In recent months, several universities were hit by the Clop ransomware gang. Specialists think all the attacks are linked to the File Transfer Appliance (FTA) software from Accellion, a third-party vendor, which students and staff used to transfer encrypted files.

Staff and students at the University of Maryland had their private information, such as passports, names, addresses, financial information, and Social Security numbers posted online following a ransomware attack in December.

“In late December, CLOP breached the security of our Accellion file transfer system. This system was used by our students, faculty, and staff to transfer encrypted files. We discovered the breach earlier this week when the hackers posted evidence that they had accessed a limited number of files in our system containing some personally identifiable information,” said UMD representative Alex Likowski.


The same ransomware gang also hit the Accellion server used by Stanford Medicine at Stanford University and the University of California.

“UC has learned that it, along with other universities, government agencies, and private companies throughout the country, was recently subject to a cybersecurity attack”, a statement issued by the UC Office of the President reads.

The attackers have also been sending mass emails threatening to disclose data, in an effort to scare people into giving them money.

In February, FireEye security specialists linked a series of cyberattacks against organizations running Accellion File Transfer Appliance (FTA) servers to the cybercrime group UNC2546, aka FIN11; despite that, no systems were encrypted and no networks were compromised.

Clop leak site example


They also issued a joint security advisory about ongoing attacks and extortion attempts targeting organizations that use vulnerable Accellion File Transfer Appliance (FTA) versions.

These are not the only universities hit by the Clop ransomware gang. The University of Colorado and the University of Miami reported that files were accessed in January and included personal data and some health, study, and research data.

Yeshiva University in New York City also reported that student and employee Social Security numbers and financial information were stolen and that some were posted online.

Brown University, a private Ivy League research university, is also still working on bringing systems online after it had to disable them following a cyberattack on Tuesday.

The cyberattacks affected about 300 organizations, including universities, government institutions, and private companies.

The wave of attacks began in mid-December 2020, when threat actors exploited multiple zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software to install a shell dubbed DEWMODE on the targeted networks.

Although it is still uncertain whether Clop ransomware is behind these Accellion cyberattacks or whether it collaborates with another group, Accellion released a statement in March declaring that it had closed “all known” vulnerabilities and that no new ones had been found.
