Ransomware Breaches are Only the Beginning
Often when we think about ransomware attacks, we focus on how the attackers found their way in and what demands they are making on the victim. We read about the exorbitant ransom demands made on companies we would expect to have the best cyber defense tools in place, while those same companies reassure us that no data was exfiltrated or compromised during the attack. Recent research suggests otherwise, however: it’s estimated that data exfiltration occurs in 70% of all ransomware attacks.
While some organizations are waking up to the fact that ransomware attacks are in fact data breaches (unless, perhaps, data exfiltration technology can prove otherwise), many are still opting to sweep the attack under the carpet, going so far as to not even disclose to their own employees that their personal data may have been stolen.
Unfortunately, ransomware has moved beyond the encryption of data in exchange for a payment or reinstating files from data recovery backups. Attackers are now more focussed on data theft and double extortion, the practice of putting additional pressure on the victim to get them to pay up before their sensitive data or trade secrets are published for all to see.
In the past, organizations could pay the ransom, or leverage their cyber insurance to deal with the issue, and move on from the attack, hopefully focussing on how they could prevent future incidents. Now, however, they must worry about the fallout of what happens next: the almost inevitable data breach. That is a significant worry when a single data breach can bring an organization to its knees; the downtime they face post-attack is merely the beginning. When you factor in customer attrition, regulatory reporting, remediation costs, reputational damage and even class action lawsuits, there is a lot to be concerned about.
In this blog we’ll be following up on some of the most notable ransomware attacks that are making breach headlines in 2021.
Cloud software provider Blackbaud has been sued in 23 proposed consumer class action cases in the U.S. and Canada relating to the ransomware attack and data breach that the company suffered in May 2020. At the time of the attack Blackbaud stressed that a ransom had been paid to the attackers and they had received assurances from the cybercriminals that compromised data had been destroyed. A spokesperson for the firm said they believed the motivation behind the attack was business disruption rather than data theft. They later admitted that the hackers had stolen bank details and passwords. More than 120 organizations were impacted by the breach.
In December we reported on the ransomware attack at Netgain, a Minnesota-based provider of managed IT services. At the time, the company declined to speak to the press about the attack, but they informed their clients that they were working with cybersecurity experts and leveraging tools to clean up any affected environments.
In January we learned that the fallout from the attack was having significant impacts on some of its clients, including the Family Health Division of Ramsey County. A notification informing clients that hackers may have accessed personal data such as names, addresses, dates of birth, telephone and account numbers, insurance and medical information, etc. had been sent out. An estimated 8700 clients have been impacted and Ramsey County is not the only local government affected by the attack on Netgain.
In November we reported the attack at US Fertility, a network of fertility clinics across the United States. The company disclosed that they had been a victim of ransomware and that an unauthorized party had accessed data including patient names, addresses, birthdates and Social Security numbers during August and September. The organization made headlines again in February when it was revealed that they had been sued by the individuals impacted. The lawsuit also contains a number of issues patients have experienced as a direct result of the exfiltrated data, including reduced credit scores and fraudulent unemployment attempts. The breach victims are requesting that the lawsuit be certified as a class action.
Japanese game developer Capcom fell victim to an attack at the hands of the Ragnar Locker gang in November last year. The cybercriminals claimed to have stolen 1TB of sensitive data from their corporate networks in the US, Japan, and Canada. The ransom note included screenshots of stolen files, including employee termination agreements, passports, sales reports and bank statements. In January, the company released an update stating that up to 390,000 people may now be affected by the ransomware attack.
At the start of this year we reported that Dassault Falcon Jet Corp, the US subsidiary of Dassault Aviation, had been the victim of a Ragnar Locker attack. According to media reports and the dates of breach reported by the company, it seems the attackers maintained access to company systems for roughly six months, between June and December last year. In January the company confirmed a data breach following the attack. Compromised data included information belonging to employees such as name, personal and company email address, home address, driver’s license number, passport information, date of birth, etc.
Hackney Council made headlines in October when they disclosed that they had been the victim of a serious cyberattack. Despite speculation that the attack was indeed ransomware, the council didn’t divulge this until hackers began publishing stolen data in January. The council has not confirmed the extent of the breach, but a criminal group known as PYSA has now published what it claims to be a range of sensitive information held by the East London council.
Translink, Vancouver’s transportation network, was attacked by the Egregor gang in December. Payment systems were affected by the attack, but customers were assured that credit card and payment information had not been accessed. In January, however, it was reported that a retired employee was suing his former employer following the attack. The lawsuit claims that the data breach led to damages and losses to the employees and other unspecified stakeholders whose personal and banking information were compromised in the breach.
SEPA, the Scottish Environment Protection Agency, was attacked by the Conti ransomware gang on Christmas Eve. When the organization refused to pay the ransom, over 4000 files were published by the hackers. It’s estimated that 1.2GB of data was stolen during the attack. The organization emphasized that the data stolen was a fraction of the size of a typical computer hard drive; however, it did include potentially sensitive data including enforcement notices, corporate planning and procurement and staff data. Whilst some of the information was already in the public domain, files relating to staff and suppliers were not.
A ransomware attack on eHealth Saskatchewan that occurred in late December 2019 is now being called one of the largest privacy breaches in the Canadian province. Over 547,000 files containing personal information, including health records, were exposed during the attack, which was carried out by the RYUK gang. The ransomware attack began when an employee opened an infected Microsoft Word document from a personal account on a personal device while it was being charged via USB at a workstation. The Ministry of Health learned that some of its files had also been exposed in June 2020 but did not notify the privacy commissioner’s office until September. The Information Privacy Commissioner has made a number of recommendations to eHealth.
Canon became the victim of a Maze ransomware attack in August 2020. In early 2021 it was reported that the company was the target of a class action lawsuit for the exposure of current and former employee personal data. The plaintiffs claim that Canon was negligent in protecting employee data and violated state trade practice laws by failing to guard against such an attack. The plaintiffs further allege that Canon failed to notify the affected individuals in a timely manner. Breached data included driver’s license numbers, dates of birth, Social Security numbers, electronic signatures and financial account numbers.
Kansas-based legal services giant Epiq Global reported they had suffered a ransomware attack in February 2020. The attack affected the organization’s entire fleet of computers across its 80 global offices. In July it was reported that a lawsuit accused Epiq Systems of negligence and failure to protect consumers’ data, saying attackers were able to extract “nonencrypted and nonredacted personal information.” The complaint, which was filed in federal court in California, alleged that the data breach occurred in part because the company failed to use current security measures which could have prevented the attack. Epiq has since filed a notice to remove a data breach class action lawsuit from state court to the District Court for Central California.