Munster Technological University (MTU) is being blackmailed and held to ransom by a group of hackers believed to be based either in Russia or part of the former Soviet Union, the High Court has heard.
The cyberattack on MTU’s IT system, which was detected in recent days, is believed to have been carried out by individuals in a ransomware group known as ALPHV aka BlackCat or Noberus, the court heard.
MTU claims that those suspected of carrying out the attack are understood to be made up of former members of the REvil ransomware group, which was proved to be based in Russia. Last year the group attacked a supplier of Apple.
The court heard that the college received a ransom note demanding what Mr Justice Garrett Simons was told, at a late sitting of the High Court on Friday, was a significant amount of money, failing which the attackers would publish confidential information they claim to have obtained from MTU’s IT system about the university’s staff and students.
MTU will not be paying any ransom, the court heard.
While the college does not know at this stage the full extent of what data BlackCat has obtained, it is very concerned about the attackers’ threat to publish material that may have been taken from the college’s computer system.
If the money is not paid, the attackers have threatened to sell and/or publish confidential information and data about the college’s staff and students allegedly obtained from MTU’s IT system.
The exact figure demanded by the attackers was not disclosed in open court.
As a result, MTU represented by Imogen McGrath SC, with Stephen Walsh BL instructed by Arthur Cox solicitors, obtained an emergency temporary injunction preventing the currently unknown persons behind the attack, and anyone else who has knowledge of the order, from publishing, making available to the public, or sharing any of the university’s confidential material.
The order also requires the defendants or any other person in possession of the confidential data to hand over any such material they may have to MTU.
Seeking the orders Ms McGrath said that the college’s operations and services to its 18,000 students have been significantly disrupted as a result of the attack.
The injunction has been sought in order to protect the personal data of MTU’s students and staff, to prevent BlackCat and anyone else from taking advantage of the breach of its IT system, and to prevent any breach of the property and privacy rights of those whose data may be affected.
Investigations by experts into suspicious activities that were first detected in MTU’s IT system on Sunday February 5th are continuing, counsel said.
However, MTU is concerned that data, including personal data, financial information, confidential and commercially sensitive data relating to its students, employees and third parties may have been accessed and extracted by those behind the attack.
Counsel said that an encrypted ransom note was uncovered by MTU’s IT team. The note contained a link that was followed by the National Cyber Security Centre.
Counsel said that a page on the dark web, a collection of websites that can only be accessed by a specific browser, was located where the ransom demands were outlined.
The demand was placed by BlackCat, and it sought payment of a specific sum by 11.45pm on Friday, February 10th. If the money was not paid, BlackCat threatened to publish the data it claims to have obtained from MTU.
It was clear that the intention of those behind the attack was to “blackmail and extort MTU”, counsel said.
The attackers’ actions to date have caused substantial reputational and financial loss to the college, counsel said.
While nothing has been published to date, MTU was concerned that unless it obtained the order from the High Court there was a serious risk that the material would be published online.
Granting the orders Mr Justice Simons said that he was satisfied this was a case where an injunction should be granted on an ex parte basis, where only one side was present in court.
The judge added that he was further satisfied to make orders allowing MTU’s lawyers to serve notice of the court’s order on the parties believed to be behind the cyberattack via the Darknet page where the ransom note was posted.
The matter will return before the court later this month.