{
	"id": "8edee150-969e-4b09-bd80-11989ff96b74",
	"created_at": "2026-04-06T00:07:00.702427Z",
	"updated_at": "2026-04-10T03:20:39.103899Z",
	"deleted_at": null,
	"sha1_hash": "1288003c04535994c033a427acfbe9b40d353076",
	"title": "Ransomware group targets universities in Maryland, California in new data leaks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48214,
	"plain_text": "Ransomware group targets universities in Maryland, California in\r\nnew data leaks\r\nBy Written by\r\nArchived: 2026-04-05 17:59:04 UTC\r\nThe Clop ransomware group has posted financial documents and passport information allegedly belonging to the\r\nUniversity of Maryland and the University of California online. \r\nSecurity\r\nOn March 29, the threat actors began publishing screenshots of data allegedly stolen from the US educational\r\ninstitutes. \r\nThese screenshots, including records that allegedly belong to the University of Maryland, Baltimore, show a\r\nfederal tax document, requests for tuition remission paperwork, an application for the Board of Nursing, passports,\r\nand tax summary documents.\r\nThe leaked data snapshots exposed sensitive information points including the photos and names of individuals,\r\nhome addresses, Social Security numbers, immigration status, dates of birth, and passport numbers. \r\nSensitive information has been redacted in the screenshots below.\r\nscreenshot-2021-03-30-at-10-00-15.png\r\nThe University of California, Merced, also appears to have been subject to the same group's tactics. \r\nScreenshots published by the group, viewed by ZDNet via Kela's threat intelligence suite Darkbeast, include lists\r\nof individuals and their Social Security numbers, retirement documentation, and 2019/2020 benefit adjustment\r\nrequests. \r\nIn addition, the leaked data appears to include late enrollment benefit application forms for employees and\r\nUCPath Blue Shield health savings plan enrollment requests. \r\nscreenshot-2021-03-29-at-16-42-45.png\r\nClop has been linked to a string of cyberattacks against businesses. Clop is one of many threat groups that will\r\nemploy a 'double-extortion' tactic, in which ransomware may be deployed on a compromised machine first, and\r\nthen the cybercriminals threaten to make corporate or sensitive stolen datasets public on a leak site unless\r\nblackmail demands are met.\r\nEarlier this month, the group leaked data allegedly belonging to the universities of Miami and Colorado. \r\nhttps://www.zdnet.com/article/ransomware-group-targets-universities-of-maryland-california-in-new-data-leaks/\r\nPage 1 of 2\n\nOn the same day, records allegedly belonging to Shell were also posted online. The oil giant revealed that a\r\ncyberattack had occurred through the compromise of Accellion FTA servers earlier this month.\r\nOn March 22, the REvil ransomware group published what appears to be financial data from tech giant Acer\r\nfollowing a ransomware incident. Acer was subject to a $50 million ransom demand, of which it is not known if\r\nanything was paid. The company did not confirm that a ransomware attack occurred but did say that IT\r\n\"abnormalities\" had been discovered. \r\nUpdate 14.20 BST: The University of Maryland, College Park, said the leaked sample files shared appear to relate\r\nto the Baltimore campus, UMB, rather than UMD, as listed. \r\nUpdate 1.4.21 / 14.21 BST: A UMB spokesperson told ZDNet:\r\n\"In late December, a criminal ransomware organization known as Clop breached the security of our\r\nAccellion file transfer system. This system was used by our students, faculty, and staff to transfer\r\nencrypted files. We discovered the breach earlier this week, when the hackers posted evidence that they\r\nhad accessed a limited number of files in our system containing some personally identifiable\r\ninformation.\r\nThere is no evidence that the file transfer system was compromised at any other time up to the date it\r\nwas decommissioned and replaced in February.\r\nThe university has reached out to the owners of the compromised files and offered them security\r\nassistance, including free credit monitoring and identity restoration services. We have also informed\r\nfederal and state authorities of this incident.\r\nEvery appropriate security measure was taken by our Center for Information Technology Services,\r\nincluding rigorous monitoring and the timely installation of all patches and upgrades provided by\r\nAccellion.\"\r\nPrevious and related coverage\r\nFBI warns of rise in PYSA ransomware operators targeting US, UK schools\r\nRansomware gangs have found another set of new targets: Schools and universities\r\n2020 was a 'record-breaking' year in US school hacks, security failures\r\nHave a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0\r\nSource: https://www.zdnet.com/article/ransomware-group-targets-universities-of-maryland-california-in-new-data-leaks/\r\nhttps://www.zdnet.com/article/ransomware-group-targets-universities-of-maryland-california-in-new-data-leaks/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/ransomware-group-targets-universities-of-maryland-california-in-new-data-leaks/"
	],
	"report_names": [
		"ransomware-group-targets-universities-of-maryland-california-in-new-data-leaks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434020,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1288003c04535994c033a427acfbe9b40d353076.pdf",
		"text": "https://archive.orkl.eu/1288003c04535994c033a427acfbe9b40d353076.txt",
		"img": "https://archive.orkl.eu/1288003c04535994c033a427acfbe9b40d353076.jpg"
	}
}