Ransomware group targets Universities of Maryland, California in new data leaks

The Clop ransomware group has posted financial documents and passport information allegedly belonging to the University of Maryland and the University of California online. 

On March 29, the threat actors began publishing screenshots of data allegedly stolen from the US educational institutes. 

These screenshots, including records that allegedly belong to the University of Maryland (UMD), show a federal tax document, requests for tuition remission paperwork, an application for the Board of Nursing, passports, and tax summary documents.

The leaked data snapshots exposed sensitive information points including the photos and names of individuals, home addresses, Social Security numbers, immigration status, dates of birth, and passport numbers. 

Sensitive information has been redacted in the screenshots below.


The University of California (UC) also appears to have been subject to the same group’s tactics. 

Screenshots published by the group, viewed by ZDNet via Kela‘s threat intelligence suite Darkbeast, include lists of individuals and their Social Security numbers, retirement documentation, and 2019/2020 benefit adjustment requests. 

In addition, the leaked data appears to include late enrollment benefit application forms for employees and UCPath Blue Shield health savings plan enrollment requests. 


Clop has been linked to a string of cyberattacks against businesses. Clop is one of many threat groups that will employ a ‘double-extortion’ tactic, in which ransomware may be deployed on a compromised machine first, and then the cybercriminals threaten to make corporate or sensitive stolen datasets public on a leak site unless blackmail demands are met.

Earlier this month, the group leaked data allegedly belonging to the University of Miami and Colorado. 

On the same day, records allegedly belonging to Shell were also posted online. The oil giant revealed that a cyberattack had occurred through the compromise of Accellion FTA servers earlier this month.

On March 22, the REvil ransomware group published what appears to be financial data from tech giant Acer following a ransomware incident. Acer was subject to a $50 million ransom demand, of which it is not known if anything was paid. The company did not confirm that a ransomware attack occurred but did say that IT “abnormalities” had been discovered. 

The University of Maryland and the University of California have not responded to multiple requests for comment by the time of publication. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Leave a Reply

Your email address will not be published. Required fields are marked *