The email went out to students at Knox College, a small liberal arts school in Illinois, on the evening of Dec. 12.
A hacker group known as Hive had broken into the college’s computer system and gained access to student data, a common ransomware tactic. But this group had a new wrinkle for Knox students.
“We have compromised your collage networks,” the email said, written in the kind of broken English common among international ransomware hackers. “The data we have includes your personal information, medical records, psychological assessments, and many other sensitive data.”
“Additionally all of your SSN and Medical records will be put for sale, for every hacker to gain access and use your data in whatever illegal activity they want,” the hackers wrote. “To us, this is a normal business day. For you, its a sad day where everyone will see your personal and private info.”
The incident at Knox College marks the first known case in which hackers used their access to contact students directly in order to intimidate them. It highlights how the ongoing scourge of ransomware — which cost the U.S. an estimated $886 million last year — is also one in which hackers are escalating their efforts to get institutions to pay up. The emails to students were first reported by the Galesburg Register-Mail.
“It’s getting harder and harder to convince victims to pay, so this is the kind of extremes they need to go to,” said Allan Liska, an analyst at the cybersecurity company Recorded Future.
“They’re taking this playbook that they’ve used with other businesses before, where they’ll email partners, they’ll email customers and let them know,” he said. “It’s a continual escalation in the extortion market.”
Criminal hackers who specialize in ransomware — shaking down victims by locking their computers and threatening to leak sensitive files — have run rampant in recent years. Since 2020, such attacks have hit dozens of American colleges and universities each year, according to a survey provided to NBC News by Brett Callow, a ransomware analyst at the cybersecurity firm Emsisoft.
Emsisoft said it had tracked 41 incidents against American colleges and universities so far this year, compared to 26 attacks in 2021.
Those attacks come on top of frequent breaches of hospitals, local governments and businesses.
The ransomware attack on Knox caused significant disruption to the college’s operations. According to emails from school administrators to students that were seen by NBC News, administrators worried about the malicious code spreading, so they initially shut down campus Wi-Fi and phones, encouraging students to travel to the local library to get online. The attack also delayed students learning their grades, as the system for grade submission was offline. All students and faculty with campus-owned computers were instructed to shut them down and keep them offline unless cleared in person by the school’s staff.
Students aren’t panicking, but they are worried that their data could be leaked at any moment.
Alex Marcoullier, a Knox College senior who received the email, said she’d like her personal data taken down but that she doesn’t trust the hackers to keep their word.
“Obviously it would be nice to have it taken down. I don’t like having my personal identifying information up on a website to be sold,” she said. “But if it’s already been sold then what good is that going to do?”
Abigail King, a junior who also received the email, already knew that ransomware hackers had attacked the school because Knox had informed students there was an attack and shut down services like campus Wi-Fi.
“My first assumption was this is fake,” she said. “Then I thought about it more, and I was like, they probably do have people’s information.”
Knox is on its winter break, so students have discussed the attack on Discord and Facebook, King said.
“A lot of people are worried about having info stolen,” she said.
A spokesperson for Knox College said in an emailed statement that the school was working with the FBI to resolve the situation, and that the “restoration of full services and the protection of the data entrusted to us are our top priorities.”
It remains unclear if Knox will pay to keep students’ information private. The school declined further comment.
The hackers’ website lists an entry to download data for Knox College but doesn’t actually lead to any student data.
Callow said that could be intentional: the school may still be negotiating potential payment with the hackers, who want to maximize the threat of releasing student information for leverage.
“I think it’s more likely that Hive is attempting to keep Knox under pressure without actually needing to release any data, as that would weaken their negotiating position,” Callow said. “The college will likely have a response team monitoring the situation, and every empty claim will result in it springing into action — and that ups the costs.”
In some circumstances, educators hit with ransomware are proud to not pay the criminals who extort them. Earlier this year, the Los Angeles Unified School District, the second largest public school district in the country, was attacked by a different ransomware gang. Superintendent Alberto Carvalho was defiant, posting to Facebook that “negotiating with cybercriminals attempting to extort education dollars from our kids, teachers, and staff will never be a justifiable option. LAUSD refuses to pay ransom.”
The LAUSD hackers did, however, counter by exposing private information from the school district. NBC News was able to access student data from the breach on the hackers’ website, like disciplinary reports for individual students. Parents who spoke with The Los Angeles Times were split on whether the district should have paid the hackers.
Marcoullier, the senior, said students are eager for Knox to resolve the situation.
“Everybody’s getting really angry and frustrated with the school, and we’re supposed to go back in a couple weeks,” she said.