Pure Extraction and Ransom (PEAR) claims to have stolen 16 terabytes of data according to Comparitech, following President Patrick F. Leahy’s email to Monmouth students and faculty on Mar. 13 addressing a cybersecurity incident. The University is yet to confirm this information.
According to Comparitech, PEAR is a cybercriminal group that steals and ransoms data. The fairly new group started taking responsibility for attacks in August 2025. PEAR does not encrypt data, but rather focuses on exploitation.
Cyberattacks on educational institutions, particularly universities, are showing a concerning upward ticking trend. In an article titled “Cyberattacks on Higher Ed Rose Dramatically Last Year, Report Shows,” published on June 12, 2024 in EdTech: Focusing on Higher Education, it is stated that ransomware attacks in higher education increased by 70 percent in just one year from 2022-2023. It is estimated that the real percentage is probably much higher given that these numbers were derived just from the attacks in which ransom was not paid. This article mentions two major ransomware gangs LockBit and Rhysdia, formerly known as Vice Society, who were responsible for more than 100 attacks. LocBit has since taken down a large multinational law enforcement action, but clearly new players are entering the game, such as PEAR.
Brian Callahan, PhD, Specialist Professor in the Department of Computer Science and Software Engineering and Director of Monmouth’s Cybersecurity Research Center said, “They’re probably still too new for us to really have a clear idea of who they are and potentially even where they are.”
Prior to Monmouth, Callahan served as the Graduate Program Director for and senior lecturer in the Department of Computer Science and Software Engineering, and as the Director of the Rensselaer Cybersecurity Collaboratory (RCC) at Rensselaer Polytechnic Institute (RPI).
Callahan explained that while we do not know where this group lies, the top of the cybercriminal hierarchy are Advanced Persistent Threats (APT) that are threat actors backed by a nation state. These types of attacks are not able to apprehend the people behind them because they are physically inside the country that is funding them and are not doing anything illegal by their country.
According to Callahan, most major countries have APT’s including the United States. The US predominantly hears about Chinese, North Korea, Russian, and Israel APT’s. Callahan explained these groups as very well funded and organized.
Second on the cybercriminal hierarchy are organized crime groups, where Callahan thinks PEAR most likely falls. “Organized crime and APT’s are pretty sophisticated. It can be very difficult to effectively combat,” Callahan said.
According to Comparitech, PEAR claims to have stolen 16 terabytes of data, including but not limited to Financials, Students’ Private and Confidential Data, Personally Identifiable Information(PII) and Protected Health Information (PHI) records, Minors’ data, Files from OneDrive and Dropbox Cloud Storages.
Callahan explained 16 terabytes as 6,128 full feature length movies worth of data. “It’s not an astronomical amount of data. It’s not what we would call big data, but when you think of the kinds of data a university is likely to have, that’s going to be a lot,” Callahan said.
Data size begins at bytes, then going to kilobytes, to megabytes, to gigabytes, and finally terabytes. The director of Monmouth’s Cybersecurity Research Center said that a single email is in the kilobyte range and that one terabyte can most likely hold millions if not billions of emails.
Considering the cyber criminal group claims to have taken data from OneDrive and DropBox, Callahan said, “It leads me to think that perhaps someone’s credentials were stolen, that had the master keys to all of this stuff.” He added that it is usually phishing, an attack that attempts to steal your money and identity through revealing personal information, according to Microsoft.
In the case of someone’s credentials being stolen, Callahan said if someone does not have a two-factor authentication setup or too weak of one, then it is like logging into your computer when you have full access.
From there, programs can be used by the cybercriminals to email or send themselves the data over the web.
In an article published on Jan. 22, 2025 titled “Why Are Cyberattacks Rising in Higher Education” in Brilliance Security Magazine, it is argued that cyberattacks on higher education are in rapid increase. Since 2023, these attacks have happened in the education and research sector much more frequently than any other sector. In this article, multiple reasons were cited for why higher education institutions are particularly vulnerable to cyber and ransom attacks. Among the reasons cited are access to grants and federal funding, abundance of valuable credentials that can be sold on the dark web, open networks and multiple applications which make universities vulnerable to security breaches. In addition, it was argued that many universities aren’t adequately prepared for such sophisticated attacks due to budgetary constraints and outdated systems.
Similarly, this past January, The Chronicle of Higher Education published an article titled “Why Cyberattacks in Higher Ed Keep Proliferating,” in which it is argued that “colleges are constantly being bombarded with cyberattacks.” The rise of artificial intelligence just made things so much worse and IT departments have a hard time keeping up. The article also lists numerous colleges who have been recent victims of cyberattacks, amongst them Princeton, University of Pennsylvania, Harvard, Dartmouth College, New York University, and Columbia. Ivy league universities and colleges are high on the list of targets given that they commonly have decentralized IT systems that are easier to attack, but clearly, smaller universities are not exempt from these attacks.
Callahan agreed with the sentiment of attacks on universities, and more specifically in the research sector. From the amount of student turnover year to year, to research, health records, and even emails, everything holds monetary value, emphasizing the research being the biggest thing. Callahan used Rensselaer Polytechnic Institute as an example, “That [research] would be their first concern because they would have a lot of government funded research and research that might be under NDA with the government. We probably have some of that here, probably not to the same extent as RPI, but we probably do have some of that here and that is a big dollar ransom.”
In the 2025 Carnegie Classification of Institutions of Higher Education from the American Council on Education (ACE) and the Carnegie Foundation for Advancement of Teaching Monmouth secured recognition as a research college and university (RCU).
To get more specific information on the ransomware attack on our university, The Outlook contacted The Monmouth University Police Department for a comment and they directed us to the University’s Associate Vice President for Marketing and Communications, Tara Peters, who is out of office until Apr. 8.
The Outlook also directed inquiries to John Cavallo, the director of Information Logistics, John Sonn, the Associate Vice President and Chief Information Officer for Information Operations, as well as the Information Management and Information Operations Departments but have not heard back in time for the publication of this article.
If and when The Outlook receives a response from those contacted, their comments will be included in the subsequent ongoing investigation of this cybersecurity incident.
In more traditional attacks where data is encrypted, Callahan said 50% of the time you will never get the ability to decrypt it. In the case of paying the ransom, half of the time they will leak the data anyway, Callahan continued.
The most recent Sophos survey that collected data from 17 countries titled “The State of Ransomware in Education 2025,” their latest annual study of ransomware attacks on educational institutions, shows that 441 educational institutions were attacked the previous year. As to causes, the report finds that institutions cite an unknown security gap as the most common reason. Although cyberattacks and ransomware attacks on educational institutions are increasing, the report found that educational institution’s use of encryptions and data backup are falling. Ransom demands and payments have drastically fallen as well as recovery costs, which is good news, according to Sophos.
The question, however, is how do universities respond to these attacks? According to an article published on Aug. 4, 2023 in Higher Ed Dive, almost half of higher education institutions are hit with ransomware pay to get their data back to prevent data leakage. This is according to a survey conducted by Sophos, a cybersecurity firm which gathered data from 200 colleges in 14 different countries. For example, the article cites that University of California San Francisco paid a little over $1.1 million in 2020 to a hacker group called Netwalker to stop the leak of the data. However, some schools refuse to pay ransom. As reported by The Daily Pennsylvanian in Feb. 2026, University of Pennsylvania refused to pay $1 million ransom after which ShinyHunters, a cybercriminal group responsible for the ransom attack, leaked the data. Similarly, in 2021 University of Colorado refused to pay $17 million to the ransomware group CL0P, according to the CBS News article titled “University Of Colorado Refuses To Pay $17 Million Ransom Following Accellion Data Breach” and published on August 14, 2021. CLOP gradually leaked data and the university provided credit and identity monitoring along with fraud consultation and identity theft restoration to those affected by the data breach, according to the article. The group targeted a vulnerability in the File Transfer Appliance from Accellion, a third-party vendor, exposing similar vulnerabilities many universities have when they purchase services from third party vendors. According to Schellman, that published a recap of cyberattacks on universities in 2023 and updated it in 2026, University of Georgia confirmed in 2023 that cybercriminals gained access to data stored in the MOVEit Secure File Transfer and Automation software from a third-party vendor, that UGA was using to store and transfer sensitive data. In the same article, it is stated that Indiana University unprotected third-party assets were stolen in a cyberattack exposing student names and email addresses, although the university claimed this information was already public.
Callahan added that the FBI will always say not to pay the ransom. By doing that he said you are signaling that you are someone who will pay, notifying your attackers that you will pay them if they do it again. Consequences of cyberattacks can be dire, and not just in financial terms, especially for smaller colleges that are already struggling. Lincoln College, a small school of less than 1,000 students, already struggling after COVID-19 pandemic, shut down due to ransomware attack on the school that happened in 2021. This predominantly black rural college became the first American college to announce permanent closure in May of 2022. The school closed after 157 years of operation, according to The College Post. Additionally, Aladin Cybersecurity in a post made on X on Jan. 6, 2025 titled “University of the West of Scotland Faces Devastating Cyberattack: A Cautionary Tale for Higher Education,” wrote that, “The University of the West of Scotland (UWS) has become a stark example of the catastrophic consequences of cyberattacks on educational institutions. In July 2023, the notorious Rhysida cybergang launched an attack that exposed over 1 million sensitive personal documents on the dark web. This breach has had profound repercussions.” These repercussions according to the post were, “£14.4M deficit for the year ending April 2024, a sharp contrast to the £2.5M surplus from the previous year. The financial crisis has been exacerbated by declining student enrollment following the breach.” The post also states that “Compromised records included sensitive information of students and staff, leading to privacy violations and loss of trust. The leaked data has increased the risk of identity theft and fraud for those affected.” Finally, the poster concludes that, “Cyberattacks on educational institutions are not just IT issues—they threaten the core operations, financial stability, and reputation of universities.”
“Monmouth did everything they were supposed to do upon figuring it out. That would be initializing whatever instant response that they have, very importantly, contacting the FBI,” Callahan said.
On Mar. 31, Information Management emailed all Monmouth students informing them to change their passwords after updating their password policy. The minimum length is now 15 characters (increased from 8). The complexity requirement has increased, containing characters from at least three of the four following categories: uppercase letter, lowercase letter, number, and special character. The password must not reuse any of your past 10 passwords, and passwords must be changed at least every 365 days (increased from 90 days).
In President Leahy’s email addressing the incident he said he understands this news is concerning. “At the conclusion of this review process, we will provide direct notification to any individuals whose personal information was involved,” he added.
