The Tshwane University of Technology (TUT) recently suspended its deputy vice-chancellor, Professor Bhekisipho Twala, over the handling of a massive data breach allegedly orchestrated by the infamous Rhysida ransomware group.
Tshwane University of Technology ransomware attack: Here’s everything we know
According to reports, the tertiary institution recently faced a critical challenge when it became a target of a ransomware attack on 17 December 2023.
Professor Twala, a respected figure within South Africa’s artificial intelligence and data science fraternities, was reportedly aware of the ransomware attack but delayed reporting it to the Information Regulator until 4 January 2024.
By this time, TUT had lost access to a substantial volume of data files, including those stored in cloud-based backups. The specifics of any ransom demands made by the attackers remain unclear.
Neither Professor Twala nor TUT had responded to our requests for comment when this article was published.
Here’s what we know about Rhysida
The group claiming responsibility for this attack is known as Rhysida. Emerging prominently in May 2023, Rhysida has quickly established itself as a formidable entity in the cyber threat landscape, engaging in ransomware activities across various sectors.
The hacker group’s modus operandi involves a comprehensive suite of tactics, techniques, and procedures (TTPs) that span lateral movement, credential access, defence evasion, command and control, and impact.
They’ve been known to deploy their ransomware using tools like Remote Desktop Protocol (RDP), Remote PowerShell Sessions, and PsExec, demonstrating their capability to navigate and manipulate targeted networks efficiently.
The group also employs ntdsutil.exe to access sensitive information and leverages both commodity and bespoke malware, such as SystemBC, for maintaining persistence within compromised networks.
A hallmark of their strategy is the deliberate deletion of logs and forensic artefacts to obscure their presence and activities.
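The TTPs listed above (ntdsutil.exe against the directory database, PsExec for remote execution, and log clearing) each leave a distinct trace in Windows event logs. The following is an added detection sketch, not code from the article or from any agency advisory; it runs over constructed sample events in a simplified dictionary form and assumes a SIEM export would be mapped into the same fields.

```python
"""Detection sketch for the Rhysida TTPs discussed above.
The events below are constructed for illustration, not real TUT or Rhysida telemetry.
Event IDs used: 4688 (process creation), 7045 (service installed), 1102 (audit log cleared)."""
import re

# Constructed sample events. "image" holds the executable path for 4688
# and the service binary for 7045; "cmdline" is the process command line.
SAMPLE_EVENTS = [
    {"host": "DC01", "event_id": 4688, "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" ifm "create full C:\\temp\\x" q q'},
    {"host": "FS02", "event_id": 7045, "image": r"C:\Windows\PSEXESVC.exe", "cmdline": ""},
    {"host": "FS02", "event_id": 1102, "image": "", "cmdline": ""},
    {"host": "WS17", "event_id": 4688, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "WS17", "event_id": 4688, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Each rule: (name, description, predicate over one event).
RULES = [
    ("ntdsutil-ifm", "Credential access: ntdsutil exporting NTDS.dit via IFM",
     lambda e: e["image"].lower().endswith("ntdsutil.exe") and "ifm" in e["cmdline"].lower()),
    ("psexec-service", "Lateral movement: PsExec service installed (7045)",
     lambda e: e["event_id"] == 7045 and "psexesvc" in e["image"].lower()),
    ("log-cleared", "Defence evasion: Security log cleared (1102)",
     lambda e: e["event_id"] == 1102),
    ("wevtutil-clear", "Defence evasion: wevtutil cl <log>",
     lambda e: e["image"].lower().endswith("wevtutil.exe")
               and re.search(r"\bcl\b", e["cmdline"].lower()) is not None),
]

def detect(events):
    """Return one finding per (event, matching rule) pair."""
    hits = []
    for e in events:
        for name, desc, match in RULES:
            if match(e):
                hits.append({"host": e["host"], "rule": name, "desc": desc})
    return hits

def hosts_with_multiple_stages(hits, min_rules=2):
    """Correlate: a host that trips two or more distinct rules is escalated first,
    since the article describes these stages being chained on one network."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["rule"])
    return sorted(host for host, rules in by_host.items() if len(rules) >= min_rules)

if __name__ == "__main__":
    findings = detect(SAMPLE_EVENTS)
    for h in findings:
        print(f"[{h['host']}] {h['rule']}: {h['desc']}")
    print("escalate:", hosts_with_multiple_stages(findings))
```

The log-clearing rule is the one that matters most for the forensic point made above: an 1102 event forwarded to a central collector survives even when the local log it describes has been wiped.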
The group has drawn significant attention from cybersecurity and government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
These agencies have identified Rhysida as a ransomware-as-a-service (RaaS) operation, compromising sectors like education, manufacturing, IT, and government.
Understanding the nature of ransomware attacks is essential in grasping the severity of the situation faced by TUT. Ransomware is a type of malware that encrypts the victim’s files, making them inaccessible until a ransom is paid.
Victims are often left with few options: pay the ransom and hope for the decryption key, lose their data, or attempt to restore their systems using backups, assuming these haven’t been compromised. The impact of such attacks can be devastating, leading to significant data loss, financial costs, and damage to the victim’s reputation.