Full Report
The University of the Bahamas, which serves thousands of students and is one of the Caribbean nation's biggest employers, said several systems went offline after a ransomware attack.
Analysis Summary
# Incident Report: University of The Bahamas Ransomware Attack
## Executive Summary
The University of The Bahamas suffered a significant ransomware attack beginning on February 2nd, which immediately disabled all online application systems, including email and classwork platforms, leading to the cancellation of all online classes. The incident potentially impacted personal information, forcing the university to implement manual cash-only transactions and provide temporary contacts while working with law enforcement and industry experts on network restoration under enhanced security protocols.
## Incident Details
- **Discovery Date:** February 2 (Date attack began)
- **Incident Date:** February 2
- **Affected Organization:** University of The Bahamas
- **Sector:** Education
- **Geography:** The Bahamas
## Timeline of Events
### Initial Access
- **Date/Time:** February 2
- **Vector:** Unspecified (the source does not describe how the ransomware entered the network)
- **Details:** Attack began, immediately impacting all online applications including email and systems used for classwork.
### Lateral Movement
- *Details not specified in the provided text.*
### Data Exfiltration/Impact
- **Date/Time:** On or shortly after February 2nd
- **Details:** Online classes were cancelled. Financial systems (credit card machines) were disabled. The university confirmed that personal information *may* have been impacted. Telephone systems were offline for several days.
### Detection & Response
- **Date/Time:** February 3 (Confirmed ransomware attack)
- **Details:** The school confirmed the ransomware attack on February 3rd. Response included working with law enforcement, urging students to reset passwords, continuing in-person classes, extending deadlines, accepting only cash at kiosks, providing temporary mobile numbers for contact, and implementing a phased network restoration with industry experts and enhanced security protocols. The public website returned to service on Friday (the exact date is not given; context suggests February 5th or 6th).
## Attack Methodology
- **Initial Access:** Unspecified (the source does not identify the entry vector used by the ransomware operators)
- **Persistence:** Unspecified
- **Privilege Escalation:** Unspecified
- **Defense Evasion:** Unspecified
- **Credential Access:** Unspecified (the possible exposure of personal information implies the attackers reached stored records, but no credential-theft mechanism is described)
- **Discovery:** Unspecified
- **Lateral Movement:** Resulted in the disabling of all network-dependent systems (email, online applications, phone systems).
- **Collection:** Personal information may have been impacted, suggesting data collection occurred.
- **Exfiltration:** Potential exfiltration of personal information.
- **Impact:** Service unavailability of email, class systems, and phone/payment systems (ransomware encryption/disruption).
## Impact Assessment
- **Financial:** Disruption to payment processing (credit card machines down, requiring cash-only kiosks). Costs associated with remediation and expert consultation are implied.
- **Data Breach:** Potential impact to personal information of students and staff (5,000 students and 700+ faculty/staff).
- **Operational:** Cancellation of all online classes; required shift to manual operations (cash payments); extension of administrative deadlines; disruption of internal/external communications (phone systems offline).
- **Reputational:** Negative publicity associated with a major service outage and potential data compromise at a key national institution.
## Indicators of Compromise
- **Network indicators:** *None provided.*
- **File indicators:** *None provided.*
- **Behavioral indicators:** Complete shutdown of primary online services, including email and class platforms.
## Response Actions
- **Containment:** Working with law enforcement and industry experts to contain the incident.
- **Eradication:** Implementing a phased approach to network restoration incorporating enhanced security protocols.
- **Recovery:** Restoring key services, including the public website (returned Friday), while maintaining temporary contact methods (mobile numbers).
## Lessons Learned
- Reliance on digital infrastructure makes critical services extremely vulnerable to ransomware events.
- Procedures for manual operations (like cash-only transactions) were established, although likely at significant inconvenience.
- Robust, layered cybersecurity defenses are needed, especially given the regional trend of attacks targeting Caribbean institutions.
## Recommendations
- Immediately isolate and conduct forensic analysis on systems to determine the exact scope of breached personal information.
- Review and enhance multi-factor authentication and endpoint detection and response capabilities across the network.
- Develop and rigorously test comprehensive offline (paper/manual) continuity plans for critical administrative and academic functions to minimize disruption during future outages.
- Assess current backup strategy to ensure rapid, isolated recovery without paying a ransom.