# Michigan State University network breached in ransomware attack **[bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/](https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/)** Ionut Ilascu By [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) May 28, 2020 01:02 PM 0 Michigan State University received a deadline to pay ransomware attackers under the threat that files stolen from the institution’s network will be leaked to the public. The demand is from Netwalker ransomware-as-a-service (RaaS) operators, a group that recently started to recruit skilled network intruders for their affiliate program. ## Proof of stolen data A countdown timer on the attacker’s website shows that the university has about six days to comply or “secret data” will become public. The site set up by the Netwalker ransomware gang gives no details about the attack but they posted images with directories, a passport scan, and two financial documents allegedly stolen from the university’s network. ----- BleepingComputer reached out to Michigan State University (MSU) for more details about the attack but received no reply at publishing time. Information about how and when the attack happened, its impact on MSU, and the ransom demand remain unknown at this time. ## Antivirus removers to disable defenses Netwalker ransomware relies on multiple programs for remote access (Team Viewer, AnyDesk), files from public code repositories, and custom PowerShell scripts. However, they also use at least three legitimate tools to uninstall security software on a compromised system. [Researchers at Sophos security software and hardware company shared in a report](https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/) yesterday that the threat actor also used legitimate removal tools for ESET antivirus, Trend Micro’s Security Agent, and Microsoft Security Client that is part of Microsoft Security Essentials. Apart from tools that enabled intrusion and lateral movement on the victim network, they discovered "individual samples of the Zeppelin Windows ransomware and the Smaug Linux ransomware as well." In a trove of malicious files discovered while investigating a malware campaign from Netwalker, the researchers also found that the attacker also leveraged several vulnerabilities for privilege escalation. ----- One of them is [CVE-2020-0796, for which there is proof-of-concept exploit code released for](https://www.bleepingcomputer.com/news/security/windows-10-smbghost-rce-exploit-demoed-by-researchers/) local privilege escalation. It can also be exploited for remote code execution, but the code for this is not currently available to the public. Netwalker ransomware group advertised recently that they were looking for new collaborators with access to large enterprise networks. The move is meant to distance themselves from malware distribution through spam, which is a common method. As an incentive, the group promised affiliates huge rewards, a cut between 80% and 84% from paid ransoms. Other ransomware operators typically offer up to 70% from the ransom money. ## Related Articles: [BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state](https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-asks-5-million-to-unlock-austrian-state/) [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [New ‘Cheers’ Linux ransomware targets VMware ESXi servers](https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-targets-vmware-esxi-servers/) [SpiceJet airline passengers stranded after ransomware attack](https://www.bleepingcomputer.com/news/security/spicejet-airline-passengers-stranded-after-ransomware-attack/) [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware vulnerabilities exploits and security defenses as well as ----- research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia. -----