
Akira Ransomware Emails Knox Students Directly: 'Your Privacy Is Already Lost'

IL · infrastructure failure · advisory · medium confidence
Confirmed Threat

In early December 2023, the Akira ransomware group breached Knox College in Galesburg, Illinois, and — when ransom negotiations stalled — emailed students individually from a stolen Knox-affiliated mailing list, telling them their Social Security numbers, medical records, and mental-health files were in attacker hands. The extortion email was first reported by The Knox Student on December 6, 2023, alongside the college's own outage notice. It was one of the earliest cases of ransomware affiliates contacting victims' constituents directly by name and a milestone in the shift toward 'aggressive multi-extortion' tactics.

Alerts: 4
Response: min
Killed: 0
Injured: 0
Institution: Knox College
Private Liberal Arts · IL
~1,100 students
Prairie Star Alert
Confirmed Timeline

Alert Sequence

4 messages in sequence · 1 verified verbatim

Some alert texts below are approximate reconstructions from news coverage, not confirmed verbatim transcripts. Reconstructed texts are shown in italic with a dashed border. Verified verbatim texts have a solid border and are marked accordingly.

INITIAL ALERT · Email
Knox community, we are currently experiencing a systems outage affecting email, the Knox portal, and other college services. Knox IT Services is actively investigating and working to restore service. Classes will continue as scheduled. We will provide updates as we have them. If you need to reach a faculty or staff member, please use your personal email or phone.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Classic 'systems outage' language — the word 'ransomware' will not appear from the college until counsel approves it nearly two weeks later.
First sent through a redundant alert channel because the main Knox portal had already been taken offline by Knox IT in containment.
UPDATE · Email · +1d
We want to inform you that the College has been compromised by us and a lot of private data was stolen, including yours. The amount and importance of the leaked private data is huge, and the College has known it for over a week. They tried to hide this fact and refuse to engage in negotiations. We've got info about your medical records, SSNs, sexual preferences (in case of any), financial reports, college papers and many more. You can sue the institution for the leak of this information. Of course we are open to negotiations and willing to come to an agreement with the College and remove your data.
Verbatim from BleepingComputer's published screenshot. Awkward phrases — 'sexual preferences (in case of any)', 'college papers' — are preserved exactly.
Knox students received this in their personal Gmail accounts, suggesting Akira exfiltrated a contact list with personal addresses alongside institutional ones.
The line 'You can sue the institution' is the operative pressure mechanism: it tries to recruit students as plaintiffs against their own college.
UPDATE · Email · +2d
Earlier today, members of the Knox community received an email from an unauthorized party claiming to have obtained personal information. We are aware of this email and have been investigating a cybersecurity incident that began on December 4. We want to be clear: the email did not come from Knox College. Please do not respond, do not click any links, and do not pay anyone. Forward the message to itservices@knox.edu and then delete it. We will keep the community informed as our investigation continues, and will notify any individuals directly if we determine their information was affected.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

The instruction not to click links or respond is itself a real-time campus safety advisory — the school is treating extortion emails as the immediate threat vector.
Note 'we will notify any individuals directly if we determine' — careful legal hedging mandated by state breach-notification statutes.
FOLLOW-UP · Email · +15d
Knox IT Services has restored access to Knox email, the Knox portal, and the campus VPN. All faculty and staff will be required to reset their passwords using a new minimum-length standard before logging back in. Multi-factor authentication is now required on all Knox accounts. Affected individuals will receive a separate written notification by U.S. mail with information about complimentary credit monitoring. Thank you for your patience during the cybersecurity incident.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Mandatory MFA rollout is the standard post-ransomware artifact — small colleges almost never have universal MFA before they're hit.
The mailed credit-monitoring notice is required under the Illinois Personal Information Protection Act.
Context

Background

Knox College is a 1,100-student private liberal arts college in Galesburg, Illinois, founded in 1837 — Abraham Lincoln debated Stephen Douglas on its quad in 1858. On December 4, 2023, Knox IT Services took the campus portal and email offline after detecting an intrusion. Two days later, on December 6, dozens of current Knox students received a personally addressed extortion email from the Akira ransomware group, threatening to release their medical records, Social Security numbers, and counseling files. The email — first published in screenshot form by BleepingComputer — is now widely cited as one of the earliest examples of ransomware affiliates contacting victims' students by name to pressure a college into paying. Knox issued a counter-notice the same evening telling students to ignore the messages, restored systems by December 20, and was publicly listed on Akira's leak site shortly afterward. CISA later issued joint advisory AA24-109A on Akira, citing Knox among the documented education-sector victims.
Analysis

Key Findings

Akira affiliate emailed individual students at personal Gmail addresses on December 6, 2023 — one of the first widely publicized direct-to-constituent extortion campaigns against a US college.
Knox containment took the campus portal offline on December 4, two days before the public extortion email surfaced.
Universal MFA was rolled out post-incident as part of the recovery — it had not been required for all accounts before the breach.
Incident was cited by CISA's April 2024 advisory AA24-109A on Akira education-sector victims.
Outcome
Knox confirmed the cyberattack on December 6, 2023, brought operations back online by late December, and offered free credit monitoring. The college's data was published on Akira's leak site in late December 2023.
Tags: cyberattack, ransomware, akira, direct-to-student-extortion, illinois, private-liberal-arts, data-breach, infrastructure-failure
Added May 2026 · Updated May 2026 · Via ingestion