-know

[3] Cyble Research & Intelligence Labs. (2023, June 1). ‘NoEscape’ Ransomware-as-a-Service (RaaS). Cyble. https://cyble.com/blog/noescape-ransomware-as-a-service-raas/

[4] Farghly, A. (2024, May 10). Unveiling NoEscape Ransomware: A Deep Dive into Its Tactics and Defenses. Aziz Farghly’s Blog. https://farghlymal.github.io/NoEscape-Ransomware-Analysis/

[5] KHON2 News. (2023, July 26). 28,000 Affected by UH Cyber Attack. KHON2. https://www.khon2.com/hawaii-crime/28000-affected-by-uh-cyber-attack/

[6] Searchlight Cyber. (2024, September). Ransomware in H1 2024: Trends from the Dark Web. Searchlight Cyber. https://slcyber.io/wp-content/uploads/2024/09/Ransomware-In-H1-2024-Report-Searchlight-Cyber.pdf

[7] Toulas, B. (2023, July 28). Hawai’i Community College Pays Ransomware Gang to Prevent Data Leak. BleepingComputer. https://www.bleepingcomputer.com/news/security/hawaii-community-college-pays-ransomware-gang-to-prevent-data-leak/

[8] University of Hawaiʻi News. (2023, July 26). Hawaiʻi CC Cyber Attack Resolved. University of Hawaiʻi System News. https://www.hawaii.edu/news/2023/07/26/hawaii-cc-cyber-attack-resolved/