Following on from our State of Ransomware 2020 blog, we’ll be tracking the 2021 publicized ransomware attacks each month to share with you via this blog. With damages from cybercrime expected to hit $6 trillion this year (up from $3 trillion in 2015), we expect the number of ransomware attacks to increase and newer forms to become more sophisticated and disruptive. To keep informed of what’s happening every month, follow this blog and register for our free monthly ransomware report.
Let’s begin with January and look at the 19 attacks we uncovered during the month.
We start the month with an attack on New York-based Apex Laboratory. The company was forced to disclose the attack, which happened earlier in 2020, after data stolen during the attack showed up online. A notice posted on Dec 31st revealed that it was the victim of a cyberattack and that certain systems in its environment were encrypted and inaccessible.
Next up is UK-based infrastructure support service provider Amey. The company was targeted by the Mount Locker ransomware gang in mid-December. Documents, including correspondence with government departments, were posted online in late December.
In October 2020 Hackney Council in London reported that it had been the victim of a very sophisticated cyberattack. The attack drew immediate speculation from experts that ransomware was involved; however, this wasn’t confirmed until January, when the PYSA ransomware gang leaked council data online in a double extortion style attack. The data appears to contain a significant amount of personally identifiable information.
The Northern Territory Government in Australia was next to reveal an attack that forced its systems offline for 3 weeks. The attack involved a supplier of one of its cloud-based IT systems, and the government insisted its data was not compromised during the attack.
Colorado-based rail operator and logistics provider OmniTRAX was hit by a ransomware attack that targeted its corporate parent company, Broe Group. The Conti gang was behind the attack and posted exfiltrated data on its leak site. The leak suggests that Broe Group, which is headquartered at the same location, refused to pay the ransom.
Norway-based AKVA Group, a global supplier of technology to the aquaculture industry, revealed that it had been hit by a ransomware attack and that hackers were demanding a ransom. In a statement to the stock market in Oslo the company disclosed that it was working with the relevant Norwegian authorities to limit damage and get a full assessment of the situation. The incident resulted in a drop in the share price.
Dassault Falcon Jet Corp, the US subsidiary of Dassault Aviation, suffered a ransomware attack at the hands of the Ragnar Locker gang. According to media reports and the breach dates reported by the company, it seems the attackers maintained access to company systems for roughly six months, between June and December. Compromised data included information belonging to employees such as name, personal and company email address, home address, driver’s license number, passport information, date of birth, etc.
Wentworth Golf and Country Club, one of the most exclusive clubs in England, was forced to send an email of apology to its 4000 members, who include high-profile celebrities, sports stars, and top business people, after its members’ list was accessed by cybercriminals. According to The Telegraph, club members discovered the incident earlier when an unauthorized message appeared on the Wentworth website claiming “your personal files are encrypted!” with a Bitcoin cryptocurrency payment demand for decryption.
The City of Angers in France indicated on its social networks that the city had suffered a ransomware cyberattack over the weekend of January 15th. The attack targeted the information system of the city and the metropolis, which caused the closure of certain municipal services.
The Conti ransomware group claimed an attack on the Scottish Environment Protection Agency (SEPA) which saw around 1.2GB of data stolen from its digital systems including databases, contracts, and strategy documents. The hackers published over 4000 files after the organization refused to pay the ransom.
Centre Hospitalier de Wallonie Picarde (CHwapi) in Tournai, Belgium became the first reported healthcare attack of the year. The hospital was forced to redirect incoming patients to other facilities after the attack crippled its systems. According to the investigators, no ransom demands were made by the hackers, which could indicate that the hospital was targeted by mistake.
WestRock, one of the world’s largest paper and packaging companies, suffered an attack which affected some of its operational and information technology systems. WestRock is working with security experts on system recovery efforts to minimize the impact on its customers. In a press release the company described the incident as likely leading to a loss of revenue and incremental costs that could affect its bottom line.
Palfinger, an Austria-based hydraulics engineering company, experienced a global cyberattack that took down its e-mail system and disrupted business operations. A security notice titled ‘Cyberattack’ stated that its enterprise resource planning (ERP) systems were down and that “a large proportion of the group’s worldwide locations were affected.” The company, which operates in almost 30 countries, has made it official that its email systems were the worst hit in the file-encrypting malware attack.
Tennessee Wesleyan University (TWU) revealed in a press release that all of the university’s networks were closed after staff and campus officials became aware of a ransomware attack. Online learning was unaffected but staff and students were asked not to use the university systems.
Pan-Asian retail giant Dairy Farm was hit by a REvil ransomware attack, with the attackers allegedly demanding a $30 million ransom. The group operates over 10,000 outlets across grocery, convenience store, health and beauty, home furnishing, and restaurants in Asia. Dairy Farm stated that it was not aware of any data being stolen during the attack; however, screenshots seen by BleepingComputer showed that the threat actors continued to have access to email and computers after the attack.
UK Research and Innovation (UKRI) disclosed that a ransomware attack had disrupted services and may have led to data theft. The incident impacted two of the group’s services: a portal used by the Brussels-based UK Research Office and an extranet utilized by UKRI councils.
Illinois-based DSC Logistics, a third-party logistics provider and supply chain management company, disclosed it had been the victim of a cyberattack after a ransomware gang threatened to expose its exfiltrated data on a leak site. Egregor is suspected to be behind the attack.
Georgia-based Crisp Regional Health Services discovered it had been a victim of ransomware when nurses working at the facility started seeing ‘files encrypted’ on some of its computer systems. Phone systems were affected; however, the facility disclosed that workflow and patient care were not compromised. The organization is working with external cybersecurity and forensic professionals to determine if patient data was accessed or exfiltrated during the attack.
The last reported attack of the month involved Serco, a global government outsourcer responsible for running part of the UK’s COVID-19 Test and Trace system. The British business, which employs 50,000 people, confirmed the attack and disclosed that only its mainland European operations had been impacted. Sky News became aware of the incident after spotting a sample of the Babuk ransomware uploaded to VirusTotal. The sample apparently included a ransom note addressed to Serco in which the attackers claimed: “We’ve been surfing inside your network for about three weeks and copied more than 1TB of your data.”
February saw a total of 23 attacks, up from 16 in 2020. South America reported some large attacks including two major utility companies, the Ministry of Finance and Ecuador’s largest bank. The apparent attack on Kia made a lot of headlines during the month as the company continues to dispute the attack, despite the cybercriminals posting their data on the dark web. Here’s a look at what we uncovered for the month.
The first reported attack of the month involved Brazilian state-owned energy company Companhia Paranaense de Energia (Copel). The attack was the work of the Darkside gang who claimed to have stolen more than 1000 GB of sensitive data. The organization was one of two major electric utilities companies in Brazil to suffer a ransomware attack in the same week.
An attack on the Victor Central School District in New York encrypted its systems and data, locking out users and forcing the closure of all district schools.
Automatic Funds Transfer Services (AFTS), a Seattle-based payment processor used by many cities and government agencies across the US, suffered an attack from a gang known as Cuba. The attack caused significant disruption to its business operations and affected customers such as California’s Department of Motor Vehicles, which recently warned of a potential data breach following the attack. The hackers began selling the stolen data on their leak site and claim to have exfiltrated sensitive financial documents.
Eletrobras, the largest power utility company in Latin America, was the second major utility company in Brazil to suffer an attack in early February. Electronuclear suspended some of its systems to protect the integrity of the network once the attack was discovered.
A widely reported data breach at Foxtons Group, a British estate agency, was due to a ransomware attack by the Egregor group. Foxtons made headlines this month when reports revealed that a large quantity of personal and financial information belonging to its customers had been discovered on the dark web. The data reportedly included over 16,000 credit card details, even though a statement from the company had previously stated that the data was considered old and of no threat to customers.
Mortgage loan servicing company SN Servicing Corporation was hit by a ransomware attack in 2020. In February, the California and Vermont state attorneys general were notified of the incident. According to the documents filed, the affected systems were shut down and forensic experts were engaged to determine the impact upon discovery of the attack. A preliminary investigation uncovered data related to 2018 billing statements and reimbursement notifications to customers, including names, addresses, loan numbers, balance information and billing information such as estimated, owed, or paid charges. The Egregor gang has been linked to the attack.
British Columbia-based real estate agency Remax Kelowna was hit with an attack by the Conti ransomware gang, which listed the firm as a victim on its leak website. According to the firm, the attack occurred at the same time as it was overseeing a software update. It reported that the ransomware was not launched and, while some files had been copied, the data was allegedly non-personal in nature.
Ness Digital Engineering Company, an Israeli-based U.S. IT provider, was hit by Ragnar Locker ransomware affecting its computer networks in India, the U.S. and Israel. The company said that its clients, who include government ministries, hospitals, and local municipalities, were not compromised in the attack. A screenshot of the ransom note read “Hello ness-digital-engineering! If you (sic) reading this message, it means your network was PENETRATED and all of your files and data has (sic) been ENCRYPTED by RAGNAR LOCKER!” The text then directed the company to get in touch via live chat to make a deal.
Polish video game company CD Projekt was hit by the HelloKitty ransomware gang. The company disclosed that the attackers had managed to access the network, encrypt some devices and exfiltrate some data. In a tweet disclosing the attack the company shared the ransom note, which claimed to have accessed the source code for popular games including Cyberpunk 2077. The company confirmed it did not plan to give in to the gang’s ransom demands.
French health insurance company Mutuelle Nationale des Hospitaliers (MNH) suffered a ransomware attack that had significant impact on the company’s operations. An independent security researcher shared a Tor web page acting as a ransom negotiation page with media outlet BleepingComputer. RansomExx was behind the attack.
Dax-Côte d’Argent Hospital Center in France was the next reported incident. The attack by the Egregor gang caused major disruptions across its network and forced the hospital to accept only major emergencies. A spokesperson from the hospital administration commented that everything from reading a medical file to the catering system had been affected and the facility was back to pen and paper following the attack.
The second education incident of the month goes to Central Piedmont Community College in North Carolina. The school tweeted that it had experienced a ransomware attack, but it’s not known which gang was responsible. It has so far been reported that no employee or student data was compromised.
Discount Car and Truck Rental, part of the Enterprise group and one of Canada’s biggest rental agencies, was hit by the Darkside ransomware gang. Darkside posted a notice on its leak site stating they had copied 120 GB of corporate, banking and franchise data from the firm. A spokesperson for the company commented that the investigation was ongoing when questioned about how the attack started and whether customer or employee information has been exfiltrated.
International law firm Jones Day was the victim of a ransomware attack carried out by the Clop gang. The law firm claimed that its network had not been compromised and that the theft of data involved a file-sharing company that it used to store files. The gang, however, claimed that it had obtained 100 gigabytes of files from servers belonging to the firm and that it had begun publishing the exfiltrated data as proof of its successful attack.
The attack on Kia Motors America is probably the most interesting of the month. The incident became known when it was reported that the company was suffering a major IT outage across the U.S., affecting the internal sites used by dealers, mobile apps, and phone and payment systems. It later transpired that the DoppelPaymer gang had claimed the attack and had demanded a ransom of $20 million for a decryptor and a promise not to leak the stolen data. The Tor victim page stated that a “huge amount” of data had been exfiltrated and would be released in 2-3 weeks if the company refused to negotiate with the hackers. Kia denied it was under attack. The gang then released data belonging to parent organization Hyundai Motor Company, but interestingly both companies are denying the attack. In an official statement Kia described the unavailability of its services, including remote start and heating, as an “extended systems outage” that began on February 13th. It continued by saying, “we are aware of online speculation that Kia is subject to a ransomware attack. At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack.” It’s hard to imagine that this is a hoax on the part of the cybercriminals, and experts say it’s possible but not probable.
Yuba County in California was the victim of a ransomware cyberattack which infected some of the county’s computer systems with malware. The malware encrypted the affected systems and the attacker demanded payment from the county in order to obtain a decryption key. It’s not known what criminal gang was behind the attack and according to a spokesperson no ransom payment was made.
Underwriters Laboratories, the world’s leading safety testing authority, suffered IT outages after a ransomware attack. In a statement it confirmed that a breach had been detected and that a cybersecurity firm had been brought in to assist with the investigation. It is not yet known who was behind the attack or what type of data may have been compromised. The investigation continues, but at this point the company does not wish to engage with the cybercriminals and instead plans to reinstate any lost data from backups.
TietoEVRY, a major Finnish IT provider, was the victim of an attack which caused issues across the services it delivers to customers in the retail, manufacturing, and service-related industries. A company spokesperson confirmed that 25 customers were impacted and that at this time it does not seem that any critical or personal data was accessed or stolen by the attackers. It’s not yet known which gang was behind the attack or whether any ransom demands have been made.
A recent cyberattack that forced the Dutch Research Council (NWO) to take its servers offline has been confirmed as a ransomware attack by the DoppelPaymer gang. The hackers exfiltrated data from the organization and published proof of the attack on their leak site. The NWO does not cooperate with cybercriminals and they are currently working on restoring their network.
An attack on Ecuador’s Ministry of Finance was reported with a new hacking group known as Hotarus Corp behind the incident. Soon after the attack the gang released a text file containing 6,632 login names and hashed password combinations on a hacker forum. The ransomware gang told media outlet BleepingComputer that they had exfiltrated sensitive ministry data.
Banco Pichincha, Ecuador’s largest private bank, was the next victim of the Hotarus Corp gang. Following the attack, the bank published an official statement stating that a marketing partner had been hacked and not its internal systems. It confirmed that fraudulent (phishing) emails were sent on behalf of the bank to clients in order to carry out illegitimate transactions. However, in an interview with BleepingComputer, the hacking group disputed the bank’s statement and said it used the marketing company’s compromise as a launchpad into the bank’s internal systems. The group claims to have stolen “31,636,026 Million customer records and 58,456 sensitive system records,” including credit card numbers.
Saginaw Township Community Schools in Michigan became the victim of a ransomware attack; the gang behind the attack is unknown. The FBI and Michigan State Police, who are investigating the incident, are said to be in regular communication with the attackers to try to resolve the situation. Systems have been mostly restored, but the investigation continues and at this time it is not known if any personal data was compromised in the attack.
In the last reported attack of the month, Staring College in the Netherlands reported that it had been attacked and that it had paid the ransom. It is not known who was behind the attack or how much the ransom was. When employees noticed that their data had been encrypted and their files weren’t accessible, the college made the decision to pay the ransom so education and exams could continue without further disruption.
In March we recorded 25 attacks, the highest month of the year so far. An attack on computer giant Acer became the largest ransom demand in history at $50 million, while ransomware attacks halted production at IoT manufacturer Sierra Wireless and beer maker Molson Coors. Here’s a look at what else we uncovered during the month.
We start the month with payroll giant PrismHR. The business services company, which counts over 80,000 organizations as customers and serves over 2 million employees, was reportedly attacked by the Darkside ransomware gang. According to employees and their clients, PrismHR told them that it had detected suspicious activity, leading it to immediately shut down its servers and network to protect the integrity of its systems.
Up next is Arizona-based clinic Cochise Eye and Laser, which was infected with ransomware that encrypted its scheduling and billing software. The attack affected up to 100,000 patients. Although there has been no evidence of data exfiltration, the incident is still considered a breach of protected health information and patients were notified of the incident.
Healthcare provider Allergy Partners suffered an attack lasting eight days, with hackers demanding a ransom of 1.75 million, according to a report filed with the Asheville Police Department. The North Carolina-based organization, which has clinics across 20 states, informed its patients that those affected by the incident will be updated once it finishes its investigation. It is unclear whether Allergy Partners paid the ransom.
US bank and mortgage lender Flagstar disclosed a data breach following the Accellion cyberattack at the hands of the Clop ransomware gang earlier in the year. BleepingComputer was told that Flagstar received a ransom note demanding a payment in bitcoin or the exfiltrated data would be released. Other victims of the Accellion attack include Bombardier, Royal Dutch Shell, and New Zealand Reserve Bank.
Oklahoma-based managed service provider (MSP) Standley Systems was attacked by the REvil gang, which claimed to have obtained sensitive data including more than 1,000 social security numbers. The REvil gang is known for leaking data on its dark web site, and in addition to the social security numbers it claims to have medical documents, personal client data, passport details, etc. On its leak site it posted links to data from six customers as well as backups. The Standley customers mentioned on the REvil leak site were Chaparral Energy, Crawley Petroleum, Ellis Clinic, EverQuest, the Oklahoma Medical Board, and structural steel fabricator W&W Steel.
The systems of SEPE, the Spanish government agency for labour, were disrupted when a ransomware attack affected more than 700 agency offices across Spain. The agency confirmed that confidential data was safe; the Ryuk ransomware gang was behind the attack.
The Clop ransomware gang claimed to have stolen data from cloud security company Qualys. The gang shared screenshots of stolen files, including invoices, tax documents and purchase orders, on its data leak site as proof of the hack. The company said the attack had no operational impact but that unauthorized access had been obtained to an Accellion server used by the company.
Up next is the Oloron-Sainte-Marie Hospital in France. The attack managed to paralyze the hospital’s IT systems and the attackers demanded $50,000 in Bitcoin to release the data. Staff had to go back to pen and paper as digital patient information was unavailable.
Beer maker Molson Coors disclosed that it suffered a cyberattack which caused significant disruption to its operations, including the production and shipment of beer. The company is working with a forensic information technology firm alongside legal counsel to investigate the incident and restore systems. Multiple sources in the cybersecurity industry told BleepingComputer that it was a ransomware attack but could not share which gang was involved.
Buffalo Public Schools was forced to abandon in-classroom learning for thousands of students when a ransomware attack shut down technology across the district. It’s unclear whether personal data was stolen, and a criminal investigation is underway.
The next attack on education took place at South and City College in Birmingham, UK. The college which has 8 sites across the city tweeted: “The college has suffered a major ransomware attack on our IT system, which has disabled many of our core systems.” It’s not yet known who was behind the attack.
Servers of the Pimpri-Chinchwad Smart City project in India were infected with ransomware with attackers encrypting data and demanding payment in Bitcoin for decrypting the lost information.
The Castle School Education Trust (CSET) in Bristol suffered a highly sophisticated ransomware attack which left 23 schools without access to their IT systems. CSET and South Gloucestershire Council are working together with external partners and agencies to investigate the attack and restore the systems. It’s not yet known who was behind the attack.
The next reported attack, on computer giant Acer, made headlines this month as the $50 million ransom is the largest known to date. The REvil gang was behind the attack. The attackers shared some exfiltrated data on their leak site as proof of the attack. The images shown included financial spreadsheets, bank balances, and bank communications.
Cambridge Meridian Academies Trust which runs schools in the UK was hit by an unknown gang. The trust was able to mitigate the attack to some extent and encryption occurred on only some systems. The trust said there was no evidence of a data breach but the Information Commissioner’s Office was notified.
Sierra Wireless, a manufacturer of IoT devices, was forced to halt production after a ransomware attack. It’s currently unknown what kind of ransomware Sierra Wireless fell victim to or how it was able to infiltrate the network. The company said the attack was limited to internal systems and that customer-facing products had not been affected.
US-based insurance giant CNA was the victim of a ransomware attack using a new variant called Phoenix CryptoLocker, possibly linked to the Evil Corp hacking group. Sources familiar with the attack have told BleepingComputer that over 15,000 devices on its network were encrypted and that remote employees logged into the VPN were also affected.
Clothing retailer FatFace paid $2m to the Conti gang when its data was held to ransom. The security incident occurred in January but only became public knowledge in March, when the company emailed customers to let them know that their data had been accessed by “an unauthorised third party”. The retailer has faced criticism for failing to disclose the incident in a timely manner and for attempting to insist that affected customers keep the matter quiet.
Sydney-headquartered Nine Network, Australia’s top-rated network, was taken off-air for over 24 hours by suspected state-backed attackers in what has been described as the largest attack on a media company in the history of the country. It was claimed that the attack was ransomware, but no ransom has yet been demanded.
London-based non-profit multi-academy trust Harris Federation suffered a ransomware attack that affected 50 schools. The attack caused the outage of phone, IT and email systems. The education charity runs 50 Harris primary and secondary academies and has 37,000 students from London and surrounding areas.
Royal Dutch Shell became the next victim of the Clop ransomware gang. The gang exfiltrated sensitive data from an Accellion file transfer service used by the oil giant and later leaked the stolen data online to pressure the company into paying a ransom. Some of the leaked data included employee visa and passport information.
The next attack on the education sector hit the University of Maryland. The Clop ransomware gang was behind the attack, which saw sensitive information including photos and names of individuals, home addresses, Social Security numbers, immigration status, dates of birth, and passport numbers leaked online.
The University of California was also attacked by the Clop gang which saw sensitive and personal information leaked online following the attack.
The Maharashtra Industrial Development Corporation (MIDC) in India revealed a ransomware attack had affected its IT systems. Maharashtra, home to Mumbai, is one of the most industrialised states in India. No ransom demand was made in the ransom note. Ransomware known as SynAck was responsible for the attack.
The last attack of the month takes us to Milan, Italy, where menswear brand Boggi Milano became the victim of the Ragnarok ransomware gang. The hackers claimed to have stolen 40 GB of data from the company. Founded in 1939, Boggi Milano operates around 200 shops in 38 countries and is among the best known premium Italian menswear brands.
In April we uncovered a whopping 31 ransomware attacks, the busiest month of the year so far and up from just 12 in April 2020. The NBA made headlines when the Babuk gang revealed it had exfiltrated 500 GB of sensitive player data, while the REvil gang demanded $25 million from leading French pharmaceutical company Pierre Fabre and an attack on a Dutch logistics company caused a shortage of cheese in supermarkets in the Netherlands. Here’s a summary of what else we tracked during the month.
The first reported attack of the month was on Asteelflash, a leading French electronics manufacturing services company. While the company has not formally disclosed the attack, the hackers’ negotiation page showed that the REvil gang had initially demanded a $12 million ransom, but as the deadline passed the amount rose to $24 million.
Attacks on education continue to increase in frequency, and this time it was the turn of Broward County School District in Florida. The Conti ransomware gang encrypted the systems and threatened to release sensitive student and teacher data unless a ransom of $40 million was paid.
Applus Technologies, a vehicle inspection services provider, was hit by an attack that caused havoc across vehicle inspection sites in 8 states across the US. Following the attack the company was forced to disconnect its IT systems to prevent the malware from spreading. The company did not reveal the type of malware that infected its systems, but experts speculate the attack was ransomware.
Hardware chain Home Hardware, one of Canada’s largest dealer-owned hardware retailers, became a victim of the DarkSide ransomware group. Following the attack the cybercriminals posted a sample of corporate data and threatened to release more if the ransom was not paid.
Attacks on education continued with an attack on the Technological University in Dublin, Ireland. The university commented that there was no indication that any data, including personal data, had been “exfiltrated, downloaded, copied or edited”.
The National College of Ireland was next, reporting an attack on the same day. The attack resulted in the Dublin college suspending access to all its IT systems, including Moodle and the Library Service. The college has said that no ransom has been paid.
The next attack on education occurred at Haverhill Public Schools in Massachusetts. Schools were forced to close after the computer systems were hit. The IT department noticed issues with the system and were able to shut down the network before “large scale corruption of the system occurred”.
An attack on global wholesale distributor JBI shut down online systems, causing shipping delays and backlogged orders. JBI has 11 warehouses, which were impacted by the attack. The attack is still being investigated, but JBI has said that no customer data has been impacted.
The City of Lawrence in Massachusetts was hit by a major cyberattack that disabled its computer systems. Sources told an investigative reporter that the city was “arranging payment” to regain control of its systems after the attack, in which cybercriminals managed to take over control of the computers at the fire and police departments as well as at City Hall.
Leading French pharmaceutical company Pierre Fabre suffered an attack at the hands of the REvil ransomware gang. The organization said they were able to bring the attack under control within 24 hours after temporarily halting production. A screenshot of a Tor payment page showed a ransom demand of $25 million which later doubled to $50 million as there was no contact between the company and the attackers.
The Regional Municipality of Durham became a victim of the Clop ransomware gang following an attack on a third-party software provider. The gang posted 6.5GB of data exfiltrated during the attack. Two of the documents posted were related to paramedic services and included patient names, addresses, dates of birth and healthcare numbers.
Supermarkets in the Netherlands were left with empty shelves in the cheese aisle after logistics company Bakker Logistiek was hit by a ransomware attack. The company is one of the largest logistics services providers in the Netherlands. It’s not known who was behind the attack, but the company has said it believes threat actors gained access to its systems through the recently reported Microsoft Exchange vulnerabilities.
The next attack caused poker machines at Tasmania’s two casinos to go offline. The owner Federal Group was forced to shut down gaming machines in the casino following the incident. The company confirmed the attack was ransomware but it’s not yet known who was behind it.
The University of Portsmouth was forced to close its campus following a ‘technical disruption’ to its IT network believed to be a ransomware attack. An internal email seen by publisher The News said: ‘The university has experienced disruption to IT services due to a ransomware attack.’ The incident is being investigated and it’s not yet known who was behind the attack.
Up next is the National Basketball Association (NBA). The organization suffered an attack by the hacking group known as Babuk. The criminal gang disclosed on their Dark Web page that they had exfiltrated a whopping 500 GB of the Houston Rockets’ data said to include critical non-disclosure agreements, contracts, and even financial info. The cybercriminals are threatening to publish the stolen data if the organization refuses to pay the ransom.
The National Security Authority (NBÚ) in Slovakia registered a series of significant ransomware attacks on targets including those in public administration, telecommunications, energy and IT. Reports say hackers requested hundreds of thousands of Euros to restore the systems. The reported incidents included a serious third-degree cybersecurity incident under the Cyber Security Act – one with the potential to affect elements of the state’s critical infrastructure.
The Dixie Group, a leading US manufacturer of luxury carpets and rugs, announced that they had detected a ransomware attack on some of its information technology systems. According to the press release the attack was contained and the company is working with cybersecurity experts and law enforcement to investigate the incident.
The next attack was on Taiwan-based Quanta Computer, a leading notebook manufacturer and one of Apple’s business partners. The company allegedly refused to communicate with the REvil ransomware gang, who then proceeded to hold Apple to ransom for $50 million, threatening to release their blueprints if the ransom wasn’t paid. The hackers revealed they had managed to exfiltrate a lot of sensitive data from the network.
In the next attack hackers targeted Japanese firm Hoya Corp with ransomware. The glassmaker who has 37,000 employees worldwide was allegedly targeted by the Astro Team gang who claim to have stolen around 300 gigabytes of confidential company data.
Upstox, India’s second largest stockbroking firm, initiated password resets for millions of traders on its platform earlier this month after learning that a huge data breach might have hit it. At the time it was not disclosed that they had suffered a ransomware attack; however, an independent internet security researcher told the press that Upstox data was for sale on the Dark Web and the ransom was $1.2 million. The exfiltrated data included names, emails, bank details and records of customer signatures.
Mining technology company Gyrodata released a statement disclosing that they had been the victim of a ransomware attack that has possibly led to a data breach. Potentially compromised data includes names, addresses, dates of birth, Social Security numbers, passport details and more from past and current employees.
The Metropolitan Police Department in Washington DC confirmed that they had been the victim of a cyberattack after the Babuk ransomware gang shared screenshots of data exfiltrated during the attack. The cybercriminals claimed to have stolen 250 GB of unencrypted files which are said to relate to information such as disciplinary records and files relating to gang members operating in DC. The Babuk gang warned on the data leak page that the police have 3 days to make contact or they will begin contacting gangs to warn them of police informants.
An attack on Canadian company Professional Excavators and Construction started with some of the company’s printers playing up; a few weeks later everything froze. Unfortunately for the company this happened the day before they were planning to submit a bid for a large project. A spokesperson for the company commented that “the damage of not being able to get one of the biggest pursuits in our company’s history is obviously damaging, but to get back up and running has been brutal.”
Santa Clara Valley Transportation Authority (VTA) was the victim of an attack that paralyzed the agency’s computer systems for days. VTA officials initially said they believed they had contained the attack, but the Astro ransomware gang disclosed that they had exfiltrated 150 GB of data that they would post publicly if the authority refused to cooperate.
Australian healthcare provider UnitingCare Queensland released a statement saying that some of their digital and technology systems were inaccessible due to a cyberattack. Nine News further commented that the impact of the ransomware attack was much wider. The broadcaster reported that all operational systems, including internal staff email and booking of patient operations, were affected and staff were forced to resort to pen and paper. It’s not yet known who was behind the attack.
Merseyrail, a UK rail network that provides train services throughout Liverpool, was forced to confirm that they had been the victim of a cyberattack after the Lockbit ransomware gang used their internal email system to notify employees and journalists about the incident. The email, with the subject “Lockbit Ransomware Attack and Data Theft,” appeared to come from the Director’s @merseyrail.org Office 365 email account.
Aspire, a Glasgow based social care agency for the homeless was hit by a double extortion attack by the Conti ransomware gang. The cybercriminals published 100% of the stolen data on the Dark Web three weeks after the attack when payment had not been made.
The Illinois Attorney General’s Office disclosed they had suffered a ransomware attack after the DoppelPaymer gang leaked a large collection of files when negotiations broke down and officials refused to pay the ransom demand. The files published on the Dark Web included personally identifiable information about state prisoners, their grievances, and cases.
An attack on Brazil’s Rio Grande do Sul court system forced the courts to shut down their systems and encrypted employee files. The REvil gang was behind the attack and a $5,000,000 ransom demand.
The Resort Municipality of Whistler, the local government of Canada’s highest-profile ski resort, was hit by a ransomware attack that forced them to shut down their network, website, email, and phone systems. During the attack the Whistler.ca website displayed a message stating that the site was under construction and that visitors should contact support. The URL displayed by the attackers led visitors to a Dark Web chat site.
The Presque Isle Police Department in Maine was hit with an attack by the Avaddon ransomware gang. The cybercriminals threatened to release confidential documents if the police failed to pay up. At time of writing the ransom time clock had run out and the hackers had not yet made their next move. The time clock has been replaced with a “coming soon” message.
In May we uncovered 22 ransomware attacks, up just one from May 2020. The most high-profile attack of the month goes to Colonial Pipeline. An attack on the largest fuel pipeline in the US made headlines worldwide and caused havoc throughout several states in the US as the outages caused a shortage of gas. Here’s a snapshot of what other attacks made headlines during the month.
We begin the month in Switzerland, where cloud hosting provider Swiss Cloud was the first to report a ransomware attack. The firm did not reveal details about the incident, but they did disclose that they were working in 24-hour shifts, including weekends, to restore service. Payroll giant Sage, one of their most high-profile customers, was affected by the outages.
Healthcare giant Scripps was next to report an attack. The San Diego-based non-profit healthcare provider was forced to suspend user access to its online portal and switch to alternative methods for patient care operations, while some critical care patients were redirected to other facilities following the attack.
Volue Technology, a leading Norway-based technology supplier, was a victim of Ryuk ransomware. The firm took a different approach to disclosing the incident, setting up a webpage with information and updates relating to the attack. The telephone number and email address of their chief executive were also included, urging people to get in touch with him if they needed more information.
The most high-profile attack of the month goes to Colonial Pipeline, the largest fuel pipeline in the US. An attack from the DarkSide ransomware gang caused havoc throughout several states in the US as the outages caused a shortage of gas. The company opted to pay a $5 million ransom so services could be resumed.
The City of Tulsa in Oklahoma was forced to shut down its systems and online services following a ransomware attack. The incident did not disrupt emergency services, but it did impact online billing for residents. The city has said that customer information had not been compromised in the attack.
Yamabiko, a Tokyo-based manufacturer of power tools and agricultural and industrial machinery, was targeted by the Babuk ransomware gang. Although the company had not officially confirmed the attack, the Russia-based cybercriminals released some of the exfiltrated data on their leak site. They claimed to have exfiltrated 0.5TB of data from the firm.
Germany-headquartered chemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang in order to receive a decryptor for their encrypted files and to prevent the threat actors from publicly leaking the exfiltrated data. The cybercriminals claimed to have stolen 150GB of data during the attack. A screenshot including some stolen data was shared on their leak site.
The Health Service Executive in Ireland announced on Twitter that they had experienced a ‘significant’ ransomware attack which forced the shutdown of their systems as a precaution. All outpatient appointments were cancelled. The Conti gang set the ransom at $20 million in exchange for decrypting the data and deleting 700GB of unencrypted files that they had exfiltrated during the attack.
After insurance giant AXA announced that they would be dropping reimbursement for ransomware extortion payments for cyber-insurance policies in France, some of their locations in Asia including Thailand and Hong Kong were hit by ransomware. The Avaddon ransomware group claimed responsibility for the attack and revealed on their leak site that they had exfiltrated 3 TB of sensitive data from the company’s Asian operations.
Visalia Unified School District in California revealed they had experienced a ransomware attack which knocked many of the district’s IT systems offline. A press release issued by the district did not specify if any student or teacher information was compromised during the attack.
Waikato District Health Board in New Zealand suffered a ransomware attack which is thought to have started via a malicious email attachment. The attack downed computer and phone systems and forced staff to resort to pen and paper. Patient surgeries and outpatient appointments were also cancelled because of the incident.
The Rockland Public School District in Massachusetts became the next education victim. A notice from the school said no student Chromebooks had been affected but laptop and desktop access for staff was not possible. It’s not known who was behind the attack.
Texas-based homebuilder Betenbough scrambled to try and protect their clients after Russian hackers leaked personal information following an attack in which the criminal gang held the developer’s data to ransom. After hiring a cybersecurity expert to help deal with the incident, the company revealed that some sensitive client data had been posted on the Dark Web.
Toyota made news next when they disclosed that they had been hit by two cyberattacks, the first of which hit its subsidiary Daihatsu Diesel Company. Meanwhile, numerous Japanese media outlets reported that US subsidiary Auto Parts Manufacturing Mississippi had revealed a ransomware attack. Reports said that some financial and customer data had been exfiltrated and exposed, but the company had not paid a ransom and had not been disrupted.
Insurance broker One Call in the UK was hit by the DarkSide gang, who allegedly set a ransom of £15 million in exchange for not leaking the firm’s data. The Doncaster-based firm has not yet revealed if any customer data was exfiltrated during the attack.
Audio giant Bose Corporation disclosed a data breach following a ransomware attack that hit the company earlier this year. A company spokesperson said that the systems were recovered quickly, no ransom had been paid and that an investigation revealed a small number of affected parties who had been notified. The investigation also found that some employee data had been exfiltrated but had not been leaked on the Dark Web.
Sierra College, a Northern California community college, was hit by ransomware which affected the college website and some other online systems, according to a statement posted by the college. The college is working with third-party cybersecurity forensics experts and law enforcement to investigate the incident.
ParkMobile, a Tulsa, Oklahoma firm that manages the city’s downtown parking via its app, alerted users of a ransomware attack. The company disclosed that the incident was linked to a third-party software vendor. The attack was not related to the earlier attack on the City of Tulsa.
Clover Park School District in Washington was the next victim in education. The hackers threatened to release the exfiltrated data unless a ransom was paid. A screenshot of the message, shared by local news, read: “Clover Park School District, you’ve been hacked,” “Pay or grief. Sensitive information will be shared to the public … There are (not) any third-party solution(s) which can help you. But you can damage your information”.
The Azusa Police Department in Southern California became a victim of the DoppelPaymer criminal gang, who exfiltrated data and followed up with a ransom demand. Officials of the city of 48,000 residents decided to keep the attack a secret for 2.5 months before disclosing that data compromised in the attack “may have included” Social Security numbers, driver’s license numbers, medical information, financial account information and other records. The cybercriminals posted 7 GB of Azusa records on the Dark Web.
The next reported attack of the month was on the world’s largest meat processing firm JBS Foods. The company was forced to shut down production at several global sites following a cyberattack. JBS USA issued a press release on May 31 confirming that the attack had impacted their North American and Australian IT systems. At time of writing the nature of the attack is still unknown while the investigation continues, but cybersecurity experts believe there is a high chance that ransomware was involved.
The last attack for May hit backup appliance specialist ExaGrid. The Conti cybercriminal gang were behind the attack, which exfiltrated employee and customer data, confidential contracts and source code. A ransom of $2.6 million was paid to the criminal gang in exchange for the decryption key.