Story by Campus Echo editors Mesa Jones and Chris Frazier.
According to an unidentified source, there is evidence that the ransomware that caused the Nov. 12 cyberintrusion which forced N.C. Central University’s services to shut down was developed by a group named Rhysida.
That group then leases out the ransomware software to other bad actors who then send out the phishing emails and — if successful — extortions. Operating in that manner makes Rhysida a ransomware-as-a-service (RaaS) operation.
NCCU Chief Information Officer Joel Faison confirmed that Rhysida was the ransomware variant used.
The ransomware group is named after Rhysida, a type of centipede. The insect has many legs that can branch into different directions. And the ransomware fits that bill, it does exactly that. Different operators send harmful phishing attempts to lure in victims.
According to Bruce dePyssler, faculty advisor to the Campus Echo, one phishing attempt he recently deleted, claimed that NCCU faculty had received across-the-board raises. The email reader was then invited to click on a link for more information on their raise.
Once access to an institution’s network is gained, the ransomware works its way into the institutions existing software to compromise educational, manufacturing, information technology, medical, and government sectors. This is called a “living-on-the-land” technique whose goal is to evade detection.
The Rhysida group, believed to be operating out of Russia, was first identified as a threat in May 2023 and since then, have claimed at least 50 known victims, including the British Library, Chilean Army, Prospect Medical Holdings, and the King Edward Vll Hospital. After attack on King Edward, the attackers threatened to unveil the royal family’s private medical records.
The Rhysida group is thought to have emerged from the declining presence of Vice Society, another known ransomware group, who have been prevalent since 2021. Vice Society, a Russian-based group, was known for attacking the education sector with phishing emails and similar living-off-the-land techniques.
The NCCU breach occurred despite NCCU effort to train faculty, staff, and students using a partnership with KnowBe4. Implemented in Sept. 2022, KnowBe4 sends phishing emails that lure the email user to provide information. Once clicked, the user is then notified that this could have been a real phishing attempt. This is designed to train individuals to only open emails from known sources.
According to Faison, KnowBe4 continues to be an educational tool for the nest.
“Before the intrusion, we were sending out simulators once a month,” Faison said. “It’s about progressing and getting better at detecting phishing emails.”
This week, the re-imaging process made its way to the Farrison-Newton and Mary-Townes buildings. The new Student Center, which will hold viewings of the upcoming graduation ceremonies, was completed late Tuesday.
Faison said that the initial re-imaging schedule has been flexible since IT technicians have to account for the variety of computers across campus.
“Some computers can be re-imaged in ten minutes, but older computers may take longer,” he said.
Regarding NCCU’s recovery, complete restoration and re-imaging are two different phases. Restoration operationalizes NCCU applications, while re-imaging is a clean refresh of the computer’s system, allowing it to connect to the ethernet and wireless services.
Faison said that re-imaging throughout the nest should be complete by the start of January. However, students and faculty should expect restoration to continue into the spring semester.
Regarding students’ continued complications with accessing EOL and Canvas, Faison confirmed that those applications are fully functional and recommended that students experiencing challenges contact the IT help desk.
In the meantime, students and faculty accessing EOL can visit the “Cyberintrusion” blog to be updated on the day-to-day timeline. Restoration continues its progress with the Scholarships tab’s return in EOL, and although Faison admits that the cyberattack happened at a tough time, he’s optimistic about the future.
“I believe we will come out better than we were before,” he said.
The situation is ongoing, and the Campus Echo will provide updates when more information is available.