{
	"id": "06b0bdac-9f29-477b-ac0d-c847a44a6cad",
	"created_at": "2026-04-06T00:13:00.349167Z",
	"updated_at": "2026-04-10T03:30:21.148971Z",
	"deleted_at": null,
	"sha1_hash": "795212f4e85f9c974a3e02b6892e2832b88e00a0",
	"title": "Ransomware gang leaks data from Stanford, Maryland universities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2822034,
	"plain_text": "Ransomware gang leaks data from Stanford, Maryland universities\r\nBy Sergiu Gatlan\r\nPublished: 2021-04-03 · Archived: 2026-04-05 20:42:30 UTC\r\nImage: Dom Fou\r\nPersonal and financial information stolen from Stanford Medicine, University of Maryland Baltimore (UMB), and the\r\nUniversity of California was leaked online by the Clop ransomware group.\r\nThe threat actors obtained the documents after hacking the universities' Accellion File Transfer Appliance (FTA) software\r\nused to share and store sensitive information.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nData stolen in the attack targeting Stanford Medicine's Accellion server includes names, addresses, email addresses, Social\r\nSecurity numbers, and financial information, reported the Stanford Daily.\r\n\"We discovered the breach earlier this week when the hackers posted evidence that they had accessed a limited number of\r\nfiles in our system containing some personally identifiable information,\" UMB also told DataBreaches.net.\r\n\"UC has learned that it, along with other universities, government agencies, and private companies throughout the country,\r\nwas recently subject to a cybersecurity attack,\" a statement issued by the UC Office of the President reads.\r\n\"The attack involves the use of Accellion, a vendor used by many organizations for secure file transfer, in which an\r\nunauthorized individual appears to have copied and transferred UC files by exploiting a vulnerability in Accellion's file-transfer service.\"\r\nColorado and Miami universities also hit\r\nSince February, the ransomware operation has been leaking files stolen after compromising vulnerable Accellion FTA file-sharing servers.\r\nThe ransomware gang started leaking the universities' data during late March, attempting to coerce them to pay ransoms to\r\nhave the stolen data deleted and the leaks stopped.\r\nLast month, the Clop ransomware gang leaked other data sets allegedly stolen from the University of Colorado and the\r\nUniversity of Miami.\r\nThe attackers haven't gained access to universities' internal networks, with the incident only impacting their Accellion\r\nservers.\r\nClop leak site\r\nWhile still unclear if Clop is behind these Accellion attacks or they're collaborating with another group, a joint statement\r\nfrom Mandiant and Accellion shed more light on these attacks also linking them to a second operation, the FIN11\r\ncybercrime group.\r\nBleepingComputer has reported multiple data breaches affecting companies and organizations after these threat actors\r\nsuccessfully compromised their Accellion FTA servers and exfiltrated sensitive information.\r\nStarting with January, we reported attacks on energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger,\r\nthe Reserve Bank of New Zealand, Singtel, the Australian Securities and Investments Commission (ASIC), the Office of the\r\nWashington State Auditor (\"SAO\"), as well as multiple universities and other organizations.\r\nFive Eyes members also issued a joint security advisory in February about ongoing attacks and extortion attempts targeting\r\norgs that use vulnerable Accellion File Transfer Appliance (FTA) versions.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/\r\nPage 3 of 4\n\nIn related news, Brown University, a private Ivy League research university, is still working on bringing systems online after\r\nit had to disable them following a cyberattack on Tuesday.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/"
	],
	"report_names": [
		"ransomware-gang-leaks-data-from-stanford-maryland-universities"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434380,
	"ts_updated_at": 1775791821,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/795212f4e85f9c974a3e02b6892e2832b88e00a0.pdf",
		"text": "https://archive.orkl.eu/795212f4e85f9c974a3e02b6892e2832b88e00a0.txt",
		"img": "https://archive.orkl.eu/795212f4e85f9c974a3e02b6892e2832b88e00a0.jpg"
	}
}