Hackers hijacked a university's emergency system to threaten students and faculty

Bluefield University, a small, private university in Virginia on the border of West Virginia, is among the long and growing list of U.S. institutions hit by ransomware hackers.

Bluefield University in Bluefield, Va.Google Maps

Hackers hijacked a Virginia university’s emergency alerts system this week and, in what appears to be a first, used it to issue threats to students and faculty: The university must pay up or their files would be leaked online.

In a series of messages sent over Bluefield University’s RamAlert, which sends text messages and emails to students and faculty when there’s a school emergency, hackers pushed university members to put pressure on the school’s president.

“We have admissions data from thousands of students. Your personal information is at risk to be leaked on the darkweb blog,” the alerts said. 

“if we don’t receive payment, full data leak will be published!!!!!!!!” the message added.

Bluefield University, a small, private university on the border of Virginia and West Virginia, is among the long and growing list of U.S. institutions hit by ransomware hackers, who break into computer systems to then encrypt or threaten to leak files if they are not paid. The school learned of the cyberattack on their systems on Sunday, a Bluefield University spokesperson told NBC News.

On Monday, RamAlert sent out the hackers’ screed, telling students that their information would be published if the school didn’t pay a ransom. The messages from the hackers showed up on Bluefield students’ and teachers’ phones and in their emails, saying they had stolen school files and instructing them to pressure the university’s president to pay the hackers.

Bluefield University text threats.Obtained by NBC News

“We don’t normally get alerts unless it’s about something going on, on campus such as shooter drills, classes canceled due to weather,” Michaela Rose, a Bluefield University student who received the hackers’ messages, told NBC News in a Facebook conversation.

“We are all pretty stressed and worried about the situation due to we don’t know exactly all the details and what’s really going on,” she said.

In pursuit of payment, many hacking groups have become more aggressive in pressuring institutions by taking their appeals directly to people whose files are stolen. In at least one instance, hackers who attacked a Tennessee college emailed students directly, threatening them if their school didn’t pay. In another, hackers who accessed extremely sensitive files of schoolchildren in Minneapolis advertised their exploits on Facebook and Twitter.

Ransomware attacks have become a near-constant scourge, targeting schools, companies and government bodies across the U.S. But Bluefield’s hackers appear to be the first to use an emergency alert system to pressure a victim, said Brett Callow, an analyst at the cybersecurity company Emsisoft.

Ransomware hackers tend to use whatever tools are at their disposal to coerce victims, including encrypting their computer files, publishing stolen information on their websites and promoting their crimes.

NBC News is not naming the hacker group. School information was not published on the group’s website as of Wednesday morning, though ransomware gangs frequently publish, remove and republish victims’ data on their sites.

Bluefield is currently advising students and faculty to not send emails from their school accounts. The university spokesperson declined to comment on whether the school was considering paying the hackers.

Ransomware hackers are rarely publicly identified and often live outside of direct reach of U.S. law enforcement. The hacker group named in the text messages sent to Bluefield students and faculty is one that primarily speaks Russian in underground forums, said Allan Liska, a ransomware expert at the cybersecurity company Recorded Future.

Schools, which rarely invest heavily in cybersecurity, are frequent targets for ransomware hackers, even though many don’t have major funds to pay their attackers. Last year, Lincoln College in Illinois became the first American college to shut down after having difficulty bouncing back from a ransomware attack.

At least 44 American colleges and universities were attacked with ransomware last year, said Callow, the Emsisoft analyst.

This week, which is finals week for many schools, the attacks are even more severe. Ransomware groups have named five other American colleges as victims since Monday, Callow said.

Bluefield, which was supposed to begin its finals on Monday, started them on Tuesday instead.