We tracked 33 incidents this month, with education being the hardest hit vertical, followed closely by government. LAUSD, the second largest school district in the US, made news when an attack caused significant disruption, while a hacker managed to launch an attack on Uber using social engineering tactics. Luxury UK farm shop Daylesford Organic made headlines when data belonging to high profile customers, including the Duchess of York, was compromised. Here’s a look at who else made ransomware news in September.
1. Minamiboso City Board of Education in Japan confirmed that a malicious third party gained unauthorized access to its school affairs network in July. The attacked server stored personal information for 1,293 children and 724 pupils. Hackers encrypted the system, limiting the schools’ ability to issue grades and letters for closing ceremonies. The ransomware group threatened to post report cards and other information on the internet if the ransom was not paid; however, the education board refused to pay. It has been reported that LockBit was behind the attack, but this claim has not been confirmed.
2. Portugal’s state-owned air carrier, TAP Air Portugal, fell victim to a ransomware attack for which RagnarLocker claimed responsibility. The airline claimed no data was stolen and that the attack simply affected its website and app. However, RagnarLocker released a screenshot of passengers’ personal information and stated that they believed “hundreds of Gigabytes may be compromised.” It’s unclear if the gang demanded a ransom from the airline.
3. NCG Medical, a medical billing service in Florida, found itself a victim of Hive ransomware at the end of August. Claims have been made that 270GB of information, mostly protected health information, was accessed during the attack. One small archive alone stored almost 10,000 insurance-coded records with patient names. Hive publicly released information about the attack only 2 weeks after encryption due to the lack of response from NCG.
4. A ransomware attack caused “significant disruption” to the second largest school district in the USA, Los Angeles Unified. LAUSD enrols more than 640,000 students, from kindergarten through to 12th grade. Vice Society claimed responsibility for the attack and reported that 500GB of data was stolen. A ransom amount has not been disclosed at this time.
5. Hotel chain Holiday Inn suffered disruptions on its booking channels and other applications due to a cyberattack. Intercontinental Hotels Group (IHG), which owns Holiday Inn and other well-known hotels, did not mention the loss of any data during the “unauthorized access to a number of their technology systems”. The hackers behind the attack, a couple from Vietnam, told the BBC that they accessed the FTSE 100 firm’s databases thanks to an easily found and weak password, Qwerty1234, and carried out the attack ‘for fun’.
6. French clothing firm Damart suffered a cyberattack launched by the Hive ransomware gang. During the attack, data was encrypted and some services disrupted, with operational issues continuing in 92 stores two weeks after the first issues emerged. It was confirmed that the attack infiltrated Damart’s Active Directory, causing them to shut down some of their services temporarily to prevent further intrusion. It is unclear what data was taken during this incident, but a ransom of $2 million was posted by the group.
7. The AvosLocker ransomware group claimed responsibility for the attack on Savannah College of Art and Design this month. SCAD’s information network systems were accessed by the group with potentially 69,000 files containing student information, personnel files and business data being exfiltrated. The ransomware group allegedly negotiated with the college for an undisclosed ransom which was not paid.
8. Alegria Family Services (AFS), an organization providing residential and community services to adults with developmental disabilities in New Mexico, was targeted by a ransomware attack this month. BianLian was responsible for the attack on the company, which is under contract with the New Mexico Department of Health. Claims have been made that internal records, personnel-related files and client data were exfiltrated, but no proof was provided to substantiate the reports. AFS has stated that it will not be able to pay the undisclosed ransom amount and has notified all those affected by the incident.
9. The City of Bardstown in Kentucky was the victim of a cyberattack over the Labor Day weekend. It is believed that personal information and computers were affected, as customers were told to remain vigilant for suspicious activity. The city is working alongside cybersecurity experts, the Federal Bureau of Investigation and National Security to investigate the incident.
10. Oakbend Medical Center in Texas was faced with a system rebuild and communication issues after a ransomware attack. Oakbend’s IT team put systems into “lockdown” once the attack was discovered, in an attempt to limit the damage and prioritize the security of patient-centric systems. The Daixin ransomware group claimed responsibility for the incident while the investigation continues.
11. The Buenos Aires legislature was affected by a ransomware attack which compromised internal systems and caused Wi-Fi connectivity issues. Necessary measures were taken to ensure continuity while restoration occurred, meaning parliamentary work was not interrupted. It is not yet clear who was behind the attack; several different groups have been responsible for similar government incidents across Central and South America over the last 12 months.
12. Over 75,000 patients have been affected by a ransomware attack targeting Medical Associates of Lehigh Valley in Pennsylvania. Files containing personal information including names, addresses, social security numbers, health insurance providers and detailed medical records were accessed during the sophisticated attack. Cybersecurity and forensic specialists have been consulted to investigate and reinforce security measures.
13. Bell Canada, a subsidiary of Bell Technical Solutions (BTS), was a victim of a cyberattack orchestrated by the Hive ransomware gang. Personal information belonging to residential and small business customers in Ontario and Quebec was reportedly accessed, though BTS claims no financial or banking data was taken during the incident. Immediate steps were taken to secure systems, but their website remained down for several days due to the attack.
14. Uber Technologies Inc reported a network breach that forced the ride-sharing company to shut down several of its internal communications and engineering systems. It is reported that the hacker compromised an employee’s Slack account via a social engineering method and used it to announce the data breach to Uber employees. The hacker claimed to have infiltrated internal systems and gained access to security vulnerability information. Lapsus$ claimed responsibility for the attack and a 17-year-old was arrested in connection with the incident.
15. New York based emergency response and ambulance service provider Empress EMS (Emergency Medical Services) suffered a ransomware attack that has exposed customer information. A small subset of files containing personal information of the organization’s patients was accessed, with around 318,558 individuals being affected by the incident. The Hive ransomware group was responsible for this double-extortion style attack, just one of many that the group has carried out this month.
16. The Columbia County Chapter of The Arc New York (NYSARC), the largest family-based provider of services to individuals experiencing disabilities in the United States, recently disclosed that a cyberattack detected in July was indeed ransomware. Due to the complexity of the attack the investigation is still ongoing, but the organization did share an update this month that data such as dates of birth, addresses, social security numbers and other information may be involved, and those affected will be contacted at a later date. Red Alert, a new entry to our blog, is said to be behind the incident.
17. Prosecutors in Bosnia and Herzegovina’s government are investigating a wide-ranging cyberattack that managed to cripple the operations of the country’s parliament. The incident took the website offline, and a local news outlet spoke to several lawmakers who were barred from accessing their email accounts and official documents and were told not to turn on their devices. The investigation is ongoing and, while it hasn’t been claimed by a threat group yet, sources confirmed to media outlet Nezavisne that it involved ransomware.
18. Indian housing finance company Can Fin Homes faced a 15% dip in their share price after a ransomware attack took down their website and the lender’s chief executive officer resigned in quick succession. The company disclosed that the attack had not impacted operations at the company.
19. Suffolk County suffered an attack at the hands of the BlackCat cybercriminal gang. At a press conference a spokesperson said the initial investigation did not indicate a ransomware attack. However, BlackCat claimed responsibility and shared that they had exfiltrated more than 4 terabytes of data. Officials have not disclosed any details of the ransom, and the criminal gang did state that, as they were not in contact with the county, they would be publishing sample data that they managed to extract.
20. New York Racing Association, the operator of the three largest thoroughbred horse racing tracks in New York previously disclosed a cyberattack back in June of this year. The incident impacted IT operations, the website and compromised member data which included social security details, health information and driver licence numbers. This month the Hive criminal gang claimed the attack and added the organization to its leak site. The hackers also published a link to freely download a ZIP archive containing all of the files they allegedly stole from NYRA’s system. This is an indicator that ransom negotiations may have reached a dead end.
21. Tift Regional Medical Center in Georgia experienced an attack back in July, but it only came to light in September after negotiations with the Hive criminal gang broke off. The attack, which spanned July and August, saw the Hive gang exfiltrate around 1TB of data including media records, employee payroll data and private company information. On August 25th the gang emailed the medical center to introduce themselves and to share a link to view some of the stolen data. An interesting conversation between the hackers and a representative from Tift can be read in the article linked, but in short, the ransom request was $1,150,000.00, which Tift countered with an offer of $100,000. Hive responded to the counteroffer with “thank you for your offer. Tell the board that they can keep 100k for lawyers. We will publish the data.”
22. An attack on South Redford School District in suburban Detroit forced the school board to suspend operations after data involving students across 7 schools was put at risk. More than 3,000 students were warned against using any device issued by the board.
23. The City of Wheat Ridge in Denver found itself a victim of ransomware, facing a $5,000,000 ransom. Its response to the BlackCat criminal gang from Eastern Europe was clear and defiant: ‘We’ll keep our money and fix the mess you made ourselves.’ Following the attack, Wheat Ridge had to shut down its phones and email servers and close City Hall to the public for more than a week. Things are slowly returning to normal, but there are still unknowns regarding compromised data.
24. In May 2021 Sierra College made news when it disclosed a ransomware attack, and it looks like whatever steps it took to prevent becoming a victim again haven’t worked, as the Vice Society criminal gang added the college to its victim list this month. It’s not yet known if any data was compromised.
25. Luxury farm shop Daylesford Organic made headlines when data involving high profile customers, including the Duchess of York and Jeremy Clarkson, was compromised in a ransomware attack. The Snatch criminal gang was behind the attack, which saw data from several celebrity clients posted on the dark web.
26. Australian telecommunications company Optus made headlines after an unknown ransomware gang claimed to have stolen data relating to 11.2 million users. The hackers demanded $1m in Monero cryptocurrency to stop them from selling the exfiltrated data. The Australian Federal Police are currently investigating.
27. North Macedonia’s Agriculture Ministry disclosed that they were hit by the BlackByte ransomware gang on September 12th, an admission that came after an opposition party accused them of keeping silent about the attack. The ministry has since acknowledged that some documents were compromised but denied having lost any significant data. The Ministry did not clarify whether BlackByte had demanded a ransom or how or if they responded to any demands.
28. The Desorden criminal gang claimed an attack on redONE, a Malaysian telco with over 1.2 million subscribers. According to media statements, when redONE didn’t respond to the hackers’ demands, they launched a second attack hitting the organization’s financial and insurance service offerings, known as redCARD and redCARE. The criminal gang is now threatening to sell the data.
29. Elbit Systems of America, a subsidiary of Israeli defense giant Elbit Systems, has just disclosed a data breach, a few months after the Black Basta ransomware gang claimed to have hacked its systems. In a notification to the Maine Attorney General’s office, the Texas-based company said the breach occurred on June 8th and was discovered the same day. It said only 369 people were affected. The Black Basta website only displayed a few allegedly stolen documents, which included a payroll report, an audit report, a confidentiality agreement and a non-disclosure agreement, indicating that a ransom had not been paid.
30. The Chilean Court System was forced to take 150 computers offline following a ransomware attack. A spokesperson for the Supreme Court characterized the incident as ‘not a huge attack’ and said no data had been stolen. The South American country has had a few cyberattacks recently, including one on its Consumer Protection Agency.
31. Chinese real estate development company Aoyuan Healthy Life Group was hit by PT_Moisha ransomware, a new entry for our blog. The ransomware group contacted media outlet SuspectFile and provided them with a sample of 90 files, a total of around 200 MB of exfiltrated documents. In the documents that SuspectFile was able to view, data included passport details, salary information and financial documents relating to employees based in the firm’s Sydney, Toronto and Vancouver offices. The ransomware group tried to negotiate directly with the firm via Telegram, but Aoyuan Healthy Life Group has not been responsive.
32. Texas healthcare provider FMC Services recently disclosed that a cybersecurity incident had resulted in a data breach impacting thousands of patients. The Vice Society ransomware gang was behind the attack which impacted approximately 233,948 individuals.
33. NJVC, an IT company supporting the federal government and the US Department of Defense was added to the BlackCat victims list on September 28th. The criminal gang posted proof of the attack but went offline immediately after. Interestingly the leak site was accessible again on Sept 30th but NJVC was no longer listed. The story is still developing.