Virginia Union University ransomware attack LockBit

Update: 05/06 – 1,309 people in Texas and 459 in Massachusetts have been issued with data breach notifications.

Yesterday, Virginia Union University began issuing data breach notifications to those involved in a cyber attack back in February 2023, an attack that the LockBit ransomware gang claimed at the time.

In its data breach letter, VUU says it first detected unauthorized activity on its systems on February 13, 2023. After containing the threat, it promptly conducted a “thorough investigation with external cybersecurity professionals experienced in handling these types of incidents.” On April 1, 2024, it was discovered that certain files containing personal information might have been acquired or accessed by unauthorized individuals. The number of affected individuals currently stands at 1,768.

Affected data includes:

  • Full name
  • Social Security Number
  • Date of birth
  • Driver’s license number
  • State ID

Not all information was impacted for everyone affected. VUU has no evidence that data has been misused.

LockBit didn’t disclose the ransom and we don’t know whether VUU paid it. It is also unclear how LockBit allegedly accessed the university’s systems.

Comparitech contacted Virginia Union University for additional comment and will update this article if it responds.

In the meantime, if you’ve been affected, it’s highly recommended that you take advantage of the credit and identity monitoring services via CyEx that VUU is offering. You should monitor your bank accounts, tax returns, and credit reports for any unauthorized activity. Also watch out for any unsolicited emails or messages asking for personal data or containing links or attachments. Avoid clicking on or opening these until you know they are from a trusted source.

Who is LockBit?

LockBit is one of the most prolific ransomware gangs of recent years after first appearing in 2019. According to our data, LockBit is responsible for 157 confirmed ransomware attacks in the US alone. These attacks have affected at least 11.6 million records.

So far this year, LockBit is behind ten confirmed attacks in the US with a further 98 unconfirmed claims.

It is believed the group is based in Russia. Often, LockBit will operate a double-extortion model whereby a ransom is demanded to decrypt systems and delete any stolen data.

Ransomware attacks on US education

In 2023, we logged 102 confirmed ransomware attacks on the education sector in the US, a vast increase on the figure of 72 noted in 2022. The attacks in 2023 affected 2,017,053 individual records. The average ransom was $450,000.

So far this year we have tracked 11 confirmed attacks on the US education sector, affecting nearly 9,000 records. We are also monitoring 25 unconfirmed attacks.

Data breaches aren’t the only concern following a ransomware attack on education institutions. These attacks can also cripple systems, leading to canceled classes and astronomical recovery costs. In 2022, we noted an average downtime of 11.65 days.

More about Virginia Union University

Located in Richmond, Virginia, VUU is a private institution that was founded in 1865. Today, it’s home to more than 1,200 undergraduate and 400 graduate students.