State of ransomware 2024
Published On: April 1st, 2024 | Categories: Ransomware, Research
January

2024 has started out with the highest number of January attacks we’ve ever recorded, with 76 attacks representing a 130% increase compared to 2022’s figures. Education topped the list of targeted industries, followed by healthcare and manufacturing. LockBit was the most active ransomware group this month, with Akira knocking BlackCat off the second-place spot for the first time. Notably, 91% of disclosed attacks involved data exfiltration.

Check out who made ransomware headlines this month:

  1. Australia’s Court Services Victoria (CSV) revealed that hackers were able to disrupt operations and access its audio-visual archive containing sensitive hearing recordings during an attack. The impacted system was immediately isolated and shut down, but investigations revealed that a breach exposed recordings going as far back as the beginning of November 2023. This incident impacted various courts and jurisdictions including the Supreme Court and Magistrates’ Court. It is not known who was behind the attack or if any ransom was demanded in exchange for the compromised data.
  2. Swedish supermarket chain Coop fell victim to a Cactus ransomware attack in late December, impacting stores in the county of Värmland. A spokesperson confirmed the cyberattack, stating that upon detection external expertise was engaged to close off “vulnerabilities where intrusions occurred.” According to reports, stores were unable to take card payments on December 22nd but all stores remained open. Cactus ransomware group did not disclose many details on the attacks including what data was stolen.
  3. A Christmas Day attack that knocked out electronic health systems at Anna Jaques Hospital (AJH) has been claimed by Money Message ransomware group. The gang claimed it exfiltrated 600GB of information including data relating to its parent network Beth Israel Lahey Health. The exact nature of the exfiltrated data remains unknown, and the ransom amount demanded was not disclosed.
  4. One of Africa’s largest airlines, Kenya Airways, was claimed as a victim by the Ransomexx ransomware group. The ransomware group shared over 2GB of data allegedly stolen from the airline including sensitive information. Compromised data is said to include passenger information, accident reports, investigative activities and plans for the carrier. The organization has not yet made a public announcement acknowledging the claims.
  5. Fallon Ambulance Service, a now-defunct subsidiary of Transformative Healthcare, suffered a ransomware attack in April 2023 which impacted data of 911,757 individuals. The attackers gained access to the company’s systems from late February and remained there until late April. BlackCat claimed the attack, stating that they had exported 1TB of data including medical reports, paramedic reports, sensitive patient details, and other information. Transformative’s investigation of the incident concluded in late December 2023 when the breach notification was submitted.
  6. French logistics company Groupe IDEA was added to LockBit’s dark web victim site this month. The post from the group did not disclose any details on the breach and only contained a countdown to a deadline date of January 22nd for an undisclosed ransom demand to be met. It is not known what, or how much data was exfiltrated by the group. Groupe IDEA are yet to make a public comment addressing these claims.
  7. Gallery Systems, a museum software solutions provider, announced that IT outages were caused by a ransomware attack. The attack, which took place on December 28th, caused the company to take systems offline to prevent further devices from being encrypted, which led to wide-spread disruption for over 800 museums. Law enforcement was notified, and an internal investigation launched to determine the impact of the breach. No ransomware group has yet claimed responsibility for the incident.
  8. One of the largest insurance companies in the US, First American, confirmed that a cyberattack reported in December was indeed a ransomware attack. The incident forced the company to isolate systems from the internet in an attempt to contain and remediate the incident. Investigations revealed that threat actors accessed certain non-production systems, exfiltrated and encrypted data. It is not known who was behind the attack at this time.
  9. BlackCat ransomware group added SAED International to its victim list this month, claiming to have infected all systems and affected services. Although no detailed information was provided by the threat actors, the group suggested that the Saudi Closed Joint Stock Company had “tried to hide the attack from clients.” It is not clear what impact the attack had on the organization nor what information has been stolen. SAED are yet to publicly address BlackCat’s claims.
  10. A cybersecurity incident around Christmas caused Eagers Automotive to halt all trading operations until further notice. The incident affected the IT systems and daily operations across dealerships in Australia and New Zealand. Notorious ransomware gang LockBit claimed responsibility and added the Australian car dealership to its leak site.
  11. US-based transportation provider Estes Express Lines confirmed that it had fallen victim to a cybersecurity incident last year. The attack caused IT outages and affected Estes’ online tracking services. A forensic investigation determined that unauthorized threat actors had accessed systems and exfiltrated data which is said to include names and other personal identifiers belonging to at least 21,184 individuals.
  12. LockBit began leaking information stolen from the University of Sherbrooke which was stolen during a ransomware attack in December 2023. The attack had no impact on the university’s activities, but a spokesperson did state that the compromised data had come from one research laboratory. The ransomware group added screenshots as proof of claims to the announcement on the dark web.
  13. Mexico’s largest poultry producer, Bachoco, was hacked by Cactus ransomware group just before the new year. The group posted Bachoco on its leak site but provided little information on the attack and did not post a deadline for payment of an undisclosed ransom. It is suggested that 130GB of data was exfiltrated during the incident. A download link to the proof of claims was included which contained PII of employees, stakeholders, and customers as well as other confidential documents.
  14. Hunters International ransomware gang breached Bradford Health, causing an operations blackout. The attack resulted in a breach of approximately 770GB of data including agreements, medical records, SQL backups, employee data and business documents. The healthcare facility has made no public comment addressing the claims.
  15. Hackers targeted Kaunas University of Technology in Lithuania, launching an attack that led to the disruption of dozens of systems and ultimately a leak of sensitive information. Information such as employee names, addresses, contact information and car registrations was compromised. Rhysida has claimed the attack and added a number of screenshots, including scanned passports, to its leak site.
  16. In Louisiana, Tulane University is investigating a potential cyberattack following claims made by Meow. The university launched an investigation of the claim and any impact of the attack but did comment that all network systems were operational. The ransomware group posted the university on its leak site on December 13th but did not include any more information on the attack, with the posting simply stating “soon”.
  17. Kershaw County School District (KCSD) in South Carolina was the first educational institute claimed by BlackSuit in 2024. Threat actors posted the school district on its leak site earlier this month, alongside claims that 17GB worth of files had been exfiltrated from the KCSD network during the incident.
  18. In Idaho, Blaine County School District was also targeted by BlackSuit during an attack in late December. BlackSuit alleges to have 12GB of data belonging to BCSD, although no proof of claims was added to the dark web listing.
  19. Marketing-centered US service provider Televerde fell victim to a cyberattack at the hands of Play. The organization is yet to make a comment on the claims but the group’s posting on its victim site suggests that data was stolen during the attack. Compromised information allegedly includes private and personal confidential data, client documents, budget, IDs, payroll, insurance, taxes, finances, and other company information.
  20. In Brazil, Agro Baggio was hacked by Knight ransomware group, causing the organization’s website to be knocked offline. The threat actors added Agro Baggio to its leak site, noting that the network is “tightly closed and unavailable.” Knight also claimed to have exfiltrated 70GB of files containing “important data.” A threat was also included in the post highlighting that DPO/LGPD fines are high.
  21. At the beginning of the month, mortgage lender LoanDepot was forced to shut down some of its systems to contain a cybersecurity breach, with payments via the servicing portal and other online portals being taken offline. The organization has confirmed that it was hit with a ransomware attack, with malicious actors also encrypting files on compromised devices. An investigation revealed that sensitive personal information of approximately 16.6 million individuals was accessed by the ransomware group responsible. At the time of writing, no ransomware group has yet taken credit for the incident.
  22. LockBit claimed responsibility for an attack on the Capital Health hospital network which caused IT system outages and impacted operations for at least one week. LockBit listed the healthcare company on its data leak portal, claiming to have stolen 7TB of sensitive medical information valued at $250,000. The ransomware gang stated that it purposely did not encrypt the hospital’s systems so as not to interfere with patient care.
  23. The World Council of Churches confirmed that it was contacted by hackers on December 26th, demanding a ransom for information accessed during a cyberattack. All systems were unavailable including the website. The WCC stated that it would never give in to such threats. The WCC attack has not been claimed by any ransomware group.
  24. The largest zoo in Canada, Toronto Zoo, confirmed that its systems had been hit by a ransomware attack but that it had caused no impact to the animals’ care, its website, or its day-to-day operations. The zoo is investigating whether the incident affected guest, member, or donor records. The incident was reported to the Toronto Police Service and the zoo continues to work with third-party security experts and the City of Toronto’s Chief Information Security Office to determine the extent of the damage. Akira has taken credit for this incident, claiming to have exfiltrated 33GB of data including NDAs, confidential agreements and personal files.
  25. Offshore and marine organization ES Group (Holdings) saw information on its systems encrypted as a result of a ransomware attack. The company announced the incident stating that it had impacted the “majority” of its data in its servers but that investigations remained ongoing and the “threat had been contained.” ES Group also commented that there had been no significant impact to its business or operations.
  26. Another Singapore-listed company made headlines when IPS Securex Holdings confirmed that it had encountered a ransomware incident which had rendered its network inaccessible. Based on initial investigations, the organization is yet to see any evidence of data exfiltration from the attack. The threat actors behind the attack remain unknown.
  27. In Washington, Edmonds School District confirmed that a cyberattack in January last year compromised the sensitive personal information of approximately 250,000 individuals. The school district identified suspicious activities in its internal network and immediately launched an investigation. Compromised data included names and other personal identifiers, financial information and credit and debit card account information. Akira claimed responsibility for the attack in August, allegedly stealing 10GB of data.
  28. The Paraguay military issued warnings of Black Hunt ransomware after Tigo Business suffered a cyberattack which impacted cloud and hosting services in the company’s business division. Reports suggest that over 300 servers were encrypted, and backups compromised. The organization was not able to provide a lot of information relating to the attack.
  29. Black Basta published 515GB of data allegedly belonging to Park Holidays UK, a holiday park operator with more than 50 sites in the UK. The compromised data included financial documents, and personal documents such as driving licences and passports. The organization has not made a public announcement acknowledging the leak.
  30. German engineering company Gräbener Maschinentechnik confirmed that it had also fallen victim to a Black Basta ransomware attack late last year. The organization stated that unauthorized access was gained by threat actors and that it could not rule out data being leaked. The ransomware group has already published the 1.1TB of data exfiltrated from the organization during the attack. Information includes confidential information and company documents.
  31. TiAuto Investments, the holding company of Tiger Wheel & Tyres, notified suppliers that it was hit by a ransomware attack on December 28th. The organization’s security team detected suspicious activity and immediately disconnected the network, enabling them to contain the attack. The organization launched a full forensic cyber audit to determine the scope of the incident and the outcomes. LockBit claimed TiAuto Investments as a victim, but it is not clear what or how much data was exfiltrated during the attack.
  32. Over Christmas, Aspiration Training suffered a ransomware attack on part of its network in a data center. Initial investigations revealed that attackers penetrated a small area of the network, encrypting data. Rhysida claimed the incident, demanding 1BTC in exchange for the data exfiltrated. It is not clear at this time what data was compromised in the attack.
  33. RE&S Holdings, a Japanese multi-food brand, announced on January 11th that it had initiated data recovery following an attack which impacted the data on its servers. RE&S activated business continuity plans and has seen no significant impact to its business operations. The company reported that, following preliminary investigations, it has not observed any evidence of data exfiltration or the compromise of any sensitive personal information.
  34. Sources from Fullerton Joint Union High School District revealed that it suffered a “complete internet shutdown” in November. This month it was announced that there is now evidence that some non-sensitive student information was accessed during the attack. Some feel that the superintendent should have acted sooner in informing the school district community about the data breach. It is not known who was behind the attack.
  35. Not for profit organization Water for People was targeted by a ransomware attack orchestrated by Medusa. The gang listed Water for People on its darknet site, threatening to publish stolen information unless the organization paid a ransom demand of $300,000. A spokesperson from Water for People commented that the data accessed predates 2021 and did not compromise financial systems or business operations.
  36. BlackCat claimed US-based general contractor Builcore as a victim, allegedly exfiltrating 250GB of data during the attack. On its victim site, the group stated that data stolen includes past, present and future clients as well as project information. It was also reported that Builcore refused to negotiate with the threat actors. Builcore has not commented on the breach.
  37. The Lutheran World Federation (LWF) became a victim of cyber extortion at the hands of Rhysida. The ransomware group reportedly exfiltrated 734GB of data in 732,665 files. Screenshots, including passports, were released as proof of claims. 50% of the files that “did not sell” have already been leaked. Rhysida has not publicly announced how much data was stolen during the attack and it is not known if a ransom was demanded from the LWF.
  38. It has been reported that staff of Australian imaging and diagnostics provider Quantum Radiology were told to tell concerned patients that a November breach was an “operational IT issue.” An unauthorized party breached the company’s IT systems and encrypted its contents including patients’ Medicare numbers, identifying information, claim details and scan reports. A ransomware gang is yet to take credit for this incident.
  39. The Arrowhead Regional Computing Consortium announced that a 2023 data breach compromised the sensitive personal information of more than 65,000 people. During an attack in February last year, the educational advisory group detected unauthorized activity in its internal network and immediately launched an investigation into the nature and scope of the incident. The investigation concluded on December 7th, revealing that sensitive personal information including names, SSNs, health insurance information and medical information had been compromised during the attack. LockBit claimed the attack back in April, giving the consortium seven days to pay an undisclosed ransom before data was published.
  40. Personal information from over 7,300 individuals was accessed by threat actors during a cyberattack on Carnegie Mellon University (CMU). The university launched an investigation and recovery operation which revealed that unauthorized external actors had accessed its computer systems. Information compromised included names, SSNs and dates of birth.
  41. Calvià City Council, a major Majorca tourism hotspot, was targeted by a ransomware attack, with threat actors demanding an $11 million ransom. The attack caused IT outages and forced the council to form a crisis committee to evaluate the damage done and create impact mitigation plans. The ransomware group behind the attack remains unknown and the mayor of Calvià has stated that the ransom demand will not be paid under any circumstances.
  42. Hackers who claimed to have passenger data of PT Kereta Api Indonesia (KAI) demanded billions of rupiah in bitcoin from the government. The threat actors claim to be in possession of data belonging to employees and passengers alongside other information but have not disclosed the total amount of data breached. The government was asked to pay a ransom of 11.69BTC, but KAI has confirmed that it has seen no evidence that any data was leaked.
  43. Fortune 500 company Ashbury Automotive Group was hacked by the Cactus ransomware gang, who published the company’s data on its PR website on January 12th, claiming to have stolen 62GB and stating that less than 1% of the data was published. Confidential documents including passports, driver’s licenses, IDs, private financial data and employee information are among the data taken during the incident.
  44. BianLian ransomware group claimed Republic Shipping Consolidators as a victim on its leak site, publishing 117GB of confidential data belonging to the organization. Compromised information included financial records, email correspondence, internal company documents, personal details of employees and various other technical data. Republic Shipping Consolidators has not yet publicly commented on claims made by the ransomware group.
  45. US-based transportation management company Becker Logistics was among Akira’s victims in January, with the ransomware group threatening to release data exfiltrated during an attack. Akira stated that it is in possession of about 43GB of files including personal information, HR, customer info, NDA documents, contracts, and financial information. Becker Logistics has not yet made a public comment addressing the incident.
  46. 60,871 individuals were recently notified about a July ransomware attack on ConsensioHealth. The cyberattack, which was discovered on July 3rd, made the network inaccessible to staff members of the billing service. Steps were immediately taken to prevent the spread of the attack and an investigation was launched to determine whether patient data was accessed or copied. In November, the investigation confirmed that files containing patient data were stolen, including files from seven entities.
  47. Memorial University confirmed that a cyberattack on Grenfell Campus during the Christmas break was indeed a ransomware attack. An unauthorized third party gained access to the Grenfell Campus’ network and encrypted data on a number of servers and workstations, rendering IT services unavailable. At this time, the university does not have any evidence that any personal information was compromised. An investigation is ongoing and, as yet, no ransomware group has claimed the attack.
  48. LockBit breached Foxsemicon Integrated Technology Inc, one of Taiwan’s biggest semiconductor manufacturers, demanding a ransom to avoid publishing troves of data. On January 17th LockBit pasted a ransom note on the organization’s website, demanding payment of an unspecified amount. According to claims made by the ransomware group, 5TB of data said to include personal data belonging to customers was exfiltrated. The group also threatened that if management did not get in contact it was “able to completely destroy Foxsemicon with no possibility of recovery.” The organization has not been added to LockBit’s leak site, which may suggest that the victim has entered into ransom negotiations or has already paid the amount demanded.
  49. Kansas State University announced that it was facing a cybersecurity incident that disrupted certain network systems including VPNs. Impacted systems were taken offline upon detection of the incident. The university engaged third-party IT forensic experts to assist in the ongoing investigation efforts. At the time of writing no ransomware group has taken responsibility for the attack.
  50. Netherlands-based denim brand DENHAM the Jeanmaker officially acknowledged falling victim to a cyberattack in late December 2023. The cyberattack did not materially impact DENHAM services in stores or online. A spokesperson confirmed that threat actors accessed some data on affected systems but stressed that information accessed did not include the personal data of consumers who visited its webshop. Akira took credit for the attack, stating on its victim site that it is in possession of 100GB of data archive.
  51. Hunters International launched an attack on Gallup-McKinley County Schools in New Mexico. The cyberattack claim lacks critical details including the nature of the data compromised, the extent of the breach, or the motives driving the attack. With no proof of claims added to the leak site, experts are questioning the validity of the claims made.
  52. In Maryland, Primary Health & Wellness Center made a public notice regarding a ransomware attack which occurred in October 2023. It stated that ransomware encrypted its network server which contained patient medical records from 2018 to present and included names, addresses, dates of birth, SSNs and medical records. PHWC also claims that it has no evidence to believe that any patient data or protected health information was acquired, exfiltrated or misused. The incident was reported to HHS in December as affecting 4,792 individuals.
  53. The FBI, Homeland Security and Oregon City Police Department are investigating an incident which impacted staff and students of Clackamas Community College. Several attacks against the college network took place overnight, with employees receiving emergency notifications about an intrusion. The attack on the servers was quickly isolated, with the origin of the hack being traced back to a Russian IP address. An investigation is ongoing to determine the scope of the attack and whether data was compromised. LockBit has claimed responsibility for this incident.
  54. Evidence of a cyberattack on Worthen Industries was posted on the ALPHV, aka BlackCat, leak site. The posting states that should the organization not contact the group in three days, Worthen’s “entire corporate data” including personal and confidential data would become public. The group also taunted the organization asking if it valued the reputation of the company. No further details on the attack have been released.
  55. Subway restaurant chain has launched an investigation after claims made by LockBit ransomware group. The infamous ransomware group added Subway to its Tor site alongside claims that it had exfiltrated Subway’s SBS internal system, which includes hundreds of gigabytes of data and all financial aspects of the franchise. An undisclosed ransom was demanded with a deadline for payment set as February 2nd; failure to pay means all data will be published.
  56. Tietoevry, a cloud hosting service provider, announced that one of its Swedish data centers was “partially subject to a ransomware attack.” The attack affected numerous customers, but it is believed that only services of customers in Sweden were impacted. It has not been announced whether sensitive or personal data was stolen during the incident. According to Tietoevry, the Akira ransomware gang is responsible for this attack.
  57. Ransomware was the culprit behind a cyberattack on Douglas County Libraries in Colorado. The attack which was discovered on January 14th led to temporary catalogue and service outages. The network was quickly taken offline which impacted several other services offered by the libraries. An investigation has been launched but it is not yet known who was behind the attack and if any data was stolen.
  58. The world’s leading aircraft leasing company AerCap experienced a cybersecurity incident “related to ransomware” but claims it suffered no financial impact as a result of the attack. An investigation continues with an aim to establish the extent to which data may have been exfiltrated or otherwise impacted. Slug ransomware group claimed responsibility for the intrusion and listed AerCap as its first public target. The group claims to have stolen 1TB from the organization.
  59. LockBit claimed TV Jahn Rheine in Germany as a victim, providing information on substantial amounts of sensitive data stolen, including account information, email conversations and HR records. It is not clear how much information was stolen or what ransom was demanded by the threat actors.
  60. First Financial Security Inc reported that it had recently fallen victim to a ransomware attack which resulted in an unauthorized party being able to access consumers’ sensitive information. The organization secured its systems and determined that threat actors were not successful in encrypting the company’s systems; however, investigations revealed that portions of its IT network were accessed. Compromised data includes names, SSNs and other personal information.
  61. Veolia North America revealed that it suffered a ransomware attack which impacted systems of part of its Municipal Water division and disrupted its bill payment systems. The subsidiary of Veolia implemented defensive measures, taking some systems offline temporarily to contain the breach. The organization is working with forensic specialists to assess impact on its operations and systems. No ransomware group has yet claimed responsibility.
  62. Japan Foods Holding announced that the company was involved in a ransomware attack during which an unknown third party gained access to its servers and encrypted data. It is believed that there will be no material impact to financial or operational performance. During an initial investigation no evidence of data leakage or exfiltration was found.
  63. UK water giant Southern Water confirmed that threat actors broke into its IT systems and exfiltrated a “limited amount of data” following a ransomware attack. Black Basta has claimed responsibility, publishing a snippet of 750GB of stolen data including scans of identity documents, HR-related information and corporate car leasing documents. Southern Water stated that although a limited amount of data has been leaked, there is no evidence that customer relationship and financial systems were affected.
  64. In Pennsylvania, Bucks County stated that it dealt with a cyberattack which caused outages and problems for county hospitals, libraries and other local services. The incident disabled the county’s Emergency Communications Department’s computer-aided dispatch (CAD) systems, causing issues for the emergency services. The county partnered with state and federal agencies to assist with the ongoing investigation into the attack. Further information on this attack is not currently available.
  65. The Kansas City Area Transportation Authority (KCATA) announced that it had been targeted by a ransomware attack on January 23rd, impacting all communication systems. Despite call-center disruption, all routes continued to run as usual with no passenger transit operations impacted. Medusa claimed responsibility, posting data samples on its dark web portal as proof of claims. A ransom of $2,000,000 has been demanded.
  66. A cyberattack on financial technology firm EquiLend forced several of its systems offline and caused several days of disruption. A spokesperson stated that firms would have to move to manual processes while the platform remained offline. EquiLend are working with external cybersecurity firms and other professional advisors to assist with investigations. Some reports suggest that LockBit was behind the attack, but the ransomware group has not yet posted any claims on its leak site.
  67. The Co-operative Housing Federation of Norway (NBBL) was hit by a “classic ransomware attack” which also impacted three of its companies. In a statement made by NBBL’s Communications Director, it was noted that affected parties were informed and security measures were immediately implemented to minimize the consequences of the attack. NBBL’s CEO commented that NBBL will not be paying any ransom demanded. 8Base has taken credit for the attack, claiming to be in possession of information including financial data, personal data and confidentiality agreements, among other confidential information.
  68. In Ohio, Groveport Madison Schools is in the process of recovering from a ransomware incident. It took the school district a month to restore services after an attack on December 5th. The hackers identified themselves as BlackSuit, adding the school district to its leak site. A spokesperson confirmed that the hackers stole some staff data, but no student data was compromised during the incident.
  69. Akira ransomware group claimed an attack on British bath bomb merchant Lush. The ransomware group claims to have stolen 110GB of data including “a lot of personal documents” such as passport scans. Other company documents relating to accounting, finances, tax, projects and clients are also said to be among the data exfiltrated. There is currently no evidence to suggest that customer data has been impacted. Lush publicly announced a cyberattack in early January but has not publicly acknowledged claims made by Akira.
  70. LockBit has reportedly claimed responsibility for an incident involving the Caravan and Motorhome Club in the UK. During the cybersecurity incident customers were unable to reach the company or access any of its digital channels. It took the company five days to make a public disclosure, following on from advice given by its external cybersecurity experts. The ransomware group has not added a lot of detail to its posting about the Caravan and Motorhome Club but has given the organization until February 9th to meet undisclosed ransom demands.
  71. Scottish charity The Richmond Fellowship Scotland was targeted by a ransomware attack which shut down all of its systems for over two weeks. Experts from Police Scotland are investigating but most aspects of the attack are still not known. Medusa has claimed responsibility for the attack, claiming to have stolen an unknown amount of data. A ransom of $300,000 has been set by threat actors in exchange for data stolen.
  72. Planet Home Lending LLC was a victim of a ransomware attack in November 2023, but the data breach was only announced by the organization recently. In response to the attack, Planet Home contained the incident, terminated unauthorized access and launched an investigation involving third party specialists. Investigations determined that threat actors were able to access sensitive consumer information.
  73. Cactus targeted energy management and automation giant Schneider Electric, reportedly stealing terabytes of corporate data during the cyberattack. The company’s Sustainability Business division was hit in early January, disrupting some of Schneider Electric’s Resource Advisor cloud platform. At this time, it is not known what data was exfiltrated or what the ransom demand is.
  74. BlackCat is threatening to release classified documents from numerous U.S. intelligence agencies following an attack on Technica Corporation. The ransomware group added a post on its dark web site claiming to have exfiltrated 300GB of data from the company. The group wrote “documents relate to the FBI and other US intelligence agencies. If Technica does not contact us soon, the data will either be sold or made public.” The posting also included 29 separate documents as a proof of claims which included contracts from the Dept of Defense as well as employee information. Technica are yet to address these claims publicly.
  75. Lotus Media Group in Oregon, which oversees one newspaper and five local radio stations, faced a ransomware attack in late January. The incident caused disruptions to operations, with employees locked out of their emails and key systems used to design the print newspaper. Staff are working to restore operations and continue reporting the news. It is not clear who was behind the attack or if any data was exfiltrated.
  76. A December cyberattack on Saint Anthony Hospital has recently been claimed by LockBit ransomware gang. LockBit posted the Chicago hospital on its leak site, giving it two days to pay a nearly $900,000 ransom. Administrators determined that files containing patient information had been copied from the network. LockBit didn’t share a lot of information on its posting but did share how they felt about US hospitals, commenting “always US hospitals put their greedy interest over those of their patients and clients.”

February

In February we recorded 57 publicly disclosed ransomware attacks, a 43% increase over last year’s figures. February saw the temporary takedown of LockBit, which did slow the operation down for a few days, but didn’t stop them from carrying out nine attacks, the same amount as BlackCat. Some attacks dominated headlines this month including Lurie Children’s Hospital, Fulton County, Hipocrate Information Systems in Romania and Epic Games.

Find out who else made the ransomware news headlines during the month:

  1. Skokie in Illinois experienced unauthorized access to the village’s computer systems which led to a network outage. It was reported that staff were told to keep information regarding the attack to themselves and not reveal details to the public. Investigations revealed that threat actors had acquired certain files and data from the network, but it was not confirmed what information was held in those files. Hunters International claimed the incident.
  2. The Misbourne, a school in the UK, was forced to close to students following a ransomware attack in late January. The incident impacted some of the school’s IT systems which significantly affected its infrastructure and operations. It was revealed this month that personal data belonging to students, families and teachers were stolen during the attack. LockBit took responsibility and confirmed that it had student data, bank details, salary data, HR information and many other confidential agreements in its possession.
  3. LockBit also targeted another school system, causing a district-wide internet outage by compromising its main servers. Groton Public Schools in Connecticut was able to restore 90% of its systems quickly and continued to work through its disaster recovery process in conjunction with local law enforcement. Further details on this incident have not been released.
  4. Lurie Children’s Hospital in Chicago was forced to take its IT systems offline and postpone some medical care due to a ransomware attack. Email, phone, on-premises internet and other critical services were impacted. Rhysida took credit while claiming to have stolen 600GB of data from the hospital. The ransomware gang is now offering to sell the stolen data for 60 BTC ($3,700,000) to a single buyer. After a seven-day deadline, the gang will then either sell the data to multiple buyers at a lower price or will leak it for free. The nature of the data stolen has not yet been revealed.
  5. French medical imaging system manufacturer DMS Imaging was added to Cuba ransomware group’s victim list, stating that data was exfiltrated at the end of January. Cuba claimed to have files including financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, and source code in its possession. The organization has not yet made a public comment addressing these claims and it is not clear whether a ransom was demanded.
  6. Another French organization, Manitou Group, was attacked by LockBit, resulting in systems being encrypted and information exfiltrated. The notorious ransomware group claimed to have stolen 400GB of confidential data including client, employee and financial information from the equipment manufacturer.
  7. Potenza Local Health Authority in Italy began investigating an attack at ASP of Potenza after the hospital network experienced computer system problems. The attack impacted the ASP, the Matera Health Authority, the San Carlo Hospital and the Rionero Regional Oncology Center. Rhysida claimed responsibility and posted images of passports and documents on its dark web site as proof of claims.
  8. The largest telecom operator in Central and South America revealed that it had been hit by a ransomware attack. Claro Company released this information in response to service disruptions in several regions. Reports suggest that Trigona was behind the attack, but the group has not yet posted the organization on its leak site. At this time, it is not clear if any data was exfiltrated during the incident.
  9. Although Chicago Extruded Metals has not yet publicly confirmed that it was a victim of a ransomware attack, LockBit has added the organization to its dark web site. The group claimed to have exfiltrated data including financial documents, employee information and client data but has not disclosed how much data it has in its possession.
  10. Spanish city Teo announced that a January cyberattack “paralyzed administrative activity” for a number of days. The attack impacted computers used in the social services offices and at the Teo Women’s Information Center. The city is coordinating with state officials, the Spanish Data Protection Agency and the national police agencies on the recovery effort. It is not known who was behind the attack or if any data was stolen.
  11. In Ibiza, Sant Antoni de Portmany fell victim to a ransomware attack which limited the work of city employees after IT equipment was “paralyzed.” Containment measures were instituted while the scope of the attack was analyzed. The incident was reported to relevant authorities including the National Cryptologic Centre. At time of writing no further details were available.
  12. News outlets have been closely following the fallout from LockBit’s ransomware attack on Fulton County, Georgia. The Fulton County government announced that a “cybersecurity incident” caused widespread systems outages in late January. The outages touched nearly every arm of the government and have since sparked concerns about Fulton County court cases and the overall court systems. LockBit has given multiple deadlines, but Fulton County refused to pay the undisclosed ransom. The group has threatened to leak all data exfiltrated, including information linked to Donald Trump’s case; however, at time of writing no data has been released. News reports also suggest that a $10.2 million upgrade has been approved for the IT infrastructure of the government.
  13. In Tennessee, Germantown announced a ransomware attack which resulted in all internal on-site servers being impacted. Some services were affected but city officials stated that the impact was minimal. Initial assessments indicated that data related to finance, utilities and payment information had not been compromised. No ransomware group has yet claimed the attack and it is not known if any data was indeed exfiltrated during the incident.
  14. Medusa announced that it had hacked Egyptian platform solutions provider ArpuPlus this month. The ransom demand was set at $100,00 and it is still not known what type of information the ransomware group was able to steal. ArpuPlus has not yet made a public comment addressing the attack.
  15. The local government of Washington County in Pennsylvania authorized a ransom payment of $350,000 in response to a cyberattack in January. The incident caused the government to shut down its servers following a warning from the CISA. According to reports the threat actors seized control of the county’s network, “basically paralyzing all of the county’s operations.” It was confirmed that hackers had pilfered large amounts of sensitive data, including information about children in the court system. It is not known who was behind the attack.
  16. This month, sporting goods company Burton, which is known for its snowboards, reported a “sophisticated cyberattack” that happened one year ago in February 2023. The attack caused disruption to certain computer systems and at the time it was believed that a limited number of files and folders had potentially been accessed. The organization confirmed that 5170 individuals had been impacted by the incident, during which hackers obtained names or other personal identifiers of customers.
  17. The municipality of Korneuburg in Austria was hit by a ransomware attack which affected all of the data held by the administration including the backup system. Services were hugely impacted with some reports suggesting that funerals were being cancelled due to necessary paperwork being unavailable. Officials have confirmed that they have received a ransom demand but have not disclosed the details. It has been stated that the administration would not be making the extortion payment.
  18. Black Basta struck car maker Hyundai Motor Europe in early January, with the group claiming to have stolen three terabytes of corporate data. The attack originally presented itself as IT issues, but investigations began to address claims that a third party had accessed a limited part of the network. The ransomware group added the organization to its leak site, displaying lists of folders as a proof of claims. It is not known what data was stolen by the threat actors.
  19. Service Employees International Union (SEIU), one of the largest unions in California, confirmed that network disruptions they experienced in January were a result of a ransomware attack. It was revealed that certain data was encrypted during the incident. LockBit claimed to have stolen 308GB of data from the union including employee SSNs, salary information, and financial documents along with other confidential information.
  20. Omega ransomware group claimed Four Hands LLC, a furniture company based in Texas; however, the organization has not made a public comment addressing Omega’s claims. The ransomware group is said to have stolen 1.5TB of data including licenses, confidential financial data, employee salary records, NDAs and more.
  21. US based non-profit organization Upper Merion Township was hit by a Qilin ransomware attack, during which the threat actors claim to have stolen 500GB of data. In an Instagram post from December, the organization stated that it was experiencing network, email and phone system disruptions, but it has not given any further information since then. The leaked information includes employee files, financial charts, email correspondence and private contracts among other confidential documents.
  22. The Armentières Hospital Center in France was the victim of a cyberattack in early February which saw printers printing a message stating that all data was encrypted. The hospital immediately disconnected the entire network, shutting down all of its services except for maternity emergencies. Although a ransomware group is yet to take credit for the incident, the hospital confirmed that attackers demanded an undisclosed ransom.
  23. Media monitoring software company Onclusive saw its production systems impacted by a ransomware attack. The organization assured customers that there was no evidence of any data having been compromised and that all CRM, financial and internal systems had not been impacted by the incident. The severity of the attack prevented restoration of services for a number of days. Play ransomware group claimed the attack, stating that it had stolen data including private and personal confidential information, client documents, budget and payroll information, financial information and “a lot of technical information”. It is not clear if a ransom demand was made by the group.
  24. 8Base ransomware claimed Lili’s Brownies, a French food production company as a victim this month, utilizing a double extortion technique associated with the group. Although the group did not reveal how much data they managed to exfiltrate, it did list the nature of the files which included invoices, receipts, accounting documents, personal data, contracts, and confidential information as well as other sensitive information. The organization has not commented on the event.
  25. Danbury Schools in Connecticut are asking for help from the local council to fill an unbudgeted cybersecurity gap following an attack in July last year. During the incident computer networks were compromised and servers encrypted, causing issues for the school district. Although no ransom was paid to the unknown attackers, a cost of $202,274 was incurred during the fallout. It was also discovered, upon trying to make a claim, that its cyber insurance did not cover software or hardware, rendering it relatively useless in the case of a ransomware attack.
  26. The Office of the Colorado State Public Defender remains crippled two weeks after it suffered a ransomware attack. The attack forced the office to shut down its computer network, locking employees out of critical work systems. It was discovered that the attack also encrypted some data on the network. It is not clear who was behind the attack and if any information was accessed by threat actors.
  27. Swiss beauty brand La Colline was added to LockBit’s victim list this month, with the ransomware group claiming to have stolen an undisclosed amount of information from the organization. The beauty brand was given a deadline of 3rd March to pay the unknown ransom. La Colline are yet to publicly verify this incident.
  28. In Romania over 100 hospitals were impacted by a ransomware attack targeting Hipocrate Information Systems (HIS). Twenty-five hospitals confirmed that their data was encrypted, with another seventy-five being taken offline while experts evaluate if they too have been impacted. The unidentified hackers demanded 3.5BTC ($170,000) to decrypt the data. The Romanian National Cybersecurity Directorate has asked those affected not to contact attackers and not to pay the ransom. The production servers on which HIS runs were heavily impacted during the attack, which has led to the systems being down, and files and databases being encrypted. It is not yet known who was behind the attack.
  29. In South Africa, Tshwane University of Technology faced a “critical challenge” when it was hit by a ransomware attack in January. Rhysida claimed the attack, demanding 20 BTC (around $61,000) in exchange for exfiltrated data. The nature and amount of stolen data is unknown. Some are criticizing the university’s Vice Chancellor for a delay in the attack being reported to regulators.
  30. Spanish electricity company SerCide was a victim of a BlackCat ransomware attack in December. The ransomware group added SerCide to its leak site, leaking a total of 69GB of data after “negotiations were refused”. The group also taunted the organization stating, “good luck restoring your resources which have not been restored for more than one month.” SerCide has not publicly acknowledged the leak.
  31. BlackCat also claimed an attack on Canada’s Rush Energy, claiming it has been in the organization’s network for a long time. On the group’s leak site, the post went on to say that the organization’s most valuable data had been stolen and that a backdoor into its network had been created, giving the group the ability to come and go. It also warned the organization that should it avoid making a deal with the group, all data will be made public.
  32. Lower Valley Energy, who provide energy services to Yellowstone National Park, was also a victim of a BlackCat ransomware attack in late December. The ransomware gang posted the US utility co-op on its leak site but did not include details on what data, if any, was stolen nor if it expected a ransom from the organization. Details on this attack are limited.
  33. Trans-Northern Pipelines (TNPI) confirmed it had suffered an internal breach in November, but in February it began investigating claims made by ransomware group BlackCat on the dark web. The cybersecurity incident impacted a limited number of internal systems and was quickly contained. However, BlackCat has now added TNPI to its leak site and has published 183GB of data allegedly belonging to the organization. Several names of TNPI employees were also added to the dark web site.
  34. Singapore listed Aztech Global discovered a cybersecurity breach which forced the organization to immediately shut down all servers. An unknown actor gained unauthorized access to its IT systems but it is not clear at this time what data, if any, was impacted by the attack. The incident did not affect operations and has had no material financial impact. It is not clear who is behind this attack.
  35. Snatch claims to have infiltrated Malabar Gold and Diamonds, exfiltrating around 270GB of information. Among the data stolen is sensitive information about key figures within the organization, with the ransomware gang naming and giving personal information on the CEO and other leaders. Other stolen data is said to include financial performance and turnover of the company.
  36. Willis Lease Finance Corporation admitted to falling victim to a “cyberattack” following claims made by Black Basta on the group’s dark web site. Upon discovering the incident, swift action was taken to contain, assess and remediate the situation which included taking all systems offline. Black Basta claim to have exfiltrated 910GB of company data including customer information, HR documents and NDAs. Samples were also posted as proof of claims which included accessed file trees and identity documents. The dark web post made no mention of a ransom demand.
  37. On February 13th, German battery manufacturer Varta announced that it was forced to shut down its IT systems as a proactive measure following a cyberattack on the company. Operations at five production plants and the administration were impacted by the incident. A statement confirmed that at this time the damage or complete impact of the attack cannot be determined as investigations are ongoing. No ransomware group has taken credit for the attack to date.
  38. Australian organic and health product supplier Kadac was faced with a $100,000 ransom demand following a cyberattack in early February. Medusa claimed the attack, posting the ransom demand and giving the organization a 10-day deadline to pay to prevent stolen data from being leaked. Exfiltrated data includes customer details, correspondence with brands and suppliers, financial information, marketing data and other confidential information.
  39. LockBit claimed responsibility for hacking one of India’s top brokerage firms Motilal Oswal. The organization claim operations were unaffected by the cyberattack and that it is investigating claims made by LockBit. The notorious ransomware gang allegedly has confidential company data in its possession, but it is not clear how much data it may have or what exactly the information includes.
  40. Two weeks after an initial attack, Minnesota State University continued to deal with the impact. Reports state that “a few servers” were found encrypted by the university’s IT team at the beginning of February. The university stated that impacted servers did not contain any sensitive information belonging to students or employees. No classes were cancelled as a result of the attack and systems that are integrated with other universities remained unaffected. No ransomware group has yet claimed this attack.
  41. Prudential Financial announced that BlackCat had breached its network on February 4th and had stolen employee and contractor data. An investigation is currently ongoing to assess the full scope and impact of the cyberattack. The Fortune 500 company is yet to find evidence of any customer data having been affected by the incident. The ransomware gang posted a lengthy announcement on its leak site, giving many “facts” about the incident and what the organization is doing in the aftermath, including a claim that the group remained in the Prudential’s networks long after the breach announcement.
  42. Trisec, a newcomer to the ransomware landscape, posted Cogans Carrigaline, a Toyota dealership in Ireland, as one of its first victims. The leak site posting did not give much detail on the attack, giving a twenty-day deadline and offering only an email to contact for a ransom price. The automotive retailer has not made a public statement acknowledging an attack or Trisec’s claims.
  43. The Emirates Telecommunications Group Company, known as Etisalat, fell victim to a LockBit ransomware attack in mid-February. The ransomware group claimed to have stolen “sensitive files” from the state-owned telecom giant in the UAE, posting a $100,000 ransom demand to secure its data. Screenshots were posted as proof of claims alongside the dark web announcement. Etisalat is yet to publicly address LockBit’s claims.
  44. The Grace Lutheran Foundation posted a notice in early February about a data breach which had taken place earlier in the year. It revealed that patient information including name, address, SSNs and health insurance information had been impacted. BlackCat ransomware group added the organization to its leak site, stating that it had acquired 70GB of data during an attack. The group also stated that after two weeks of failed negotiations, Grace Lutheran Communities “refused to protect data of its employees and patients/customers”, which led to the stolen data being leaked.
  45. New ransomware group Mogilevich announced that it had successfully breached Infiniti USA’s systems, making the motor manufacturer one of its first victims. The gang claims to have exfiltrated 22GB of data which includes personal information belonging to customers. Infiniti USA are yet to make a public statement acknowledging these claims.
  46. A spokesperson from Welch’s, which is known for producing grape juice and jams, stated that recent “system disruption” was actually the result of a cyberattack. The incident forced the company to shut down all operations, with no notification on when workers would return to work. A spokesperson stated that more than 100 cybersecurity and technology experts are working on the systems and the company is coordinating with law enforcement to investigate the incident. Play ransomware group posted Welch’s on its dark web site, claiming to have exfiltrated data including private and personal confidential information, client documents, budget, payrolls, IDs, taxes, finance and other information.
  47. Numerous systems belonging to German critical infrastructure software provider PSI Software were disrupted by a ransomware attack last month. Upon identifying suspicious network activity, the company took down all external connections and computer systems. PSI also stated that it had seen no evidence to suggest that customer systems had been compromised by the attack. No further details on this incident have been made public.
  48. BlackCat ransomware group claimed it hacked KHS&S, adding the US based construction company to its dark web site. The posting on the site gave the organization a 3-day deadline to contact the group before data is released. It also gave names of four KHS&S employees with the note “contacts for journalists.” No other information regarding this attack is available and it seems that KHS&S has not publicly commented on a cyberattack or these claims.
  49. The City of Oakley in California declared a local state of emergency following a ransomware attack. The city’s IT department took all systems offline and began coordinating with law enforcement and cybersecurity professionals to investigate the nature and scope of the attack. Emergency services including 911, police, fire and ambulances were not impacted by the attack.
  50. Hessen Consumer Center in Germany was hit by a ransomware attack which caused IT systems to shut down and services to be rendered temporarily unavailable. External IT security experts were brought in to aid the not-for-profit’s efforts to restore the availability of all communications impacted. The data on the server and some backup systems were encrypted but it is not yet clear what data may have been involved in the incident. BlackCat added the organization to its leak site, with a comment suggesting that the organization has “visited the chat multiple times but didn’t say and single word”.
  51. In February, Aspen Dental filed a notice of data breach relating to a ransomware attack in April 2023. Upon discovery of the incident, Aspen Dental secured its systems and began working with third party data security specialists to investigate the incident. The investigation confirmed that ransomware attackers had gained access to the network and files containing confidential information. Patient and employee details were among those impacted by the attack.
  52. Pharmaceutical giant Cencora revealed that it had suffered a cyberattack which led to threat actors stealing data from corporate IT systems. The organization contained the incident and is working with law enforcement, cybersecurity experts and external counsel to investigate it. Although it has not determined if the incident will materially impact finances or operations, Cencora has learned that some data, which may include personal information, had been exfiltrated during the attack. No ransomware group has claimed this attack to date.
  53. Change Healthcare confirmed that it was experiencing a cybersecurity issue which was orchestrated by BlackCat. Experts are working to address the matter and the organization is working closely with law enforcement and third-party consultants to understand the impact to members, patients and customers. The company stated that based on an ongoing investigation, “there’s no indication that except for the Change Healthcare systems, Optum, UnitedHealthcare and UnitedHealth Group systems have been affected by this issue.” BlackCat’s leak site post, which has now been removed, stated that the gang claims to have stolen millions of Americans’ sensitive health and patient information.
  54. Gilroy Gardens, a theme park in California, was hit by a ransomware attack in mid-February, locking all on-site servers and machines, including its ticketing systems. Although customer names and credit card information are stored in the impacted systems, Gilroy Gardens, the FBI and third-party security experts do not believe any data was breached or stolen during the attack.
  55. Mogilevich ransomware gang added Epic Games to its ransomware leak site, claiming to have stolen email addresses, passwords, payment information, source code and other data totalling 189GB from the game developer. Epic Games has stated that although it is investigating the claims, there is currently no evidence to suggest that they are legitimate. News reports suggest that the threat actors are selling the stolen data for $15,000 and would only show samples when shown “proof of funds” to purchase.
  56. In late February, Rio Hondo Community College District confirmed that it had experienced a ransomware attack in October last year. Upon discovering that portions of its IT network had been encrypted, Rio Hondo took steps to secure its systems and began working with third-party data security specialists to investigate the incident. Sensitive consumer data including personal information was breached during the incident.
  57. Black Basta ransomware group has added Australian data management company ZircoDATA to its list of victims. The threat actors claim to have 395GB of data in its possession including financial documents, personal user folders, and confidentiality agreements. The group also posted a large number of documents on its dark web site as proof of the validity of the hack, including passport scans and immigration documents. ZircoDATA are taking the claims seriously and are working with cybersecurity experts to investigate the situation with urgency. At this stage in the investigation there is no evidence to suggest that personal information relating to customers has been impacted.
March

March saw 59 ransomware attacks make headlines with healthcare and government leading. The City of Hamilton and Town of Ponoka in Canada experienced attacks that caused widespread issues across government systems including online payments, while the City of Huntsville had their data held hostage following an attack. In other news Belgian beer producer Duvel halted production at all Belgian sites and its US site after the Stormous ransomware group claimed to have exfiltrated 8 GB of company data. Keep reading to see who else made the list for March.

  1. Australian retail software vendor GaP Solutions was a victim of a LockBit ransomware attack this month. LockBit disclosed the attack on its website, threatening to publish an undisclosed amount of data within 20 days. The post did not mention how much data was exfiltrated nor did it reveal the amount of its ransom demand. GaP Solutions stated that the organization was aware of the claims made by LockBit and had engaged external cybersecurity experts to assist with the investigation. Initial reports suggest that there is no evidence of customer data or infrastructure being compromised.
  2. Ward Transport & Logistics experienced a cyberattack on Sunday 3rd March, impacting multiple layers of its network. The carrier was forced to run limited operations to handle freight already in the system. DragonForce was behind the attack, in which it claimed to have exfiltrated 574.14GB of data.
  3. A notice on Pacific Cataract and Laser Institute’s website stated that a November ransomware attack resulted in sensitive data being exfiltrated. LockBit launched an attack on PCLI which impacted data including names, medical treatment information, health insurance and claim information, financial account data, SSNs and demographic data. PCLI did not notify individuals within the 60-day window, waiting approximately 109 days before releasing details of the incident.
  4. Yakima Valley Radiology was added to Karakurt’s leak site in November, but the incident was only recently reported to the Maine Attorney General. The ransomware group claimed the attack in November, stating, without proof, that it had acquired 9.31GB of data including financial reports, client lists with contacts, and lists of patients, among other sensitive information. It has been revealed that this incident has impacted 235,249 individuals.
  5. Muscatine Power and Water in Iowa confirmed that a January ransomware attack led to the exposure of sensitive information from nearly all local residents. The utility company discovered that the attackers had gained access to its corporate network environment and has since sent out letters to all those impacted. 36,955 individuals had their SSNs accessed by the hackers alongside telecommunications subscriber data. No ransomware group has taken credit for the incident.
  6. In Canada, the City of Hamilton is still recovering from a ransomware attack that impacted nearly every facet of government functions. The incident, which was discovered in late February, impacted nearly every system used for online payments and caused issues with the website and phone systems. Upon discovery of the incident, the city took swift action to investigate, protect systems and minimize the impact on the community. The timeline for full recovery is not yet known, but the city has advised that it is looking to resolve the situation as quickly and effectively as possible.
  7. WellNow Urgent Care filed a data breach notice in February relating to an attack which happened almost one year prior. An investigation revealed that in April 2023, WellNow was a target of a successful ransomware attack which resulted in hackers being able to access files containing confidential patient information. After learning sensitive customer information was accessed, the organization reviewed the compromised files to determine what information was leaked and who was impacted. Publicly available breach letters from WellNow do not state what data was affected and no ransomware group has claimed the attack.
  8. A notable private hospital in Stockholm fell victim to a sophisticated cyberattack which led to a temporary shutdown of its computer systems and disruption to phone services. Sophiahemmet took immediate precautionary measures upon discovering the attack, which proved crucial in mitigating the impact of the incident. The attack was claimed by Medusa but there has been no indication what data, if any, was compromised.
  9. The town of Ponoka in Canada experienced a cybersecurity breach of its network by an unauthorized party. The breach caused system outages involving government payment systems. The town acted immediately to contain the attack and is working with cybersecurity experts to investigate if any personal information was impacted. Cloak ransomware group took credit for the attack, claiming on its dark web site to be in possession of 110GB of information exfiltrated from Ponoka’s network.
  10. School District 67 Okanagan-Skaha in British Columbia emailed parents of students informing them of a cyberattack which took place in February. Families learned that personal information of both students and parents may have been compromised. It is not known who was behind the attack or if a ransom was demanded.
  11. Stormous ransomware group took credit for an attack on major Belgian beer producer Duvel Moortgat Brewery. The brewery decided to switch off services and as a result production was temporarily halted at all Belgian sites and its US site. The ransomware group claimed to have stolen 88GB of data from Duvel but did not disclose a ransom demand.
  12. Supplier of medical technology products Mediplast was targeted by 8Base ransomware group in March, with the group claiming to have stolen a trove of confidential information. The dark web post stated that information including invoices, receipts, accounting documents, personal data, certificates, employment contracts and personal files was exfiltrated during the attack.
  13. South St. Paul Public Schools notified staff and families of technical difficulties “that may disrupt certain services” such as online platforms, emails and other digital services. The district was made aware of unauthorized activity within its computer network which forced them to take systems offline to isolate the issue. The district engaged a third-party cybersecurity firm to assist with system recovery and investigate the cause and scope of the unauthorized activity. BlackSuit claimed the attack in mid-March but did not disclose any additional information about the attack.
  14. In February, IT specialists from the municipality of Bjuv were greeted with a ransom note from Akira following a cyberattack 2 days prior. According to the Director of Municipal Services, hackers used “an old, insecure door” to infiltrate servers which caused several computer systems to stop working. Employees reinstalled several hundred computers and relied on backups of documents that had been encrypted before receiving Akira’s ransom note. Akira claimed to have 200GB of confidential information including contracts, agreements, and HR files.
  15. Akira announced Infosoft as a victim this month, claiming to have stolen a number of confidential files. Data is said to include operational files, projects and documents containing sensitive information. The dark web post mentioned that data would be published soon, suggesting that negotiations between the threat actors and the New Zealand-based software development company had failed. Infosoft are yet to make a public comment addressing the claims.
  16. Kittery Animal Hospital in Maine announced that it had fallen victim to a ransomware attack which compromised its computer systems making files inaccessible to staff. The clinic was forced to treat animals with the limited technology available. A spokesperson commented that at this point there is no reason to believe that client records had been accessed or exfiltrated. An investigation is ongoing.
  17. South African officials are investigating claims made by LockBit stating that the ransomware gang exfiltrated and then leaked 668GB of sensitive national pension data. The Government Pensions Administration Agency (GPAA) suffered a cyberattack which hampered its operations and disrupted pension payments. Investigations remain ongoing.
  18. The tax-free travel retail chain Duty Free Americas (DFA) was added to the Black Basta dark web leak page, with the group claiming to have stolen 1.5TB of sensitive information from corporate networks. Files from multiple departments including financial, legal and HR were among the data stolen during the attack. Black Basta also added 15 sample leak pages filled with dozens of passports, social security cards, driver’s licenses, and credit cards as proof of claims.
  19. Cactus ransomware group claimed to have infiltrated the networks of Reny Picot, a prominent dairy brand in Europe, stealing 350GB of data. Although the leak site post did not specify how much data was stolen, it detailed the type of information compromised. Files included accounting information, HR data, customer data, contracts, R&D documents, corporate correspondence, and personal folders belonging to employees and executive managers. A national ID card belonging to an employee was uploaded as proof of claims. A ransom of $1 million was posted by the group.
  20. Ammega was another organization to fall victim to Cactus in March, with the group stealing around 3TB of information during an attack. The ransomware group stated that it had possession of data including accounting information, 150GB of HR data, 100GB of customer data, 250GB of R&D information, and 100GB of corporate correspondence. Cactus posted proof of claims in the form of a confidentiality agreement signed by Ammega and a partner firm. The group demanded a ransom of $9 million in exchange for the exfiltrated data.
  21. The spate of attacks by Cactus also included UK-based firm Cleshar, with the group claiming to have stolen 1TB of information from the company’s cloud storage. Compromised files included 40GB of accounting information, 110GB of HR documentation, 130GB of customer data, 3GB of legal documents and 120GB of corporate correspondence. A picture of an employee’s passport was used as proof of claim. Cactus demanded a ransom of $1 million to stop the data from being made public.
  22. In Australia, CHRG, previously known as Castle Hill RSL Group was added to 8Base’s victim list. CHRG issued an advisory on its website in mid-February, warning members of a “cyber incident” that had been detected. The organization stated that ongoing forensic investigations identified that there was no indication of sign-in credentials, membership database or point-of-sale systems having been impacted by the attack. Although statements have been made, CHRG are refusing to comment on 8Base’s claims to avoid impacting the ongoing investigation.
  23. After discovering a data breach, metal manufacturer Plymouth Tube Company determined that an unauthorized party may have accessed sensitive information in January. The type of information exposed by the breach includes names, SSNs, DOB, driver’s license numbers and plan information. Cactus took credit for this attack, claiming to have exfiltrated 1.83TB of data belonging to the company.
  24. One of the world’s largest yacht retailers, MarineMax, experienced a cybersecurity attack which forced it to take certain systems offline on March 10th. The organization identified a cybersecurity incident in which an unauthorized third party gained access to portions of its internal systems, but an investigation into the nature and scope of the attack is still ongoing. Rhysida added MarineMax to its leak site, giving the retailer just 7 days to pay a ransom demand of 15 BTC. Multiple screenshots of various documentation were posted as proof of claims.
  25. Reports suggest that Encina Wastewater Authority was targeted by BlackByte ransomware group this month, although no official statement has been made by the organization at time of writing. The dark web posting included a number of sample documents, adding that the company documents were available for deletion or purchase. The group did not reveal how much data was exfiltrated nor did it publicly demand a ransom, urging those interested to get in contact.
  26. The District of Vancouver announced that its municipality’s networks were hit with an “attempted” ransomware attack in mid-March. According to a spokesperson, the district and its partner agencies were the targets of the attack. The attack was detected quickly and stopped shortly after it began but did leave some systems and business applications affected. The municipality confirmed that no ransom was paid to the attackers and that an investigation into the attack is ongoing. At this time there is no evidence of employee or resident personal data loss.
  27. The New Mexico Administrative Office of the District Attorneys suffered a cyberattack which impacted two of its servers which serve its offices within 13 judicial districts. Data was encrypted during the attack, making files inaccessible to all staff in impacted areas. It is unclear who was behind the attack and if any information was exfiltrated.
  28. Hunters International added Ace Air Cargo to its victim list this month, claiming to have exfiltrated 250.4GB of data from the company. Although the nature of the data stolen has not been disclosed, the dark web posting suggested that 272,624 files were impacted. The air transportation provider has not yet publicly addressed the claims made by the ransomware group.
  29. Felda Global Ventures Holdings Berhad in Malaysia was disclosed as a victim of Qilin following a “successful” ransomware attack. Attackers claimed to have stolen data from the agricultural organization but did not state the volume or nature of the exfiltrated information. Although details on the dark web post remained vague, the group did add 32 screenshots as proof of claims, which included a variety of files suggesting that some private contracts, confidential financial sheets, emails, written records, and internal project information had been compromised.
  30. Claims made by Stormous suggested that the ransomware group was able to infiltrate networks belonging to the Lebanese Organization for Studies and Trading. The organization has not publicly acknowledged the cyberattack and has not addressed claims made by Stormous. The dark web posting provided no information regarding the nature of the data exfiltrated.
  31. Consolidated Benefits Resources, a claims administrator based in Oklahoma, was added to BianLian’s dark web site. The ransomware group claimed to have exfiltrated 1.2TB of information during a successful cyberattack. Information is said to include financial data, HR documentation, PII records, PHI records and SQL. No ransom demand or proof of claims was disclosed in the listing.
  32. Donut ransomware claimed to have successfully exfiltrated 4TB of data from Void Interactive, developers of popular video game Ready or Not. The cybercriminals threatened the company, stating that if it remained silent it would post the source code and game related data that was stolen. The group also added a link to proof of claims which included a list of various builds of the game in a dev environment.
  33. Nevada-based Nations Direct Mortgage announced this month that more than 83,000 customers were impacted by a late 2023 data breach. The company stated that it discovered a cybersecurity incident on December 30th, which prompted an investigation involving law enforcement and other government agencies. The investigation determined that an unauthorized third party had gained access to and potentially removed data belonging to a number of individuals. Information including names, addresses, SSNs and Nations Direct loan numbers is said to have been obtained. No ransomware gang has yet claimed responsibility for the attack.
  34. Technology giant Fujitsu announced it had suffered a cyberattack that may have resulted in the theft of customer information. The company revealed that multiple computers were infected with malware, causing security staff to disconnect impacted systems from the network. A public notice stated that although an investigation is ongoing, it has been discovered that files containing personal information and customer information may have been exfiltrated. The scope of the incident, how many individuals were impacted, and which information was taken remains unclear.
  35. In Pennsylvania, Scranton School District said it experienced a cybersecurity incident that forced it to take several of its systems offline and delay scheduled classes. The school district announced on social media that a ransomware attack was responsible for the major network outage. All teachers and school staff were asked to refrain from using electronic devices connected to the district’s internal network and uninstall any school-related apps.
  36. Pharmaceutical development company Crinetics Pharmaceuticals is investigating a cybersecurity incident following claims from LockBit that data was stolen. The company confirmed that it had recently discovered “suspicious activity in an employee’s account.” The notorious ransomware gang demanded a ransom of $4 million from Crinetics but did not disclose the nature or volume of the exfiltrated data.
  37. Long Island Plastic Surgery Group was the victim of a collaborative attack involving two ransomware groups, BlackCat and Radar. BlackCat was responsible for encrypting files, while Radar exfiltrated the data. BlackCat handled negotiations with the victim, and the groups are said to have split the ransom amount 50/50. The ransom demand was apparently set at $1 million, but the healthcare provider ended up paying just $500,000 for the decryptor key and was not interested in paying for the exfiltrated data to be deleted. The groups claim to have exfiltrated 700GB of internal documents including employee and patient records.
  38. LockBit leaked 64GB of data allegedly stolen from Egyptian pharma chain El Ezaby Pharmacy after ransom negotiations failed. The data is said to include customer information, financial data, passwords and email archives. Information related to this attack remains vague, with Ezaby Pharmacy yet to publicly address the claims.
  39. Radiant Logistics was forced to cut off a portion of its business in Canada following a cyberattack in mid-March. The company announced that it was in “the initial stages of a cybersecurity incident.” Upon detection, the company initiated its incident response and business continuity protocols and began taking measures to limit the impact of the attack. It is reported that the incident is not reasonably likely to materially impact financial conditions. No ransomware gang has yet taken credit for the incident.
  40. Leicester City Council in the UK announced that several of the local authority’s critical services were unavailable due to precautionary measures following a cyberattack. The council published several emergency numbers for affected services, including child protection, adult social care safeguarding and homelessness. This incident has not been claimed by a ransomware group.
  41. Polycab India claimed that core systems and operations were not impacted by a recent ransomware attack which targeted its IT infrastructure. The incident was claimed by LockBit, with the group stating that it has exfiltrated 500GB of data from Polycab. Threat actors also added 12 screenshots of exfiltrated documents as proof of claims.
  42. The American Renal Associates became a victim of a Medusa ransomware attack which saw files encrypted and data exfiltrated during the incident. The ransomware group claimed to have thousands of PHI and PII data files from the company’s servers, adding a filetree containing over 200,000 rows of file names as proof of claims. The ransom for the data was set at $1 million. The healthcare provider has yet to publicly address these claims.
  43. Monmouth College disclosed that it had suffered a ransomware attack over the holiday season last year. An investigation revealed that hackers had access to the school’s systems from December 6th and 44,737 people were impacted by the incident.
  44. Henry County, located on the border between Illinois and Iowa, dealt with a wide-ranging cyberattack, forcing it to shut down access to multiple impacted systems. The county’s incident response team partnered with outside companies to begin an investigation into the attack. Medusa ransomware group took credit, posting a ransom demand of $500,000 in exchange for exfiltrated data. The nature and volume of data exfiltrated remains unclear.
  45. Weirton Medical Center fell victim to a cyber incident which saw its networks penetrated and data belonging to nearly 27,000 patients exfiltrated. According to a breach notification letter, an unknown actor gained access to certain systems on its network and acquired files over a four-day period. Weirton believe that data accessed may include names, SSNs, DOBs, medical information, health insurance information, treatment information and medical bill financial information.
  46. In the Northern Mariana Islands, Commonwealth Healthcare Corporation experienced a “complete data breach from its internal servers.” A posting on an unknown Tor site stated that information including data of all patients, medical histories, personal information, MRI images, and various other sensitive records was stolen during a cyberattack. The listing also shames the institution, claiming it knows of the incident but is downplaying it and claiming ignorance in the media.
  47. Hackers have demanded $700,000 from Tarrant Appraisal District following a cyberattack. The incident caused network disruption, shutting down the district’s website. Although it was originally believed that no sensitive data was exfiltrated, unknown hackers have threatened to release information if the ransom demand is not met. The hackers have not identified themselves, but the district believes that Medusa is behind the attack.
  48. The Emergency Medical Services Authority in Oklahoma City announced that it had been a victim of a cyberattack which saw unauthorized individuals gain access to its network in February. Upon discovery, systems were shut down to prevent further spread. Forensic investigations confirmed that the attackers exfiltrated files containing patient data including PII.
  49. 500 individuals were impacted by a ransomware attack on Lindsay Municipal Hospital, with BianLian claiming responsibility for the incident. The healthcare provider has not been particularly vocal about the incident, but BianLian has added the hospital to its leak site alongside proof of claims. The listing states that stolen data will be uploaded soon but it is not clear whether Lindsay Municipal Hospital entered into negotiations with the group. The nature of the exfiltrated data is still unknown.
  50. St Cloud became the most recent city in Florida to fall victim to a cyberattack. The city discovered a ransomware attack in late March which affected city services and departments, forcing some payments for activities and services to be cash-only. Law enforcement is investigating the incident with city officials yet to confirm who the attackers are and if a ransom was demanded. It is also not clear if any data was exfiltrated during the attack.
  51. California-based Select Education Group experienced a cybersecurity incident that compromised the sensitive information of almost 70,000 individuals. The attack enabled hackers to access portions of SEG’s internal networks. The organization has launched an internal investigation, with assistance from third-party cybersecurity experts, to determine the scope and nature of the incident. Compromised data included names, SSNs, billing and payment records, and academic records. BlackSuit took credit for the attack.
  52. The City of Jacksonville Beach revealed that a cyber incident in January compromised the sensitive personal information of almost 50,000 individuals. During the attack, the city experienced network security issues which impacted certain City functions. An investigation was immediately launched with the assistance of external experts. Compromised data included the names and other personal identifiers along with SSNs. In February LockBit claimed responsibility, adding the city to its leak site.
  53. Gilmer County, Georgia, posted an official announcement on its website confirming a ransomware attack on its systems. The incident required the county to take many of its public services offline for precautionary measures. An investigation has been launched, to determine the effects of the incident. It is not clear at this time if any data was compromised as a result of the attack. No ransomware group has yet claimed responsibility.
  54. Qilin ransomware group claimed responsibility for infiltrating systems of UK-based publisher the Big Issue Group. According to the gang’s dark web site, 550GB of data including personnel information, contracts and partner data, financial statements and investment information was stolen during the attack. 12 screenshots were posted on the listing as proof of claims. A ransom was not included in the dark web claims, but the group did accuse its victim of trying to hide the attack and the leakage of personal information. The Big Issue have acknowledged the cyberattack, stating that upon discovery immediate steps were taken to mitigate the issue and an investigation was launched.
  55. In Canada, the Town of Huntsville shared details of a cybersecurity incident which resulted in digital information being held hostage. The town’s chief administrative officer stated that an unauthorized user infiltrated the town’s systems and data was compromised. It is still unclear if compromised data includes personal information. No ransomware group has yet claimed responsibility for the attack.
  56. INC ransomware group posted NHS Scotland on its dark web site, alleging it had 3TB of data belonging to the trust, but officials believe that the incident was contained to one health board. NHS Dumfries and Galloway is said to be the board impacted. Information has been leaked already to verify proof of claims. NHS Scotland are working with Police Scotland, the National Cyber Security Centre, the Scottish government and other agencies to investigate the situation.
  57. Houser LLP announced that investigations into a May 2023 ransomware attack have concluded and found that threat actors were able to gain access to sensitive personal information. The Fortune 500 company discovered that certain files had been encrypted during the incident and immediately launched an investigation. Compromised data included names and other personal identifiers, financial account numbers, credit and debit card information and various other types of files. BlackCat claimed responsibility and at the time claimed to have exfiltrated 1.5TB of information from the law firm. It has now been revealed that the ransomware attack compromised the data of almost 700,000 individuals.
  58. BSR Infratech India Ltd faced an $80,000 ransom following a ransomware attack in late February. The hackers gained access to business information and data belonging to employees, clients and customers. Data files were also encrypted during the attack. Further information on this attack, including whether the ransom was paid, is currently unknown.
  59. The City of Pensacola confirmed that a cyberattack which shut down city networks and phone systems was indeed a ransomware incident. The phone issues were experienced across city departments causing delays in receiving service through the 311 Citizen Support system. The mayor was unable to give in depth information about the incident as the investigation is ongoing.