Campus Alert Archive
WNMU

Russian-Linked Qilin Hackers Take WNMU Offline and Miss Payday

NMinfrastructure failureadvisorymedium confidence
Confirmed Threat

Western New Mexico University in Silver City detected unusual activity in its IT environment on Sunday, April 13, 2025 and took its website and digital systems offline. The disruption lasted nearly two weeks, affecting faculty, staff, and more than 3,700 students across five campuses; some employees reported not being paid on time. Officials linked the attack to the Russian-speaking ransomware gang Qilin, which claimed to have stolen payroll data, Social Security numbers, and driver's license information.

Alerts
3
Response
Killed
Injured
Institution
Western New Mexico University
Public Masters · NM
~3,700 studentsWNMU Alerts
Confirmed Timeline

Alert Sequence

3 messages in sequence

Some alert texts below are approximate reconstructions from news coverage, not confirmed verbatim transcripts. Reconstructed texts are shown in italic with a dashed border. Verified verbatim texts have a solid border and are marked accordingly.

INITIAL ALERTEmail
Approximate reconstruction240 chars
WNMU has detected unusual activity in its IT environment and has taken systems offline as a precaution while we investigate. Some services, including the university website, are currently unavailable. We will share updates as we learn more.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Reconstructed from reporting that WNMU 'detected unusual activity in its IT environment' on April 13, 2025 and took systems and its website offline.
Silver City, New Mexico observes daylight saving time, so April timestamps are MDT (UTC-6).
Classified as an advisory rather than a Clery emergency notification because a cyberattack is an operational disruption, not a § 668.46(g) immediate physical threat.
isVerbatimConfirmed:false: the official notification text was not retrievable, so this paraphrases news quotes.
UPDATEEmail
Approximate reconstruction247 chars
The IT disruption that began April 13 is ongoing. Some payroll processing has been delayed. We are aware of reports that personal information may have been accessed and are investigating with outside experts. Affected individuals will be notified.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Reconstructed update reflecting documented impacts: delayed pay for employees including hourly and student workers, and concerns over accessed personal data.
Matches reporting that the Qilin gang claimed payroll information, Social Security numbers, and driver's license data.
isVerbatimConfirmed:false because the official update wording was not available from a primary source.
FOLLOW-UPWebsite
Approximate reconstruction253 chars
Our website is back online. We continue to restore systems following the April cybersecurity incident. We are notifying individuals whose information may have been involved and providing guidance on protecting your identity. Thank you for your patience.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Reconstructed follow-up matching reporting that the WNMU website became accessible again around May 16, 2025 with a posted message about the event.
Labeled a follow-up rather than an all-clear because data-breach notification and system restoration continued well beyond the website's return.
isVerbatimConfirmed:false: the restoration message wording is reconstructed from news coverage.
Context

Background

Western New Mexico University is a Hispanic-Serving Institution in Silver City serving more than 3,700 students across five campuses and online. On Sunday, April 13, 2025, the university detected unusual activity in its IT environment and pulled its website and digital systems offline. Searchlight New Mexico reported the disruption ran nearly two weeks, delayed pay for employees including student workers, and was attributed to Qilin — a Russian-speaking 'ransomware as a service' gang operating since 2022 — which claimed to have exfiltrated payroll data, Social Security numbers, and driver's license information. A UNM cybersecurity team assisted the response, and the public website returned around May 16. Coming almost exactly one year after the New Mexico Highlands University ransomware attack, the WNMU incident underscores how regional and HSI campuses with lean IT staffing have become repeat ransomware targets — and how an attack on the notification infrastructure itself complicates emergency communication.
Analysis

Key Findings

A Qilin ransomware attack took WNMU's website and systems offline for nearly two weeks and delayed employee pay, including for student workers
The attackers claimed to have stolen payroll data, Social Security numbers, and driver's license information, turning the incident into a data-breach notification obligation
WNMU was the second New Mexico regional/HSI campus hit within a year, after NMHU in April 2024, and drew in a UNM cybersecurity team for response
Silver City observes daylight saving time, placing the April timestamps in MDT (UTC-6)
Outcome
WNMU's public website was inaccessible from April 13 until about May 16, when a message about the event was posted. The Qilin group threatened to leak personal data including SSNs and driver's licenses. A UNM cybersecurity team assisted the response.
Provenance

Sources

  1. News
    An infamous group of Russian-linked hackers appears to have launched a crippling cyberattack on WNMU - Source New Mexico
    sourcenm.com
  2. News
    Russian-linked hackers have launched a cyberattack on WNMU - Searchlight New Mexico
    searchlightnm.org
  3. Student Paper
    UNM cybersecurity team responds to Western New Mexico hacking - The Daily Lobo
    dailylobo.com
  4. Source
    Russian-linked hackers appear to have launched a crippling cyberattack on Western New Mexico University - DataBreaches.Net
    databreaches.net
Tags
infrastructure-failureransomwarecyberattackdata-breachadvisorynew-mexicownmuhsiqilin
Added May 2026Updated May 2026Via ingestion