Scottish university UWS targeted by cyber attackers

Data belonging to the University of the West of Scotland (UWS) has been put up for auction by an extortion cybergang.

The university first said it was facing a "cyber incident" earlier this month and police have been investigating.

Now the ransomware gang Rhysida is demanding 20 bitcoin (£450,000) for the confidential data and says it will be sold to the highest bidder.

UWS said it was a "victim of a cyber crime" and the attack affected a number of digital systems and staff data.

BBC Scotland has learned the incident has affected staff laptops, shut off around half of the university's IT systems, and affected student submissions.

The incident was reported to police on 6 July.

At the time, the university's website was down and an error message apologised for "inconvenience". Some areas of the site have since been restored.

Initially, no criminal group came forward to claim responsibility, but ransomware group known as Rhysida has claimed it was behind the incident and has seemingly tried to use the stolen data to extort the university.

The data advertised on the gang's deep web domain includes personal data belonging to staff such as bank details and national insurance numbers as well as internal university documents.

The BBC can confirm that the group listing is real but has been unable to verify the authenticity of the data.

However, the BBC's cyber correspondent Joe Tidy said it was unlikely to be fake.

"In my experience though there is no reason to suggest they are lying," he said. "These criminal gangs operate on profit and reputation. Perversely, it doesn't serve them to fake stolen data."

A UWS spokesperson said some of the details "remain sensitive" in the ongoing criminal investigation, but they were working closely with the relevant authorities, and "following a controlled process to work towards a resolution".

"The university has been the victim of a cyber crime which has affected a number of digital systems," a statement from the university said. "All appropriate steps continue to be taken to manage the situation.

"We have been briefing colleagues and students since the start of this incident and have advised colleagues that some staff data has been accessed. Staff continue to be contacted directly and provided with information and support."

The Rhysida ransomware group was first observed in May of this year according to the cybersecurity website Sentinel One, external. It has launched attacks on multiple organisations across the world.

Sentinel One said the group positioned itself as a "cybersecurity team" which is doing its victims a favour by targeting their systems and highlighting flaws in their online security.

Brett Callow, a threat analyst for the cybersecurity company Emisoft, said the cyber-gang would probably be hoping the university would pay up.

"Realistically, the data likely doesn't have anywhere near the value Rhysida is placing on it - at least, not to a third-party," he said.

"They'll be hoping the university pays up in order to prevent the information being released onto the dark web and subsequently used by other cybercriminals to commit identity fraud."

UWS has campuses in Paisley, Ayr, Dumfries and Blantyre, as well as London.

At the time of the incident, a UWS spokesperson told BBC Scotland the university was working with police, the National Cyber Security Centre, and the Scottish government to resolve the issue.

The National Cyber Security Centre's website says law enforcement does not encourage, endorse, nor condone the payment of ransom demands.

A police spokeswoman said: "An investigation is under way following a report of a cyber incident in Paisley. The matter was reported to police on 3 July, 2023 and inquiries are ongoing."

A Scottish government spokesperson said they were aware of he UWS "IT security incident".

"Support is being provided to the University by national partners, including the Scottish government," they added. "We are aware that the University of the West of Scotland is currently investigating an IT security incident. Support is being provided to the University by national partners, including the Scottish Government."

Last month, the University of Manchester was targeted by a similar cyber-attack and a number of organisations including the BBC were affected by a separate mass hack.