Update: KCC Resumes Operations Post-Ransomware AttackCollege Offers MFA, In-Person Password Reset for Staff, Students
Update - May 4, 2022: This story has been updated to reflect that KCC resumed regular functions on Wednesday and to include comments from Stephan Chenette of AttackIQ.
Kellogg Community College, or KCC, which had suspended classes in all its campuses on Monday due to a ransomware attack, has resumed regular functions starting Wednesday, a Tuesday note says.
KCC houses nearly 8,400 students across five campuses in Battle Creek, Albion, Coldwater, Hastings and Fort Custer Industrial Park in Michigan.
The organization's technological issues surfaced on Friday, but it only attributed them to the ransomware attack on Sunday.
KCC Alert: Since our update yesterday, we have learned that the technology issues we have been experiencing were caused by a ransomware attack that continues to affect our systems. We have been working with our IRT experts to resolve the situation as quickly as possible. (1/4)— Kellogg Comm College (@Kellogg_CC) May 2, 2022
While KCC's incident response team investigates the extent of the damage and works to resolve the situation, the management has suspended all classes indefinitely.
"We have been working with our IRT experts to resolve this situation as quickly as possible. As we are investigating this incident, all campuses will remain closed until further notice, and we are canceling classes until we are able to reopen safely," KCC says in a notice published on Monday morning.
In an updated notice on Tuesday, KCC informed its staff and students about the resumption of services.
The notice says, "We have positive news to share! Thanks to the dedicated work of our Information, Research and Technology team, we are proud to announce that all Kellogg Community College operations will be able to resume as usual starting at 8 a.m. tomorrow. While our investigation into this incident continues with the support of independent advisors, we have made great progress in our restoration efforts and these third-party experts have confirmed that our systems are safe and secure to interact with."
As part of an immediate response to the current situation, KCC has implemented additional "security measures to prevent any further unauthorized access" to its network. This, according to KCC, includes a forced password reset for all students, faculty and staff members.
"Additionally, as a precautionary measure, all campuses have been disconnected and our systems will remain offline until they are deemed secure by our IT experts," KCC's notice at the time said. This step may, however, hinder access to college-related services, "including campus emails, online classes, and resources."
Now, due to the progress that KCC has made in system restoration, "all parties who had their passwords reset will be able to set a new password as well as set up multi-factor authentication in order to securely access the Kellogg Community College online system," KCC says.
To help the staff and students perform the password reset and subsequently set up the MFA on their respective accounts, KCC has published a blog post explaining the step-by-step process.
But KCC’s management says that the process works only for those who have updated their contact information, either through the "Update Contact Info" button in Moodle or via the Bruin Portal Contact Information. Otherwise, the person is required to visit the campus and reset the password in person, KCC says.
"For those who would like in-person assistance with this, on-campus support will be available tomorrow, May 4, at the North Avenue campus from 8 a.m. to 8 p.m.," KCC’s notice says.
The incident and the immediate suspension of classes appears to be a cause of concern for students, with exams and the end of the semester fast approaching. "We understand that our students might be concerned about this situation, especially as we are nearing the end of the semester and for many, exams are top of mind. We want to reassure our faculty and students that we will take any actions necessary for students to complete course work in a timely manner," KCC said in the earlier notice.
But in the latest update from KCC’s management, it says, "Given our ability to restore operations and ensure an effective return to campus, we have no anticipation that we will need to extend the semester beyond its current schedule. Regarding delays in completing course work and final exams, your professors will share specific details with you as appropriate."
KCC did not respond to Information Security Media Group's request for details on the identity of the ransomware group or its demands.
Fingers Pointing at BlackCat?
BlackCat, aka Alphv, which is considered to be a rebrand of the DarkSide or BlackMatter ransomware group, has been highly active lately. It is known to have targeted at least three universities, and two of them - the Florida International University, or FIU, and the North Carolina Agricultural and Technical State University - are based in the U.S. (see: Update: What's BlackCat Ransomware Been Up to Recently?).
In a post published on its darknet website, BlackCat claims to have stolen nearly 1.2TB of data and 300GB of SQL databases from FIU. The post says that the stolen data allegedly contained PII of students and staff members, including their Social Security numbers and contacts. But the university, at the time, told ISMG that its preliminary investigation showed no risk to any financial information, Social Security numbers, or information on student performance. Its education process also was not affected.
BlackHat also listed the North Carolina Agricultural and Technical State University on its darknet website. But the ransomware operators did not specify how much data they exfiltrated from the university.
At the time, a spokesperson for NCAT State University told ISMG that its IT services department had shut down various systems to contain the incident immediately after it was notified. "After exhaustive review, multiple investigating agencies have found no current faculty, staff or student data were affected," the spokesperson said at the time.
Educational Institutions Targeted
Noting the surge in ransomware attacks on universities and colleges in recent days, Brett Callow, a threat analyst at Emsisoft, says that BlackCat, or Alphv, has increased its targeting of educational institutions.
According to Callow, at least 10 U.S. universities or colleges and eight school districts, for a total of 214 schools, have been affected by ransomware so far this year. He says data was stolen in at least 11 of the 18 incidents.
Emsisoft, a New-Zealand-based antivirus company, says in its report on the state of ransomware in the U.S. in 2021 that 88 U.S. education sector organizations were affected by ransomware in 2021 - 62 were school districts, and the rest were campuses of 26 colleges and universities. The attacks disrupted learning at 1,043 individual schools, the report says.
Stephan Chenette, co-founder and CTO of cybersecurity firm AttackIQ, tells ISMG that educational institutions continue to be an attractive target for cybercriminals because "they store large amounts of valuable personally identifiable information and often lack critical resources for proper security measures."
Kellogg Community College officials say there are backups in place, which is a good first step, but it is critical for educational organizations to also implement security solutions that scan and monitor the organization-owned and managed assets. Chenette says, "This should include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent and respond to these threats," he adds.
It is important for these organizations to adopt a proactive and threat-informed approach to their security strategy that allows them to effectively thwart ransomware attacks, Chenette says. "To best defend against ransomware, it’s also important to understand the common tactics, techniques and procedures used by the adversary. In doing so, schools and universities can then use automated adversary emulations to verify their defense effectiveness to gain insights about security team performance, enable better security decision-making and lead to an overall improvement in security outcomes."