Following on from our State of Ransomware 2020 blog, we’ll be tracking the 2021 publicized ransomware attacks each month to share with you via this blog. With damages from cybercrime expected to hit $6 trillion this year (up from $3 trillion in 2015), we expect the number of ransomware attacks to increase and newer forms to become more sophisticated and disruptive. To keep informed of what’s happening every month, follow this blog and register for our free monthly ransomware report.
Let’s begin with January and look at the 19 attacks we uncovered during the month.
We start the month with an attack on New York-based Apex Laboratory. The company was forced to disclose the attack, which happened earlier in 2020, after data stolen during the attack showed up online. A notice posted on Dec 31st revealed that they were the victim of a cyberattack and that certain systems in its environment were encrypted and inaccessible.
Next up is UK-based infrastructure support service provider Amey. The company was targeted by the Mount Locker ransomware gang in mid-December. Documents, including correspondence with government departments, were posted online in late December.
In October 2020 Hackney Council in London reported that they had been the victim of a very sophisticated cyberattack. The attack drew immediate speculation from experts that ransomware was involved, however, this wasn’t confirmed until January when the PYSA ransomware gang leaked council data online in a double extortion style attack. The data appears to contain a significant amount of personally identifiable information.
The Northern Territory Government in Australia was next to reveal an attack that forced its systems offline for 3 weeks. The attack involved a supplier of one of its cloud-based IT systems, and the government insisted its data was not compromised during the attack.
Colorado-based rail operator and logistics provider OmniTRAX was hit by a ransomware attack that targeted its corporate parent company, Broe Group. The Conti gang was behind the attack and posted exfiltrated data on its leak site. The leak suggests that Broe Group, which is headquartered at the same location, refused to pay the ransom.
Norway based AKVA Group, a global supplier of technology to the aquaculture industry revealed that they had been hit by a ransomware attack and that hackers were demanding a ransom. In a statement to the Stock Market in Oslo the company disclosed that they were working with the relevant Norwegian authorities to limit damage and get a full assessment of the situation. The incident resulted in a drop in the share price.
Dassault Falcon Jet Corp, the US subsidiary of Dassault Aviation, suffered a ransomware attack at the hands of the Ragnar Locker gang. According to media reports and the breach dates reported by the company, it seems the attackers maintained access to company systems for roughly six months, between June and December. Compromised data included information belonging to employees such as name, personal and company email address, home address, driver’s license number, passport information, date of birth, etc.
Wentworth Golf and Country Club, one of the most exclusive clubs in England, was forced to send an email of apology to its 4000 members, who include high-profile celebrities, sports stars, and top business people, after its members’ list was accessed by cybercriminals. According to The Telegraph, club members discovered the incident earlier when an unauthorized message appeared on the Wentworth website claiming “your personal files are encrypted!” with a Bitcoin cryptocurrency payment demand for decryption.
City of Angers in France indicated on its social networks that the city had suffered a ransomware cyberattack over the weekend of January 15th. The attack targeted the information system of the city and the metropolis which caused the closure of certain municipal services.
The Conti ransomware group claimed an attack on the Scottish Environment Protection Agency (SEPA) which saw around 1.2GB of data stolen from its digital systems including databases, contracts, and strategy documents. The hackers published over 4000 files after the organization refused to pay the ransom.
Centre Hospitalier de Wallonie Picarde (CHwapi) in Tournai, Belgium became the first reported healthcare attack of the year. The hospital was forced to redirect incoming patients to other facilities after the attack crippled its systems. According to the investigators no ransom demands were made by the hackers, which could indicate that the hospital was targeted by mistake.
WestRock, one of the world’s largest paper and packaging companies suffered an attack which affected some of its operational and information technology systems. WestRock is working with security experts on system recovery efforts to minimize the impact on its customers. In a press release the company described the incident as likely leading to a loss of revenue and incremental costs that could affect its bottom line.
Palfinger, an Austria-based hydraulics engineering company, experienced a global cyberattack that took down their e-mail system and disrupted business operations. A security notice titled ‘Cyberattack’ stated that their enterprise resource planning (ERP) systems were down and that “a large proportion of the group’s worldwide locations were affected.” The company, which operates in almost 30 countries, has made it official that its email systems were the worst hit in the file-encrypting malware attack.
Tennessee Wesleyan University (TWU) revealed in a press release that all of the university’s networks were closed after staff and campus officials became aware of a ransomware attack. Online learning was unaffected but staff and students were asked not to use the university systems.
Pan-Asian retail giant Dairy Farm were hit by a REvil ransomware attack with the attackers allegedly demanding a $30 million ransom. The group operates over 10,000 outlets across grocery, convenience store, health and beauty, home furnishing, and restaurants in Asia. Dairy Farm stated that they were not aware of any data being stolen during the attack, however, screenshots seen by BleepingComputer showed that the threat actors continued to have access to email and computers after the attack.
UK Research and Innovation (UKRI) disclosed that a ransomware attack had disrupted services and may have led to data theft. The incident impacted two of the group’s services including a portal used by the Brussels-based UK Research Office and an extranet utilized by UKRI councils.
Illinois based DSC Logistics, a third-party logistics provider and supply chain management company disclosed they had been victims of a cyberattack after a ransomware gang threatened to expose their exfiltrated data on a leak site. Egregor is suspected to be behind the attack.
Georgia based Crisp Regional Health Services discovered they had been a victim of ransomware when nurses working at the facility started seeing ‘files encrypted’ on some of its computer systems. Phone systems were affected, however, the facility disclosed that workflow and patient care was not compromised. The organization is working with external cybersecurity and forensic professionals to determine if patient data was accessed or exfiltrated during the attack.
The last reported attack of the month involved Serco, a global government outsourcer responsible for running part of the UK’s COVID-19 Test and Trace system. The British business, which employs 50,000 people, confirmed the attack and disclosed that only its mainland European operations had been impacted. Sky News became aware of the incident after spotting a sample of the Babuk ransomware uploaded to VirusTotal. The sample apparently included a ransom note addressed to Serco in which the attackers claimed: “We’ve been surfing inside your network for about three weeks and copied more than 1TB of your data.”
February saw a total of 23 attacks, up from 16 in 2020. South America reported some large attacks including two major utility companies, the Ministry of Finance and Ecuador’s largest bank. The apparent attack on Kia made a lot of headlines during the month as the company continues to dispute the attack, despite the cybercriminals posting their data on the dark web. Here’s a look at what we uncovered for the month.
The first reported attack of the month involved Brazilian state-owned energy company Companhia Paranaense de Energia (Copel). The attack was the work of the Darkside gang who claimed to have stolen more than 1000 GB of sensitive data. The organization was one of two major electric utilities companies in Brazil to suffer a ransomware attack in the same week.
An attack on the Victor Central School District in New York encrypted its systems and data, locking out users and forcing the closure of all district schools.
Automatic Funds Transfer Services (AFTS), a Seattle-based payment processor used by many cities and government agencies across the US, suffered an attack from a gang known as Cuba. The attack caused significant disruption to their business operations and affected customers such as California’s Department of Motor Vehicles, which recently warned of a potential data breach following the attack. The hackers began selling the stolen data on their leak site and claim to have exfiltrated sensitive financial documents.
Eletrobras the largest power utility company in Latin America was the second major utility company in Brazil to suffer an attack in early February. Electronuclear suspended some of its systems to protect the integrity of the network once the attack was discovered.
A widely reported data breach at Foxtons Group, a British estate agency, was due to a ransomware attack by the Egregor group. Foxtons made headlines this month when reports revealed that a large quantity of personal and financial information belonging to its customers had been discovered on the dark web. The data reportedly included over 16,000 credit card details, even though a statement from the company had previously stated that the data was considered old and of no threat to customers.
Mortgage loan servicing company SN Servicing Corporation was hit by a ransomware attack in 2020. In February, California and Vermont state attorneys were notified of the incident. According to the documents filed, the affected systems were shut down and forensic experts were engaged to determine the impact upon discovering the attack. A preliminary investigation uncovered data related to 2018 billing statements and reimbursement notifications to customers, including names, address, loan numbers, balance information and billing information such as estimated, owed, or paid charges. The Egregor gang has been linked to the attack.
British Columbia-based real estate agency Remax Kelowna was hit with an attack by the Conti ransomware gang, who listed them as a victim on their leaks website. According to the firm, the attack occurred at the same time as they were overseeing a software update. They reported that the ransomware was not launched and, while some files had been copied, the data was allegedly non-personal in nature.
Ness Digital Engineering Company, an Israeli-based U.S. IT provider was hit by Ragnar Locker ransomware affecting its computer networks in India, the U.S. and Israel. The company said that their clients who include government ministries, hospitals, and local municipalities were not compromised in the attack. A screenshot of the ransom note read “Hello ness-digital-engineering! If you (sic) reading this message, it means your network was PENETRATED and all of your files and data has (sic) been ENCRYPTED by RAGNAR LOCKER!” The text then directed the company to get in touch via live chat to make a deal.
Polish video game company CD Projekt was hit by the HelloKitty ransomware gang. The company disclosed that the attackers had managed to access the network, encrypt some devices and exfiltrate some data. In a tweet disclosing the attack the company shared the ransom note, which claimed to have accessed the source code for popular games including Cyberpunk 2077. The company confirmed they did not plan to give in to the gang’s ransom demands.
French health insurance company Mutuelle Nationale des Hospitaliers (MNH) suffered a ransomware attack that had significant impact on the company’s operations. An independent security researcher shared a Tor web page acting as a ransom negotiation page with media outlet BleepingComputer. RansomExx was behind the attack.
Dax-Côte d’Argent Hospital Center in France was the next reported incident. The attack by the Egregor gang caused major disruptions across their network and forced the hospital to only accept major emergencies. A spokesperson from the hospital administration commented that everything from reading a medical file to the catering system had been affected and the facility was back to pen and paper following the attack.
The second education incident of the month goes to Central Piedmont Community College in North Carolina. The school tweeted that they had experienced a ransomware attack, but it’s not known what gang was responsible. It has so far been reported that no employee or student data was compromised.
Discount Car and Truck Rental, part of the Enterprise group and one of Canada’s biggest rental agencies, was hit by the Darkside ransomware gang. Darkside posted a notice on its leak site stating they had copied 120 GB of corporate, banking and franchise data from the firm. A spokesperson for the company commented that the investigation was ongoing when questioned about how the attack started and whether customer or employee information has been exfiltrated.
International law firm Jones Day were the victims of a ransomware attack carried out by the Clop gang. The law firm claimed that its network had not been compromised and that the theft of data involved a file-sharing company that it used to store files. The gang however claimed that they had obtained 100 gigabytes of files from servers belonging to the firm and that they had begun publishing the exfiltrated data as proof of their successful attack.
The attack on Kia Motors America is probably the most interesting of the month. The incident became known when it was reported that the company was suffering a major IT outage across the U.S., affecting the internal sites used by dealers, mobile apps, and phone and payment systems. It later transpired that the DoppelPaymer gang had claimed the attack and demanded a ransom of $20 million for a decryptor and a promise not to leak the stolen data. The Tor victim page stated that a “huge amount” of data had been exfiltrated and would be released in 2-3 weeks if the company refused to negotiate with the hackers. Kia denied they were under attack. The gang then released data belonging to parent organization Hyundai Motor Company but, interestingly, both are denying the attack. In an official statement Kia described the unavailability of its services, including remote start and heating, as an “extended systems outage” that began on February 13th. They continued by saying, “we are aware of online speculation that Kia is subject to a ransomware attack. At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack.” It’s hard to imagine that this is a hoax on the part of the cybercriminals, and experts say it’s possible but not probable.
Yuba County in California was the victim of a ransomware cyberattack which infected some of the county’s computer systems with malware. The malware encrypted the affected systems and the attacker demanded payment from the county in order to obtain a decryption key. It’s not known what criminal gang was behind the attack and according to a spokesperson no ransom payment was made.
Underwriters Laboratories, the world’s leading safety testing authority suffered IT outages after a ransomware attack. In a statement they confirmed that a breach had been detected and that a cybersecurity firm had been brought in to assist with the investigation. It is not yet known who was behind the attack and what type of data may have been compromised. The investigation continues, but at this point the company do not wish to engage with the cybercriminals and instead plan to reinstate any lost data from backups.
TietoEVRY, a major Finnish IT provider were the victim of an attack which caused issues across the services they deliver to customers in the retail, manufacturing, and service-related industries. A company spokesperson confirmed that 25 customers were impacted and at this time it does not seem that any critical or personal data was accessed or stolen by the attackers. It’s not yet known what gang was behind the attack or if any ransom demands have been made.
A recent cyberattack that forced the Dutch Research Council (NWO) to take its servers offline has been confirmed as a ransomware attack by the DoppelPaymer gang. The hackers exfiltrated data from the organization and published proof of the attack on their leak site. The NWO does not cooperate with cybercriminals and they are currently working on restoring their network.
An attack on Ecuador’s Ministry of Finance was reported with a new hacking group known as Hotarus Corp behind the incident. Soon after the attack the gang released a text file containing 6,632 login names and hashed password combinations on a hacker forum. The ransomware gang told media outlet BleepingComputer that they had exfiltrated sensitive ministry data.
Banco Pichincha, Ecuador’s largest private bank, was the next victim of the Hotarus Corp gang. Following the attack the bank published an official statement stating that a marketing partner had been hacked and not their internal systems. They confirmed that fraudulent (phishing) emails were sent on behalf of the bank to clients in order to carry out illegitimate transactions. However, in an interview with BleepingComputer, the hacking group disputed the bank’s statement and said they used the marketing company’s attack as a launchpad into the bank’s internal systems. They claim to have stolen “31,636,026 Million customer records and 58,456 sensitive system records,” including credit card numbers.
Saginaw Township Community Schools in Michigan became the victim of a ransomware attack and the gang behind the attack is unknown. The FBI and Michigan State Police who are investigating the incident are said to be in regular communication with the attackers to try and resolve the situation. Systems have been mostly restored but the investigation continues and at this time it is not known if any personal data was compromised in the attack.
In the last reported attack of the month, Staring College in the Netherlands reported that it had been attacked and that it had paid the ransom. It is not known who was behind the attack or how much the ransom was. When employees noticed that their data had been encrypted and their files weren’t accessible, the college made the decision to pay the ransom so education and exams could continue without further disruption.
In March we recorded 25 attacks, the highest month of the year so far. An attack on computer giant Acer became the largest ransom demand in history at $50 million, while ransomware attacks halted production at IoT manufacturer Sierra Wireless and beer maker Molson Coors. Here’s a look at what else we uncovered during the month.
We start the month with payroll giant PrismHR. The business services company, which counts over 80,000 organizations as customers and over 2 million employees, was reportedly attacked by the Darkside ransomware gang. According to employees and clients, PrismHR told them it had detected suspicious activity, leading it to immediately shut down its servers and network to protect the integrity of its systems.
Up next is Arizona-based clinic Cochise Eye and Laser, which was infected with ransomware that encrypted its scheduling and billing software. The attack affected up to 100,000 patients. Although there has been no evidence of data exfiltration, the incident is still considered a breach of protected health information and patients were notified of the incident.
Healthcare provider Allergy Partners suffered an attack lasting eight days with hackers demanding a ransom of 1.75 million, according to a report filed with the Asheville Police Department. The North Carolina based organization which has clinics across 20 states, informed its patients that those affected by the incident will be updated once it finishes its investigation. It is unclear whether Allergy Partners paid the ransom.
US bank and mortgage lender Flagstar disclosed a data breach following the Accellion cyberattack at the hands of the Clop ransomware gang earlier in the year. BleepingComputer was told that Flagstar received a ransom note demanding a payment in bitcoin or the exfiltrated data would be released. Other victims of the Accellion attack include Bombardier, Royal Dutch Shell, and New Zealand Reserve Bank.
Oklahoma based Managed Service Provider (MSP) Standley Systems were attacked by the REvil gang who claimed to have obtained sensitive data including more than 1,000 social security numbers. The REvil gang is known for leaking data on its Dark Web site and in addition to the social security numbers they claim to have medical documents, personal client data, passport details, etc. On their leak site they posted links to data from six customers as well as backups. The Standley customers mentioned on the REvil leak site were Chaparral Energy, Crawley Petroleum, Ellis Clinic, EverQuest, the Oklahoma Medical Board, and structural steel fabricator W&W Steel.
The systems of SEPE, the Spanish government agency for labour were disrupted when a ransomware attack affected more than 700 agency offices across Spain. The agency confirmed that confidential data was safe and the RYUK ransomware gang were behind the attack.
The Clop ransomware gang claimed to have stolen data from cloud security company Qualys. The gang shared screenshots of stolen files including invoices, tax documents and purchase orders on its data leak site as proof of the hack. The company said the attack had no operational impact but that unauthorized access had been obtained to an Accellion server used by the company.
Up next is the Oloron-Sainte-Marie Hospital in France. The attack managed to paralyze the hospital’s IT systems and the attackers demanded $50,000 in Bitcoin to release the data. Staff had to go back to pen and paper as digital patient information was unavailable.
Beer maker Molson Coors disclosed that they suffered a cyberattack which caused significant disruption to their operations, including the production and shipment of beer. The Company is working with a forensic information technology firm alongside legal counsel to investigate the incident and restore systems. Multiple sources in the cybersecurity industry told BleepingComputer that it was a ransomware attack but could not share what gang was involved.
Buffalo Public Schools was forced to abandon in classroom learning for thousands of students when a ransomware attack shut down technology across the district. It’s unclear whether personal data was stolen and a criminal investigation is underway.
The next attack on education took place at South and City College in Birmingham, UK. The college which has 8 sites across the city tweeted: “The college has suffered a major ransomware attack on our IT system, which has disabled many of our core systems.” It’s not yet known who was behind the attack.
Servers of the Pimpri-Chinchwad Smart City project in India were infected with ransomware with attackers encrypting data and demanding payment in Bitcoin for decrypting the lost information.
The Castle School Education Trust (CSET) in Bristol suffered a highly sophisticated ransomware attack which left 23 schools without access to their IT systems. CSET and South Gloucestershire Council are working together with external partners and agencies to investigate the attack and restore the systems. It’s not yet known who was behind the attack.
The next reported attack, on computer giant Acer, made headlines this month as the $50 million ransom is the largest known to date. The REvil gang was behind the attack. The attackers shared some exfiltrated data on their leak site as proof of the attack. The images shown included financial spreadsheets, bank balances, and bank communications.
Cambridge Meridian Academies Trust which runs schools in the UK was hit by an unknown gang. The trust was able to mitigate the attack to some extent and encryption occurred on only some systems. The trust said there was no evidence of a data breach but the Information Commissioner’s Office was notified.
Sierra Wireless, a manufacturer of IoT devices, was forced to halt production after a ransomware attack. It’s currently unknown what kind of ransomware Sierra Wireless fell victim to or how it was able to infiltrate the network. The company said the attack was limited to internal systems and customer-facing products had not been affected.
US based insurance giant CNA were victim of a ransomware attack using a new variant called Phoenix CryptoLocker, possibly linked to the Evil Corp hacking group. Sources familiar with the attack have told BleepingComputer that over 15,000 devices on their network were encrypted and remote employees logged into the VPN were also affected.
Clothing retailer FatFace paid $2m to the Conti gang when their data was held to ransom. The security incident occurred in January but only became public knowledge in March, when the company emailed customers to let them know that their data had been accessed by “an unauthorised third party”. The retailer has faced criticism for failing to disclose the incident in a timely manner and for attempting to insist that affected customers keep the matter quiet.
Sydney-headquartered Nine Network, Australia’s top-rated network was taken off-air for over 24 hours by suspected state-backed attackers in what has been described as the largest attack on a media company in the history of the country. It was claimed that the attack was ransomware but no ransom has yet been demanded.
London-based non-profit multi-academy trust Harris Federation suffered a ransomware attack that affected 50 schools. The attack caused the outage of phone, IT and email systems. The education charity runs 50 Harris primary and secondary academies and has 37,000 students from London and surrounding areas.
Royal Dutch Shell became the next victim of the Clop ransomware gang. The gang exfiltrated sensitive data from an Accellion file transfer service used by the oil giant and later leaked the stolen data online to prompt them to pay a ransom. Some of the leaked data included employee visa and passport information.
The next attack on the education sector hit the University of Maryland. The Clop ransomware gang was behind the attack which saw sensitive information including photos and names of individuals, home addresses, Social Security numbers, immigration status, dates of birth, and passport number leaked online.
The University of California was also attacked by the Clop gang which saw sensitive and personal information leaked online following the attack.
The Maharashtra Industrial Development Corporation (MIDC) in India revealed a ransomware attack had affected its IT systems. Maharashtra is one of the most industrialised states in Mumbai. No ransom demand was made in the ransom note. Ransomware known as SynAck was responsible for the attack.
The last attack of the month takes us to Milan, Italy, where menswear brand Boggi Milano became a victim of the Ragnarok ransomware gang. The hackers claimed to have stolen 40 GB of data from the company. Founded in 1939, Boggi Milano operates around 200 shops in 38 countries and is among the best known premium Italian menswear brands.
In April we uncovered a whopping 31 ransomware attacks, the busiest month of the year so far and up from just 12 in April 2020. The NBA made headlines when the Babuk gang revealed they had exfiltrated 500 GB of sensitive player data, while the REvil gang demanded $25 million from leading French pharmaceutical company Pierre Fabre and an attack on a Dutch logistics company caused a shortage of cheese in supermarkets in the Netherlands. Here’s a summary of what else we tracked during the month.
The first reported attack of the month was on Asteelflash, a leading French electronics manufacturing services company. While the company has not formally disclosed the attack, the hackers’ negotiation page showed that the REvil gang had initially demanded a $12 million ransom, but as the deadline passed the amount rose to $24 million.
Attacks on education continue to increase in frequency, and this time it was the turn of Broward County School District in Florida. The Conti ransomware gang encrypted the systems and threatened to release sensitive student and teacher data unless a ransom of $40 million was paid.
Applus Technologies, a vehicle inspection services provider were hit by an attack that caused havoc across vehicle inspection sites in 8 states across the US. Following the attack the company was forced to disconnect its IT systems to prevent the malware from spreading. The company did not reveal the type of malware that infected its systems but experts speculate the attack was ransomware.
Hardware chain Home Hardware, one of Canada’s largest dealer-owned hardware retailers, became a victim of the DarkSide ransomware group. Following the attack the cybercriminals posted a sample of corporate data and threatened to release more if the ransom was not paid.
Attacks on education continued with an attack on the Technological University in Dublin Ireland. The University commented that there was no indication that any data, including personal data, has been “exfiltrated, downloaded, copied or edited”.
The National College of Ireland was the next to report an attack, on the same day. The attack resulted in the Dublin college suspending access to all its IT systems, including Moodle and the Library Service. The college has said that no ransom has been paid.
The next attack on education occurred at Haverhill Public Schools in Massachusetts. Schools were forced to close after the computer systems were hit. The IT department noticed issues with the system and were able to shut down the network before “large scale corruption of the system occurred”.
An attack on global wholesale distributor JBI shut down online systems, causing shipping delays and backlogged orders. JBI has 11 warehouses, which were impacted by the attack. The attack is still being investigated but JBI has said that no customer data has been impacted.
The City of Lawrence in Massachusetts was hit by a major cyberattack that disabled its computer systems. Sources told an investigative reporter that the city was “arranging payment” to regain control of its systems after an attack in which cybercriminals managed to take over control of the computers at the fire and police department as well as at City Hall.
Leading French pharmaceutical company Pierre Fabre suffered an attack at the hands of the REvil ransomware gang. The organization said they were able to bring the attack under control within 24 hours after temporarily halting production. A screenshot of a Tor payment page showed a ransom demand of $25 million which later doubled to $50 million as there was no contact between the company and the attackers.
The Regional Municipality of Durham became victims of the Clop ransomware gang following an attack on a third party software provider. The gang posted 6.5GB of data exfiltrated during the attack. Two of the documents posted were related to paramedic services and included patient names, addresses, dates of birth and healthcare numbers.
Supermarkets in the Netherlands were left with empty shelves in the cheese aisle after logistics company Bakker Logistiek were hit by a ransomware attack. The company is one of the largest logistics services providers in the Netherlands. It’s not known who was behind the attack but the company has said they believe threat actors gained access to their systems through the recently reported Microsoft Exchange vulnerabilities.
The next attack caused poker machines at Tasmania’s two casinos to go offline. The owner, Federal Group, was forced to shut down gaming machines in the casinos following the incident. The company confirmed the attack was ransomware, but it’s not yet known who was behind it.
The University of Portsmouth was forced to close its campus following a ‘technical disruption’ to its IT network believed to be a ransomware attack. An internal email seen by publisher The News said: ‘The university has experienced disruption to IT services due to a ransomware attack.’ The incident is being investigated and it’s not yet known who was behind the attack.
Up next is the National Basketball Association (NBA). The organization suffered an attack by the hacking group known as Babuk. The criminal gang disclosed on their Dark Web page that they had exfiltrated a whopping 500 GB of the Houston Rockets’ data said to include critical non-disclosure agreements, contracts, and even financial info. The cybercriminals are threatening to publish the stolen data if the organization refuses to pay the ransom.
The National Security Authority (NBÚ) in Slovakia registered a series of significant ransomware attacks on targets including those in public administration, telecommunications, energy and IT. Reports say hackers requested hundreds of thousands of Euros to restore the systems. The reported incidents included a serious third-degree cybersecurity incident under the Cyber Security Act – one with the potential to affect elements of the state’s critical infrastructure.
The Dixie Group, a leading US manufacturer of luxury carpets and rugs, announced that it had detected a ransomware attack on some of its information technology systems. According to the press release the attack was contained and the company is working with cybersecurity experts and law enforcement to investigate the incident.
The next attack was on Taiwan based Quanta Computer, a leading notebook manufacturer and one of Apple’s business partners. The company allegedly refused to communicate with the REvil ransomware gang who then proceeded to hold Apple to ransom for $50 million, threatening to release their blueprints if the ransom wasn’t paid. The hackers revealed they had managed to exfiltrate a lot of sensitive data from the network.
In the next attack hackers targeted Japanese firm Hoya Corp with ransomware. The glassmaker, which has 37,000 employees worldwide, was allegedly targeted by the Astro Team gang who claim to have stolen around 300 gigabytes of confidential company data.
Upstox, India’s second largest stockbroking firm, initiated password resets for millions of traders on its platform earlier this month after learning a huge data breach might have hit it. At the time it was not disclosed that they had suffered a ransomware attack; however, an independent internet security researcher told the press that Upstox data was for sale on the Dark Web and the ransom was $1.2 million. The exfiltrated data included names, emails, bank details and records of customer signatures.
Mining technology company Gyrodata released a statement disclosing that it had been the victim of a ransomware attack that has possibly led to a data breach. Potentially compromised data includes names, addresses, dates of birth, Social Security numbers, passport details and more from past and current employees.
The Metropolitan Police Department in Washington DC confirmed that they had been the victim of a cyberattack after the Babuk ransomware gang shared screenshots of data exfiltrated during the attack. The cybercriminals claimed to have stolen 250 GB of unencrypted files which are said to relate to information such as disciplinary records and files relating to gang members operating in DC. The Babuk gang warned on the data leak page that the police have 3 days to make contact or they will begin contacting gangs to warn them of police informants.
An attack on Canadian company Professional Excavators and Construction started with some of the company’s printers playing up; a few weeks later everything froze. Unfortunately for the company this happened the day before they were planning to submit a bid for a large project. A spokesperson for the company commented that “the damage of not being able to get one of the biggest pursuits in our company’s history is obviously damaging, but to get back up and running has been brutal.”
Santa Clara Valley Transportation Authority (VTA) was the victim of an attack that paralyzed the agency’s computer systems for days. VTA officials initially said they believed they had contained the attack, but the Astro ransomware gang disclosed that they had exfiltrated 150 GBs of data that they would post publicly if the authority refused to cooperate.
Australian healthcare provider UnitingCare Queensland released a statement saying that some of their digital and technology systems were inaccessible due to a cyberattack. Nine News further commented that the impact of the ransomware attack was much wider. The broadcaster reported that all operational systems, including internal staff email and booking of patient operations, were affected and staff were forced to resort to pen and paper. It’s not yet known who was behind the attack.
Merseyrail, a UK rail network that provides train services throughout Liverpool, was forced to confirm that it had been the victim of a cyberattack after the Lockbit ransomware gang used its internal email system to notify employees and journalists about the incident. The email, with the subject “Lockbit Ransomware Attack and Data Theft,” appeared to come from the Director’s @merseyrail.org Office 365 email account.
Aspire, a Glasgow-based social care agency for the homeless, was hit by a double extortion attack by the Conti ransomware gang. The cybercriminals published 100% of the stolen data on the Dark Web three weeks after the attack when payment had not been made.
The Illinois Attorney General’s Office disclosed it had suffered a ransomware attack after the DoppelPaymer gang leaked a large collection of files when negotiations broke down and officials refused to pay the ransom demand. The files published on the Dark Web included personally identifiable information about state prisoners, their grievances, and cases.
An attack on Brazil’s Rio Grande do Sul court system forced the courts to shut down their systems and encrypted employee files. The REvil gang was behind the attack and a $5,000,000 ransom demand.
The Resort Municipality of Whistler, the local government of Canada’s highest-profile ski resort, was hit by a ransomware attack that forced it to shut down its network, website, email, and phone systems. During the attack the Whistler.ca website displayed a message stating that the site was under construction and that visitors should contact support. The URL displayed by the attackers led visitors to a Dark Web chat site.
The Presque Isle Police Department in Maine was hit with an attack by the Avaddon ransomware gang. The cybercriminals threatened to release confidential documents if the police failed to pay up. At time of writing the ransom time clock had run out and the hackers had not yet made their next move. The time clock has been replaced with a “coming soon” message.
In May we uncovered 22 ransomware attacks, up just one from May 2020. The most high-profile attack of the month goes to Colonial Pipeline. An attack on the largest fuel pipeline in the US made headlines worldwide and caused havoc throughout several states in the US as the outages caused a shortage of gas. Here’s a snapshot of what other attacks made headlines during the month.
We begin the month in Switzerland, where cloud hosting provider Swiss Cloud was the first to report a ransomware attack. The firm did not reveal details about the incident, but it did disclose that staff were working in 24-hour shifts, including weekends, to restore service. Payroll giant Sage, one of its most high-profile customers, was affected by the outages.
Healthcare giant Scripps was next to report an attack. The San Diego based non-profit healthcare provider was forced to suspend user access to its online portal and switch to alternative methods for patient care operations while some critical care patients were redirected to other facilities following the attack.
Volue Technology, a leading Norway-based technology supplier, was a victim of RYUK ransomware. The firm took a different approach to disclosing the incident, setting up a webpage with information and updates relating to the attack. The telephone number and email address of its chief executive were also included, urging people to get in touch with him if they needed more information.
The most high-profile attack of the month goes to Colonial Pipeline, the largest fuel pipeline in the US. An attack from the DarkSide ransomware gang caused havoc throughout several states in the US as the outages caused a shortage of gas. The company opted to pay a $5 million ransom so services could be resumed.
The City of Tulsa in Oklahoma was forced to shut down its systems and online services following a ransomware attack. The incident did not disrupt emergency services, but it did impact online billing for residents. The city has said that customer information was not compromised in the attack.
Yamabiko, a Tokyo-based manufacturer of power tools and agricultural and industrial machinery, was targeted by the Babuk ransomware gang. Although the company had not officially confirmed the attack, the Russia-based cybercriminals released some of the exfiltrated data on their leak site. They claimed to have exfiltrated 0.5TB of data from the firm.
Germany-headquartered chemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang in order to receive a decryptor for their encrypted files and to prevent the threat actors from publicly leaking the exfiltrated data. The cybercriminals claimed to have stolen 150GB of data during the attack. A screenshot including some stolen data was shared on their leak site.
The Health Service Executive in Ireland announced on Twitter that it had experienced a ‘significant’ ransomware attack which forced the shutdown of its systems as a precaution. All outpatient appointments were cancelled. The Conti gang set the ransom at $20 million in exchange for decrypting the data and deleting 700Gb of unencrypted files that they had exfiltrated during the attack.
After insurance giant AXA announced that they would be dropping reimbursement for ransomware extortion payments for cyber-insurance policies in France, some of their locations in Asia including Thailand and Hong Kong were hit by ransomware. The Avaddon ransomware group claimed responsibility for the attack and revealed on their leak site that they had exfiltrated 3 TB of sensitive data from the company’s Asian operations.
Visalia Unified School District in California revealed it had experienced a ransomware attack which knocked many of its district IT systems offline. A press release issued by the district did not specify if any student or teacher information was compromised during the attack.
Waikato District Health Board in New Zealand suffered a ransomware attack which is thought to have started via a malicious email attachment. The attack downed computer and phone systems and forced staff to resort to pen and paper. Patient surgeries and outpatient appointments were also cancelled because of the incident.
The Rockland Public School District in Massachusetts became the next education victim. A notice from the school said no student Chromebooks had been affected but laptop and desktop access for staff was not possible. It’s not known who was behind the attack.
Texas-based homebuilder Betenbough scrambled to try and protect its clients after Russian hackers leaked personal information following an attack in which the criminal gang held the developer’s data to ransom. After hiring a cybersecurity expert to help deal with the incident, the company revealed that some sensitive client data had been posted on the Dark Web.
Toyota made news next when it disclosed that it had been hit by two cyberattacks. The first hit its subsidiary Daihatsu Diesel Company; meanwhile, numerous Japanese media outlets reported that US subsidiary Auto Parts Manufacturing Mississippi had revealed a ransomware attack. Reports said that some financial and customer data had been exfiltrated and exposed, but the company had not paid a ransom and had not been disrupted.
Insurance broker One Call in the UK was hit by the Darkside gang, who allegedly set a ransom of £15 million in exchange for not leaking the firm’s data. The Doncaster-based firm has not yet revealed if any customer data was exfiltrated during the attack.
Audio giant Bose Corporation disclosed a data breach following a ransomware attack that hit the company earlier this year. A company spokesperson said that the systems were recovered quickly, no ransom had been paid and that an investigation revealed a small number of affected parties who had been notified. The investigation also found that some employee data had been exfiltrated but had not been leaked on the Dark Web.
Sierra College, a Northern California community college, was hit by ransomware which affected the college website and some other online systems, according to a statement posted by the college. The college is working with third-party cybersecurity forensics experts and law enforcement to investigate the incident.
ParkMobile, a Tulsa, Oklahoma firm that manages the city’s downtown parking via its app, alerted users to a ransomware attack. The company disclosed that the incident was linked to a third-party software vendor. The attack was not related to the earlier attack on the City of Tulsa.
Clover Park School District in Washington was the next victim in education. The hackers threatened to release the exfiltrated data unless a ransom was paid. A screenshot of the message, which read “Clover Park School District, you’ve been hacked,” “Pay or grief. Sensitive information will be shared to the public … There are (not) any third-party solution(s) which can help you. But you can damage your information”, was shared with local news.
The Azusa Police Department in Southern California became a victim of the DoppelPaymer criminal gang, who exfiltrated data and followed up with a ransom demand. Officials of the city of 48,000 residents decided to keep the attack a secret for 2.5 months before disclosing that data compromised in the attack “may have included” Social Security numbers, driver’s license numbers, medical information, financial account information and other records. The cybercriminals posted 7 GBs of Azusa records on the Dark Web.
The next reported attack of the month was on the world’s largest meat processing firm JBS Foods. The company was forced to shut down production at several global sites following a cyberattack. JBS USA issued a press release on May 31 confirming that the attack had impacted their North American and Australian IT systems. At time of writing the nature of the attack is still unknown while the investigation continues, but cybersecurity experts believe there is a high chance that ransomware was involved.
The last attack for May hit backup appliance specialist Exagrid. The Conti cybercriminal gang were behind the attack which exfiltrated employee and customer data, confidential contracts and source code. A ransom of $2.6 million was paid to the criminal gang in exchange for the decryption key.
June saw an uptick in the frequency and severity of ransomware attacks across the world. Although there were no global headline-making attacks like the Colonial Pipeline attack of the previous month, attackers successfully crippled several high-profile organizations like Fujifilm, Grupo Fleury and ADATA. Here’s a summary of who made ransomware news during the month.
Japanese multinational conglomerate Fujifilm partially shut down its Tokyo headquarters in response to a ransomware attack on June 2. The company does not know which ransomware group was responsible, but independent analysis suggested that REvil and Qbot may have been behind the attack.
Ferry services in Martha’s Vineyard, Cape Cod, and Nantucket were disrupted by a ransomware attack on June 2. The Regional Steamship Authority managed to avoid cancelling ferries, but passengers suffered significant delays.
Two University of Florida Health hospitals noticed unusual activity in the first few days of June. Hospital IT staff responded by shutting down part of the hospital network, restoring its systems using backups, and requiring staff to resort to pen and paper. Hospital representatives did not immediately confirm the ransomware incident, but later reports indicate that the attack continues to negatively impact patient care.
British retailer Furniture Village confirmed it was the next victim of a ransomware attack. As the company is the largest independent furniture retailer in the UK, the cyberattack created significant delays for customers. The company shut down the affected systems to restrict the scope of the attack and claimed there was no indication that personal data had been lost or compromised.
St. Clair County’s municipal government reported it was targeted by a ransomware attack in early June. County IT administrators first noticed the breach on May 28 and identified the cybercrime group behind the attack as Grief. The group allegedly stole 2.5 gigabytes of sensitive data.
COX Media Group, a large US media conglomerate with 54 radio stations and 33 live TV stations, reported suffering a ransomware attack that caused interruptions on some of its media channels and led to some of its live broadcasts being suspended. Investigators have not yet identified the group behind the attack.
iConstituent, a technology vendor used by the US Congress was unavailable for several weeks as a result of a ransomware incident. The attack resulted in almost 60 House member offices being unable to access constituent data through the platform.
Cybercriminals targeted a pipeline firm called LineStar Integrity Services, leaking 70 gigabytes of data to the Dark Web, including sensitive employee data and Social Security cards. The attack itself did not cause infrastructural disruptions like last month’s Colonial Pipeline attack did, but the release of sensitive employee data could easily contribute to future attacks.
ADATA, the Taiwan-based computer memory and storage component manufacturer, was forced to take its networks offline following a ransomware attack. The Ragnar Locker group claimed responsibility and threatened to release 1.5 terabytes of exfiltrated confidential data if the ransom was not paid.
The Skinner’s Kent Academy and Skinner’s Kent Primary School in the UK reported that ransomware attacks were behind recent school closures. On June 10th, the South England trust that runs these two schools reported that cybercriminals had exfiltrated student data, medical records, and human resources files from the school’s on-premises servers.
Food service supplier Edward Don was forced to shut down parts of its company network to protect itself from a cyberattack. The company did not release any information about the nature of the attack, but employees were forced to temporarily move to newly created Gmail accounts to communicate with customers. The attack is likely to cause supply chain disruptions for hospitals, restaurants, hotels, and bars.
Cybercrime organization REvil claimed responsibility for attacking Sol Oriens, a US government contractor that manages nuclear weapons programs for the National Nuclear Security Administration. The organization claimed there was no indication that classified data was compromised during the attack.
Solar and wind developer Invenergy reported an attack that included the disclosure of personal data connected to its chief executive officer Michael Polsky. REvil claimed responsibility and said that it had exfiltrated 4 terabytes of sensitive data, including projects and contracts, as well as the terms of non-disclosure agreements.
The Town of Freeport reported that its computer network was shut down as a result of a cyberattack. The town was told to pay $10,000 in cryptocurrency to Avaddon, the criminal gang that claimed responsibility for the attack. According to the municipal administration, Freeport did not pay the ransom and experienced no data breach. The town’s manager maintains that its swift actions contained the attack which led only to partial losses.
Des Moines Community College shut down its online instruction system as a result of a ransomware attack. Within two weeks the community was able to return to online classes with help from a third-party cybersecurity forensics provider. Administrators did not disclose whether or not a ransom had been paid.
The Humber River Hospital in Toronto reported it had been struck by a ransomware attack. Upon discovering the attack the hospital’s IT team immediately began restarting and patching its computer systems manually. Patient records and other essential services had to be shut down to mitigate the impact but the hospital’s surgeries and ER departments continued to function.
Judson Independent School District in San Antonio suffered a ransomware attack that crippled its summer programs. School staff did not have access to district email or phones, and officials did not specify when they expected systems to be restored. Nevertheless, the school continued to carry out its summer programs, replacing digital test-taking tools with pencil and paper for the time being.
A fertility clinic in Georgia notified 38,000 patients that their medical data may have been leaked in a ransomware attack that took place on June 22nd. Reproductive Biology Associates reported that leaked data included patient names, addresses, social security numbers, lab results, and more. Officials did not confirm whether the clinic had paid a ransom, but they did confirm that clinic administrators had managed to regain access to their files.
Mountain Regional, a water district provider in Summit County reported that some of its hardware had been encrypted by cybercriminals. Officials claimed that the attack had not compromised public health or safety and declared that the criminal gang did not access private customer data. Water District administrators have confirmed that they did not pay the ransom.
All six Lucky Star casino resorts in Oklahoma closed on June 22, 2021 after reporting a major ransomware attack. Owned and operated by the Cheyenne and Arapaho Tribes, Lucky Star runs casinos in Concho, Clinton, Canton, and Watonga, as well as two smaller gaming parlours in Hammon and Concho.
The City of Liege in Belgium suffered a disruption of its municipal IT systems following a cyberattack. City IT staff shut down the local government’s network to prevent the malware from spreading, while employees were instructed not to turn on the computers in their offices. The Ryuk ransomware gang was most likely behind the attack.
Grupo Fleury, one of the largest medical diagnostics providers in Brazil notified visitors to their website that a cyberattack had disrupted its IT systems. The organization did not comment on the cyberattack, but independent cybersecurity sources have confirmed that the REvil gang were behind it. Officials have not mentioned whether patient data had been compromised.
St. Joseph’s/Candler Hospital in Georgia reported that they had been a victim of ransomware. Local officials claimed that prior preparation and redundancy had given them a robust system for resisting cyberattacks and mitigating the impact, but they did have concerns about the possible exfiltration of patient data during the incident.
A Kentucky municipal zoning agency called Planning and Development Services of Kenton County reported that hackers encrypted its computer systems and demanded a $400,000 ransom. The government agency did not disclose how many files were encrypted, but officials have stated that the agency did not pay the ransom. The agency managed to recover some of its data through cloud and hardcopy backups but they did not elaborate on how much data was missing.
An attack on Iowa-based Wolfe Eye Clinic resulted in theft of data belonging to 500,000 patients. While the cyberattack occurred earlier in the year the complexity of the incident wasn’t determined and disclosed until late June.
The Salvation Army was next to find themselves victim of a ransomware attack. The UK arm of the religious charitable organization confirmed they were investigating ‘an IT incident’ but have declined to give further information, such as the identity of the criminal attackers or the volume and type of data accessed by them. At time of writing data has yet to emerge on any known ransomware gang leak sites. The Conti gang has been suspected to be behind the attack but this hasn’t been confirmed.
July racked up 29 ransomware attacks, up from just 12 reported in the same month last year. The REvil gang was particularly busy with their attack on Kaseya which resulted in a 70 million USD ransom. The incident affected up to 1500 organizations including a large chain of supermarkets in Sweden, an animal hospital in Maine and a school district in Tennessee. In an interesting turn of events the Babuk gang became victims of ransomware at the hands of an unknown group who took control of their Dark Web forum and demanded a $5000 ransom which they refused to pay. Here’s a snapshot of what else we uncovered during the month.
We start the month with a massive supply chain attack on US software company Kaseya. The REvil gang caused havoc globally when they launched the attack over the 4th of July weekend. Multiple managed service providers (MSPs) were impacted as well as over 1500 end customers. REvil demanded a whopping $70 million USD ransom.
REvil struck the University Medical Center of Southern Nevada next. Although the medical center took quick action to contain the threat, it seems patient data was still exfiltrated. UMC said it was working with the Las Vegas Metropolitan Police Department, the FBI, and third-party cybersecurity experts to determine the exact origin and scope of the breach.
Up next is another large attack at the hands of the REvil gang. This time it’s Coop, a chain of supermarkets in Sweden. The supermarket confirmed it was forced to close over half of its 800 stores due to a colossal cyberattack. The attack was a result of the Kaseya attack a few days prior. Although Coop doesn’t use Kaseya directly on its systems, it appears one of its software providers does. This incident highlights the growing concern around supply chain attacks, where bad actors can extort multiple victims by attacking their supplier.
In at number four is 4 New Square Chambers, a barristers’ chambers in the UK which took an interesting approach to its recent ransomware attack. They responded by getting a court order demanding that the cybercriminals not share any stolen data. The firm obtained a privacy injunction from the High Court at the end of June against “person or persons unknown” who were “blackmailing” the firm. An interesting and strange approach to negotiating with hackers, but unlikely to keep the exfiltrated data safe from exposure.
Up next is another supply chain attack, this time on technology distributor SYNNEX. The California-based firm admitted that its systems and Microsoft accounts had been attacked after the Republican National Committee (RNC) named it as the source of their recent security incident. Cozy Bear is thought to be behind the attack.
REvil strikes again, this time in Maryland, USA. Just after lunch on the Friday before the July 4th weekend, the town administrator for Leonardtown, Maryland received a pop-up message on her computer, which froze before she even had the chance to read it entirely. It was apparent later that day that the town had been a victim of the Kaseya ransomware attack, which reached Leonardtown through its IT management company, JustTech. The ransom demand was $45,000 per computer.
Wiregrass Electric Cooperative in Alabama was hit by a ransomware attack which left customers without access to their account information. The cooperative later announced that no data was compromised during the attack, but member account information and payment statements were taken offline as a precaution. The cooperative did not release any information about the source of the attack.
Swiss online consumer outlet Comparis filed a criminal complaint over a ransomware attack that affected some of its systems. Comparis, which is an online consumer comparison service, did not pay a ransom or comment on whether the incident was linked to the Kaseya attack.
American fashion brand and retailer Guess admitted to an earlier ransomware attack after it led to a customer data breach. The investigation determined that personal information may have been accessed or acquired by an unauthorized actor. The Darkside ransomware gang claimed the attack on their data leak site and noted that they had exfiltrated 200 GBs of data from the retailer. Guess directly operates over 1000 retail stores in the Americas, Europe, and Asia, and had an additional 539 stores through partners worldwide.
The next incident was reported in eastern Germany, where the municipality of Anhalt-Bitterfeld’s computer systems were paralyzed by a ransomware attack described by the federal cybersecurity watchdog as the country’s first-ever “cyber-catastrophe.” The municipality did not comment on the identity of the attacker or whether or not there had been a ransom demand, citing a police investigation.
Pennsylvania-based Famous Smoke Shop was forced to shut down its website, retail store and cigar lounge due to a ransomware attack. The CEO reported the incident on July 12th and announced that they had been one of the 1500 victims impacted by the holiday weekend attack on Kaseya. He stated that they refused to pay the ransom but hoped the business would be up and running soon, as without the data they couldn’t make any sales. Thousands of customers were impacted.
The next victim from the Kaseya attack was Morgan County Schools in Tennessee, USA. The school confirmed at a board meeting that the hack had occurred on Friday July 2nd and was contained to some of their office computers. The REvil group demanded that school officials pay a ransom to release the files. It’s not yet known how much the ransom demand was or if any student or staff data was compromised during the attack.
An attack on York Animal Hospital in Maine managed to wipe all patient records from the last four years. The practice’s computers locked up, and the screen on one carried a ransom note demanding $80,000 in Bitcoin for files to be restored; the practice refused to pay. The REvil gang was behind the attack.
Cloudstar, a Florida based company that provides technology for hundreds of title companies and lenders was hit by a ‘highly-sophisticated’ ransomware attack. Cloudstar operates five data centers throughout the US and provides around-the-clock support to title professionals in the real estate, finance and insurance sector. The attack prevented transactions in the title industry causing havoc in the real estate and lending sector.
Newhall School District in California were shocked to find themselves a victim of ransomware when staff connecting to the school district’s server were met with a mysterious pop-up message saying they would not be able to log in. A few minutes later it was revealed that all 10 schools in the district, representing around 6,000 children, had been hit with a ransomware attack and all teachers were instructed to log off immediately. Luckily the district had purchased cyber insurance, but district officials would not say if a ransom was paid.
Virginia Tech confirmed it had been targeted in two recent cyberattacks but doesn’t believe any data was stolen. Although a few of the university systems used Kaseya, a spokesperson commented that the malware the hackers pushed out to Kaseya customers could have exposed student data, but they had not found any evidence that data loss had occurred. An earlier attack took place in May, but it’s not believed any data was exfiltrated. The university did not pay a ransom for either attack.
The next attack took place in Ecuador, where state-run Corporación Nacional de Telecomunicación (CNT) became a victim of RansomEXX ransomware. The attack disrupted business operations, the payment portal and customer support. CNT is Ecuador’s state-run telecommunication carrier and offers landline and mobile phone services, satellite TV, and internet connectivity.
Campbell Conroy & O’Neil, P.C. (Campbell), a US law firm which counts dozens of Fortune and Global 500 companies as clients, recently disclosed that an earlier ransomware attack had resulted in a data breach. The firm’s current and past clients include companies such as Apple, Mercedes Benz, British Airways and Marriott, to name a few. Campbell didn’t reveal the identity of the ransomware gang behind the attack or whether any data had been exfiltrated.
Shriro Holdings, an Australian distributor of white goods and consumer electronics, issued a letter to shareholders to notify them that bad actors had gained “unauthorized access to its operating systems”. The company is working with a cyber forensics firm to establish the extent of the attack.
The Washoe Tribe of Nevada and California was reportedly the victim of a ransomware attack earlier in the year. According to information received by news outlet The Record-Courier, the tribe found that several of its servers were encrypted in April; it was able to recover most of its data and so decided not to pay the ransom. On May 5th the tribe discovered that its data had been posted on the Dark Web.
Northern Rail in the UK, a government-run transportation network, had its new self-service ticket machines targeted by a ransomware attack. The attack occurred just two months after 621 of the touch-screen units were installed at 420 stations across the north of England at a cost of £17 million. The company stated it had taken “swift action” along with its supplier, Flowbird, and that no customer or payment data was compromised.
The City of Geneva in Ohio was hit by a new strain of ransomware known as AvosLocker. The small city disclosed the incident after data exfiltrated in the attack appeared on the bad actors’ leak site. AvosLocker is a new gang that has hit relatively small targets to date. Officials have not disclosed whether or not they received a ransom demand; however, the gang threatened to release all stolen data, which included items such as court records and tax returns including social security numbers, on its Dark Web leak site.
Officials from Sunset Beach, a seaside town in North Carolina, disclosed that the town had been hit by a series of ransomware attacks over a six-week period. The revelation came out during a town council meeting when the Planning Director was questioned about the progress of a floodplain project. The official’s response was “all my floodplain permits … were part of that hacking.” The town was able to recover most of its documents thanks to the backup system in use.
Florida Heart Associates shared that it had been a victim of ransomware in May this year. Ultimately the practice decided not to pay and succeeded in regaining control, but not before the cybercriminals took down its phone lines and effectively destroyed its entire system. The organization told media that it had lost staff as a result of the attack and had only just got its phones back online. The clinic is operating at 50% but hopes to be back to normal soon.
A ransomware attack on New York-based Emma Willard School resulted in the theft of employee social security numbers and financial information. Officials at the private high school for girls stated that they aren’t sure how much data was stolen in the attack. School officials haven’t provided details on how the school handled the attack, but they did say they took immediate steps; unfortunately, some data was still illegally removed from their systems.
The next attack must have come as a surprise for the Babuk ransomware gang, as it was a case of hack the hackers. The group’s latest endeavour, a Dark Web ransomware forum called RAMP, was flooded with pornography during an attack. The unknown party behind the attack demanded $5,000, which Babuk refused to pay. Babuk managed to wipe the images, but the attackers quickly uploaded them again. With ransomware actors turning on each other, ransomware news could get a lot more interesting!
South African port operator Transnet was forced to halt operations after a ransomware attack crippled its IT systems. The attack hit the entire state-run Transnet Group, which has almost 56,000 employees. The importing of goods by sea container into South Africa was halted, and reports stated that ships were bypassing South African ports and heading to neighbouring countries instead.
Canadian entertainment technology provider D-Box shared that it was recovering from a ransomware attack that partially paralyzed many of its IT systems earlier in the month. The company worked with experts to determine that the attack was limited to its internal systems only.
The City of Grass Valley in Nevada discovered that bad actors had been able to access its information systems. The unknown gang behind the attack disclosed that it had exfiltrated data which it planned to publish if a ransom wasn’t paid. The City decided to pay the ransom to prevent the data from being exposed; the ransom payment was covered by its insurer. The city is working to identify what data was stolen and who was affected.
In August we uncovered 21 reported ransomware attacks, with government and healthcare being the most targeted sectors during the month. The first healthcare incident took place in Italy, where the Italian vaccination registration system was taken offline by RansomEXX, while in the US Eskenazi Health and Memorial Health System were forced to divert ambulances and cancel procedures due to ransomware attacks. Here’s a summary of what we uncovered during the month.
The first reported incident of the month took place in Italy, where the Italian vaccination registration system was taken offline by the RansomEXX gang. The attack on Italy’s Lazio region rendered every file in the system inaccessible and meant that residents of the region, which includes Rome, were unable to book Covid-19 vaccinations.
Venture capital firm Advanced Technology Ventures made headlines after a ransomware attack resulted in the theft of personal information relating to its investors. It’s estimated that 300 investors were impacted by the attack, which was disclosed in a letter sent to the Maine Attorney General’s Office. Data exfiltrated during the attack included names, email addresses, phone numbers and Social Security Numbers of individual investors in company funds.
The Isle of Wight Education Federation in the UK was next to disclose that its IT systems were impacted by a ransomware attack which affected six schools. The ransomware attack encrypted the schools’ data and left staff with no access to the network.
Italian energy group ERG reported minor impact on its organization following an attack from the LockBit 2.0 gang. The company shared updates on social media which confirmed the rumours around the attack, saying that it had experienced “only a few minor disruptions to ICT infrastructure which were quickly being overcome due to the prompt deployment of its internal cybersecurity procedures”.
Eskenazi Health in Indiana was forced to divert ambulances following a ransomware attack. The hospital shared that it had shut down the network out of “an abundance of caution and to maintain the safety and integrity of our patient care”. It’s not yet known who was behind the attack.
Up next is the City of Joplin in Missouri, whose insurer paid an unknown criminal gang $320,000 to prevent data from being shared following a ransomware attack. A forensics investigation is ongoing to determine the type of data accessed.
Another Italian attack, this time on luxury fashion house Ermenegildo Zegna. The company, which is the largest menswear brand in the world by revenue, operates 480 retail stores. The RansomEXX criminal gang claimed the attack and admitted to exfiltrating 20.74GB of data from the company.
The next victim for RansomEXX was Taiwanese PC manufacturer Gigabyte. Sources told news outlet Bleeping Computer that the gang had stolen 12GB of sensitive internal data as well as info from a code repository during the attack. The company is working with law enforcement and has not commented on whether or not they would pay the ransom.
Up next is Ireland-headquartered global IT consultancy giant Accenture, which became a victim of the LockBit ransomware gang. The cybercriminal gang claimed to have stolen 6TB of files and demanded a $50 million ransom.
The Department of Environmental Protection in Maine issued a warning to municipalities to be on alert following two ransomware intrusions that occurred in the Aroostook County town of Limestone and the town of Mount Desert on Mount Desert Island. A spokesperson said both attacks were fairly minor and there was no health and safety threat to the public.
A ransomware attack on Memorial Health System saw dozens of hospitals and clinics in West Virginia and Ohio cancelling surgeries and diverting ambulances. Staff access to IT systems was affected across virtually all operations at the health system, which represents 64 clinics.
Twin Falls, Idaho, experienced service disruptions impacting most of its departments for a two-week period following a ransomware attack; thankfully, emergency services ran on a different system and were not affected. A forensics specialist was brought in to investigate.
The Ministry of Economy of the Government of Brazil announced that the internal network of the National Treasury was hit by a ransomware attack. Multiple government agencies and security specialists were brought in to investigate the incident, which is said to have been limited to the internal network.
Forviva Group, a UK-based social housing group, confirmed that data had been stolen from ForHousing and Liberty, two organizations within the group. It confirmed that no tenant or staff data from ForHousing’s systems had been accessed during the ransomware attack, but that ‘a small amount’ of data from Liberty had been compromised.
Tokio Marine Insurance Singapore, a subsidiary of Tokio Marine Group, released a statement confirming a ransomware cyberattack. In the statement they shared that they had contained the attack and that there was no indication of a breach of customer or confidential information. A third party has been brought in to investigate.
Nokia subsidiary SAC Wireless was a victim of the Conti ransomware gang who were able to successfully breach its network, exfiltrate data and encrypt the company’s systems. Personal information relating to past and current employees was compromised. The gang claimed to have stolen 250GB of files.
Next to make headlines was Bangkok Air, Thailand’s third largest airline. The company issued a press release confirming the attack after the LockBit gang posted a message on the Dark Web threatening to release stolen data if the ransom wasn’t paid. The hackers claimed to have stolen over 200GB of data. The airline was not interested in negotiating with the criminal gang.
A ransomware attack at Eye & Retina Surgeons (ERS) in Singapore has potentially exposed the personal data of more than 73,000 patients. Following the attack, the Singapore government instructed ERS to work with the country’s federal cybersecurity agency to implement stronger defences against future attacks.
The Sault Ste. Marie Police in Ontario, Canada, became a victim of ransomware in the third week of August. Following the attack, the service issued a statement saying that neither its 911 service nor its online reporting for less urgent crimes had been impacted. At the time of writing, email remains unavailable and the organization has not confirmed whether police dispatch or records systems were impacted.
The City of Rolle, located near Lake Geneva in Switzerland, initially downplayed the impact of a ransomware attack that it described as a ‘weak attack’. Soon after, however, the criminal gang known as Vice Society posted a large number of confidential documents to the Dark Web. The city then issued a press release saying it regretted underestimating the seriousness of the attack. The city did not pay the attackers.
Indiana-based CarePointe ENT, an ear, nose, throat, sinus and hearing center, suffered a ransomware attack that may have exposed the personal health data of nearly 50,000 patients. The ransomware attack encrypted electronic health data which may have included information such as name, address, date of birth, social security number, etc. The organization released a statement to patients saying it believed the attackers wanted money and not their data, but that patients should be aware their information was encrypted by the attackers.