Following on from our State of Ransomware 2020 blog, we’ve tracked the 2021 publicized ransomware attacks each month to share with you via this blog. With damages from cybercrime expected to hit $6 trillion this year (up from $3 trillion in 2015), we expect the number of ransomware attacks to increase and newer forms to become more sophisticated and disruptive. To keep informed of what’s happening every month, follow this blog and register for our free monthly ransomware report.
We’ve been keeping track of key trends and myths in the sector in our annual State of Ransomware report to spot the major moments, with detailed breakdowns for 2020, 2021, 2022 and 2023.
Learn more about how BlackFog protects enterprises from the threats posed by ransomware.
Ransomware Attacks by Industry
Ransomware Attacks by Country
Ransomware Attacks by Month
January
Let’s begin with January and look at the 19 attacks we uncovered during the month.
- We start the month with an attack on New York-based Apex Laboratory. The company was forced to disclose the attack, which happened earlier in 2020, after data stolen during the attack showed up online. A notice posted on Dec 31st revealed that they were the victim of a cyberattack and that certain systems in its environment were encrypted and inaccessible.
- Next up is UK-based infrastructure support service provider Amey. The company was targeted by the Mount Locker ransomware gang in mid-December. Documents including correspondence with government departments were posted online in late December.
- In October 2020 Hackney Council in London reported that they had been the victim of a very sophisticated cyberattack. The attack drew immediate speculation from experts that ransomware was involved; however, this wasn’t confirmed until January, when the PYSA ransomware gang leaked council data online in a double extortion style attack. The data appears to contain a significant amount of personally identifiable information.
- The Northern Territory Government in Australia was next to reveal an attack that forced its systems offline for 3 weeks. The attack involved a supplier of one of its cloud-based IT systems and they insisted government data was not compromised during the attack.
- Colorado-based rail operator and logistics provider OmniTRAX was hit by a ransomware attack that targeted its corporate parent company, Broe Group. The Conti gang was behind the attack and posted exfiltrated data on its leak site. The leak suggests that Broe Group, which is headquartered at the same location, refused to pay the ransom.
- Norway-based AKVA Group, a global supplier of technology to the aquaculture industry, revealed that they had been hit by a ransomware attack and that hackers were demanding a ransom. In a statement to the Stock Market in Oslo the company disclosed that they were working with the relevant Norwegian authorities to limit damage and get a full assessment of the situation. The incident resulted in a drop in the share price.
- Dassault Falcon Jet Corp, the US subsidiary of Dassault Aviation, suffered a ransomware attack at the hands of the Ragnar Locker gang. According to media reports and the dates of breach reported by the company, it seems the attackers maintained access to company systems for roughly six months, between June and December. Compromised data included information belonging to employees such as name, personal and company email address, home address, driver’s license number, passport information, date of birth, etc.
- Wentworth Golf and Country Club, one of the most exclusive clubs in England, was forced to send an email of apology to its 4000 members, who include high profile celebrities, sports stars, and top business people, after its members’ list was accessed by cybercriminals. According to The Telegraph, club members discovered the incident earlier when an unauthorized message appeared on the Wentworth website claiming “your personal files are encrypted!” with a Bitcoin cryptocurrency payment demand for decryption.
- The City of Angers in France indicated on its social networks that the city had suffered a ransomware cyberattack over the weekend of January 15th. The attack targeted the information system of the city and the metropolis, which caused the closure of certain municipal services.
- The Conti ransomware group claimed an attack on the Scottish Environment Protection Agency (SEPA) which saw around 1.2GB of data stolen from its digital systems including databases, contracts, and strategy documents. The hackers published over 4000 files after the organization refused to pay the ransom.
- Center Hospitalier de Wallonie Picarde (CHwapi) in Tournai, Belgium became the first reported healthcare attack of the year. The hospital was forced to redirect incoming patients to other facilities after the attack crippled its systems. According to the investigators no ransom demands were made by the hackers, which could indicate that the hospital was targeted by mistake.
- WestRock, one of the world’s largest paper and packaging companies suffered an attack which affected some of its operational and information technology systems. WestRock is working with security experts on system recovery efforts to minimize the impact on its customers. In a press release the company described the incident as likely leading to a loss of revenue and incremental costs that could affect its bottom line.
- Palfinger, an Austria-based hydraulics engineering company, experienced a global cyberattack that took down their e-mail system and disrupted business operations. A security notice titled ‘Cyberattack’ stated that their enterprise resource planning (ERP) systems were down and that “a large proportion of the group’s worldwide locations were affected.” The company, which operates in almost 30 countries, confirmed that its email systems were the worst hit in the file-encrypting malware attack.
- Tennessee Wesleyan University (TWU) revealed in a press release that all of the university’s networks were closed after staff and campus officials became aware of a ransomware attack. Online learning was unaffected but staff and students were asked not to use the university systems.
- Pan-Asian retail giant Dairy Farm was hit by a REvil ransomware attack with the attackers allegedly demanding a $30 million ransom. The group operates over 10,000 outlets across grocery, convenience store, health and beauty, home furnishing, and restaurants in Asia. Dairy Farm stated that they were not aware of any data being stolen during the attack; however, screenshots seen by BleepingComputer showed that the threat actors continued to have access to email and computers after the attack.
- UK Research and Innovation (UKRI) disclosed that a ransomware attack had disrupted services and may have led to data theft. The incident impacted two of the group’s services including a portal used by the Brussels-based UK Research Office and an extranet utilized by UKRI councils.
- Illinois-based DSC Logistics, a third-party logistics provider and supply chain management company, disclosed they had been victims of a cyberattack after a ransomware gang threatened to expose their exfiltrated data on a leak site. Egregor is suspected to be behind the attack.
- Georgia-based Crisp Regional Health Services discovered they had been a victim of ransomware when nurses working at the facility started seeing ‘files encrypted’ on some of its computer systems. Phone systems were affected; however, the facility disclosed that workflow and patient care were not compromised. The organization is working with external cybersecurity and forensic professionals to determine if patient data was accessed or exfiltrated during the attack.
- The last reported attack of the month involved Serco, a global government outsourcer responsible for running part of the UK’s COVID-19 Test and Trace system. The British business, which employs 50,000 people, confirmed the attack and disclosed that only its mainland European operations had been impacted. Sky News became aware of the incident after spotting a sample of the Babuk ransomware uploaded to VirusTotal. The sample apparently included the ransom note addressed to Serco, in which the attackers claimed: “We’ve been surfing inside your network for about three weeks and copied more than 1TB of your data.”
February
February saw a total of 23 attacks, up from 16 in 2020. South America reported some large attacks including two major utility companies, the Ministry of Finance and Ecuador’s largest bank. The apparent attack on Kia made a lot of headlines during the month as the company continues to dispute the attack, despite the cybercriminals posting its data on the dark web. Here’s a look at what we uncovered for the month.
- The first reported attack of the month involved Brazilian state-owned energy company Companhia Paranaense de Energia (Copel). The attack was the work of the Darkside gang who claimed to have stolen more than 1000 GB of sensitive data. The organization was one of two major electric utilities companies in Brazil to suffer a ransomware attack in the same week.
- An attack on the Victor Central School District in New York encrypted its systems and data, locking out users and forcing the closure of all district schools.
- Automatic Funds Transfer Services (AFTS), a Seattle-based payment processor used by many cities and government agencies across the US, suffered an attack from a gang known as Cuba. The attack caused significant disruption to their business operations and affected customers such as California’s Department of Motor Vehicles, which recently warned of a potential data breach following the attack. The hackers began selling the stolen data on their leak site and claim to have exfiltrated sensitive financial documents.
- Eletrobras, the largest power utility company in Latin America, was the second major utility company in Brazil to suffer an attack in early February. Electronuclear suspended some of its systems to protect the integrity of the network once the attack was discovered.
- A widely reported data breach at Foxtons Group, a British estate agency, was due to a ransomware attack by the Egregor Group. Foxtons made headlines this month when reports revealed that a large quantity of personal and financial information belonging to its customers had been discovered on the dark web. The data reportedly included over 16,000 credit card details, even though a statement from the company had previously stated that the data was considered old and of no threat to customers.
- Mortgage loan servicing company SN Servicing Corporation was hit by a ransomware attack in 2020. In February, California and Vermont state attorneys were notified of the incident. According to the documents filed, the affected systems were shut down and forensic experts were engaged to determine the impact upon discovering the attack. A preliminary investigation uncovered data related to 2018 billing statements and reimbursement notifications to customers, including names, addresses, loan numbers, balance information and billing information such as estimated, owed, or paid charges. The Egregor gang has been linked to the attack.
- British Columbia-based real estate agency Remax Kelowna was hit with an attack by the Conti ransomware gang, which listed the firm as a victim on its leaks website. According to the firm, the attack occurred at the same time as they were overseeing a software update. They reported that the ransomware was not launched and, while some files had been copied, the data was allegedly non-personal in nature.
- Ness Digital Engineering Company, an Israeli-based U.S. IT provider, was hit by Ragnar Locker ransomware affecting its computer networks in India, the U.S. and Israel. The company said that their clients, who include government ministries, hospitals, and local municipalities, were not compromised in the attack. A screenshot of the ransom note read “Hello ness-digital-engineering! If you (sic) reading this message, it means your network was PENETRATED and all of your files and data has (sic) been ENCRYPTED by RAGNAR LOCKER!” The text then directed the company to get in touch via live chat to make a deal.
- Polish video game company CD Projekt was hit by the HelloKitty ransomware gang. The company disclosed that the attackers had managed to access the network, encrypt some devices and exfiltrate some data. In a tweet disclosing the attack the company shared the ransom note, which claimed to have accessed the source code for popular games including Cyberpunk 2077. The company confirmed they did not plan to give in to the gang’s ransom demands.
- French health insurance company Mutuelle Nationale des Hospitaliers (MNH) suffered a ransomware attack that had significant impact on the company’s operations. An independent security researcher shared a Tor web page acting as a ransom negotiation page with media outlet BleepingComputer. RansomExx was behind the attack.
- Dax-Côte d’Argent Hospital Center in France was the next reported incident. The attack by the Egregor gang caused major disruptions across their network and forced the hospital to only accept major emergencies. A spokesperson from the hospital administration commented that everything from reading a medical file to the catering system had been affected and the facility was back to pen and paper following the attack.
- The second education incident of the month goes to Central Piedmont Community College in North Carolina. The school tweeted that they had experienced a ransomware attack, but it’s not known which gang was responsible. It has so far been reported that no employee or student data was compromised.
- Discount Car and Truck Rental, part of the Enterprise group and one of Canada’s biggest rental agencies, was hit by the Darkside ransomware gang. Darkside posted a notice on its leak site stating they had copied 120 GB of corporate, banking and franchise data from the firm. When questioned about how the attack started and whether customer or employee information had been exfiltrated, a spokesperson for the company commented that the investigation was ongoing.
- International law firm Jones Day was the victim of a ransomware attack carried out by the Clop gang. The law firm claimed that its network had not been compromised and that the theft of data involved a file-sharing company that it used to store files. The gang however claimed that they had obtained 100 gigabytes of files from servers belonging to the firm and that they had begun publishing the exfiltrated data as proof of their successful attack.
- The attack on Kia Motors America is probably the most interesting of the month. The incident became known when it was reported that the company was suffering a major IT outage across the U.S., affecting the internal sites used by dealers, mobile apps, and phone and payment systems. It later transpired that the DoppelPaymer gang had claimed the attack and demanded a ransom of $20 million for a decryptor and a promise not to leak the stolen data. The Tor victim page stated that a “huge amount” of data had been exfiltrated and would be released in 2-3 weeks if the company refused to negotiate with the hackers. Kia denied they were under attack. The gang then released data belonging to parent organization Hyundai Motor Company, but interestingly both are denying the attack. In an official statement Kia described the unavailability of its services, including remote start and heating, as an “extended systems outage” that began on February 13th. They continued by saying, “we are aware of online speculation that Kia is subject to a ransomware attack. At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack.” It’s hard to imagine that this is a hoax on the part of the cybercriminals, and experts say it’s possible but not probable.
- Yuba County in California was the victim of a ransomware cyberattack which infected some of the county’s computer systems with malware. The malware encrypted the affected systems and the attacker demanded payment from the county in order to obtain a decryption key. It’s not known what criminal gang was behind the attack and according to a spokesperson no ransom payment was made.
- Underwriters Laboratories, the world’s leading safety testing authority, suffered IT outages after a ransomware attack. In a statement they confirmed that a breach had been detected and that a cybersecurity firm had been brought in to assist with the investigation. It is not yet known who was behind the attack and what type of data may have been compromised. The investigation continues, but at this point the company does not wish to engage with the cybercriminals and instead plans to reinstate any lost data from backups.
- TietoEVRY, a major Finnish IT provider, was the victim of an attack which caused issues across the services they deliver to customers in the retail, manufacturing, and service-related industries. A company spokesperson confirmed that 25 customers were impacted and at this time it does not seem that any critical or personal data was accessed or stolen by the attackers. It’s not yet known what gang was behind the attack or if any ransom demands have been made.
- A recent cyberattack that forced the Dutch Research Council (NWO) to take its servers offline has been confirmed as a ransomware attack by the DoppelPaymer gang. The hackers exfiltrated data from the organization and published proof of the attack on their leak site. The NWO does not cooperate with cybercriminals and they are currently working on restoring their network.
- An attack on Ecuador’s Ministry of Finance was reported with a new hacking group known as Hotarus Corp behind the incident. Soon after the attack the gang released a text file containing 6,632 login names and hashed password combinations on a hacker forum. The ransomware gang told media outlet BleepingComputer that they had exfiltrated sensitive ministry data.
- Banco Pichincha, Ecuador’s largest private bank, was the next victim of the Hotarus Corp gang. Following the attack the bank published an official statement stating that a marketing partner had been hacked and not their internal systems. They confirmed that fraudulent (phishing) emails were sent on behalf of the bank to clients in order to carry out illegitimate transactions. However, in an interview with BleepingComputer, the hacking group disputed the bank’s statement and said they used the marketing company’s attack as a launchpad into the bank’s internal systems. They claim to have stolen “31,636,026 Million customer records and 58,456 sensitive system records,” including credit card numbers.
- Saginaw Township Community Schools in Michigan became the victim of a ransomware attack and the gang behind the attack is unknown. The FBI and Michigan State Police who are investigating the incident are said to be in regular communication with the attackers to try and resolve the situation. Systems have been mostly restored but the investigation continues and at this time it is not known if any personal data was compromised in the attack.
- In the last reported attack of the month, Staring College in the Netherlands reported that it had been attacked and that it had paid the ransom. It is not known who was behind the attack or how much the ransom was. When employees noticed that their data had been encrypted and their files weren’t accessible, the college made the decision to pay the ransom so education and exams could continue without further disruption.
March
In March we recorded 25 attacks, the highest month of the year so far. An attack on computer giant Acer became the largest ransom demand in history at $50 million, while ransomware attacks halted production at IoT manufacturer Sierra Wireless and beer maker Molson Coors. Here’s a look at what else we uncovered during the month.
- We start the month with payroll giant PrismHR. The business services company, which counts over 80,000 organizations as customers and has over 2 million employees, was reportedly attacked by the Darkside ransomware gang. According to employees and their clients, PrismHR told them that it had detected suspicious activity, leading it to immediately shut down its servers and network to protect the integrity of its systems.
- Up next is Arizona-based clinic Cochise Eye and Laser, which was infected with ransomware that encrypted its scheduling and billing software. The attack affected up to 100,000 patients. Although there has been no evidence of data exfiltration, the incident is still considered a breach of protected health information and patients were notified of the incident.
- Healthcare provider Allergy Partners suffered an attack lasting eight days with hackers demanding a ransom of 1.75 million, according to a report filed with the Asheville Police Department. The North Carolina-based organization, which has clinics across 20 states, informed its patients that those affected by the incident will be updated once it finishes its investigation. It is unclear whether Allergy Partners paid the ransom.
- US bank and mortgage lender Flagstar disclosed a data breach following the Accellion cyberattack at the hands of the Clop ransomware gang earlier in the year. BleepingComputer was told that Flagstar received a ransom note demanding a payment in bitcoin or the exfiltrated data would be released. Other victims of the Accellion attack include Bombardier, Royal Dutch Shell, and New Zealand Reserve Bank.
- Oklahoma-based Managed Service Provider (MSP) Standley Systems was attacked by the REvil gang, who claimed to have obtained sensitive data including more than 1,000 social security numbers. The REvil gang is known for leaking data on its Dark Web site, and in addition to the social security numbers they claim to have medical documents, personal client data, passport details, etc. On their leak site they posted links to data from six customers as well as backups. The Standley customers mentioned on the REvil leak site were Chaparral Energy, Crawley Petroleum, Ellis Clinic, EverQuest, the Oklahoma Medical Board, and structural steel fabricator W&W Steel.
- The systems of SEPE, the Spanish government agency for labour, were disrupted when a ransomware attack affected more than 700 agency offices across Spain. The agency confirmed that confidential data was safe and that the Ryuk ransomware gang was behind the attack.
- The Clop ransomware gang claimed to have stolen data from cloud security company Qualys. The gang shared screenshots of stolen files including invoices, tax documents and purchase orders on its data leak site as proof of the hack. The company said the attack had no operational impact but that unauthorized access had been obtained to an Accellion server used by the company.
- Up next is the Oloron-Sainte-Marie Hospital in France. The attack managed to paralyze the hospital’s IT systems and the attackers demanded $50,000 in Bitcoin to release the data. Staff had to go back to pen and paper as digital patient information was unavailable.
- Beer maker Molson Coors disclosed that they suffered a cyberattack which caused significant disruption to their operations, including the production and shipment of beer. The Company is working with a forensic information technology firm alongside legal counsel to investigate the incident and restore systems. Multiple sources in the cybersecurity industry told BleepingComputer that it was a ransomware attack but could not share what gang was involved.
- Buffalo Public Schools was forced to abandon in-classroom learning for thousands of students when a ransomware attack shut down technology across the district. It’s unclear whether personal data was stolen, and a criminal investigation is underway.
- The next attack on education took place at South and City College in Birmingham, UK. The college which has 8 sites across the city tweeted: “The college has suffered a major ransomware attack on our IT system, which has disabled many of our core systems.” It’s not yet known who was behind the attack.
- Servers of the Pimpri-Chinchwad Smart City project in India were infected with ransomware with attackers encrypting data and demanding payment in Bitcoin for decrypting the lost information.
- The Castle School Education Trust (CSET) in Bristol suffered a highly sophisticated ransomware attack which left 23 schools without access to their IT systems. CSET and South Gloucestershire Council are working together with external partners and agencies to investigate the attack and restore the systems; it’s not yet known who was behind the attack.
- The next reported attack, on computer giant Acer, made headlines this month as the $50 million ransom is the largest known to date. The REvil gang was behind the attack. The attackers shared some exfiltrated data on their leak site as proof of the attack. The images shown included financial spreadsheets, bank balances, and bank communications.
- Cambridge Meridian Academies Trust which runs schools in the UK was hit by an unknown gang. The trust was able to mitigate the attack to some extent and encryption occurred on only some systems. The trust said there was no evidence of a data breach but the Information Commissioner’s Office was notified.
- Sierra Wireless, a manufacturer of IoT devices, was forced to halt production after a ransomware attack. It’s currently unknown what kind of ransomware Sierra Wireless fell victim to or how it was able to infiltrate the network. The company said the attack was limited to internal systems and that customer-facing products had not been affected.
- US-based insurance giant CNA was the victim of a ransomware attack using a new variant called Phoenix CryptoLocker, possibly linked to the Evil Corp hacking group. Sources familiar with the attack told BleepingComputer that over 15,000 devices on their network were encrypted and that remote employees logged into the VPN were also affected.
- Clothing retailer FatFace paid $2m to the Conti gang when their data was held to ransom. The security incident occurred in January but only became public knowledge in March when the company emailed customers to let them know that their data had been accessed by “an unauthorised third party”. The retailer has faced criticism for failing to disclose the incident in a timely manner and for attempting to insist that affected customers keep the matter quiet.
- Sydney-headquartered Nine Network, Australia’s top-rated network was taken off-air for over 24 hours by suspected state-backed attackers in what has been described as the largest attack on a media company in the history of the country. It was claimed that the attack was ransomware but no ransom has yet been demanded.
- London-based non-profit multi-academy trust Harris Federation suffered a ransomware attack that affected 50 schools. The attack caused the outage of phone, IT and email systems. The education charity runs 50 Harris primary and secondary academies and has 37,000 students from London and surrounding areas.
- Royal Dutch Shell became the next victim of the Clop ransomware gang. The gang exfiltrated sensitive data from an Accellion file transfer service used by the oil giant and later leaked the stolen data online to pressure the company into paying a ransom. Some of the leaked data included employee visa and passport information.
- The next attack on the education sector hit the University of Maryland. The Clop ransomware gang was behind the attack, which saw sensitive information including photos and names of individuals, home addresses, Social Security numbers, immigration status, dates of birth, and passport numbers leaked online.
- The University of California was also attacked by the Clop gang which saw sensitive and personal information leaked online following the attack.
- The Maharashtra Industrial Development Corporation (MIDC) in India revealed a ransomware attack had affected its IT systems. Maharashtra is one of the most industrialised states in India; no ransom demand was made in the ransom note. Ransomware known as SynAck was responsible for the attack.
- The last attack of the month takes us to Milan, Italy, where menswear brand Boggi Milano became a victim of the Ragnarok ransomware gang. The hackers claimed to have stolen 40 GB of data from the company. Founded in 1939, Boggi Milano operates around 200 shops in 38 countries and is among the best known premium Italian menswear brands.
April
In April we uncovered a whopping 31 ransomware attacks, the busiest month of the year so far and up from just 12 in April 2020. The NBA made headlines when the Babuk gang revealed they had exfiltrated 500 GB of sensitive player data, while the REvil gang demanded $25 million from leading French pharmaceutical company Pierre Fabre and an attack on a Dutch logistics company caused a shortage of cheese in supermarkets in the Netherlands. Here’s a summary of what else we tracked during the month.
- The first reported attack of the month was on Asteelflash, a leading French electronics manufacturing services company. While the company has not formally disclosed the attack, the hackers’ negotiation page showed that the REvil gang had initially demanded a $12 million ransom, but as the deadline passed the amount rose to $24 million.
- Attacks on education continue to increase in frequency, and this time it was the turn of Broward County School District in Florida. The Conti ransomware gang encrypted the systems and threatened to release sensitive student and teacher data unless a ransom of $40 million was paid.
- Applus Technologies, a vehicle inspection services provider, was hit by an attack that caused havoc across vehicle inspection sites in 8 states across the US. Following the attack the company was forced to disconnect its IT systems to prevent the malware from spreading. The company did not reveal the type of malware that infected its systems, but experts speculate the attack was ransomware.
- Hardware chain Home Hardware, one of Canada’s largest dealer-owned hardware retailers, became a victim of the DarkSide ransomware group. Following the attack the cybercriminals posted a sample of corporate data and threatened to release more if the ransom was not paid.
- Attacks on education continued with an attack on the Technological University in Dublin, Ireland. The University commented that there was no indication that any data, including personal data, had been “exfiltrated, downloaded, copied or edited”.
- The National College of Ireland was next to report an attack on the same day. The attack resulted in the Dublin college suspending access to all its IT systems, including Moodle and the Library Service. The college has said that no ransom has been paid.
- The next attack on education occurred at Haverhill Public Schools in Massachusetts. Schools were forced to close after the computer systems were hit. The IT department noticed issues with the system and were able to shut down the network before “large scale corruption of the system occurred”.
- An attack on global wholesale distributor JBI shut down online systems, causing shipping delays and backlogged orders. JBI has 11 warehouses which were impacted by the attack. The attack is still being investigated, but JBI has said that no customer data has been impacted.
- The City of Lawrence in Massachusetts was hit by a major cyberattack that disabled its computer systems. Sources told an investigative reporter that the city was “arranging payment” to regain control of its systems after the attack, in which cybercriminals managed to take over control of the computers at the fire and police department as well as at City Hall.
- Leading French pharmaceutical company Pierre Fabre suffered an attack at the hands of the REvil ransomware gang. The organization said they were able to bring the attack under control within 24 hours after temporarily halting production. A screenshot of a Tor payment page showed a ransom demand of $25 million which later doubled to $50 million as there was no contact between the company and the attackers.
- The Regional Municipality of Durham became victims of the Clop ransomware gang following an attack on a third party software provider. The gang posted 6.5GB of data exfiltrated during the attack. Two of the documents posted were related to paramedic services and included patient names, addresses, dates of birth and healthcare numbers.
- Supermarkets in the Netherlands were left with empty shelves in the cheese aisle after logistics company Bakker Logistiek was hit by a ransomware attack. The company is one of the largest logistics services providers in the Netherlands. It’s not known who was behind the attack, but the company has said they believe threat actors gained access to their systems through the recently reported Microsoft Exchange vulnerabilities.
- The next attack caused poker machines at Tasmania’s two casinos to go offline. The owner Federal Group was forced to shut down gaming machines in the casino following the incident. The company confirmed the attack was ransomware but it’s not yet known who was behind it.
- The University of Portsmouth was forced to close its campus following a ‘technical disruption’ to its IT network believed to be a ransomware attack. An internal email seen by publisher The News said: ‘The university has experienced disruption to IT services due to a ransomware attack.’ The incident is being investigated and it’s not yet known who was behind the attack.
- Up next is the National Basketball Association (NBA). The organization suffered an attack by the hacking group known as Babuk. The criminal gang disclosed on their Dark Web page that they had exfiltrated a whopping 500 GB of the Houston Rockets’ data said to include critical non-disclosure agreements, contracts, and even financial info. The cybercriminals are threatening to publish the stolen data if the organization refuses to pay the ransom.
- The National Security Authority (NBÚ) in Slovakia registered a series of significant ransomware attacks on targets including those in public administration, telecommunications, energy and IT. Reports say hackers requested hundreds of thousands of Euros to restore the systems. The reported incidents included a serious third-degree cybersecurity incident under the Cyber Security Act – one with the potential to affect elements of the state’s critical infrastructure.
- The Dixie Group, a leading US manufacturer of luxury carpets and rugs, announced that they had detected a ransomware attack on some of its information technology systems. According to the press release the attack was contained and the company is working with cybersecurity experts and law enforcement to investigate the incident.
- The next attack was on Taiwan based Quanta Computer, a leading notebook manufacturer and one of Apple’s business partners. The company allegedly refused to communicate with the REvil ransomware gang who then proceeded to hold Apple to ransom for $50 million, threatening to release their blueprints if the ransom wasn’t paid. The hackers revealed they had managed to exfiltrate a lot of sensitive data from the network.
- In the next attack hackers targeted Japanese firm Hoya Corp with ransomware. The glassmaker who has 37,000 employees worldwide was allegedly targeted by the Astro Team gang who claim to have stolen around 300 gigabytes of confidential company data.
- Upstox, India’s second largest stockbroking firm, initiated password resets for millions of traders on its platform earlier this month after learning a huge data breach might have hit it. At the time it was not disclosed that they had suffered a ransomware attack; however, an independent internet security researcher told the press that Upstox data was for sale on the Dark Web and the ransom was $1.2 million. The exfiltrated data included names, emails, bank details and records of customer signatures.
- Mining technology company Gyrodata released a statement disclosing that they had been the victim of a ransomware attack that has possibly led to a data breach. Potentially compromised data includes names, addresses, dates of birth, Social Security numbers, passport details and more from past and current employees.
- The Metropolitan Police Department in Washington DC confirmed that they had been the victim of a cyberattack after the Babuk ransomware gang shared screenshots of data exfiltrated during the attack. The cybercriminals claimed to have stolen 250 GB of unencrypted files which are said to relate to information such as disciplinary records and files relating to gang members operating in DC. The Babuk gang warned on the data leak page that the police have 3 days to make contact or they will begin contacting gangs to warn them of police informants.
- An attack on Canadian company Professional Excavators and Construction started with some of the company’s printers playing up; a few weeks later everything froze. Unfortunately for the company this happened the day before they were planning to submit a bid for a large project. A spokesperson for the company commented that “the damage of not being able to get one of the biggest pursuits in our company’s history is obviously damaging, but to get back up and running has been brutal.”
- Santa Clara Valley Transportation Authority (VTA) were the victims of an attack that paralyzed the agency’s computer systems for days. VTA officials initially said they believed they had contained the attack but the Astro ransomware gang disclosed that they had exfiltrated 150 GBs of data that they would post publicly if the authority refused to cooperate.
- Australian healthcare provider UnitingCare Queensland released a statement saying that some of their digital and technology systems were inaccessible due to a cyberattack. Nine News further commented that the impact of the ransomware attack was much wider. The broadcaster reported that all operational systems, including internal staff email and booking of patient operations, were affected and staff were forced to resort to pen and paper. It’s not yet known who was behind the attack.
- Merseyrail, a UK rail network that provides train service throughout Liverpool was forced to confirm that they had been the victim of a cyberattack after the Lockbit ransomware gang used their internal email system to notify employees and journalists about the incident. The email with the subject “Lockbit Ransomware Attack and Data Theft,” appeared to come from the Director’s @merseyrail.org Office 365 email account.
- Aspire, a Glasgow based social care agency for the homeless was hit by a double extortion attack by the Conti ransomware gang. The cybercriminals published 100% of the stolen data on the Dark Web three weeks after the attack when payment had not been made.
- The Illinois Attorney General’s Office disclosed they had suffered a ransomware attack after the DoppelPaymer gang leaked a large collection of files when negotiations broke down and officials refused to pay the ransom demand. The files published on the Dark Web included personally identifiable information about state prisoners, their grievances, and cases.
- An attack on Brazil’s Rio Grande do Sul court system forced the courts to shut down their systems and encrypted employee files. The REvil gang was behind the attack and a $5,000,000 ransom demand.
- The Resort Municipality of Whistler, the local government of Canada’s highest-profile ski resort was hit by a ransomware attack that forced them to shut down their network, website, email, and phone systems. During the attack the Whistler.ca website displayed a message stating that the site was under construction and that visitors should contact support. The URL displayed by the attackers led visitors to a Dark Web chat site.
- The Presque Isle Police Department in Maine was hit with an attack by the Avaddon ransomware gang. The cybercriminals threatened to release confidential documents if the police failed to pay up. At time of writing the ransom time clock had run out and the hackers had not yet made their next move. The time clock has been replaced with a “coming soon” message.
May
In May we uncovered 22 ransomware attacks, up just one from May 2020. The most high-profile attack of the month goes to Colonial Pipeline. An attack on the largest fuel pipeline in the US made headlines worldwide and caused havoc throughout several states in the US as the outages caused a shortage of gas. Here’s a snapshot of what other attacks made headlines during the month.
- We begin the month in Switzerland, where cloud hosting provider Swiss Cloud was the first to report a ransomware attack. The firm did not reveal details about the incident, but they did disclose that they were working in 24-hour shifts, including weekends, to restore service. Payroll giant Sage, one of their most high-profile customers, was affected by the outages.
- Healthcare giant Scripps was next to report an attack. The San Diego based non-profit healthcare provider was forced to suspend user access to its online portal and switch to alternative methods for patient care operations while some critical care patients were redirected to other facilities following the attack.
- Volue Technology, a leading Norway-based technology supplier, was a victim of Ryuk ransomware. The firm took a different approach to disclosing the incident: they set up a webpage with information and updates relating to the attack. The telephone number and email address of their chief executive were also included, urging people to get in touch with him if they needed more information.
- The most high-profile attack of the month goes to Colonial Pipeline, the largest fuel pipeline in the US. An attack from the DarkSide ransomware gang caused havoc throughout several states in the US as the outages caused a shortage of gas. The company opted to pay a $5 million ransom so services could be resumed.
- The City of Tulsa in Oklahoma were forced to shut down their systems and online services following a ransomware attack. The incident did not disrupt emergency services but it did impact online billing for residents. The city has said that customer information had not been compromised in the attack.
- Yamabiko, a Tokyo based manufacturer of power tools and agricultural and industrial machinery was targeted by the Babuk ransomware gang. Although the company had not officially confirmed the attack, the Russian based cybercriminals released some of the exfiltrated data on their leak site. They claimed to have exfiltrated 0.5TB of data from the firm.
- Germany headquartered chemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang in order to receive a decryptor for their encrypted files and to prevent the threat actors from publicly leaking the exfiltrated data. The cybercriminals claimed to have stolen 150GB of data during the attack. A screenshot including some stolen data was shared on their leak site.
- The Health Service Executive in Ireland announced on Twitter that they had experienced a ‘significant’ ransomware attack which forced the shutdown of their systems as a precaution. All outpatient appointments were cancelled. The Conti gang set the ransom at $20 million in exchange for decrypting the data and deleting 700 GB of unencrypted files that they had exfiltrated during the attack.
- After insurance giant AXA announced that they would be dropping reimbursement for ransomware extortion payments for cyber-insurance policies in France, some of their locations in Asia including Thailand and Hong Kong were hit by ransomware. The Avaddon ransomware group claimed responsibility for the attack and revealed on their leak site that they had exfiltrated 3 TB of sensitive data from the company’s Asian operations.
- Visalia Unified School District in California revealed they had experienced a ransomware attack which knocked many of its district IT systems offline. A press release issued by the district did not specify if any student or teacher information was compromised during the attack.
- Waikato District Health Board in New Zealand suffered a ransomware attack which is thought to have started via a malicious email attachment. The attack downed computer and phone systems and forced staff to resort to pen and paper. Patient surgeries and outpatient appointments were also cancelled because of the incident.
- The Rockland Public School District in Massachusetts became the next education victim. A notice from the school said no student Chromebooks had been affected but laptop and desktop access for staff was not possible. It’s not known who was behind the attack.
- Texas-based homebuilder Betenbough scrambled to try and protect their clients after Russian hackers leaked personal information following an attack in which the criminal gang held the developer’s data to ransom. After hiring a cybersecurity expert to help deal with the incident, the company revealed that some sensitive client data had been posted on the Dark Web.
- Toyota made news next when they disclosed that they had been hit by two cyberattacks. The first hit its subsidiary Daihatsu Diesel Company; meanwhile, numerous Japanese media outlets reported that US subsidiary Auto Parts Manufacturing Mississippi had revealed a ransomware attack. Reports said that some financial and customer data had been exfiltrated and exposed, but the company had not paid a ransom and had not been disrupted.
- Insurance broker One Call in the UK was hit by the DarkSide gang, who allegedly set a ransom of £15 million in exchange for not leaking the firm’s data. The Doncaster-based firm has not yet revealed if any customer data was exfiltrated during the attack.
- Audio giant Bose Corporation disclosed a data breach following a ransomware attack that hit the company earlier this year. A company spokesperson said that the systems were recovered quickly, no ransom had been paid and that an investigation revealed a small number of affected parties who had been notified. The investigation also found that some employee data had been exfiltrated but had not been leaked on the Dark Web.
- Sierra College, a Northern California community college, was hit by ransomware which affected the college website and some other online systems, according to a statement posted by the college. The college is working with third-party cybersecurity forensics experts and law enforcement to investigate the incident.
- ParkMobile, a Tulsa, Oklahoma firm that manages the city’s downtown parking via its app, alerted users of a ransomware attack. The company disclosed that the incident was linked to a third-party software vendor. The attack was not related to the earlier attack on the City of Tulsa.
- Clover Park School District in Washington was the next victim in education. The hackers threatened to release the exfiltrated data unless a ransom was paid. A screenshot of the message, shared with local news, read: “Clover Park School District, you’ve been hacked. Pay or grief. Sensitive information will be shared to the public … There are (not) any third-party solution(s) which can help you. But you can damage your information”.
- The Azusa Police Department in Southern California became a victim of the DoppelPaymer criminal gang, who exfiltrated data and followed up with a ransom demand. Officials of the city of 48,000 residents decided to keep the attack a secret for 2.5 months before disclosing that data compromised in the attack “may have included” Social Security numbers, driver’s license numbers, medical information, financial account information and other records. The cybercriminals posted 7 GB of Azusa records on the Dark Web.
- The next reported attack of the month was on the world’s largest meat processing firm JBS Foods. The company was forced to shut down production at several global sites following a cyberattack. JBS USA issued a press release on May 31 confirming that the attack had impacted their North American and Australian IT systems. At time of writing the nature of the attack is still unknown while the investigation continues, but cybersecurity experts believe there is a high chance that ransomware was involved.
- The last attack for May hit backup appliance specialist Exagrid. The Conti cybercriminal gang were behind the attack which exfiltrated employee and customer data, confidential contracts and source code. A ransom of $2.6 million was paid to the criminal gang in exchange for the decryption key.
June
June saw an uptick in the frequency and severity of ransomware attacks across the world. Although there were no global headline-making attacks like the Colonial Pipeline attack of the previous month, attackers successfully crippled several high-profile organizations like Fujifilm, Grupo Fleury and ADATA. Here’s a summary of who made ransomware news during the month.
- Japanese multinational conglomerate Fujifilm partially shut down its Tokyo headquarters in response to a ransomware attack on June 2. The company does not know which ransomware group was responsible, but independent analysis suggested that REvil and Qbot may have been behind the attack.
- Ferry services in Martha’s Vineyard, Cape Cod, and Nantucket were disrupted by a ransomware attack on June 2. The Regional Steamship Authority managed to avoid cancelling ferries, but passengers suffered significant delays.
- Two University of Florida Health hospitals noticed unusual activity in the first few days of June. Hospital IT staff responded by shutting down part of the hospital network, restoring its systems using backups, and requiring staff to resort to pen and paper. Hospital representatives did not immediately confirm the ransomware incident, but later reports indicate that the attack continues to negatively impact patient care.
- British retailer Furniture Village confirmed it was the next victim of a ransomware attack. As the largest independent furniture retailer in the UK, the cyberattack created significant delays for customers. The company shut down the affected systems to restrict the scope of the attack and claimed there was no indication that personal data had been lost or compromised.
- St. Clair County’s municipal government reported it was targeted by a ransomware attack in early June. County IT administrators first noticed the breach on May 28 and identified the cybercrime group behind the attack as Grief. The group allegedly stole 2.5 gigabytes of sensitive data.
- Cox Media Group, a large US media conglomerate with 54 radio stations and 33 live TV stations, reported suffering a ransomware attack that interrupted some of its media channels and caused some of its live broadcasts to be suspended. Investigators have not yet identified the group behind the attack.
- iConstituent, a technology vendor used by the US Congress was unavailable for several weeks as a result of a ransomware incident. The attack resulted in almost 60 House member offices being unable to access constituent data through the platform.
- Cybercriminals targeted a pipeline firm called LineStar Integrity Services leaking 70 gigabytes of data to the Dark Web, including sensitive employee data and Social Security cards. The attack itself did not cause infrastructural disruptions like last month’s Colonial Pipeline attack did, but the release of sensitive employee data could easily contribute to future attacks.
- ADATA, the Taiwan-based computer memory and storage component manufacturer, was forced to take its networks offline following a ransomware attack. The Ragnar Locker group claimed responsibility and threatened to release 1.5 terabytes of exfiltrated confidential data if the ransom was not paid.
- The Skinner’s Kent Academy and Skinner’s Kent Primary School in the UK reported that ransomware attacks were behind recent school closures. On June 10th, the South England trust that runs these two schools reported that cybercriminals had exfiltrated student data, medical records, and human resources files from the school’s on-premises servers.
- Food service supplier Edward Don was forced to shut down parts of its company network to protect itself from a cyberattack. The company did not release any information about the nature of the attack, but employees were forced to temporarily move to newly created Gmail accounts to communicate with customers. The attack is likely to cause supply chain disruptions for hospitals, restaurants, hotels, and bars.
- Cybercrime organization REvil claimed responsibility for attacking Sol Oriens, a US government contractor that manages nuclear weapons programs for the National Nuclear Security Administration. The organization claimed there was no indication that classified data was compromised during the attack.
- Solar and wind developer Invenergy reported an attack that included the disclosure of personal data connected to its chief executive officer Michael Polsky. REvil claimed responsibility and said that it had exfiltrated 4 terabytes of sensitive data, including projects and contracts, as well as the terms of non-disclosure agreements.
- The Town of Freeport reported that its computer network was shut down as a result of a cyberattack. The town was told to pay $10,000 in cryptocurrency to Avaddon, the criminal gang that claimed responsibility for the attack. According to the municipal administration, Freeport did not pay the ransom and experienced no data breach. The town’s manager maintains that its swift actions contained the attack which led only to partial losses.
- Des Moines Community College shut down its online instruction system as a result of a ransomware attack. Within two weeks the community was able to return to online classes with help from a third-party cybersecurity forensics provider. Administrators did not disclose whether or not a ransom had been paid.
- The Humber River Hospital in Toronto reported it had been struck by a ransomware attack. Upon discovering the attack the hospital’s IT team immediately began restarting and patching its computer systems manually. Patient records and other essential services had to be shut down to mitigate the impact but the hospital’s surgeries and ER departments continued to function.
- Judson Independent School District in San Antonio suffered a ransomware attack that crippled its summer programs. School staff did not have access to district email or phones, and officials did not specify when they expected systems to be restored. Nevertheless, the school continued to carry out its summer programs, replacing digital test-taking tools with pencil and paper for the time being.
- A fertility clinic in Georgia notified 38,000 patients that their medical data may have been leaked in a ransomware attack that took place on June 22nd. Reproductive Biology Associates reported that leaked data included patient names, addresses, social security numbers, lab results, and more. Officials did not confirm whether the clinic had paid a ransom, but they did confirm that clinic administrators had managed to regain access to their files.
- Mountain Regional, a water district provider in Summit County reported that some of its hardware had been encrypted by cybercriminals. Officials claimed that the attack had not compromised public health or safety and declared that the criminal gang did not access private customer data. Water District administrators have confirmed that they did not pay the ransom.
- All six Lucky Star casino resorts in Oklahoma closed on June 22, 2021 after reporting a major ransomware attack. Owned and operated by the Cheyenne and Arapaho Tribes, Lucky Star runs casinos in Concho, Clinton, Canton, and Watonga, as well as two smaller gaming parlours in Hammon and Concho.
- The City of Liège in Belgium suffered a disruption of its municipal IT systems following a cyberattack. City IT staff shut down the local government’s network to prevent the malware from spreading, while employees were instructed not to turn on the computers in their offices. The Ryuk ransomware gang was most likely behind the attack.
- Grupo Fleury, one of the largest medical diagnostics providers in Brazil notified visitors to their website that a cyberattack had disrupted its IT systems. The organization did not comment on the cyberattack, but independent cybersecurity sources have confirmed that the REvil gang were behind it. Officials have not mentioned whether patient data had been compromised.
- St. Joseph’s/Candler Hospital in Georgia reported that they had been a victim of ransomware. Local officials claimed that prior preparation and redundancy had given them a robust system for resisting cyberattacks and mitigating the impact, but they did have concerns about the possible exfiltration of patient data during the incident.
- A Kentucky municipal zoning agency called Planning and Development Services of Kenton County reported that hackers encrypted its computer systems and demanded a $400,000 ransom. The government agency did not disclose how many files were encrypted, but officials have stated that the agency did not pay the ransom. The agency managed to recover some of its data through cloud and hardcopy backups but they did not elaborate on how much data was missing.
- An attack on Iowa-based Wolfe Eye Clinic resulted in the theft of data belonging to 500,000 patients. While the cyberattack occurred earlier in the year, the complexity of the incident meant it wasn’t fully determined and disclosed until late June.
- The Salvation Army was next to find themselves victim of a ransomware attack. The UK arm of the religious charitable organization confirmed they were investigating ‘an IT incident’ but have declined to give further information, such as the identity of the criminal attackers or the volume and type of data accessed by them. At time of writing data has yet to emerge on any known ransomware gang leak sites. The Conti gang has been suspected to be behind the attack but this hasn’t been confirmed.
July
July racked up 29 ransomware attacks, up from just 12 reported in the same month last year. The REvil gang was particularly busy with their attack on Kaseya which resulted in a 70 million USD ransom. The incident affected up to 1500 organizations including a large chain of supermarkets in Sweden, an animal hospital in Maine and a school district in Tennessee. In an interesting turn of events the Babuk gang became victims of ransomware at the hands of an unknown group who took control of their Dark Web forum and demanded a $5000 ransom which they refused to pay. Here’s a snapshot of what else we uncovered during the month.
- We start the month with a massive supply chain attack on US software company Kaseya. The REvil gang caused havoc globally when they launched the attack over the 4th of July weekend. Multiple managed service providers (MSPs) were impacted as well as over 1500 end customers. REvil demanded a whopping $70 million USD ransom.
- REvil struck the University Medical Center of Southern Nevada next. Although the medical center took quick action to contain the threat, it seems patient data was still exfiltrated. UMC said it was working with the Las Vegas Metropolitan Police Department, the FBI, and third-party cybersecurity experts to determine the exact origin and scope of the breach.
- Up next is another large attack at the hands of the REvil gang. This time it’s Coop, a chain of supermarkets in Sweden. The supermarket confirmed they were forced to close over half of their 800 stores due to a colossal cyberattack. The attack was a result of the Kaseya attack a few days prior. Although Coop doesn’t use Kaseya directly on its systems, it appears one of their software providers does. This incident highlights the growing concern around supply chain attacks, where bad actors can extort multiple victims by attacking their supplier.
- In at number four is 4 New Square Chambers, a Barristers Chamber in the UK who took an interesting approach to their recent ransomware attack. They responded by getting a court order demanding that the cybercriminals did not share any stolen data. The firm obtained a privacy injunction from the High Court at the end of June against “person or persons unknown” who were “blackmailing” the firm. An interesting and strange approach to negotiating with hackers but unlikely to keep the exfiltrated data safe from exposure.
- Up next is another supply chain attack, this time on technology distributor SYNNEX. The California based firm admitted that its systems and Microsoft accounts had been attacked after the National Committee of the US Republican Party (RNC) named it as the source of their recent security incident. Cozy Bear is thought to be behind the attack.
- REvil strikes again, this time in Maryland, USA. Just after lunch on the Friday before the July 4th weekend the town administrator for Leonardtown Maryland received a pop up message on her computer which froze before she even had the chance to read it entirely. It was apparent later that day that the town had been a victim of the Kaseya ransomware attack which reached Leonardtown through its IT management company, JustTech. The ransom demand was $45,000 per computer.
- Wiregrass Electric Cooperative in Alabama was hit by a ransomware attack which left customers without access to their account information. The cooperative later announced that no data was compromised during the attack, but member account information and payment statements were taken offline as a precaution. The cooperative did not release any information about the source of the attack.
- Swiss online consumer outlet Comparis filed a criminal complaint over a ransomware attack that affected some of their systems. Comparis, which is a consumer comparison online service did not pay a ransom or comment on whether the incident was linked to the Kaseya attack.
- American fashion brand and retailer Guess admitted to an earlier ransomware attack after it led to a customer data breach. The investigation determined that personal information may have been accessed or acquired by an unauthorized actor. The Darkside ransomware gang claimed the attack on their data leak site and noted that they had exfiltrated 200 GBs of data from the retailer. Guess directly operates over 1000 retail stores in the Americas, Europe, and Asia, and had an additional 539 stores through partners worldwide.
- The next incident was reported in eastern Germany, where the computer systems of the municipality of Anhalt-Bitterfeld were paralyzed by a ransomware attack described by the federal cybersecurity watchdog as the country’s first-ever “cyber-catastrophe.” The municipality did not comment on the identity of the attacker or whether or not there had been a ransom demand, citing a police investigation.
- Pennsylvania-based Famous Smoke Shop was forced to shut down its website, retail store and cigar lounge due to a ransomware attack. The CEO reported the incident on July 12th and announced that they had been one of the 1500 victims impacted by the holiday weekend attack on Kaseya. He stated that they refused to pay the ransom but hoped the business would be up and running soon, as without the data they couldn’t make any sales. Thousands of customers were impacted.
- The next victim from the Kaseya attack was Morgan County Schools in Tennessee, USA. The school confirmed at a board meeting that the hack had occurred on Friday July 2nd and was contained to some of their office computers. The REvil group demanded that school officials pay a ransom to release the files. It’s not yet known how much the ransom demand was or if any student or staff data was compromised during the attack.
- An attack on York Animal Hospital in Maine managed to wipe all patient records from the last four years. The practice’s computers locked up, and the screen on one carried a ransom note demanding $80,000 in Bitcoin for files to be restored; the practice refused to pay. The REvil gang was behind the attack.
- Cloudstar, a Florida based company that provides technology for hundreds of title companies and lenders was hit by a ‘highly-sophisticated’ ransomware attack. Cloudstar operates five data centers throughout the US and provides around-the-clock support to title professionals in the real estate, finance and insurance sector. The attack prevented transactions in the title industry causing havoc in the real estate and lending sector.
- Newhall School District in California was shocked to find itself a victim of ransomware when staff connecting to the school district’s server were met with a mysterious pop-up message saying they would not be able to log in. A few minutes later it was revealed that all 10 schools in the district, representing around 6,000 children, had been hit with a ransomware attack, and all teachers were instructed to log off immediately. Luckily the district had purchased cyber insurance, but district officials would not say if a ransom was paid.
- Virginia Tech confirmed they had been targeted in two recent cyberattacks but don’t believe any data was stolen. Although a few of the university systems used Kaseya, a spokesperson commented that the malware the hackers pushed out to Kaseya customers could have exposed student data, but they had not found any evidence that data loss had occurred. An earlier attack took place in May, but it’s not believed any data was exfiltrated. The university did not pay a ransom for either attack.
- The next attack took place in Ecuador, where state-run Corporación Nacional de Telecomunicación (CNT) became a victim of RansomEXX ransomware. The attack disrupted business operations, the payment portal and customer support. CNT is Ecuador’s state-run telecommunication carrier and offers landline and mobile phone services, satellite TV, and internet connectivity.
- Campbell Conroy & O’Neil, P.C. (Campbell), a US law firm which counts dozens of Fortune and Global 500 companies as clients, recently disclosed that an earlier ransomware attack had resulted in a data breach. The firm’s current and past clients include companies such as Apple, Mercedes Benz, British Airways and Marriott, to name a few. Campbell didn’t reveal the identity of the ransomware gang behind the attack or whether any data had been exfiltrated.
- Shriro Holdings, an Australian distributor of white goods and consumer electronics, issued a letter to shareholders to notify them that bad actors had gained “unauthorized access to its operating systems”. The company is working with a cyber forensics firm to establish the extent of the attack.
- The Washoe Tribe of Nevada and California was reportedly the victim of a ransomware attack earlier in the year. According to information received by news outlet The Record-Courier, the tribe found that several of its servers were encrypted in April; they were able to recover most of their data, so they decided not to pay the ransom. On May 5th the tribe discovered that their data had been posted on the Dark Web.
- Northern Rail in the UK, a government-run transportation network, had its new self-service ticket machines targeted by a ransomware attack. The attack occurred just two months after 621 of the touch-screen units were installed at 420 stations across the north of England at a cost of £17 million. The company stated it had taken “swift action” along with its supplier, Flowbird, and that no customer or payment data was compromised.
- The City of Geneva in Ohio was hit by a new strain of ransomware known as AvosLocker. The small city disclosed the incident after data exfiltrated in the attack appeared on the bad actors’ leak site. AvosLocker is a new gang which has hit relatively small targets to date. Officials have not disclosed whether or not they received a ransom demand; however, the gang threatened to release all stolen data on its Dark Web leak site, including items such as court records and tax returns containing social security numbers.
- Officials from Sunset Beach, a seaside town in North Carolina, disclosed that they had been hit by a series of ransomware attacks over a six-week period. The revelation came out during a town council meeting when the Planning Director was questioned about the progress of a floodplain project. The official’s response was “all my floodplain permits … were part of that hacking.” The town was able to recover most of its documents thanks to a backup system in use.
- Florida Heart Associates shared that they had been a victim of ransomware in May this year. Ultimately they made the decision not to pay and were successful in regaining control, but not before the cybercriminals took down their phone lines and essentially destroyed their entire system. The organization shared with media that they had lost staff as a result of the attack and had only just got their phones back online. The clinic is operating at 50% but hopes to be back to normal soon.
- A ransomware attack on New York-based Emma Willard School resulted in the theft of employee social security numbers and financial information. Officials at the private high school for girls stated that they aren’t sure how much data was stolen in the attack. School officials haven’t provided details on how the school handled the attack, but they did say they took immediate steps; unfortunately, some data was illegally removed from their systems.
- The next attack must have come as a surprise for the Babuk ransomware gang, as it was a case of hacking the hackers. The group’s latest endeavour, a Dark Web ransomware forum called RAMP, was flooded with pornography during an attack. The unknown party behind the attack demanded $5,000, which Babuk refused to pay. Babuk managed to wipe the images, but the attackers quickly uploaded them again. With ransomware actors now turning on each other, ransomware news could get a lot more interesting!
- South African port operator Transnet was forced to halt operations after a ransomware attack crippled its IT systems. The attack hit the entire state-run Transnet Group, which has almost 56,000 employees. The importing of goods by sea container into South Africa was halted, and reports stated that ships were bypassing South African ports and heading to neighbouring countries instead.
- Canadian entertainment technology provider D-Box shared that they were recovering from a ransomware attack that partially paralyzed many of its IT systems earlier in the month. The company worked with experts to determine that the attack was limited to their internal systems only.
- The City of Grass Valley in Nevada discovered that bad actors had been able to access its information systems. The unknown gang behind the attack disclosed that they had exfiltrated data which they planned to publish if a ransom wasn’t paid. The City decided to pay the ransom to prevent the data from being exposed; the ransom payment was covered by its insurer. The city is working to identify what data was stolen and who was affected.
August
In August we uncovered 21 reported ransomware attacks, with government and healthcare being the most targeted sectors during the month. The first healthcare incident took place in Italy, where the Italian vaccination registration system was taken offline by RansomEXX, while US-based Eskenazi Health and Memorial Health System were forced to divert ambulances and cancel procedures due to ransomware attacks. Here’s a summary of what we uncovered during the month.
- The first reported incident of the month took place in Italy, where the Italian vaccination registration system was taken offline by the RansomEXX gang. The attack on Italy’s Lazio region rendered every file in the system inaccessible and meant that residents of the region, which includes Rome, were unable to book Covid-19 vaccinations.
- Venture capital firm Advanced Technology Ventures made headlines after a ransomware attack resulted in the theft of personal information relating to its investors. It’s estimated that 300 investors were impacted by the attack, which was disclosed in a letter sent to the Maine Attorney General’s Office. Data exfiltrated during the attack included names, email addresses, phone numbers and Social Security Numbers of individual investors in company funds.
- The Isle of Wight Education Federation in the UK was next to disclose that its IT systems were impacted by a ransomware attack which affected six schools. The ransomware attack encrypted the schools’ data and left staff with no access to the network.
- Italian energy group ERG reported minor impact on its organization following an attack from the LockBit 2.0 gang. The company shared updates on social media which confirmed the rumours around the attack, saying that “they had experienced only a few minor disruptions to ICT infrastructure which were quickly being overcome due to the prompt deployment of its internal cybersecurity procedures.”
- Eskenazi Health in Indiana was forced to divert ambulances following a ransomware attack. The hospital shared that it had shut down the network out of “an abundance of caution and to maintain the safety and integrity of our patient care”. It’s not yet known who was behind the attack.
- Up next is the City of Joplin in Missouri whose insurer paid an unknown criminal gang $320,000 to prevent data from being shared following a ransomware attack. A forensics investigation is ongoing to determine the type of data accessed.
- Another Italian attack, this time on luxury fashion house Ermenegildo Zegna. The company, which is the largest menswear brand in the world by revenue, operates 480 retail stores. The RansomEXX criminal gang claimed the attack and admitted to exfiltrating 20.74GB of data from the company.
- The next victim for RansomEXX was Taiwanese PC manufacturer Gigabyte. Sources told news outlet Bleeping Computer that the gang had stolen 12GB of sensitive internal data as well as info from a code repository during the attack. The company is working with law enforcement and has not commented on whether or not they would pay the ransom.
- Up next is Ireland-headquartered global IT consultancy giant Accenture, which became a victim of the LockBit ransomware gang. The cybercriminal gang claimed to have stolen 6TB of files and demanded a $50 million ransom.
- The Department of Environmental Protection in Maine issued a warning to municipalities to be on alert following two ransomware intrusions that occurred in the Aroostook County town of Limestone and the town of Mount Desert on Mount Desert Island. A spokesperson said both attacks were fairly minor and there was no health and safety threat to the public.
- An attack on Memorial Health System saw dozens of hospitals and clinics in West Virginia and Ohio cancelling surgeries and diverting ambulances following a ransomware attack. Staff access to IT systems was affected across virtually all operations at the health system which represents 64 clinics.
- Twin Falls, Idaho experienced service disruptions impacting most of its departments for a two-week period following a ransomware attack; thankfully, emergency services ran on a different system and were not affected. A forensics specialist was brought in to investigate.
- The Ministry of Economy of the Government of Brazil announced that the internal network of the National Treasury was hit by a ransomware attack. Multiple government agencies and security specialists were brought in to investigate the incident which is said to have impacted the internal network.
- Forviva Group, a UK-based social housing group, confirmed that data had been stolen from ForHousing and Liberty, two organizations within the group. They confirmed that no tenant or staff data from ForHousing’s systems had been accessed during the ransomware attack, but ‘a small amount’ of data from Liberty had been compromised.
- Tokio Marine Insurance Singapore, a subsidiary of Tokio Marine Group, released a statement confirming a ransomware cyberattack. In the statement they shared that they had contained the attack and that there was no indication of a breach of customer or confidential information. A third party has been brought in to investigate.
- Nokia subsidiary SAC Wireless was a victim of the Conti ransomware gang who were able to successfully breach its network, exfiltrate data and encrypt the company’s systems. Personal information relating to past and current employees was compromised. The gang claimed to have stolen 250GB of files.
- Next to make headlines was Bangkok Air, Thailand’s third largest airline. The company issued a press release confirming the attack after the LockBit gang posted a message on the Dark Web threatening to release stolen data if the ransom wasn’t paid. The hackers claimed to have stolen over 200GB of data. The airline was not interested in negotiating with the criminal gang.
- A ransomware attack at Eye & Retina Surgeons (ERS) in Singapore has potentially exposed the personal data of more than 73,000 patients. Following the attack the Singapore government instructed ERS to work with the country’s federal cybersecurity agency to implement stronger defences against future attacks.
- The Sault Ste. Marie Police in Ontario, Canada became a victim of ransomware in the third week of August. Following the attack they issued a statement saying that neither its 911 service nor its online reporting for less urgent crimes had been impacted. At the time of writing, email remained unavailable and the organization had not confirmed whether police dispatch or record systems had been impacted.
- The City of Rolle, located near Lake Geneva in Switzerland, initially downplayed the impact of a ransomware attack that it described as a ‘weak attack’. Soon after, however, the criminal gang known as Vice Society posted a large number of confidential documents to the Dark Web. The city then issued a press release saying it regretted underestimating the seriousness of the attack. The city did not pay the attackers.
- Indiana-based CarePointe ENT, an ear, nose, throat, sinus and hearing center, suffered a ransomware attack that may have exposed the personal health data of nearly 50,000 patients. The ransomware attack encrypted the electronic health data, which may have included information such as name, address, date of birth, social security number, etc. The organization released a statement to patients saying it believed the attackers wanted money and not their data, but that patients should be aware their information was encrypted by the attackers.
September
September had a slow start with the bulk of what we uncovered being reported in the latter half of the month. For the first time this year the total reported number was lower than that of 2020, however, given the trends this year it’s likely that many of the incidents have yet to be disclosed publicly. We tracked 24 incidents including the Department of Justice in South Africa, two major U.S. farming cooperatives, and multinational electronics giant JVCKenwood. Here’s a summary of what we uncovered.
- Almost 9 months after the Accellion data breach, Beaumont Health in Michigan joined the list of healthcare organizations impacted by the cyberattack. The health system recently notified around 1500 patients that their data may have been compromised in the attack.
- Jipmer, the Jawaharlal Institute of Postgraduate Medical Education & Research in India was forced to suspend patient tele-consultations following a ransomware attack. All computer systems at the facility were taken offline as a result.
- Howard University in Washington DC was the first school to report an attack this month. The incident was discovered just weeks after students returned to campus and as a result classes were cancelled. Ransom details remain unknown but the university has said that there was no evidence so far to suggest that any personal data of its 9500 undergraduate and graduate students had been accessed or exfiltrated.
- Japan-based camera and binocular manufacturer Olympus released an official statement to confirm that it had been attacked by the BlackMatter ransomware gang and that its computer systems in Europe, the Middle East and Africa had been impacted. The internal forensics team was able to contain the malware spread by shutting down the infected computers.
- The Justice Department in South Africa made global news when it was disclosed they had become a victim of ransomware. The incident left all of the department’s information systems encrypted and unavailable according to a statement shared by WhatsApp. “All electronic services provided by the department are affected,” it said.
- Desert Well Family Medicine in Arizona reported that 35,000 patients were impacted by a breach involving a hack of the network. The organization did not disclose any information relating to a ransom demand or negotiations but the incident was reported as a ransomware attack.
- The Hive ransomware gang shared patient data from Missouri Delta Medical Center, which opted to stay silent about the loss of patient data following a ransomware attack. Screenshots of the data dump have been published, but the organization has not confirmed or denied the attack. The criminal gang’s website was updated with the following statement: ‘MDMC Decided not to protect privacy of their patients or employees. By their greed for money, patients will suffer. There is still time – 4 days until all patient info is dumped.’
- US technology giant TTEC disclosed it had been impacted by a ‘cybersecurity incident’, confirming to employees that it was indeed ransomware. The company, which has almost 61,000 employees and billions in annual revenue, alerted staff not to click on a link titled “!RA!G!N!A!R!”. In a statement to news outlet ZDNet, a spokesperson would not confirm that it was ransomware but did confirm that some of the company’s data had been encrypted and business systems had been impacted.
- NEW Cooperative, a farmers’ feed and grain cooperative in the US, suffered a BlackMatter ransomware attack resulting in a $5.9 million ransom demand, which would increase to $11.8 million if the ransom wasn’t paid within five days. The cybercriminals claimed to have exfiltrated 1,000 GB of data which included source code, R&D results, sensitive employee information, financial documents, etc.
- Marketron, a business software solutions company that provides cloud-based revenue and traffic management tools for broadcast and media organizations, became the victim of the BlackMatter gang. Marketron customers learned of the incident in an email from the company CEO, who said that “the Russian criminal organization BlackMatter” was responsible for the attack. He also said the company was communicating with the hackers and the FBI was also involved.
- Web hosting service company Exabytes was next to disclose it had been impacted by a ransomware attack. The Malaysia-based company claimed to have most of its systems restored shortly after the attack. Tech portal Amanz reported that the company had tweeted that the attackers were demanding US$900,000 (RM3.77mil) as ransom in cryptocurrency, but the tweet was later deleted.
- India’s Tamil Nadu government’s public department discovered their files had been locked following a ransomware attack. When officials tried to access them a message appeared requesting money in exchange for each file. The organization disclosed that no security data had been compromised.
- The next agricultural cooperative to become a victim was Crystal Valley Cooperative in Minnesota. In a Facebook post the company confirmed they had been hit by ransomware. All computer and phone systems were shut down as a result of the attack which was thought to be carried out by BlackMatter.
- Another suspected BlackMatter attack, this time it was publicly traded real estate investment firm Marcus & Millichap. The firm revealed in an 8-K filing with the SEC that it “had been subject to a cybersecurity attack on its information technology systems.” They said there had been no evidence of a data breach and did not identify the attack as ransomware. However, a ransom note was discovered by media outlet LeMagIT suggesting a connection between the data sample and Marcus & Millichap. The BlackMatter ransomware note claimed that 500 GB of data had been stolen.
- Payroll company Giant Group was next to be hacked in a suspected ransomware attack. The company admitted that its computer systems, which pay thousands of umbrella company contractors each week, had been hacked and all systems were offline due to “suspicious activity”. The incident is under investigation, and the company noted it was following protocols which meant it could not communicate with customers as openly as it would like.
- A ransomware attack on Coos County Family Health Services in New Hampshire caused an IT outage and forced some of its clinics to shut down. The CEO said the attacks affected all of its systems, such as phone, computer and email. The organization has reopened all of its clinics but its IT systems are still experiencing outages.
- California-based United Health Centers was hit by a ransomware attack which reportedly disrupted all of its locations and resulted in the theft of patient data. Media outlet BleepingComputer was told by a source that the organization was reeling from an attack at the hands of cybercriminal gang Vice Society. BleepingComputer reached out to UHC multiple times but did not receive a response to any requests to confirm the attack. The criminal gang later leaked files allegedly stolen from the health center.
- Debt-IN Consultants, a debt recovery firm in South Africa confirmed they had been a victim of a serious cyberattack resulting in a data breach affecting more than 1.4 million people. The attack which occurred in April of this year only came to light late this month with the discovery that confidential consumer data and voice recordings of calls between Debt-IN debt recovery agents and financial services customers had been posted on “hidden internet sites” that are only accessible by a “specialized” web browser.
- Stonington School District in Connecticut is working with the FBI following a ransomware attack which took the entire district’s systems offline. Officials have said that the nature and origin of the attack and whether information was compromised are still being investigated, and families would be updated when more information is available.
- Hawaii Payroll Services disclosed that it suffered an attack affecting 4,500 customers. Earlier this year the company discovered that its servers and databases had been breached by unauthorized users. The company believes the attack was carried out by a criminal gang who somehow compromised a client’s account.
- Lufkin ISD in Texas was the next school to make ransomware headlines. The school communicated via social media that the systems were down following an attack that was detected by their cybersecurity systems but they still needed to ensure no data had been compromised.
- An attack on French company TiteLive, which provides software for book stores, affected 130 Dutch bookstores that had their systems shut down. It’s not yet known who was behind the attack or what the ransom demand was.
- Philadelphia based mental health provider Horizon House just disclosed that almost 28,000 people may have been impacted by a ransomware attack that occurred earlier in the year. In a security notice the organization revealed that data had been exfiltrated during the attack. The unknown criminal gang accessed personal data including names, addresses, Social Security numbers, driver’s license numbers, dates of birth, financial account information, medical claim information, etc.
- The last reported incident of the month goes to multinational electronics company JVCKenwood. The Conti ransomware gang claim to have stolen 1.7 TB of data and are demanding a $7 million ransom! The company disclosed that servers belonging to its sales companies in Europe were breached and threat actors may have accessed data during the attack.
October
In October we recorded 24 reported ransomware incidents, down from 40 in October 2020. This month saw new entries from criminal gangs Everest and Desorden and some notable attacks including Graff Diamonds in the UK. An attack on the Ferrara Candy Co. threatened supplies of Halloween staples such as candy corn, while multi-billion dollar dairy foods company Schreiber also had their production knocked offline following an attack. Here’s a look into what else we uncovered during the month.
- We begin the month with industry publication giant Sandhills Global, which was hit by the Marketo criminal gang. The US-based trade publication and hosting company, which caters to the transportation, agriculture, aircraft, heavy machinery, and technology industries, suffered disruption to its business operations when all of its hosted publications went offline and its phones stopped working. Sources have said Conti was behind the attack.
- Washington Adventist University, a private college in Maryland, was next to report an incident via an official statement in which school officials said that a ransomware incident was discovered by its IT department and Wi-Fi and internet access would not be available to students on campus until further notice. The incident was being investigated by the Montgomery County Cyber Taskforce and the FBI. The gang responsible and the ransom demand have not yet been confirmed.
- Indiana-based Johnson Memorial Health suffered a ransomware attack that disabled its computer network. A press release confirmed that the health system was working with the FBI and cybersecurity experts to restore its computer operations.
- Hong Kong marketing firm Fimmick was hit by the REvil gang. The criminal gang breached Fimmick’s databases and claimed to have data from a number of global brands including Cetaphil, Coca-Cola and Kate Spade. The companies were listed in screenshots showing the criminal gang’s threatening posts toward the company as evidence of data stolen during the attack.
- Engineering and mining firm Weir Group released a statement confirming it had been the target of a “sophisticated” ransomware attack which forced them to bring an earnings call forward. The Glasgow based company confirmed that their forensic investigation was ongoing and that there was no evidence that any personal or other sensitive data has been exfiltrated or encrypted at this time.
- Pacific City Bank (PCB), one of the largest Korean-American community banking service providers in the US disclosed a ransomware incident that took place at the end of August. An internal investigation revealed that the criminal gang had accessed information including loan application, tax returns, payroll information, social security details, etc. Pacific City Bank did not reveal the name of the ransomware group behind the attack but AvosLocker claimed the attack on their data leak site.
- Around 350,000 patients were notified that their data had been potentially accessed or acquired during a ransomware attack on ReproSource Fertility Diagnostics, a subsidiary of Quest Diagnostics. An investigation into the incident is ongoing, but officials have determined the impacted data which varied by patient could include names, dates of birth, test reports, medical histories, and health insurance details.
- The next reported attack was on Pennsylvania-based newspaper publisher Lancaster Online. An unknown criminal gang demanded that the news organization pay an undisclosed amount of money to unlock files critical to the printing of its daily and weekly publications.
- Ecuador’s largest private bank Banco Pichincha was the next organization to be impacted by ransomware. Although not yet confirmed, it’s thought that the Horatus gang was behind the attack which disrupted operations and took the ATM and online banking portal offline.
- An attack on DeKalb County caused havoc when servers became inaccessible and the functionality of County operations was impacted. According to reports from DeKalb County administration, it did not appear that any of the county files had been compromised.
- Hillel Yaffe Medical Center in Israel suffered a ransomware attack which forced the hospital to use alternate systems while treating patients, and resort back to pen and paper. The incident was reported to the ministry and National Cyber Directorate and other hospitals were informed about the incident as a preventive measure.
- In the next incident it was reported that government officials in Pottawatomie County, Kansas had paid hackers a reduced ransom after an attack crippled their IT systems for two weeks. In a news release, the county administrator revealed that the ransom was reduced by more than 90 percent from the original demand, “an almost unheard-of outcome, every saved dollar of which is taxpayer revenue the county keeps to serve our citizens.”
- The Sinclair Broadcast Group was next to confirm a ransomware attack. TV stations owned by the group were down across the US following the incident. Its operations include 185 television stations affiliated with channels including Fox, ABC, CBS and NBC. The broadcast giant confirmed that data had been stolen during the attack.
- Los Angeles-based Barlow Respiratory Hospital became a victim of criminal gang Vice Society. The hackers launched a ransomware attack and demanded payment from the hospital according to a news release. At time of writing the hospital had not confirmed if a ransom had been paid.
- Ferrara Candy Co., a major candy and food company whose treats include Halloween staples like candy corn became a victim of a ransomware attack that temporarily froze its production systems. The company is working to resolve the issue but confirmed that Halloween supplies had luckily shipped before the incident so shortages weren’t expected.
- The Italian data protection authority Garante per la Protezione dei Dati Personali (GPDP) announced that they were investigating whether hackers stole the personal data of registered members and employees of SIAE during a ransomware attack. The Everest ransomware gang leaked 60 GB of stolen data which included national ID and driver’s license scans as well as documents relevant to contract agreements between SIAE and its members.
- A ransomware attack on Janesville School District left students and staff unable to log in to some of the district’s online programs. In a Facebook post the school shared that the IT department had detected issues with its network and spotted code that appeared to be ransomware. District officials assured families and staff that no data was accessed and none of it had been destroyed.
- Up next is the National Rifle Association (NRA). The Grief ransomware gang claimed that they had attacked the organization and released exfiltrated data as proof. The criminal gang added the NRA as a new victim on their data leak site with screenshots of Excel spreadsheets containing US tax information and investment amounts. The NRA has not confirmed the incident; instead, it published a statement saying it does not comment on the physical or electronic security of the organization.
- Multi-billion dollar US dairy company Schreiber Foods was the next company to make ransomware headlines. News outlet the Wisconsin State Farmer reported that the criminal gang demanded $2.5 million; however, the company did not confirm whether or not it had paid a ransom when asked, saying only “we don’t want to get into specifics.”
- Washington Central Unified Union School District disclosed in a letter to families that its information systems had been compromised as a result of a suspected, but unconfirmed ransomware attack. At time of writing investigations were in the early stages.
- Thailand-based luxury hotel chain Centara Hotels said in a statement that it was “made aware” of a cyberattack on the hotel chain’s network. An investigation confirmed that the Desorden criminal gang had breached its system and accessed customer data including names, bookings, phone numbers, email addresses, home addresses and photos of IDs. Operators connected to Desorden said they were negotiating a ransom payment of $900,000, but the company backed out of the deal on Tuesday. The group is now threatening to leak the information.
- Papua New Guinea’s government pay system, which manages access to hundreds of millions of dollars in foreign aid money, was disabled by hackers demanding a ransom payment from PNG. Service has since been restored and officials have said no ransom was paid.
- The next reported attack at the hands of the Conti criminal gang was celebrity favorite Graff Diamonds. The Russian hackers have already leaked 69,000 confidential documents on the dark web, including files relating to Donald Trump, Oprah Winfrey, David Beckham and Sir Philip Green. The gang is rumored to be demanding millions to stop the release of further confidential information.
- The last reported incident of the month involves the Toronto Transit Commission (TTC). At time of writing the incident is ongoing and IT staff at the TTC are dealing with the effects of the attack which started at the onset of Halloween weekend. It’s currently unknown if any data was stolen or what gang was behind the attack.
November
For the third consecutive month this year the number of reported attacks was down in comparison to 2020. Notable incidents include an attack on the Newfoundland and Labrador Healthcare System, which has been called the worst cyberattack in Canadian history, and German electronics retail giant MediaMarkt, which was hit with a whopping $240 million ransom demand from the Hive criminal gang! Here’s a snapshot of what was reported in November.
- We begin this month with Community Medical Centers, Inc. (CMC), a non-profit community health center in Northern California which recently notified 656,047 patients of a ransomware incident. The notice to patients did not confirm ransomware, but protected health information including first and last name, mailing address, Social Security number, date of birth, etc. was exfiltrated in the attack.
- The Tax Office in Martin County, Florida was forced to shut down following a cybersecurity incident. The incident appeared to be a ransomware attack at the hands of a new entry, the BlackByte gang. A message from the attackers about the incident was posted on the Dark Web.
- Corry Area School District in Pennsylvania was next to disclose that it would take months to investigate a recent ransomware incident that may have exposed private information from students and staff at the school before 2011. The attack was discovered when the district’s technology director received a notification that the computer server had been compromised and to email the sender for details. Details of the ransom haven’t yet been disclosed.
- Next up is the Newfoundland and Labrador Healthcare System which has been called the worst cyberattack in Canadian history. The cyberattack had a massive impact on the organization and caused widespread disruption relating to appointments and procedures. After refusing to confirm the cause of the disruption for several days, the Health Minister later confirmed they had been a victim of a cyberattack which sources have told CBC News was indeed a ransomware attack.
- German electronics retail giant MediaMarkt suffered an attack at the hands of the Hive gang whose initial ransom demand was a whopping $240 million! The attack caused the shutdown of the IT systems and disrupted retail operations in the Netherlands and Germany.
- Robinhood Markets, Inc., an American financial services company headquartered in California, disclosed a data breach that affected around 7 million people, a third of its customer base. In a statement they said that ‘the intruder’ obtained email addresses for around 5 million people as well as full names for a separate group of about 2 million, and for some customers personal data including names, birth dates and ZIP codes was exposed. The hacker made threats about what would be done with the data. The organization did not confirm it was a ransomware attack and declined to say whether or not the firm had paid the cybercriminals.
- Medatixx, a German medical software vendor whose products are used in over 21,000 health institutions, notified its customers to change their application passwords following a ransomware attack. It’s not yet confirmed if any data was exfiltrated during the attack, which caused significant disruption.
- The next attack impacted the comic book supply chain when IT systems at Diamond Comic Distributors went down following a ransomware attack. In a statement the company confirmed that comic book shops’ data and financial information was not stored on the affected systems and had not been compromised.
- Texas-headquartered Madix, Inc., a manufacturer of store fixtures, was forced to disable its computers and halt production due to a ransomware attack. Hundreds of employees across two Alabama manufacturing plants were sent home without any specified date of return following the incident, which occurred over a weekend.
- British data storage company Stor-A-File made headlines when a Russian cyber gang dumped data belonging to the UK’s National Health Service (NHS) on the Dark Web. The data included highly sensitive medical records, which were leaked after the Clop gang’s £3 million Bitcoin ransom was rejected.
- Singapore-based offshore operator Swire Pacific filed a notice on November 25 reporting that its IT systems had been impacted by a cybersecurity incident. They said that the incident had “not materially affected global operations”; however, experts believe the Clop cyber gang was behind the attack, which resulted in a significant loss of data, including sensitive company and personnel information.
- Students at Butler County Community College in Pittsburgh had their classes cancelled after the school was hit by ransomware. The college announced that remote and online classes, as well as the main campus and other locations, would be closed following Thanksgiving weekend while they worked to restore databases, hard drives, servers and other devices that were targeted during the attack.
- Denmark-based wind turbine maker Vestas was forced to shut down some of its IT systems to control a ‘cybersecurity incident’ which they later confirmed was ransomware. Ten days after the attack the company said systems were back up and running but did not disclose if a ransom had been paid.
- Next up was Lewis and Clark Community College, which was forced to close following a ransomware attack according to a Facebook post from the school. The public community college is based in Illinois and serves around 15,000 students.
- The last reported incident for the month was CS Energy, an energy generator owned by the Queensland government in Australia. Fortunately, the attack did not have an impact on energy supplies. At time of writing the investigation was ongoing.
December
December was the busiest month of 2021 with 33 ransomware attacks being publicly reported. We saw several high profile attacks including car manufacturer Volvo, which had R&D files stolen when it was hit with ransomware, and Nordic Choice Hotels, whose guests found themselves locked out of their hotel rooms following an attack by the Conti gang. Perhaps the most interesting was an incident at tech company Asurion where a disgruntled former employee stole a company laptop and exfiltrated data before posing as an anonymous ransomware hacker, extorting them out of $300,000! Here’s a look at what else we uncovered in the last month of 2021.
- The first incident reported involved Planned Parenthood in LA. The organization said a ransomware attack occurred back in October, but the incident wasn’t made public until it was confirmed that a data breach affecting 400,000 patients had occurred as a result of the attack. Personal patient data including addresses, date of birth, insurance details and clinical information was exfiltrated.
- Next up was Kisters AG in Germany, a critical infrastructure supplier for energy systems. A press release from the company confirmed that data protection authorities had been notified following a ransomware attack. They also shared that they would not engage in such attempts at extortion and the publication of the captured data was to be expected. The Conti gang published 5% of the exfiltrated data to their leak site.
- Riverhead School District in New York shared that they had been hit by a ransomware attack which shut down the district’s computer and technology infrastructure; outages were expected to last for several days.
- The next attack on education hit a French public school board in Canada. They announced that they had been a victim of ransomware and that, after re-securing the network, it was discovered that some files stored at its board office had been stolen and held for ransom. The board said it had paid the attackers and the data that had been stolen was deleted. It’s not known what gang was behind the attack or how much the ransom was.
- Abiom, a Dutch technology firm that handles sensitive documents for Dutch police and emergency services, was hit by the LockBit ransomware gang. The company refused to pay the ransom, which resulted in 39,000 documents, including IDs and invoices, being leaked online.
- Nordic Choice Hotels confirmed they had become a victim of the Conti ransomware gang. The Scandinavian hotel chain has over 200 properties and includes brands such as Comfort, Quality, and Clarion and employs over 16,000 people. The incident left hotel staff without access to reservation systems causing issues at check-in and check-out, whilst guests also found themselves locked out of their rooms. At time of writing there was no ransom demand.
- Staff at the Handa Hospital in Japan knew something was wrong when several of their printers started randomly spewing out streams of paper with the message that the hospital’s “data are stolen and encrypted” and impossible to decode, and that “the data will be published” if they refused to pay up. The LockBit ransomware gang claimed responsibility for the attack, which forced the hospital to reduce medical services and go back to pen and paper. It’s thought it could take months for the hospital to recover from the incident.
- More than 300 locations of the SPAR supermarket chain were affected when they were hit with ransomware. Some stores were forced to close while others managed to operate by switching to cash only. A spokesperson explained that the ransomware attack had impacted all of the company’s IT systems and left staff without access to email. Criminal gang Vice Society claimed responsibility.
- Pellissippi State Community College in Tennessee disclosed that a network system outage appeared to be the result of ransomware. The school managed to contain the incident and was working with forensic experts to get the systems back up and running as quickly as possible. It’s not known who was behind the attack or if any data had been exfiltrated.
- Eldon School District in Missouri was forced to cancel classes after a ransomware attack hit the district’s servers. The organization hired a cybersecurity team to do a forensic analysis of the attack and they shared that “at this point, no data has been accessed or destroyed.” The cybersecurity team continues to work to resolve this issue.
- Major energy network CS Energy, which powers around three million households in Australia, was hit by the Conti ransomware gang. The cyberattack could potentially have shut down power to millions of homes. The CEO of the energy firm shared that the hacking incident did not result in any power outage due to the rapid response of its employees. He went on to say “they worked the extra mile to ensure that Queenslanders will not experience any massive power outage.”
- North American food importer Atalanta disclosed a data breach resulting from an earlier ransomware attack. A forensic investigation concluded that current and former employee data was accessed and acquired as a result of this incident; however, there was no indication to date of any misuse of the information involved.
- Leading HR software company Frontier Software made headlines when a ransomware attack at the hands of the Conti gang put the details of 80,000 government employees at a high risk of personal data theft.
- Car manufacturing firm Volvo admitted that some R&D files were stolen in a ransomware attack. The Snatch group was behind the incident. In a statement the company shared that early investigations confirmed that a limited amount of the company’s R&D property had been stolen during the intrusion and that, based on information available, there may be an impact on the company’s operations.
- Brazil’s Ministry of Health (MoH) suffered a major ransomware attack. The Lapsus$ Group claimed the attack, which resulted in the unavailability of COVID-19 vaccination data of millions of citizens. The attackers claimed to have exfiltrated 50TB of data; the ransom demand is not yet known.
- Hellmann Worldwide Logistics, a billion-dollar company that operates in 173 countries and offers logistics services for rail, sea freight, air freight, and road transportation admitted to a cyberattack which was later confirmed as ransomware, with the RansomEXX gang claiming the attack.
- The next incident is a first of its kind, ransomware meets insider threat! In this case there was no ransomware gang behind the attack, but rather a disgruntled employee posing as an anonymous ransomware hacker who managed to extort $300,000 from Tennessee-based tech support firm Asurion after he was fired. According to his indictment, the former employee used a stolen laptop to download sensitive internal corporate information. He then got in touch with company executives listing the data he stole—including employee social security numbers, banking information, as well as customers’ names and addresses—and proceeded to demand a ransom.
- HR management platform Kronos made global headlines when they revealed a ransomware attack may have revealed information from several high profile customers. In a statement, their parent company UKG said it “recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud,” which they said “houses solutions used by a limited number of our customers.” The company would not answer questions about which ransomware group was behind the attack.
- Virginia’s Division of Legislative Automated Systems shared that they had been hit by a ransomware attack. A top agency official told Virginia legislative leaders in an email obtained by The Associated Press that hackers using “extremely sophisticated malware” had accessed the system. A ransom note with no specific amount or date was sent, according to the email.
- The Shelley School District in Idaho disclosed they had been a victim of a ransomware attack. In a statement they said “we are told no student information was lost and all of the district’s financial information is also safe. They were able to catch the malware before it got to those servers.” The school district is now working with a forensics team to restore their systems.
- Hawaii’s Oʻahu Transit Services had their services impacted following an attack. In a statement they said “we are meticulously rebuilding and re-configuring all servers and user desktops to ensure no traces of the attack remain before bringing networks back online.” The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Honolulu Police Department, and the U.S. Secret Service are investigating the attack that at time of writing continues to cripple the organization.
- Up next is oil and gas company Superior Plus, which provides propane to 780,000 customer locations across the US and Canada. The billion-dollar company shared that the incident started on December 12 but did not answer questions about which ransomware group was behind the attack or which systems were affected.
- Maryland Health Department was hit by a cyberattack which was later confirmed as ransomware, although it’s not yet known what criminal gang was behind it. A government official later described the incident as not as crippling as initially feared but at time of writing the network systems were still offline and the full impact of the attack was not known.
- Portland, Oregon hotel and brewpub chain McMenamins was hit by a ransomware attack that left many of its IT systems inoperable. The Conti gang claimed responsibility for the attack, which exfiltrated personal employee data going as far back as 1998.
- The Australian Cyber Security Center suffered a ‘significant’ ransomware attack affecting a number of government departments and agencies resulting in widespread disruption to IT services. It’s not yet known who was behind the attack.
- Coombe Women & Infants University Hospital in Dublin was disconnected from the HSE’s national health network following an attack on its IT systems. The hospital confirmed that services were running as normal following the incident and they were working with the HSE to resolve the issue.
- New South Wales IT recruitment firm Finite Recruitment confirmed they had experienced a cyberattack which resulted in a ‘small subset’ of company data being exfiltrated and shared on the Dark Web. The company shared that business operations were not impacted and they were reviewing what data had been stolen in the attack.
- South African industrial construction company Basil Read was forced to take all IT systems offline following a ransomware attack. The group is working with external security experts to determine the extent to which sensitive data has been compromised.
- Orkney Disability Forum’s Dial-a-Bus was hit by a ransomware attack that led to a ransom note demanding payment in bitcoin.
- Inetum Group, the French IT services company which is active in more than 26 countries, experienced a ransomware attack which affected some of its operations in France but did not spread to larger infrastructures used by customers. Inetum Group did not disclose the name of the malware used, but according to the editor-in-chief at French publication LeMagIT, BlackCat ransomware was behind the attack.
- Medical software company CompuGroup reported they had been hit by a ransomware attack after a “technical failure” impacted their internal services including phones and email. Investigations into the attack are ongoing.
- American photography company Shutterfly suffered a ransomware attack that saw “thousands of devices” encrypted and corporate data stolen. The Conti gang is said to be demanding millions in ransom. The criminal group provided a screenshot of exfiltrated data which included legal agreements, bank and merchant account info, login credentials for corporate services, spreadsheets, and “what appears to be customer information, including the last four digits of credit cards”.
- The last reported attack of 2021 was Amedia, a Norway-based media company which publishes more than 70 newspapers for 2 million readers. An attack on the IT systems forced the company to disable its presses. Attackers left a ransom note on the media company’s infected computers but Amedia has said they have no intention of paying a ransom.