Kansas State University is investigating a cybersecurity breach it reported Wednesday. University officials said the breach is affecting multiple online systems.

A private investigator who specializes in negotiating with ransomware hackers said Wednesday that K-State students’ personal information is at risk of being sold.

Kurtis Minder, the founder and CEO of GroupSense, said resolving a conflict with hackers usually results in some form of payment. Minder’s company is not working with K-State on the incident, but he is considered one of the leaders in the field of cybersecurity.

He said even if K-State doesn’t have to pay any fees to the hackers, the university is still going to have a “bad day” at the end of the attack.

“In some cases, companies will have really good backups and fairly refined, or practiced, business continuity processes that they can put into place and restore their systems and get back up running without paying,” Minder said. “There’s still a pretty negative outcome, though, and that is when you don’t pay the bad guys. Let’s say you can restore the operational nature of your systems without paying them; they still took all that information from you.”

Minder said organizations that don’t give money to hackers still pay a price.

“What they do to punish you for not paying is they release or sell that data to other bad guys,” Minder said. “For example, all the HIPAA and regulatory stuff will come into play because they’re going to dump all that student information in a public forum to punish you for not paying.”

He said K-State’s announcement “sounds like a duck,” meaning the details surrounding the university’s security breach are familiar from what he does for a living.

The FBI warns ransomware victims that paying money to hackers is not a guarantee that they’ll return the information — and in fact, it can lead to further criminal activity. But as Minder told The New Yorker in a 2021 article, some entities can’t just shut down while authorities investigate.

K-State’s online breach is affecting not only students and faculty but also groups that work closely with the university.

Garrett Brown, a fifth-year senior at K-State who majors in cybersecurity, works for The Collegian Media Group. He’s the information technology employee for the collegiate publications, which include The Collegian newspaper, the Royal Purple Yearbook and Manhappenin’ Magazine.

Brown said he figured it was Mother Nature causing issues.

“A few days ago, a lot of K-State networks went offline,” Brown said. “I think some people kind of figured it was due to weather. That’s at least what I thought. Then, last night (K-State) sent out a big announcement, saying that the outage was still being worked on and that it had confirmed that it ended up being a big cybersecurity incident.”

Brown filled out a ticket with the K-State Help Desk because The Collegian wasn’t able to publish any stories online.

“Right now, they haven’t really told me much,” Brown said. “They ended up telling us not to reboot it, so they can kind of see what state the machine was in for forensics’ sake. They said for me to unplug it from the network so that it wouldn’t spread to other things and to keep an eye on the rest of the systems in case something weird happens.”

He said CMG’s breach only includes its web server for now and that most of its functions are “pretty much operational.”

Brown said he doesn’t know enough to conclude where the ransomware group is based, but he said some places are the most likely.

“I’ve definitely listened to enough cybersecurity true crime podcasts and there are definitely a lot of things where it’s either Russia, North Korea or China,” Brown said. “It always seems like a scapegoat, but you hear a lot of these stories and it’s like, ‘Oh ... actually a lot of it comes from these three countries.’”

Brown’s conclusions weren’t far off from Minder’s experience.

“If I was shooting from the hip, 80-plus percent of these attacks emanate from Russia or from a very heavily Russian-influenced Eastern European country like Belarus, Moldova, parts of Ukraine, Donetsk and that area,” Minder said. “There’s a small number of these attacks that emanate from China, North Korea and some in South America. (GroupSense) had a few emanate from other countries like Germany and so on, but those are sort of the exception and not the rule. Most of these are coming from Russia.”

Minder said if companies, businesses or universities don’t “communicate in good faith,” the ransomware groups from these countries will advertise that their data has been stolen. This is to get victims to cooperate.

The websites hackers use are called “shame sites.” Minder said he’ll be looking to see if K-State is on any of these online systems.

K-State announced that it had been “experiencing a disruption” to its VPN, K-State emails and some media sites. After 24 hours, the university reported Thursday morning that K-State Today emails will return in a “temporary format,” which is only part of the recovery process.

This isn’t the first time the state of Kansas has been under attack.

In October 2023, the Kansas Judicial Branch announced that its systems had been breached.

The ransomware attack forced county court clerks, attorneys and judges to revert to paper filings for record keeping. The public was unable to view records from remote locations, even after county officials were able to access documents in Topeka.

Clerks worked together to relay information via email during the recovery process.

In December 2023, court personnel started transitioning the paper records into the online system that had previously been used, and online records are still not up to date.