Stanford University found itself in the crosshairs of the notorious ransomware gang ‘Akira’ on Friday morning when the group listed the institution on the darknet as the target of a potential ransomware attack. Screenshots of this listing surfaced on various online platforms, including the r/stanford subreddit and X (formerly Twitter), thanks to cyber risk analyst Brett Callow.
University spokesperson Luisa Rapport confirmed that this incident is related to the SUDPS cybersecurity issue previously reported by The Daily. Akira has claimed to possess 430 gigabytes of internal data, including sensitive information and confidential documents. They have issued a threat to leak this information online unless the University complies with their unspecified ransom demand.
The affected data primarily belongs to the Stanford University Department of Public Safety, which handles personnel records, case reports, risk assessments, and information related to student, faculty, and community members’ involvement in crimes. At this stage, it remains unclear how much of this data has been compromised or encrypted by the ransomware.
In a statement released on Friday, the University assured that there is no indication that the incident impacted any other part of the institution or hindered police responses to emergencies. The investigation is ongoing, and the University plans to provide more information to the community once it is concluded.
Akira’s listing on the darknet described Stanford as “known for its entrepreneurial character” and warned that the University would soon gain notoriety for the 430 gigabytes of leaked internal data, including private and confidential information.
Chris Hoofnagle, a law professor and director of the Center for Law & Technology at the University of California, Berkeley, suggested that attackers interested in police entities could be nation-state actors or organized crime groups. He emphasized the importance of limiting information disclosure until the full extent of the breach is known and the network is secure.
Hoofnagle advised that it is common practice for institutions to refrain from notifying affected parties until they have a comprehensive understanding of the breach, so as to avoid multiple notifications if the situation worsens.
In light of the listing, Hoofnagle noted that many organizations opt to pay ransoms, and he encouraged Stanford students to file a security alert if they are concerned about their personal data being exposed.
Akira is a ransomware family first identified in March 2023, known for numerous attacks against organizations in the U.S. and Canada. The group typically demands ransom payments ranging from $200,000 to $4 million and threatens to release data online if the demands are not met. Their darknet website serves as a repository for past and upcoming leaks, with data from previous victims accessible via magnet links.
Cybersecurity firms, including Avast and Arctic Wolf, have identified significant connections between Akira and Conti, another ransomware strain observed since 2020, believed to be distributed by a Russia-based group.
University spokesperson Dee Mostofi confirmed that the investigation is still ongoing, with the University’s privacy and information security teams collaborating with outside experts to address the matter.
In response to concerns expressed on the University IT Slack channel, Noah Abrahamson, the director of cloud security and information security office operations, acknowledged his team’s awareness of the situation.