Campus Alert Archive
Bluefield

Ransomware Gang Hijacks the Campus Emergency-Alert System to Demand Its Own Ransom

VAinfrastructure failureadvisorymedium confidence
Confirmed Threat

Between late April and early May 2023, the AvosLocker ransomware gang seized control of Bluefield University's RamAlert emergency-notification system and used it to send threatening SMS and email alerts directly to roughly 1,500 students and staff, telling them their personal data had been stolen and warning them not to trust the administration. It is widely cited as the first publicly documented case of a ransomware crew weaponizing a campus mass-notification system as a pressure channel, turning the safety infrastructure itself into the extortion mechanism.

Alerts
4
Response
min
Killed
0
Injured
0
Institution
Bluefield University
Private Bachelors · VA
~900 studentsRamAlert
Confirmed Timeline

Alert Sequence

4 messages in sequence · 1 verified verbatim

Some alert texts below are approximate reconstructions from news coverage, not confirmed verbatim transcripts. Reconstructed texts are shown in italic with a dashed border. Verified verbatim texts have a solid border and are marked accordingly.

INITIAL ALERTEmail
Approximate reconstructionReconstructed from Bluefield University statements quoted by BleepingComputer and the Bluefield Daily Telegraph575 chars
Dear Bluefield Community, On Sunday, April 30, 2023, Bluefield University discovered a cybersecurity incident affecting the University's network. As a precaution, we have taken portions of our network offline, including some of our online classroom systems, while we investigate. We are working with leading cybersecurity professionals to determine the scope of the incident and restore normal operations as quickly as possible. The safety of our students, faculty, and staff remains our top priority. Updates will be communicated as additional information becomes available.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Sent the same evening that students began receiving threatening alerts directly from the attackers — many in the community received the gang's RamAlert messages before this official notice.
Notice carefully avoids the words 'ransomware' and 'AvosLocker'; the FBI was already engaged at this point.
UPDATESMS+13h 30m
Verified verbatimBleepingComputer — screenshot of RamAlert SMS distributed via the hijacked system379 chars
Hello students of Bluefield University! We are Avos Locker Ransomware. We hacked university network to extract 1.2 TB files. We have admissions data from 2018 to 2022, personal data of students and employees. A lot of personal data of students. If university does not pay us, this information will be released. Do not allow the university to lie about the severity of the attack!
Original typos and grammar preserved verbatim: 'We hacked university network', 'university does not pay us', etc. — these tells of non-native English are part of the document.
This is the message that made the case famous. The attackers walked through Bluefield's own RamAlert console and pushed an extortion notice to every phone subscribed to campus safety alerts.
Final exam communications and severe-weather alerts had to be re-routed off RamAlert for the remainder of the semester.
UPDATEEmail+21 h
Approximate reconstructionReconstructed from The Record's reporting quoting Bluefield's May 1 community message498 chars
Earlier today, an unauthorized party used Bluefield University's RamAlert system to send messages to members of our community. These messages did not originate from the University. We have disabled RamAlert while we investigate. Final examinations scheduled for Monday and Tuesday will be administered using alternate procedures; faculty will contact students directly. Please disregard the messages received from RamAlert and rely on official communications from your faculty and university email.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

The university's instruction to ignore RamAlert is itself an emergency notification — and it had to be delivered through email because the emergency-notification system had been taken hostage.
Note the bureaucratic language 'an unauthorized party' rather than naming AvosLocker; institutions almost never name attackers in initial notices.
FOLLOW-UPEmail+14d
Approximate reconstructionReconstructed paraphrase from Bluefield's cybersecurity update page and Bluefield Daily Telegraph coverage532 chars
We are writing to update the Bluefield University community on the cybersecurity incident first reported on April 30. We have determined that an unauthorized party acquired certain files from our network, which may have included personal information of students, applicants, employees, and alumni. The information has since been posted to a website operated by the threat actor. Bluefield University did not make a ransom payment. We are notifying potentially affected individuals directly and offering credit monitoring at no cost.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

The 'we did not pay' line is the operative legal statement; everything else is choreography around the data dump.
By the time this notice went out, the 1.2 TB had been on AvosLocker's leak site for several days.
Context

Background

Bluefield University is a small Baptist-affiliated college in southwest Virginia with roughly 900 students. On Sunday, April 30, 2023, the AvosLocker ransomware group breached the campus network and seized control of RamAlert, the university's Omnilert-powered emergency-notification platform. On Monday morning May 1, the gang used RamAlert to push SMS and email blasts to the entire student body warning that 1.2 TB of data — including admissions records from 2018 to 2022 — had been stolen. The Record and BleepingComputer both documented the hijack as the first publicly known case of a ransomware crew abusing a campus mass-notification platform to apply pressure directly on students and parents. Final exams were rescheduled, RamAlert was taken offline, and the university issued its own counter-notice telling the community to disregard the gang's messages. Bluefield declined to pay; AvosLocker dumped the data publicly in mid-May. The incident is now used in EDUCAUSE and REN-ISAC training as a warning that the emergency-alert system is itself part of the attack surface and must be on a segregated identity tier.
Analysis

Key Findings

First publicly documented incident of a ransomware gang seizing a campus mass-notification system to deliver extortion messages directly to students.
RamAlert (Omnilert) credentials were apparently reachable from the compromised administrative network rather than gated behind a separate identity tier.
Bluefield did not pay; AvosLocker leaked approximately 1.2 TB of stolen data in mid-May 2023.
Final exam scheduling and severe-weather alerts had to be re-routed for the remainder of the semester because the official alert channel could not be trusted.
Outcome
Bluefield acknowledged the attack on April 30, cancelled some final exams, and brought in the FBI and outside incident-response counsel. The university did not pay the ransom; AvosLocker leaked approximately 1.2 TB of stolen data on its dark-web site in mid-May 2023.
Provenance

Sources

  1. national media
    AvosLocker ransomware gang hijacks emergency alert system to extort Bluefield University — BleepingComputer
    bleepingcomputer.com
  2. national media
    Bluefield University hit by ransomware, attackers use emergency broadcast system — The Record
    therecord.media
  3. Official
    Bluefield University cybersecurity update page
    bluefield.edu
  4. Official
    CISA Joint Cybersecurity Advisory AA22-076A: AvosLocker Ransomware
    cisa.gov
Tags
cyberattackransomwareavoslockeralert-system-compromisevirginiaprivate-bachelorsdata-breachfbifirst-of-kindinfrastructure-failure
Added May 2026Updated May 2026Via ingestion