Michigan State hit by ransomware threatening leak of student and financial data

A blog associated with the NetWalker malware posted screenshots of file directories and a student's passport, saying the files will be published if a ransom is not paid.
Michigan State University
(Michigan State University)

Michigan State University is being targeted by a ransomware attack carried out by a hacker claiming to have stolen files, including students’ personal information, with the threat of publishing them online if a bounty is not paid.

A post appeared Wednesday on a blog affiliated with NetWalker, a relatively newer form of ransomware, containing a screenshot of a Microsoft Windows file directory including folders that appear to belong to individual users on the university’s network. The post threatened “secret data publication” with a countdown clock with about one week remaining. The ransom demanded was not specified.

The NetWalker ransomware, which is sometimes labeled as Mailto, first emerged in mid-2019 and is designed to target enterprise networks rather than individual users, according to Brett Callow, an analyst with the cybersecurity firm Emsisoft who shared the Michigan State screenshot with Scoop News Group. And like other attackers over the past year, hackers using NetWalker have shifted their tactics from merely locking up computer networks in hopes of being paid off to stealing and openly publishing its victims’ data.

The name-and-shame scheme was popularized last year by a ransomware variant called Maze, which has been used in a spree of attacks that have exposed financial records of private-sector entities. The gambit has since been adopted by other ransomware groups, including one that in April published data stolen from the City of Torrance, California.


But NetWalker comes with a twist, Callow said: When the countdown clock hits zero, the stolen files go live.

“Uniquely, the leak site has auto-publishing functionality and a timer,” he said. “When the time has elapsed, the data is automatically published along with the password needed to access it.”

The actors behind NetWalker are known to use phishing or password-spraying attacks to gain access to a network and then use compromised email accounts to send more phishing emails internally, according to the Australian Cyber Security Centre, which sent out an alert in February after the malware was used to attack the Toll Group, an Australian shipping and logistics firm.

NetWalker also operates as a ransomware-as-a-service, making it available for sale on illicit hacker forums, similar to how legitimate technology companies sell software licenses.

Separately, an anonymous Twitter account called Ransom Leaks posted other screenshots from the NetWalker blog that appear to show a student’s passport and a Michigan State financial document from 2015.


While many ransomware attacks can result in victims’ websites or email servers being taken offline either as a result of the infection or as a precaution, MSU’s public-facing site appears to be functional.

“We are aware of a possible intrusion and we are actively looking into it,” Dan Olsen, a Michigan state spokesman, wrote EdScoop in an email.

Benjamin Freed

Written by Benjamin Freed

Benjamin Freed is the managing editor of StateScoop and EdScoop, covering cybersecurity issues affecting state and local governments across the country. He has written extensively about ransomware, election security, and the federal government's role in assisting states, localities and higher education institutions with information security.

Latest Podcasts