State of ransomware 2024
By |Published On: March 1st, 2024|64 min read|Categories: Ransomware, Research|
PDF Report Banner

Get our Monthly Ransomware Report as a PDF

vCISO Ransomware Report

Free vCISO Ransomware Assessment

state of ransomware 2024 february


2024 has started out with the highest number of January attacks we’ve ever recorded, with 76 attacks representing a 130% increase compared to 2022’s figures. Education topped the list of targeted industries, followed by healthcare and manufacturing. LockBit was the most active ransomware group this month, with Akira knocking BlackCat off the second-place spot for the first time. Notably 91% of disclosed attacks involved data exfiltration.

Check out who made ransomware headlines this month:

  1. Australia’s Court Services Victoria (CSV) revealed that hackers were able to disrupt operations and access its audio-visual archive containing sensitive hearing recordings during an attack. The impacted system was immediately isolated and shut down, but investigations revealed that a breach exposed recordings going as far back as the beginning of November 2023. This incident impacted various courts and jurisdictions including the Supreme Court and Magistrates’ Court. It is not known who was behind the attack or if any ransom was demanded in exchange for the compromised data.
  2. Swedish supermarket chain Coop fell victim to a Cactus ransomware attack in late December, impacting stores in the county of Värmland. A spokesperson confirmed the cyberattack, stating that upon detection external expertise was engaged to close off “vulnerabilities where intrusions occurred.” According to reports, stores were unable to take card payments on December 22nd but all stores remained open. Cactus ransomware group did not disclose many details on the attacks including what data was stolen.
  3. A Christmas Day attack that knocked out electronic health systems at Anna Jaques Hospital (AJH) has been claimed by Money Message ransomware group. The gang claimed it exfiltrated 600GB of information including data relating to its parent network Beth Israel Lahey Health. The ransom amount demanded was also not disclosed. The exact nature of the exfiltrated data remains unknown.
  4. One of Africa’s largest airlines, Kenya Airways, was claimed as a victim by the Ransomexx ransomware group. The ransomware group shared over 2GB of data allegedly stolen from the airline including sensitive information. Compromised data is said to include passenger information, accident reports, investigative activities and plans for the carrier. The organization has not yet made a public announcement acknowledging the claims.
  5. Fallon Ambulance Service, a now-defunct subsidiary of Transformative Healthcare, suffered a ransomware attack in April 2023 which impacted data of 911,757 individuals. The attackers gained access to the company’s systems from late February and remained there until late April. BlackCat claimed the attack, stating that they had exported 1TB of data including medical reports, paramedic reports, sensitive patient details, and other information. Transformative’s investigation of the incident concluded in late December 2023 when the breach notification was submitted.
  6. French logistics company Groupe IDEA was added to LockBit’s dark web victim site this month. The post from the group did not disclose any details on the breach and only contained a countdown to a deadline date of January 22nd for an undisclosed ransom demand to be met. It is not known what, or how much data was exfiltrated by the group. Groupe IDEA are yet to make a public comment addressing these claims.
  7. Gallery Systems, a museum software solutions provider, announced that IT outages were caused by a ransomware attack. The attack, which took place on December 28th, caused the company to take systems offline to prevent further devices from being encrypted, which led to wide-spread disruption for over 800 museums. Law enforcement was notified, and an internal investigation launched to determine the impact of the breach. No ransomware group has yet claimed responsibility for the incident.
  8. One of the largest insurance companies in the US, First American, confirmed that a cyberattack reported in December was indeed a ransomware attack. The incident forced the company to isolate systems from the internet in an attempt to contain and remediate the incident. Investigations revealed that threat actors accessed certain non-production systems, exfiltrated and encrypted data. It is not known who was behind the attack at this time.
  9. BlackCat ransomware group added SAED International to its victim list this month, claiming to have infected all systems and affected services. Although no detailed information was provided by the threat actors, the group suggested that the Saudi Closed Joint Stock Company had “tried to hide the attack from clients” It is not clear what impact the attack had on the organization nor what information has been stolen. SAED are yet to publicly address BlackCat’s claims.
  10. A cybersecurity incident around Christmas caused Eagers Automotive to halt all trading operations until further notice. The incident affected the IT systems and daily operations across dealerships in Australia and New Zealand. Notorious ransomware gang LockBit claimed responsibility and added the Australian car dealership to its leak site.
  11. US-based transportation provider Estes Express Lines confirmed that it had fallen victim to a cybersecurity incident last year. The attack caused IT outages and affected Estes’ online tracking services. A forensic investigation determined that unauthorized threat actors had accessed systems and exfiltrated data which is said to include names and other personal identifiers belonging to at least 21,184 individuals.
  12. LockBit began leaking information stolen from the University of Sherbrooke which was stolen during a ransomware attack in December 2023. The attack had no impact on the university’s activities, but a spokesperson did state that the compromised data had come from one research laboratory. The ransomware group added screenshots as proof of claims to the announcement on the dark web.
  13. Mexico’s largest poultry producer, Bachoco, was hacked by Cactus ransomware group just before the new year. The group posted Bachoco on its leak site but provided little information on the attack and did not post a deadline for payment of an undisclosed ransom. It is suggested that 130GB of data was exfiltrated during the incident. A download link to the proof of claims was included which contained PII of employees, stakeholders, and customers as well as other confidential documents.
  14. Hunters International ransomware gang breached Bradford Health, causing an operations blackout. The attack resulted in a breach of approximately 770GB of data including agreements, medical records, SQL backups, employee data and business documents. The healthcare facility has made no public comment addressing the claims.
  15. Hackers targeted Kaunas University of Technology in Lithuania, launching an attack on that led to the disruption of dozens of systems, and ultimately a leak in sensitive information. Information such as employee names, addresses, contact information and car registrations was compromised. Rhysida has claimed the attack and added a number of screenshots, including scanned passports, to its leak site.
  16. In Louisiana, Tulane University is investigating a potential cyberattack following claims made by Meow. The university launched an investigation of the claim and any impact of the attack but did comment that all network systems were operational. The ransomware group posted the university on its leak site on December 13th but did not include any more information on the attack, with the posting simply stating “soon”.
  17. Kershaw County School District (KCSD) in South Carolina was the first educational institute claimed by BlackSuit in 2024. Threat actors posted the school district on its leak site earlier this month, alongside claims that 17GB worth of files had been exfiltrated from the KCSD network during the incident.
  18. In Idaho, Blaine County School District was also targeted by BlackSuit during an attack in late December. BlackSuit alleges to have 12GB of data belonging to BCSD, although no proof of claims was added to the dark web listing.
  19. Marketing-centered US service provider Televerde fell victim to a cyberattack at the hands of Play. The organization is yet to make a comment on the claims but the group’s posting on its victim site suggests that data was stolen during the attack. Compromised information allegedly includes private and personal confidential data, client documents, budget, IDs, payroll, insurance, taxes, finances, and other company information.
  20. In Brazil, Agro Baggio was hacked by Knight ransomware group, causing the organization’s website to be knocked offline. The threat actors added Agro Baggio to its leak site, noting that the network is “tightly closed and unavailable. Knight also claimed to have exfiltrated 70GB of files containing “important data.” A threat was also included in the post highlighting that DPO/LGPD fines are high.
  21. At the beginning of the month, mortgage lender LoanDepot was forced to shut down some of its systems to contain a cybersecurity breach, with payments via the servicing portal and other online portals being taken offline. The organization has confirmed that it was hit with a ransomware attack, with malicious actors also encrypting files on compromised devices. An investigation revealed that sensitive personal information of approximately 16.6 million individuals was accessed by the ransomware group responsible. At the time of writing, no ransomware group has yet taken credit for the incident.
  22. LockBit claimed responsibility for an attack on the Capital Health hospital network which caused IT system outages and impacted operations for at least one week. LockBit listed the healthcare company on its data leak portal, claiming to have stolen 7TB of sensitive medical information valued at $250,000. The ransomware gang stated that it purposely did not encrypt the hospital’s systems so as not to interfere with patient care.
  23. The World Council of Churches confirmed that it was contacted by hackers on December 26th, demanding a ransom for information accessed during a cyberattack. All systems were unavailable including the website. The WCC stated that it would never give in to such threats. The WCC attack has not been claimed by any ransomware group.
  24. The largest zoo in Canada, Toronto Zoo, confirmed that it’s systems had been hit by a ransomware attack but that it had caused no impact to the animals’ care, its website, or its day to day operations. The zoo is investigating whether the incident affected guest, member, or donor records. The incident was reported to the Toronto Police Service and the zoo continues to work with third-party security experts and the City of Toronto’s Chief Information Security Office to determine the extent of the damage. Akira has taken credit for this incident, claiming to have exfiltrated 33GB of data including NDAs, confidential agreements and personal files.
  25. Offshore and marine organization ES Group (Holdings) saw information on its systems encrypted as a result of a ransomware attack. The company announced the incident stating that it had impacted the “majority” of its data in its servers but that investigations remained ongoing and the “threat had been contained.” ES Group also commented that there had been no significant impact to its business or operations.
  26. Another Singapore-listed company made headlines when IPS Securex Holdings confirmed that it had encountered a ransomware incident which had rendered its network inaccessible. Based on initial investigations, the organization is yet to see any evidence of data exfiltration from the attack. The threat actors behind the attack remain unknown.
  27. In Washington, Edmonds School District confirmed that a cyberattack in January last year compromised the sensitive personal information of approximately 250,000 individuals. The school district identified suspicious activities in its internal network and immediately launched an investigation. Compromised data included names and other personal identifiers, financial information and credit and debit card account information. Akira claimed responsibility for the attack in August, allegedly stealing 10GB of data.
  28. The Paraguay military issued warnings of Black Hunt ransomware after Tigo Business suffered a cyberattack which impacted cloud and hosting services in the company’s business division. Reports suggest that over 300 servers were encrypted, and backups compromised. The organization was not able to provide a lot of information relating to the attack.
  29. Black Basta published 515GB of data allegedly belonging to Park Holidays UK, a holiday park operator with more than 50 sites in the UK. The compromised data included financial documents, and personal documents such as driving licences and passports. The organization has not made a public announcement acknowledging the leak.
  30. German engineering company Gräbener Maschinentechnik confirmed that it had also fallen victim to a Black Basta ransomware attack late last year. The organization stated that unauthorized access was gained by threat actors and that it could not rule out data being leaked. The ransomware group has already published the 1.1TB of data exfiltrated from the organization during the attack. Information includes confidential information and company documents.
  31. TiAuto Investments, the holding company of Tiger Wheel & Tyres, notified suppliers that it was hit by a ransomware attack on December 28th. The organization’s security team detected suspicious activity and immediately disconnected the network, enabling them to contain the attack. The organization launched a full forensic cyber audit to determine the scope of the incident and the outcomes. LockBit claimed TiAuto Investments as a victim, but it is not clear what or how much data was exfiltrated during the attack.
  32. Over Christmas, Aspiration Training suffered a ransomware attack on part of its network in a data center. Initial investigations revealed that attackers penetrated a small area of the network, encrypting data. Rhysida claimed the incident, demanding 1BTC in exchange for the data exfiltrated. It is not clear at this time what data was compromised in the attack.
  33. RE&S Holdings, a Japanese multi-food brand, announced on Jan 11 that it had initiated data recovery following an attack which impacted the data on its servers. RE&S activated business continuity plans and seen no significant impact to its business operations. The company reported that it has not observed any evidence of data exfiltration or the compromise of any personal sensitive information following preliminary investigations.
  34. Sources from Fullerton Joint Union High School District revealed that it suffered a “complete internet shutdown” in November. This month it was announced that there is now evidence that some non-sensitive student information was accessed during the attack. Some feel that the superintendent should have acted sooner in informing the school district community about the data breach. It is not known who was behind the attack.
  35. Not for profit organization Water for People was targeted by a ransomware attack orchestrated by Medusa. The gang listed Water for People on its darknet site, threatening to publish stolen information unless the organization paid a ransom demand of $300,000. A spokesperson from Water for People commented that the data accessed predates 2021 and did not compromise financial systems or business operations.
  36. BlackCat claimed US-based general contractor Builcore as a victim, allegedly exfiltrating 250GB of data during the attack. On its victim site, the group stated that data stolen includes past, present and future clients as well as project information. It was also reported that Builcore refused to negotiate with the threat actors. Builcore has not commented on the breach.
  37. The Lutheran World Federation (LWF) became a victim of cyber extortion at the hands of Rhysida. The ransomware group reportedly exfiltrated 734GB of data in 732,665 files. Screenshots, including passports, were released as proof of claims. 50% of the files that “did not sell” have already been leaked. Rhysida has not publicly announced how much data was stolen during the attack and it is not known if a ransom was demanded from the LWF.
  38. It has been reported that staff of Australian imaging and diagnostics provider Quantum Radiology were told to tell concerned patients that a November breach was an “operational IT issue.” An unauthorized party breached the company’s IT systems and encrypted its contents including patients’ Medicare numbers, identifying information, claim details and scan reports. A ransomware gang is yet to take credit for this incident.
  39. The Arrowhead Regional Computing Consortium announced that a 2023 data breach compromised the sensitive personal information of more than 65,000 people. During an attack in February last year, the educational advisory group detected unauthorized activity in its internal network and immediately launched an investigation into the nature and scope of the incident. The investigation concluded on December 7th, revealing that sensitive people information including names, SSNs, health insurance information and medical information had been compromised during the attack. LockBit claimed the attack back in April, giving the group seven days to pay an undisclosed ransom before data was published.
  40. Personal information from over 7300 individuals was accessed by threat actors during a cyberattack on Carnegie Mellon University (CMU). The university launched an investigation and recovery operation which revealed that unauthorized external actors has accessed its computer systems. Information compromised included names, SSNs and dates of birth.
  41. Calvià City Council, a major Majorca tourism hotspot, was targeted by a ransomware attack, with threat actors demanding an $11million ransom. The attack caused IT outages and forced the council to form a crisis committee to evaluate the damage done and create impact mitigation plans. The ransomware group behind the attack remains unknown and the mayor of Calvià has stated that the ransom demand will not be paid under any circumstances.
  42. Hackers who claimed to have passenger data of PT Kereta Api Indonesia (KAI) demanded billions of rupiah in bitcoin to the government. The threat actors claim to be in possession of data belonging to employees and passengers alongside other information but have not disclosed the total amount of data breached. The government was asked to pay a ransom of 11.69BTC but KAI has confirmed that it has seen no evidence that any data was leaked.
  43. Fortune 500 company, Ashbury Automotive Group, was hacked by the Cactus ransomware gang who published the company’s data on its PR website on January 12th, claiming to have stolen 62GB and stating that less than 1% of the data was published. Confidential documents including passports, driver’s licenses, IDs, private financial data and employee information is among the data taken during the incident.
  44. BianLian ransomware group claimed Republic Shipping Consolidators as a victim on its leak site, publishing 117GB of confidential data belonging to the organization. Compromised information included financial records, email correspondence, internal company documents, personal details of employees and various other technical data. Republic Shipping Consolidators has not yet publicly commented on claims made by the ransomware group.
  45. US-based transportation management company Becker Logistics was among Akira’s victims in January, with the ransomware group threatening to release data exfiltrated during an attack. Akira stated that it is in possession of about 43GB of files including personal information, HR, customer info, NDA documents, contracts, and financial information. Becker Logistics has not yet made a public comment addressing the incident.
  46. 60,871 individuals were recently notified about a July ransomware attack on ConsensioHealth. The cyberattack which was discovered on July 3rd, made the network inaccessible to staff members of the billing service. Steps were immediately taken to prevent the spread of the attack and an investigation was launched to determine whether patient data was accessed or copied. In November, the investigation confirmed files containing patient data was stolen including files from seven entities.
  47. Memorial University confirmed that a cyberattack on Grenfell Campus during the Christmas break was indeed a ransomware attack. An unauthorized third party gained access to the Grenfell Campus’ network and encrypted data on a number of servers and workstations, rendering IT services unavailable. At this time, the university does not have any evidence that any personal information was compromised. An investigation is ongoing and as of yet, no ransomware group has yet claimed the attack.
  48. LockBit breached Foxsemicon Integrated Technology Inc, one of Taiwan’s biggest semiconductor manufacturers, demanding a ransom to avoid publishing troves of data. On January 17th LockBit pasted a ransom note on the organization’s website, demanding payment of an unspecified amount. According to claims made by the ransomware group, 5TB of data said to include personal data belonging to customers was exfiltrated. The group also threatened that if management did not get in contact that it was “able to completely destroy Foxsemicon with no possibility of recovery”. The organization has not been added to LockBit’s leak site, suggesting that the victim has entered into ransom negotiations or has already paid the amount demanded.
  49. Kansas State University announced that it was facing a cybersecurity incident that disrupted certain network systems including VPNs. Impacted systems were taken offline upon detection of the incident. The university engaged third-party IT forensic experts to assist in the ongoing investigation efforts. At the time of writing no ransomware group has taken responsibility for the attack.
  50. Netherlands-based denim brand DENHAM the Jeanmaker officially acknowledged falling victim to a cyberattack in late December 2023. The cyberattack did not materially impact DENHAM services in stores or online. A spokesperson confirmed that threat actors accessed some data on affected systems but stressed that information accessed did not include the personal data of consumers who visited its webshop. Akira took credit for the attack, stating on its victim site that it is in possession of 100GB of data archive.
  51. Hunters International launched an attack on Gallup-McKinley County Schools in New Mexico. The cyberattack claim lacks critical details including the nature of the data compromised, the extent of the breach, or the motives driving the attack. With no proof of claims added to the leak site, experts are questioning the validity of the claims made.
  52. In Maryland, Primary Health & Wellness Center made a public notice regarding a ransomware attack which occurred in October 2023. It stated that ransomware encrypted its network server which contained patient medical records from 2018 to present and included names, addresses, dates of birth, SSNs and medical records. PHWC also claims that it has no evidence to believe that any patient data or protected health information was acquired, exfiltrated or misused. The incident was reported to HHS in December as affecting 4,792 individuals.
  53. The FBI, Homeland Security and Oregon City Police Department are investigating an incident which impacted staff and students of Clackamas Community College. Several attacks against the college network took place overnight, with employees receiving emergency notifications about an intrusion. The attack on the servers was quickly isolated, with the origin of the hack being traced back to a Russian IP address. An investigation is ongoing to determine the scope the attack and if data was compromised during the attack. LockBit has claimed responsibility for this incident.
  54. Evidence of a cyberattack on Worthen Industries was posted on the ALPHV, aka BlackCat, leak site. The posting states that should the organization not contact the group in three days, Worthen’s “entire corporate data” including personal and confidential data would become public. The group also taunted the organization asking if it valued the reputation of the company. No further details on the attack have been released.
  55. Subway restaurant chain has launched an investigation after claims made by LockBit ransomware group. The infamous ransomware group added Subway to its Tor site alongside claims that it had exfiltrated Subways SBS internal system which includes hundreds of gigabytes of data and all financial aspects of the franchise. An undisclosed ransom was demanded with a deadline for payment set as 2nd February, failure to pay means all data will be published.
  56. Tietoevry, a Cloud hosting service provider, announced that one of its Swedish data centers was “partially subject to a ransomware attack.” The attack affected numerous customers, but it is believed that only services of customers in Sweden were impacted. It has not been announced whether sensitive or personal data was stolen during the incident. According to Tietoevry, Akira ransomware gang are responsible for this attack.
  57. Ransomware was the culprit behind a cyberattack on Douglas County Libraries in Colorado. The attack which was discovered on January 14th led to temporary catalogue and service outages. The network was quickly taken offline which impacted several other services offered by the libraries. An investigation has been launched but it is not yet known who was behind the attack and if any data was stolen.
  58. The world’s leading aircraft leasing company AerCap experienced a cybersecurity incident “related to ransomware” but claims it suffered no financial impact as a result of the attack. An investigation continues with an aim to establish the extent to which data may have been exfiltrated or otherwise impacted. Slug ransomware group claimed responsibility for the intrusion and listed AerCap as its first public target. The group claims to have stolen 1TB from the organization.
  59. LockBit claimed TV Jahn Rheine in Germany as a victim, providing information on substantial amounts of sensitive data stolen, including account information, email conversations and HR records. It is not clear how much information was stolen or what ransom was demanded by the threat actors.
  60. First Financial Security Inc reported that it had recently fallen victim to a ransomware attack which resulted in an authorized party being about to access consumers’ sensitive information. The organization secured its systems and determined that threat actors were not successful in encrypting the company’s systems, however, investigations revealed that portions of its IT network were accessed. Compromised data includes names, SSNs and other personal information.
  61. Veolia North America revealed that it suffered a ransomware attack which impacted systems of part of its Municipal Water division and disrupted its bill payment systems. The subsidiary of Veolia implemented defensive measures, taking some systems offline temporarily to contain the breach. The organization is working with forensic specialists to assess impact on its operations and systems. No ransomware group has yet claimed responsibility.
  62. Japan Foods Holding announced that the company was involved in a ransomware attack during which an unknown third party gained access to its servers and encrypted data. It is believed that there will be no material impact to financial or operational performance. During an initial investigation no evidence of data leakage or exfiltration was found.
  63. UK water giant Southern Water confirmed that threat actors broke into its IT systems and exfiltrated a “limited amount of data” following a ransomware attack. Black Basta has claimed responsibility, publishing a snippet of 750GB of stolen data including scans of identity documents, HR related information and corporate care leasing documents. Southern Water stated that although a limited amount of data has been leaked, there is no evidence that customer relationship and financial systems were affected.
  64. In Pennsylvania, Bucks County stated that it dealt with a cyberattack which caused outages and problems for county hospitals, libraries and other local services. The incident disabled the county’s Emergency Communications’ Department’s computer-aided dispatch (CAD) systems, causing issues for the emergency services. The county partnered with state and federal agencies to assist with the ongoing investigation into the attack. Further information on this attack is not currently available.
  65. The Kansas City Area Transportation Authority (KCATA) announced that it had been targeted by a ransomware attack on January 23rd, impacting all communication systems. Despite call-center disruption, all routes continued to run as usual with no passenger transit operations impacted. Medusa claimed responsibility, posting data samples on its dark web portal as proof of claims. A ransom of $2,000,000 has been demanded.
  66. A cyberattack on financial technology firm EquiLend forced several of its systems offline and caused several days of disruption. A spokesperson stated that firms would have to move to manual processes while the platform remained offline. EquiLend are working with external cybersecurity firms and other professional advisors to assist with investigations. Some reports suggest that LockBit was behind the attack, but the ransomware group has not yet posted any claims on its leak site.
  67. The Co-operative Housing Federation of Norway (NBBL) was hit by a “classic ransomware attack” which impacted three of its other companies. In a statement made by NBBL’s Communications Director, it was noted that affected parties were informed and security measures were immediately implemented to minimize the consequences of the attack. NBBL’s CEO commented that NBBL will not be paying any ransom demanded. 8Base has taken credit for the attack, claiming to be in possession of information including financial data, personal data, confidentiality agreements among other confidential information.
  68. In Ohio, Groveport Madison Schools is in the process of recovering from a ransomware incident. It took the school district a month to restore services after an attack on December 5th. The hackers identified themselves as Black Suit, adding the school district to its leak site. A spokesperson confirmed that the hackers stole some staff data, but no student data was compromised during the incident.
  69. Akira ransomware group claimed an attack on British bath bomb merchant Lush. The ransomware group claim to have stolen 110GB of data including “a lot of personal documents” such as passport scans. Other company documents relating to accounting, finances, tax, projects and clients is also said to be among the data exfiltrated. There is currently no evidence to suggest that customer data has been impacted. Lush publicly announced a cyberattack in early January but has not publicly acknowledged claims made by Akira.
  70. LockBit has reportedly claimed responsibility for an incident involving the Caravan and Motorhome Club in the UK. During the cybersecurity incident customers were unable to reach the company or access any of its digital channels. It took the company five days to make a public disclosure, following on from advice given by its external cybersecurity experts. The ransomware group has not added a lot of detail to its posting about the Caravan and Motorhome Club but has given the organization until February 9th to meet undisclosed ransom demands.
  71. Scottish charity The Richmond Fellowship Scotland was targeted by a ransomware attack which shut down all of its systems for over two weeks. Experts from Police Scotland are investigating but most aspects of the attack are still not known. Medusa has claimed responsibility for the attack, claiming to have stolen an unknown amount of data. A ransom of $300,000 has been set by threat actors in exchange for data stolen.
  72. Planet Home Lending LLC was a victim of a ransomware attack in November 2023, but the data breach was only announced by the organization recently. In response to the attack, Planet Home contained the incident, terminated unauthorized access and launched an investigation involving third party specialists. Investigations determined that threat actors were able to access sensitive consumer information.
  73. Cactus targeted energy management and automation giant Schneider Electric, reportedly stealing terabytes of corporate data during the cyberattack. The company’s Sustainability Business division was hit in early January, disrupting some of Schneider Electric’s Resource Advisor cloud platform. At this time, it is not known what data was exfiltrated or what the ransom demand is.
  74. BlackCat is threatening to release classified documents from numerous U.S. intelligence agencies following an attack on Technica Corporation. The ransomware group added a post on its dark web site claiming to have exfiltrated 300GB of data from the company. The group wrote “documents relate to the FBI and other US intelligence agencies. If Technica does not contact us soon, the data will either be sold or made public.” The posting also included 29 separate documents as a proof of claims which included contracts from the Dept of Defense as well as employee information. Technica are yet to address these claims publicly.
  75. Lotus Media Group in Oregon, which oversees one newspaper, and five local radio stations faced a ransomware attack in late January. The incident caused disruptions to operations, with employees locked out of their emails and key systems used to design the print newspaper. Staff are working to restore operations and continue reporting the news. It is not clear who was behind the attack or if any data was exfiltrated.
  76. A December cyberattack on Saint Anthony Hospital has recently been claimed by LockBit ransomware gang. LockBit posted the Chicago hospital on its leak site, giving it two days to pay a nearly $900,000 ransom. Administrators determined that files containing patient information had been copied from the network. LockBit didn’t share a lot of information on its posting but did share how they felt about US hospitals, commenting “always US hospitals put their greedy interest over those of their patients and clients.”


In February we recorded 57 publicly disclosed ransomware attacks, a 43% increase over last year’s figures. February saw the temporary takedown of LockBit, which did slow the operation down for a few days, but didn’t stop them from carrying out nine attacks, the same amount as BlackCat. Some attacks dominated headlines this month including Lurie Children’s Hospital, Fulton County, Hipocrate Information Systems in Romania and Epic Games.

Find out who else made the ransomware news headlines during the month:

  1. Skokie in Illinois experienced unauthorized access to the village’s computer systems which led to a network outage. It was reported that staff were told to keep information regarding the attack to themselves and not reveal details to the public. Investigations revealed that threat actors had acquired certain files and data from the network, but it was not confirmed what information was held in those files. Hunters International claimed the incident.
  2. The Misbourne, a school in the UK, was forced to close to students following a ransomware attack in late January. The incident impacted some of the school’s IT systems which significantly affected its infrastructure and operations. It was revealed this month that personal data belonging to students, families and teachers were stolen during the attack. LockBit took responsibility and confirmed that it had student data, bank details, salary data, HR information and many other confidential agreements in its possession.
  3. LockBit also targeted another school systems, causing a district-wide internet outage by compromising its main servers. Groton Public Schools in Connecticut was able to restore 90% of its systems quickly and continued to work through its disaster recovery process in conjunction with local law enforcement. Further details on this incident have not been released.
  4. Lurie Children’s Hospital in Chicago was forced to take its IT systems offline and postpone some medical care due to a ransomware attack. Email, phone, on-premises internet and other critical services were impacted. Rhysida took credit while claiming to have stolen 600GB of data from the hospital. The ransomware gang is now offering to sell the stolen data for 60 BTC ($3,700,000) to a single buyer. After a seven-day deadline, the gang will then either sell the data to multiple buyers at a lower price or will leak it for free. The nature of the data stolen has not yet been revealed.
  5. French medical imaging system manufacturer DMS Imaging was added to CUBA ransomware group’s victim list, stating that data was exfiltrated at the end of January. Cuba claimed to have files including financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, and source code in its possession. The organization has not yet made a public comment addressing these claims and it is not clear whether a ransom was demanded.
  6. Another French organization, Manitou Group, was attacked by LockBit, resulting in systems being encrypted and information exfiltrated. The notorious ransomware group claimed to have stolen 400GB of confidential data including client, employee and financial information from the equipment manufacturer.
  7. Potenza local Health Authority in Italy began investigating an attack at ASP of Potenza after the hospital network experienced computer system problems. The attack impacted the ASP, the Matera Health Autority, the San Carlo Hospital and the Rionero Regional Oncology Center. Rhysida claimed responsibility and posted images of passports and documents on its dark web site as proof of claims.
  8. The largest telecom operator in Central and South America revealed that it had been hit by a ransomware attack. Claro Company released this information in response to service disruptions in several regions. Reports suggest that Trigona was behind the attack, but the group has not yet posted the organization on its leak site. At this time, it is not clear if any data was exfiltrated during the incident.
  9. Although Chicago Extruded Metals has not yet publicly confirmed that it was a victim of a ransomware attack, LockBit has added the organization to its dark web site. The group claimed to have exfiltrated data including financial documents, employee information and client data but has not disclosed how much data it has in its possession.
  10. Spanish city Teo announced that a January cyberattack “paralyzed administrative activity” for a number of days. The attack impacted computers used in the social services offices and at the Teo Women’s Information Center. The city is coordinating with state officials, the Spanish Data Protection Agency and the national police agencies on the recovery effort. It is not known who was behind the attack or if any data was stolen.
  11. In Ibiza, Sant Antoni de Portmany fell victim to a ransomware attack which limited the work of city employees after IT equipment was “paralyzed.” Containment measures were instituted while the scope of the attack was analyzed. The incident was reported to relevant authorities including the National Cryptologic Centre. At time of writing no further details were available.
  12. News outlets have been closely following the fallout from LockBit’s ransomware attack on Fulton County, Georgia. The Fulton County government announced that a “cybersecurity incident” caused widespread systems outages in late January. The outages touched nearly every arm of the government and has since sparked concerns about Fulton County court cases and the overall court systems. LockBit has given multiple deadlines, but Fulton County refused to pay the undisclosed ransom. The group has threatened to leak all data exfiltrated including information linked to Donald Trump’s case, however at time of writing no data has been released. News reports also suggest that a $10.2million upgrade has been approved for the IT infrastructure of the government.
  13. In Tennessee, Germantown announced a ransomware attack which resulted in all internal on-site servers being impacted. Some services were affected but city officials stated that the impact was minimal. Initial assessments indicated that data related to finance, utilities and payment information had not been compromised. No ransomware group has yet claimed the attack and it is not known if any data was indeed exfiltrated during the incident.
  14. Medusa announced that it had hacked Egyptian platform solutions provider ArpuPlus this month. The ransom demand was set at $100,00 and it is still not known what type of information the ransomware group was able to steal. ArpuPlus has not yet made a public comment addressing the attack.
  15. The local government of Washington County in Pennsylvania authorized a ransom payment of $350,000 in response to a cyberattack in January. The incident caused the government to shut down its servers following a warning from the CISA. According to reports the threat actors seized control of the county’s network, “basically paralyzing all of the county’s operations.” It was confirmed that hackers had pilfered large amounts of sensitive data, including information about children in the court system. It is not known who was behind the attack.
  16. This month, sporting goods company Burton, who is known for its snowboards, recently reported a “sophisticated cyberattack” that happened one year ago in February 2023. The attack caused disruption to certain computer systems and at the time it was believed that a limited number of files and folders had potentially been accessed. The organization confirmed that 5170 individuals had been impacted by the incident during which hackers obtained names or other personal identifiers of customers.
  17. The municipality of Korneuburg in Austria was hit by a ransomware attack which affected all of the data held by the administration including the backup system. Services were hugely impacted with some reports suggesting that funerals were being cancelled due to necessary paperwork being unavailable. Officials have confirmed that they have received a ransom demand but have not disclosed the details. It has been stated that the administration would not be making the extortion payment.
  18. Black Basta struck car maker Hyundai Motor Europe in early January, with the group claiming to have stolen three terabytes of corporate data. The attack originally presented itself as IT issues, but investigations began to address claims that a third party had accessed a limited part of the network. The ransomware group added the organization to its leak site, displaying lists of folders as a proof of claims. It is not known what data was stolen by the threat actors.
  19. Service Employees International Union (SEIU), one of the largest unions in California, confirmed that network disruptions they experienced in January were a result of a ransomware attack. It was revealed that certain data was encrypted during the incident. LockBit claimed to have stolen 308GB of data from the union including employee SSNs, salary information, and financial documents along with other confidential information.
  20. Omega ransomware group claimed Four Hands LLC, a furniture company based in Texas, however the organization has not made a public comment addressing Omega’s claims. The ransomware group is said to have stolen 1.5TB of data including licenses, confidential financial data, employee salary records, NDAs and more.
  21. US based non-profit organization Upper Merion Township was hit by a Qilin ransomware attack, during which the threat actors claim to have stolen 500GB of data. On an Instagram post from December, the organization stated that it was experiencing network, email and phone system disruptions, but have not given any further information since then. The leaked information includes employee files, financial charts, email correspondence and private contracts among other confidential documents.
  22. The Armentières Hospital Center in France was the victim of a cyberattack in early February which saw printers printing a message stating that all data was encrypted. The hospital immediately disconnected the entire network, shutting down all of its services except for maternity emergencies. Although a ransomware group is yet to take credit for the incident, the hospital confirmed that attackers demanded an undisclosed ransom.
  23. Media monitoring software company Onclusive seen its production systems impacted by a ransomware attack. The organization assured customers that there was no evidence of any data having been compromised and that all CRM, financial and internal systems had not been impacted by the incident. The severity of the attack prevented restoration of services for a number of days. Play ransomware group claimed the attack, stating that it had stolen data including private and personal confidential information, client documents, budget and payroll information, financial information and “a lot of technical information”. It is not clear if a ransom demand was made by the group.
  24. 8Base ransomware claimed Lili’s Brownies, a French food production company as a victim this month, utilizing a double extortion technique associated with the group. Although the group did not reveal how much data they managed to exfiltrate, it did list the nature of the files which included invoices, receipts, accounting documents, personal data, contracts, and confidential information as well as other sensitive information. The organization has not commented on the event.
  25. Danbury Schools in Connecticut are asking for help from the local council to fill in a gap unbudgeted for cybersecurity following an attack in July last year. During the incident computer networks were compromised and servers encrypted causing issues for the school district. Although no ransom was paid to the unknown attackers, a cost of $202,274 was incurred during the fallout. It was also discovered, upon trying to make a claim, that its cyber insurance did not cover software or hardware, rendering it relatively useless in the case of a ransomware attack.
  26. The Office of the Colorado State Public Defender remains crippled two weeks after it suffered a ransomware attack. The attack forced the office to shut down its computer network, locking employees out of critical work systems. It was discovered that the attack also encrypted some data on the network. It is not clear who was behind the attack and if any information was accessed by threat actors.
  27. Swiss beauty brand La Colline was added to LockBit’s victim list this month, with the ransomware group claiming to have stolen an undisclosed amount of information from the organization. The beauty brand was given a deadline of 3rd March to pay the unknown ransom. La Colline are yet to publicly verify this incident.
  28. In Romania over 100 hospitals were impacted by a ransomware attack targeting Hipocrate Information Systems (HIS). Twenty-five hospitals confirmed that their data was encrypted with another seventy-five being taken offline while experts evaluate if they too have been impacted. The unidentified hackers demanded 3.5BTC ($170,000) to decrypt the data. The Romanian National Cybersecurity Directorate has asked those affected not to contact attackers and not to pay the ransom. The production servers on which HIS runs was heavily impacted during the attack which has led to the systems being down, and files and databases being encrypted. It is not yet known who was behind the attack.
  29. In South Africa, Tshwane University of Technology faced a “critical challenge” when it was faced with a ransomware attack in January. Rhysida claimed the attack, demanding 20 BTC (around $61,000) in exchange for exfiltrated data. The nature and amount of stolen data is unknown. Some are criticizing the university’s Vice Chancellor for a delay in the attack being reported to regulators.
  30. Spanish electricity company SerCide was a victim of a BlackCat ransomware attack in December. The ransomware group added SerCide to its leak site, leaking a total of 69GB of data after “negotiations were refused”. The group also taunted the organization stating, “good luck restoring your resources which have not been restored for more than one month.” SerCide has not publicly acknowledged the leak.
  31. BlackCat also claimed an attack Canada’s Rush Energy, claiming it has been in the organization’s network for a long time. On the group’s leak site, the post went on to say that the organization’s most valuable data had been stolen and that a backdoor into its network had been created, giving the group the ability to come and go. It also warned the organization that should it avoid making a deal with the group that all data will be made public.
  32. Lower Valley Energy, who provide energy services to Yellowstone National Park, was also a victim of a BlackCat ransomware attack in late December. The ransomware gang posted the US utility co-op on its leak site but did not include details on what data, if any, was stolen nor if it expected a ransom from the organization. Details on this attack are limited.
  33. Trans-Northern Pipelines (TNPI) confirmed it had suffered an internal breach in November but in February it began investigating claims made by ransomware group BlackCat on the dark web. The cybersecurity incident impacted a limited number of internal systems and was quickly contained. However, now BlackCat has added TNPI to its leak site and has published 183GB of data allegedly belonging to the organization. Several names of TPNI employees were also added to the dark web site.
  34. Singapore listed Aztech Global discovered a cybersecurity breach which forced the organization to immediately shut down all servers. An unknown actor gained unauthorized access to its IT systems but it is not clear at this time what data, if any, was impacted by the attack. The incident did not affect operations and has had no material financial impact. It is not clear who is behind this attack.
  35. Snatch claims to have infiltrated Malabar Gold and Diamonds, exfiltrating around 270GB of information. Among the data stolen is sensitive information about key figures within the organization, with the ransomware gang naming and giving personal information on the CEO and other leaders. Other stolen data is said to include financial performance and turnover of the company.
  36. Willis Lease Finance Corporation admitted to falling victim to a “cyberattack” following claims made by Black Basta on the group’s dark web site. Upon discovering the incident, swift action was taken to contain, assess and remediate the situation which included taking all systems offline. Black Basta claim to have exfiltrated 910GB of company data including customer information, HR documents and NDAs. Samples were also posted as proof of claims which included accessed file trees and identity documents. The dark web post made no mention of a ransom demand.
  37. On February 13th, German battery manufacturer Varta announced that it was forced to shut down its IT systems as a proactive measure following a cyberattack on the company. Operations at five production plants and the administration were impacted by the incident. A statement confirmed that at this time the damage or complete impact of the attack cannot be determined as investigations are ongoing. No ransomware group has taken credit for the attack to date.
  38. Australian organic and health product supplier Kadac was faced with a $100,000 ransom demand following a cyberattack in early February. Medusa claimed the attack, posting the ransom demand and giving the organization a 10-day deadline to pay to prevent stolen data from being leaked. Exfiltrated data includes customer details, correspondence with brands and suppliers, financial information, marketing data and other confidential information.
  39. LockBit claimed responsibility for hacking one of India’s top brokerage firms Motilal Oswal. The organization claim operations were unaffected by the cyberattack and that it is investigating claims made by LockBit. The notorious ransomware gang allegedly has confidential company data in its possession, but it is not clear how much data it may have or what exactly the information includes.
  40. Two weeks after an initial attack, Minnesota State University continued to deal with the impact. Reports state that “a few servers” were found encrypted by the university’s IT team at the beginning of February. The university stated that impacted servers did not contain any sensitive information belonging to students or employees. No classes were cancelled as a result of the attack and systems that are integrated with other universities remained unaffected. No ransomware group has yet claimed this attack.
  41. Prudential Financial announced that BlackCat had breached its network on February 4th and had stolen employee and contractor data. An investigation is currently ongoing to assess the full scope and impact of the cyberattack. The Fortune 500 company is yet to find evidence of any customer data having been affected by the incident. The ransomware gang posted a lengthy announcement on its leak site, giving many “facts” about the incident and what the organization is doing in the aftermath, including a claim that the group remained in the Prudential’s networks long after the breach announcement.
  42. Trisec, a newcomer to the ransomware landscape, posted Cogans Carrigaline, a Toyota dealership in Ireland, as one of its first victims. The leak site posting did not give much detail on the attack, giving a twenty-day deadline and offering only an email to contact for a ransom price. The automotive retailer has not made a public statement acknowledging an attack or Trisec’s claims.
  43. The Emirates Telecommunications Group Company, known as Etisalat, fell victim to a LockBit ransomware attack in mid-February. The ransomware group claimed to have stolen “sensitive files” from the state-owned telecom giant in the UAE, posting a $100,000 ransom demand to secure its data. Screenshots were posted as proof of claims alongside the dark web announcement. Etisalat is yet to publicly address LockBit’s claims.
  44. The Grace Lutheran Foundation posted a notice in early February about a data breach which had taken place earlier in the year. It revealed that patient information including name, address, SSNs and health insurance information had been impacted. BlackCat ransomware group added the organization to its leak site, stating that it had acquired 70GB of data during an attack. The group also stated that after two weeks of failed negotiations, Grace Lutheran Communities “refused to protect data of its employees and patients/customers”, which led to the stolen data being leaked.
  45. New ransomware group Mogilevich announced that it had successfully breached Infiniti USA’s systems, making the motor manufacturer one of its first victims. The gang claims to have exfiltrated 22GB of data which includes personal information belonging to customers. Inifiniti USA are yet to make a public statement acknowledging these claims.
  46. A spokesperson from Welch’s, who are known for producing grape juice and jams, stated that recent “system disruption” was actually the result of a cyberattack. The incident forced the company to shut down all operations, with no notification on when workers would return to work. A spokesperson stated that more than 100 cybersecurity and technology experts are working on the systems and the company is coordinating with law enforcement to investigate the incident. Play ransomware group posted Welch’s on its dark web site, claiming to have exfiltrated data including private and personal confidential information. Client documents, budget, payrolls, IDs, taxes, finance and other information.
  47. Numerous systems belonging to German critical infrastructure software provider PSI Software were disrupted by a ransomware attack last month. Upon identifying suspicious network activity, the company took down all external connections and computer systems. PSI also stated that it had seen no evidence to suggest that customer systems had been compromised by the attack. No further details on this incident have been made public.
  48. BlackCat ransomware group claimed it hacked KHS&S, adding the US based construction company to its dark web site. The posting on the site gave the organization a 3-day deadline to contact the group before data is released. It also gave names of four KHS&S employees with the note “contacts for journalists.” No other information regarding this attack is available and it seems that KHS&S has not publicly commented on a cyberattack or these claims.
  49. The City of Oakley in California declared a local state of emergency following a ransomware attack. The city’s IT department took all systems offline and began coordinating with law enforcement and cybersecurity professionals to investigate the nature and scope of the attack. Emergency services including 911, police, fire and ambulances were not impacted by the attack.
  50. Hessen Consumer Center in Germany was hit by a ransomware attack which caused IT systems to shut down and services to be rendered temporarily unavailable. External IT security experts were brought in to aid the not-for-profit’s efforts to restore the availability of all communications impacted. The data on the server and some backup systems were encrypted but it is not yet clear what data may have been involved in the incident. BlackCat added the organization to its leak site, with a comment suggesting that the organization has “visited the chat multiple times but didn’t say and single word”.
  51. In February, Aspen Dental filed a notice of data breach relating to a ransomware attack in April 2023. Upon discovery of the incident, Aspen Dental secured its systems and began working with third party data security specialists to investigate the incident. The investigation confirmed that ransomware attackers had gained access to the network and files containing confidential information. Patient and employee details were among those impacted by the attack.
  52. Pharmaceutical giants Cencora revealed that it had suffered a cyberattack which led to threat actors stealing data from corporate IT systems. The organization contained the incident and are working with law enforcement, cybersecurity experts and external council to investigate it. Although it has not determined if the incident will materially impact finances or operations, Cencora has learned that some data, which may include personal information, had been exfiltrated during the attack. No ransomware group has claimed this attack to date.
  53. Change Healthcare confirmed that it was experiencing a cybersecurity issue which was orchestrated by BlackCat. Experts are working to address the matter and the organization is working closely with law enforcement and third-party consultants to understand the impact to members, patients and customers. The company stated that based on an ongoing investigation, “there’s no indication that except for the Change Healthcare systems, Optum, UnitedHealthcare and UnitedHealth Group systems have been affected by this issue.” BlackCat’s leak site post, which has now been removed, stated that the gang claims to have stolen millions of Americans’ sensitive health and patient information.
  54. Gilroy Gardens, a theme park in California, was hit by a ransomware attack in mid-February, locking all on-site servers and machines, including its ticketing systems. Although customer names and credit card information are stored in the impacted systems, Gilroy Gardens, the FBI and third-party security experts do not believe any data was breached or stolen during the attack.
  55. Mogilevich ransomware gang added Epic Games to its ransomware leak site claiming to have stolen email addresses, passwords, payment information, source code and other data totally 189GB from the game developers. Epic Games has stated that although it is investigating claims there is currently no evidence to suggest that they are legitimate. News reports suggest that the threat actors are selling the stolen data for $15,000 and would only show samples when it was shown “proof of funds” to purchase.
  56. In late February, Rio Hondo Community College District confirmed that it had experienced a ransomware attack in October last year. Upon discovering that portions of its IT network had been encrypted, Rio Hondo took steps to secure its systems and began working with third-party data security specialists to investigate the incident. Sensitive consumer data including personal information was breached during the incident.
  57. Black Basta ransomware group has added Australian data management company ZircoDATA to its list of victims. The threat actors claim to have 395GB of data in its possession including financial documents, personal user folders, and confidentiality agreements. The group also posted a large number of documents on its dark web site as proof of the validity of the hack, including passport scans and immigration documents. ZircoDATA are taking the claims seriously and are working with cybersecurity experts to investigate the situation with urgency. At this stage in the investigation there is no evidence to suggest that personal information relating to customers has been impacted.


Share This Story, Choose Your Platform!

Related Posts