Russian-linked hackers have launched a cyberattack on WNMU

An infamous group of Russian-linked hackers appears to have launched a crippling cyberattack on WNMU.

Searchlight New Mexico
Independent Investigative Journalism

For nearly two weeks, Western New Mexico University's website and digital systems have been held hostage by what officials in internal emails have called the efforts of a foreign hacking group. The university has not publicly addressed the severity of the attack, but documentation obtained by Searchlight New Mexico indicates that an infamous Russian-speaking hacking group is behind the attack and claims to have access to employee payroll data, Social Security numbers and driver's licenses.

"If you refuse to communicate with us and we do not come to an agreement, your data will be reviewed and published on our blog," the ransomware on WNMU employee computers says. "Data includes: Employees personal data, CVs, DL, SSN. Complete network map including credentials for local and remote services. Financial information including clients data, bills, budgets, annual reports."

In an image of an employee's computer shared with Searchlight, a note that threatens to leak the employee's Social Security number, driver's license and the university's complete network map is signed by Qilin, a hacking group that the federal government has accused of running a ransomware-as-a-service operation. Qilin has earned a cutthroat reputation for being willing to go after anyone. Last year, it was accused of being involved in a cyberattack that forced a hospital system to cancel more than 1,000 appointments and operations. Earlier this year, it made headlines for its role in stealing the Social Security numbers and driver's licenses of journalists who work for newspapers owned by Lee Enterprises.

Since April 13, the WNMU website has been inaccessible to the public. Faculty members told Searchlight that they and their students can use digital platforms like Canvas, which are hosted by a third party, but they're unable to use classroom tools that connect to the internet, like printers or projectors.

In an image shared with Searchlight, one employee's laptop screen displayed the same threatening ransomware message whenever they attempted to open a file on their work computer. The message was signed Qilin, and its contents bear the hallmark signs of ransomware, in which hackers hold sensitive data hostage until they receive a ransom payment. Even if they do receive a payment, groups like these may leak the sensitive information anyway.

"We have downloaded compromising and sensitive data from your system/network. Our group cooperates with the mass media. If you refuse to communicate with us and we do not come to an agreement, your data will be reviewed and published on our blog," the message says. "Data includes: Employees personal data, CVs, DL, SSN. Complete network map including credentials for local and remote services. Financial information including clients data, bills, budgets, annual reports."

The note instructs recipients to download a Tor browser, commonly used to access the dark web, and visit a specific site to begin negotiations with the hackers. "You need cipher key/our decrypt software to restore your files. The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions."

On April 25, a Friday payday at WNMU, hourly and student employees said they had not yet received their direct deposits. In an email to employees reviewed by Searchlight, the university said the problem stemmed from an unexpected complication during the file upload process to the bank and said some employees might experience further delays in receiving the payments. "If this delay results in any overdraft fees, the university will reimburse those charges," the email said.

The cyberattack comes at an inopportune time for university leaders, who are working to rebuild trust with the faculty senate, student body, state government and the surrounding Silver City community. Since December, when former university president Joseph Shepard resigned from his post and the governor demanded the resignations of the sitting regents, the campus has been without a permanent leader. New regents have only been on the job since late March and now find themselves leading a university in disarray.

Threats like these have become common enough in local government that in 2022, the U.S. Department of Homeland Security launched the State and Local Cybersecurity Grant Program, the first of its kind, to help upgrade and protect IT networks across the country. It awarded nearly $280 million in grant funding for fiscal year 2024, nearly $4 million of which went to New Mexico, and anticipated awarding $1 billion over four years.

In an email to executive managers on April 14, one day after the attack, Provost and Vice President of Academic Affairs Jack Crocker said WNMU experienced a cyberattack from a foreign hacking group and said the university had the ongoing collective support and assistance of the New Mexico Higher Education Department, the Federal Bureau of Investigation and other university cyber experts "to help us combat the attack."

In an email to Searchlight, Higher Education Department spokesperson Auriella Ortiz said the agency was working closely with the state Department of Information Technology to evaluate the issue.

"WNMU is undertaking a formal investigation to identify the scope of the incident and to facilitate necessary remediation efforts," she wrote. "Our primary objective as state agencies is to support the university in restoring and continuing normal business operations following this incident."

Whether that collective firepower will be enough to combat the hacking group remains to be seen. Qilin has developed a reputation for wreaking havoc wherever it goes. Last year, it was accused of being involved with an attack on a healthcare provider in London that forced hospitals to immediately halt operations. Qilin has been operational since 2022 and operates ransomware as a service, according to a 2024 report from the U.S. Department of Health and Human Services. This allows independent hackers to use its digital tools in exchange for a 15 to 20 percent share of the ransom payments. The 2024 report says that the group's typical demand for ransom is $50,000 to $800,000.

"Actors practice double extortion and operate a data leak site where victims are posted. Victims are directed to communicate with the attackers via dark web portals or encrypted messaging services, ensuring the attackers' anonymity and complicating law enforcement efforts to track interactions," the HHS report says. "Payments are demanded in cryptocurrencies such as Bitcoin or Monero. However, even after payment, there is no guarantee that victims will receive the decryption tools required to recover their data."

Meanwhile, the severity of the situation hasn't come through in the school's public messaging. "While select systems remain offline," a recent WNMU Facebook post said, "key academic and communications platforms continue to be accessible." For nearly two weeks, WNMU's website has been down and employees have had varying degrees of access to their emails. Everything on the university website (minutes and agendas for Board of Regents meetings, campus announcements and calendars of events) has been blocked from public view, and students have had to use alternative login methods to access online homework, lectures and exams.

In public social media posts and emails to students, the university has not blamed a cyberattack or other nefarious activity for leading to the outages. Instead, it has simply said it is working through technical issues. Internal communications, however, show that the situation is more serious than the university's public depictions.

The university has also enlisted the help of private cybersecurity companies. A number of Wi-Fi hotspots have been installed on campus, and students have received instructions on alternative ways to access Canvas, an online coursework program used by universities around the nation.

"In the meantime, the plan is to keep campus open," Crocker wrote in his email to managers. "Face-to-face classes will meet, and alternative access to online/hybrid classes is being created. However, university internet, email, phones and connections outside WNMU are inoperable at this time and must remain so until the issues are resolved. Scheduled events such as the scholarship luncheon, softball games, Cultural Affairs lectures will continue."

While faculty and hourly employees have received different communications from the top, students have seemingly been left in the dark as to the serious nature of the system outage.

In an email to students last week, the university made no mention of a cyberattack. Instead, it told students that "WNMU is currently addressing technical issues affecting access to several key web-based services." It also told students that "protecting your personal data, including your student status, is a top priority."

In a statement Friday, university spokesperson Mario Sanchez said impacted individuals would be notified if their personal information was involved in the attack.

"The university's investigation into this incident is ongoing. If the investigation determines that personal information was involved, impacted individuals will be notified in accordance with applicable law. We understand there was an issue with payroll processing for the current pay period, but our bank has let us know that the issue has been corrected and payroll should be posted today."

Republish our articles for free, online or in print, under a Creative Commons license.

by Joshua Bowling, Searchlight New Mexico, April 25, 2025

Joshua Bowling, Searchlight's criminal justice reporter, spent nearly six years covering local government, the environment and other issues at the Arizona Republic. His accountability reporting exposed unsustainable growth, water scarcity, costly forest management and injustice in a historically Black community that was overrun by industrialization. Raised in the Southwest, he graduated from Arizona State University's Walter Cronkite School of Journalism and Mass Communication.
2 Comments

This is evidence of WNMU IT department incompetence.