Skip to content
Campus Alert Archive
Bluefield

Ransomware group hijacked the emergency-alert system to send extortion messages

AI-generated · every claim is source-linked
VAinfrastructure failureadvisorymedium confidence
Confirmed Threat

Between late April and early May 2023, the AvosLocker ransomware gang seized control of Bluefield University's RamAlert emergency-notification system and used it to send threatening SMS and email alerts directly to the students, faculty, and staff subscribed to the system, telling them their personal data had been stolen and warning them not to trust the administration. It is widely cited as the first publicly documented case of a ransomware crew weaponizing a campus mass-notification system as a pressure channel, turning the safety infrastructure itself into the extortion mechanism.

Alerts
4
Response
min
Killed
0
Injured
0
Institution
Bluefield University
Private Bachelors · VA
All Bluefield cases →
~900 studentsRamAlert
Documented Timeline

Alert Sequence

4 messages in sequence · 1 verified verbatim

Some messages in this sequence are documented (their existence, timing, and channel are sourced) but their exact wording is not preserved in the public record. Those entries appear as placeholders; only confirmed text is displayed.

UPDATESMS+13h 30m
Hello students of Bluefield University! We are Avos Locker Ransomware. We hacked university network to extract 1.2 TB files. We have admissions data from 2018 to 2022, personal data of students and employees. A lot of personal data of students. If university does not pay us, this information will be released. Do not allow the university to lie about the severity of the attack!
Original typos and grammar preserved verbatim: 'We hacked university network', 'university does not pay us', etc., these tells of non-native English are part of the document.
This is the message that made the case famous. The attackers walked through Bluefield's own RamAlert console and pushed an extortion notice to every phone subscribed to campus safety alerts.
Final exam communications and severe-weather alerts had to be re-routed off RamAlert for the remainder of the semester.
Context

Background

Bluefield University is a small Baptist-affiliated college in southwest Virginia with roughly 900 students. On Sunday, April 30, 2023, the AvosLocker ransomware group breached the campus network and seized control of RamAlert, the university's emergency-notification platform. On Monday morning May 1, the gang used RamAlert to push SMS and email blasts to the entire student body warning that 1.2 TB of data (including admissions records from 2018 to 2022) had been stolen. The Record and BleepingComputer both documented the hijack as the first publicly known case of a ransomware crew abusing a campus mass-notification platform to apply pressure directly on students and parents. Final exams were rescheduled, RamAlert was taken offline, and the university issued its own counter-notice telling the community to disregard the gang's messages. Bluefield declined to pay; AvosLocker published a portion of the stolen data on its leak site in mid-May. The incident is now used in EDUCAUSE and REN-ISAC training as a warning that the emergency-alert system is itself part of the attack surface and must be on a segregated identity tier.
Analysis

Key Findings

Reported as the first publicly documented incident of a ransomware gang seizing a campus mass-notification system to deliver extortion messages directly to students.
RamAlert credentials were apparently reachable from the compromised administrative network rather than gated behind a separate identity tier.
Bluefield did not pay; AvosLocker published a portion of the stolen data (including the university president's W-2 and an insurance document) on its dark-web leak site in mid-May 2023.
Final exam scheduling and severe-weather alerts had to be re-routed for the remainder of the semester because the official alert channel could not be trusted.
Outcome
Bluefield acknowledged the attack on April 30, cancelled some final exams, and brought in the FBI and outside incident-response counsel. The university did not pay the ransom; AvosLocker subsequently published a portion of the stolen data, including a W-2 tax form for the university's president and an insurance-related document, on its dark-web site in mid-May 2023.
Provenance

Sources

  1. national media
  2. national media
  3. Official
  4. Official
Cite this case

Campus Alert Archive. "Bluefield University: Ransomware group hijacked the emergency-alert system to send extortion messages." Incident of April 30, 2023. Added May 2026; last updated July 2026. https://campusalertarchive.com/case/bluefield-university-avoslocker-ransomware-2023-04-30/

Download case JSON

Alert text quoted on this page remains the work of the issuing institution; the archive is a secondary source.

Tags
cyberattackransomwareavoslockeralert-system-compromisevirginiaprivate-bachelorsdata-breachfbifirst-of-kindinfrastructure-failure
Added May 2026Updated July 2026Via ingestion