The State of Ransomware in 2023
In 2020, 2021, 2022 and now 2023, BlackFog’s state of ransomware monthly report measures publicly disclosed attacks globally. This year we are also introducing some new statistics based upon unreported incidents, which is a growing trend as organizations try to avoid regulatory penalties, reputation damage and class action lawsuits. We are also proud to have received Gold place for Best Cybersecurity Newsletter of the Year in the 19th Annual 2023 Globee® Cybersecurity Awards for this report.
We have also produced an annual ransomware attack report for 2022. In addition, we have also identified some of the key lessons learned from 2022 and what trends and best practices can be used to mitigate these attacks in the future.
As in previous years we will continue to focus on important statistics such as data exfiltration. If you would like this report delivered to your inbox each month please feel free to register using the link below.
January
The first month of 2023 saw 33 publicly disclosed ransomware attacks, the highest number of attacks we have ever recorded for a January. The education sector topped the victim list with 11 attacks, over a third of all incidents recorded this month. Royal Mail, deemed as “critical national infrastructure” in the UK, was hit by a LockBit attack, causing severe disruption to all overseas deliveries. Clop targeted the New York City Bar, exfiltrating 1.8TB of data and posting some “unkind” words regarding their concern for data safety. Let’s take a look at what other attacks were uncovered this month:
- Personal data belonging to Xavier University students and employees was leaked by Vice Society after an attack late last year. The exfiltrated data is reported to include information on payroll, personal finances, social security numbers, disciplinary actions and misconduct allegations. The Louisiana based university refused to pay the ransom demanded by the ransomware group.
- Los Angeles Housing Authority (HACLA) confirmed that they were victims of a data breach, resulting in disruption to their systems. HACLA are unclear how systems were breached and exactly what information had been stolen. LockBit have claimed responsibility for the attack and have posted images of purported HACLA databases containing around 15TB of information.
- Swansea Public Schools was targeted by a ransomware attack which shut down their district network, causing classes to be canceled for a day during the first week of the semester. It is believed that an encrypted download, run by someone within the district with no malicious intent, facilitated the attack. Early investigations suggest that no personal staff or student information was compromised during the incident.
- The Saint Gheorghe Recovery Hospital in north-eastern Romania reported a cyberattack which took place in December 2022, stating that medical activity is still impacted due to its encrypted database. The hackers demanded 3 Bitcoin for the decryption of the servers. An investigation involving the National Directorate of Cyber Security and DIICOT has been launched.
- Bristol Community College in Massachusetts is struggling to recover from a ransomware attack which crippled their digital systems. The incident was discovered late December when the college immediately launched an investigation. It remains unclear whether personal information was accessed or stolen during the attack. No group has yet claimed responsibility for the incident.
- Hive ransomware gang have added another healthcare-related victim to its leak site, Consulate Health Care (CHC). The group claim to have acquired information including contracts, NDAs and personal information belonging to employees and customers. CHC could unfortunately not afford the reduced, undisclosed ransom amount as their insurance would not cover any ransom payment – it’s now likely that Hive will leak the exfiltrated information.
- Computer systems belonging to the Controller of Communication Accounts (CCA) were breached during a ransomware attack at the beginning of the month. The office in Vijayawada had basic information accessed but the main server remained intact. Reports confirm that a ransom was demanded though the amount has not been disclosed.
- Pennsylvania-based non-profit health provider, Maternal and Family Health Services, was impacted by a sophisticated ransomware incident. It is reported that the incident initially occurred in April 2022 but could have started months earlier. Personal information belonging to current and former patients and employees was compromised along with vendors’ sensitive information. The MFHS has not detailed why it took nine months to disclose the attack, with details of the incident, including the group behind the attack, remaining unclear.
- San Francisco’s Bay Area Rapid Transit fell victim to a ransomware attack which exposed highly sensitive and personal data. Vice Society have claimed responsibility for the attack and have allegedly stolen information including employee data, police reports and crime lab reports among other highly sensitive information. It is not clear if a ransom was demanded by the group.
- Des Moines Public Schools was forced to extend their school year to make up for time lost due to a ransomware attack. The incident, which affected the district’s servers, caused major disruption, with consultants being brought in to determine the full impact of the cybersecurity attack. The Iowa Department of Education, the local offices of the FBI and the Department of Homeland Security are involved in an investigation. No-one has yet claimed responsibility for the attack, and it is unclear if any information has been compromised.
- Hope Sentamu Learning Trust were hit with a ransomware attack which affected nine of their schools across York, Selby and Scarborough. IT systems were taken offline as a precautionary measure, with some remaining disabled while the investigation continues. It is unknown if any data was taken during the incident. The CEO stated that they have not received a ransom demand and if they did that they wouldn’t pay it out of principle.
- Vice Society claimed responsibility for the attack on the Fire Rescue Victoria which led to widespread outages in December last year. The Australian state fire department warned current and former employees and job applicants of the leak. The attack affected a number of FRV’s internal servers, including the email system with the overall IT infrastructure still not fully operational into the New Year. The data set leaked by the ransomware group contains budget documents, job applications and other sensitive information.
- Norwegian software supplier, DNV, reported a ransomware attack impacted around 1000 shipping vessels. The attack affected their ShipManager software that provides services for 12,000 ships and mobile offshore units across the globe. The incident has not affected the vessels’ ability to operate due to onboard, offline functionalities of the software. The organization claim that there are no indications that data or any other servers were affected.
- The City Council of Durango in Mexico suffered a cyberattack which reportedly paralyzed its systems. A news site quoted the city mayor confirming the ‘hacking had been serious’ and would paralyze the systems for a number of weeks. They reportedly received a ransom demand which they are not intending to pay. No gang has claimed the attack as yet.
- LockBit caused severe disruption to Royal Mail’s overseas deliveries during an incident in early January. This incident is highly significant, as Royal Mail is deemed “critical national infrastructure” for the UK. A ransom note sent to the organization read “Your data is stolen and encrypted.” A ransom demand has not yet been reported and it is unclear what information has been exfiltrated during the attack. An investigation involving the National Crime Agency and the National Cyber Security Centre is ongoing.
- Home Care Providers of Texas just disclosed a ransomware incident which occurred between June 25 and June 29 last year. Files were both encrypted and exfiltrated by threat actors. The information stolen included names, addresses, SSNs, treatment information and medication information of patients. The Texas Attorney General report has indicated that 124,363 Texas residents have been affected.
- 1.8TB of information belonging to the New York City Bar has been stolen by CL0P during an attack in mid-December. The ransomware group posted some “unkind” words on their leak site stating that the NYC Bar is “example of one more institution who do not take their obligation to secure client, employee and case data seriously.” A screenshot of a portion of a file directory has been posted as proof of claims, with the group stating that the data size is so large that it will be shared over some weeks.
- One of Germany’s largest universities, The University of Duisburg-Essen, has fallen victim to a Vice Society ransomware attack. The group listed the university as one of its victims, leaking some of the data stolen during the attack on their dark web site. The university has stated that they refused to comply with the attackers’ demands and did not pay the ransom. Local data protection experts are currently analyzing the published data to uncover which institutions and individuals were affected by the breach.
- Yum! Brands, the fast food operator of the KFC, Pizza Hut, Taco Bell and The Habit Burger Grill chains, was forced to temporarily close 300 locations in the UK this month as the result of a ransomware attack. Upon discovering the incident, the company deployed containment measures which included taking certain systems offline and implementing enhanced monitoring technology. Yum! Brands has confirmed that data was stolen during the attack but does not believe that any customer information was exposed. An investigation is ongoing.
- Costa Rica’s Ministry of Public Works and Transport suffered a ransomware attack just months after several other ministries were crippled in a wide-ranging attack. Twelve servers were encrypted during the attack. Cybersecurity experts and international organizations have been brought in to support the ongoing investigation into the attack. Conti claimed responsibility for the incident, making it the second major attack from this group on the country in less than a year.
- NextGen Healthcare, an Atlanta-based electronic health record vendor, fell victim to an attack orchestrated by BlackCat ransomware group. BlackCat posted an “alleged sample of NextGen information” on its extortion site but later took down the listing. The forensic review is ongoing, but the organization stated that they have not uncovered any evidence to suggest that threat actors gained access to any client or patient information.
- Wawasee Community School Corporation suffered an attack which impacted all of their Windows-based computers, servers and other technology systems. Significant disruption was caused to daily operations as they shut down the network to investigate the breach, which both the Indiana Department of Education and the FBI are involved in. At this time, it is believed that student and employee data was not impacted during the incident.
- One of the UK’s largest car dealer networks, Arnold Clark, was targeted by an attack in the run up to Christmas last year, seeing staff resorting to pen and paper to record transactions and the company unable to complete new vehicle handovers. Play ransomware group have claimed responsibility for the incident and have posted a 15GB tranche of customer data online, with the threat to release more should the ransom not be paid. Although the actual ransom amount has not been disclosed, it is believed to be a multimillion pound demand.
- British Columbia community college, Okanagan College, have announced that an unauthorized entity gained access to some of their technology systems earlier this year. Vice Society took responsibility for the incident and claimed to have exfiltrated 850GB of data. External security experts have been brought in to assist in the response and investigation surrounding this attack.
- Lutheran Social Services of Illinois have recently notified the Maine Attorney General’s Office of a breach affecting 184,183 people this month. It is believed the attack occurred a year ago, in January 2022. It was discovered in December 2022 that certain personal information maintained on their systems was “potentially accessed by an unauthorized party.”
- The South East Regional Health Authority (SERHA) in Jamaica were victims of a cyberattack, affecting their information and communications technology as well as other public services. Details of the incident have not been made public but Junior Opposition Spokesperson on Science and Technology, Omar Newell, has called for more details of the breach to be disclosed including what servers were affected, could patient information have been accessed, was a ransom demanded, and if it was, are SERHA intending to pay it. No group has yet claimed responsibility for the attack.
- In India, the parent company of a private defence contractor, Solar Industries Limited, were victims of a BlackCat attack, leaving their website unavailable for a number of days. The ransomware group released a number of documents on to the dark web and claim to have exfiltrated 2TB of data from the organization. The stolen data is said to include full descriptions of engineering specifications, drawings, and audits for many weapons which they manufacture, alongside other company data and personal information belonging to customers and employees. It is not clear whether a ransom has been demanded by the group.
- In Maryland, Atlantic General Hospital experienced network outages due to a ransomware attack. The attack caused some disruption but patient interruption was “limited.” Details on the attack remain vague and no-one has claimed responsibility yet.
- The Instituto Federal Do Pará (IFPA), a public education institution in Brazil, was added to BlackCat group’s leak site on January 30th. The group posted a proof pack consisting of screenshots from a directory of folders. A message from the ransomware group stated, “The guys decided to ignore our ransom demands, so the data of their employees and students will be published and put up for sale.” The ransom amount demanded has not been disclosed and the IFPA have not yet made any statement regarding the attack.
- Japanese electronic product manufacturer, Fujikura Global, have fallen victim to an attack by LockBit 3.0. The group claims to have breached corporate headquarters and infiltrated outposts around the world, exfiltrating 718GB of confidential and critical information. Data is said to include financial records, internal reports, certificates, employee personal information and much more.
- Tucson Unified School District, Southern Arizona’s largest school district, was the target of a ransomware attack at the end of January. The incident shut down the district’s internet and network services, forcing schools to do work offline. Staff discovered letters in their printers, stating that the attack was carried out by Royal ransomware. It also stated that the district’s data was encrypted and copied during the attack. A ransom amount has not been disclosed but according to reports, Royal offered the district a “unique deal” that would see their data decrypted, restored and kept confidential.
- Nantucket Public Schools were victims of a ransomware attack that overtook the entire island’s public school internet system. All student and staff devices were shut down, and security systems, including phones and security cameras were disabled. Students and staff were dismissed for the day and issued a warning not to use school issued devices at home.
- In France, the Association Appui Santé Nord Finistère suffered a crippling ransomware attack which saw the Association unable to access any archived data or their accounting management system. According to reports, data has been encrypted and some archive files deleted. Due to the nature of the organization, the integrity of personal health information belonging to its patients has been affected. There has been no indication relating to the attackers or any potential ransom.
February
A total of 40 ransomware attacks were publicly reported in February, a 21% increase on January. Government was the most heavily targeted sector, closely followed by healthcare. Several large organizations made headlines, including ION, Five Guys and Dole Foods, while we closed out the month with an attack on the US Marshals. Here’s a summary of who else made ransomware news in February.
- ION, the financial trading service group, was hit by a ransomware attack at the beginning of the month, disrupting customers including some of the world’s biggest banks, brokerages and hedge funds. LockBit claimed responsibility for the attack and were paid an undisclosed ransom. Both ION and LockBit declined to clarify who paid the money, with LockBit claiming it came from a “very rich unknown philanthropist.”
- American fast-food chain Five Guys fell victim to a ransomware attack at the hands of BlackCat. A preview shared by the ransomware group included bank statements, international payroll data, information about recruitment and audit information, among other types of data from 2021. No further information has been released regarding the attack, including the ransom amount and whether the organization intends to pay.
- The Hidalgo County Adult Probation Office was hit by a ransomware attack in early February. Only the probation office systems were affected as it runs under a different security system to other county offices. Hidalgo County Judge, Richard F. Cortez stated that the office was able to retrieve the information without having to pay the demanded ransom.
- A ransomware incident took down RSAWeb’s entire network, including its fibre, mobile, hosting, VoIP and PBX services. RSAWeb CEO Rudy van Staden stated that ‘there was no reason to believe that any customer or employee data was accessed or misused during the incident’. He also claimed that the sophisticated attack was part of a campaign victimizing many other businesses both in South Africa and globally.
- Tallahassee Memorial HealthCare in Florida remained offline for almost a week after they were targeted by a ransomware attack. Surgeries and procedures were limited, with some emergency patients routed to other hospitals. The hospital had to revert to paper documentation and handwritten patient notes during the downtime. An investigation into the incident is ongoing, with information remaining limited due to security, privacy, and law enforcement considerations.
- Florida’s Supreme Court was one of the victims of the global ransomware attack targeting unpatched VMware ESXi servers. It is believed that there are around 3,800 victims of this fast-spreading digital extortion campaign. Spokesman for Florida Supreme Court, Paul Fleming, stated that ‘the affected infrastructure was segregated from the Supreme Court’s main network and was used to administer other elements of the court system’.
- Regal Medical Group announced that they had experienced a ransomware attack late last year, during which files were exfiltrated. These files contained information including PII, diagnosis and treatment information, SSNs and health plan member numbers, among other health data. HHS has indicated that 3,300,638 individuals were affected by the incident, making it the largest healthcare data breach so far this year. No information has been released regarding those behind the attack and if a ransom was demanded.
- Semiconductor equipment maker, MKS Instruments, saw its product-related systems impacted during an attack. The company elected to temporarily suspend operations at some of its facilities in order to contain the incident. An investigation was launched to assess the impact of the incident while engaging with law enforcement and incident response professionals. It is unclear whether any data was exfiltrated during the attack and it is not yet known who was behind it.
- Lorenz ransomware group added AmerisourceBergen/MWI Animal Health to their leak site, providing a sample list of data suggesting that files are personnel-related and internal files. The organization launched an internal investigation which quickly identified that a subsidiary’s IT system was compromised. The incident was isolated, and an investigation continues to determine whether any sensitive data was compromised. No ransom was posted on the group’s leak site, suggesting that those who want to negotiate must contact the group directly.
- Munster Technological University (MTU) in Ireland was forced to close its four campuses in Cork when they fell victim to a ransomware incident. The campuses were closed to ensure robust student and staff data protection, while core systems remained unaffected with most staff being able to work from home. BlackCat have since claimed responsibility for the attack and data belonging to the University has appeared on the Dark Web.
- Important diagnostic systems and access to medical files were disabled as a result of a suspected ransomware attack on Ross Memorial Hospital. The Canadian hospital declared a code grey as staff were unable to access the systems needed for treatment, with patients saying that even parking machines weren’t functioning correctly. Third-party cybersecurity resources were brought in to work with technical experts within the hospital to investigate the incident according to industry best practices.
- LockBit claimed responsibility for an attack on the global power product manufacturer, Phihong. The ransomware group claimed to have personally identifiable information belonging to Phihong’s employees and customers, along with contracts, financial documents, and a large number of databases. LockBit demanded a ransom of $500,000.
- California-based networking hardware manufacturer A10 Networks fell victim to a ransomware attack orchestrated by the Play ransomware gang. During the incident the gang briefly gained access to shared drives and compromised data relating to human resources, finance, and legal functions. The threat actors claimed to possess confidential files including technical documentation, employee and client documents, agreements, and personal data. It is unclear at this time if a ransom was demanded.
- Sensitive patient information was stolen during an attack on CentraState Medical Center. Stolen data was said to include names, addresses, dates of birth, SSNs, health insurance information, medical records and patient account numbers. In a statement it was revealed that the attack not only paralyzed the Freehold facility, but also affected around 617,000 patients.
- An attack on the City of Oakland forced all systems offline until the network was secured and affected services were brought back online. The attack did not affect core services such as 911 dispatch and fire and emergency resources. The Information Technology Department is working with law enforcement to investigate the scope and severity of the attack. It is currently unknown which group was behind the attack. A reporter who broke the story, commented last year on the City’s IT department being understaffed and exposing it to ransomware attacks.
- The Modesto Police Department suffered a breach that disabled patrol vehicle laptops, forcing officers to resort to writing down details from dispatch. The city stated that it was investigating alongside leading cybersecurity experts after it “detected suspicious activity on its digital network.” It is not yet known who is behind the attack or if any data was exfiltrated.
- DarkBit, a new ransomware group that emerged this year claimed Technion – Israel Institute of Technology as one of its first victims. An investigation involving both internal and external experts was launched, and all communication networks were proactively blocked. A ransom note from the threat actors was left on the university’s systems, demanding 80 Bitcoin (roughly $1,745,200) to release the decryptor.
- B&G Foods, a food retailer with more than 50 brands including Green Giant, Cinnamon Crunch Toast and Vermont Maid Syrup, was a victim of a cyberattack orchestrated by Daixin Team. The ransomware group allegedly encrypted an estimated 1,000 hosts and exfiltrated files which were later leaked on their site. The files included internal company documents which did not seem to include any confidential files relating to the organization, its personnel, or its contractors. B&G did not respond to communications from Daixin Team, with the group stating, “maybe they don’t care about the leak, and like to restore systems the hard way.” To date, there has been no information released on what ransom was demanded.
- Atlantic General Hospital in Berlin, Maryland recently disclosed they had been impacted by a ransomware attack in January which affected hospital operations including the outpatient walk-in lab, pulmonary function testing, outpatient imaging and RediScripts. As of Feb 13th, the facility was once again fully operational. An investigation is ongoing to determine whether any sensitive data was impacted as a result of the incident.
- The Vice Society ransomware group claimed responsibility for the attack on Mount Saint Mary College, a liberal arts college in New York, which happened at the end of last year. The group claimed they were able to gain access and disable some of the school’s systems during the incident, details which were later shared on their leak site. The college notified relevant law enforcement, including the FBI and did not pay the undisclosed ransom in line with the FBI’s guidance. The school has notified those whose personal information has been compromised.
- Tonga Communications Corporation (TCC) had part of their systems encrypted and locked during a cyber incident. The state-owned telecommunications company stated that the process of connecting new customers, delivering of bills, and managing customer enquiries were affected. Medusa ransomware group was responsible for the attack, and it is still unclear whether any information was exfiltrated during the incident.
- AvosLocker claimed California Northstate University as one of its victims, stating that they have exfiltrated both student and employee data from the university’s network. On their leak site the group claim to have student admissions data along with W-2 statements for all college employees. The proof pack included 393 of these W-2 forms including those belonging to the college’s President and CEO and the Vice-President and CFO. At time of writing no student data had been leaked. In the ransom note AvosLocker called out the college on their cybersecurity, writing “why purchase the cyber-insurance with ransomware coverage policy if you don’t protect your students and staff? Ignoring will not make a problem go away.”
- BlackCat claimed Wawasee Community School Corporation as one of their victims, with the attack causing significant disruption to daily operations. Wawasee did not pay the undisclosed ransom amount, resulting in the ransomware group leaking 9.78GB of files on its leak site. It is still unclear what data was exfiltrated during the attack as, at time of writing, the download link on the leak site was not working properly.
- Fannin County in Georgia was targeted by a ransomware attack which caused disruption to some computer systems and government business. The Board of Commissioners launched an investigation working alongside nationally recognized third-party cybersecurity consultants. The total impact of the attack is yet unknown, and no details have been released regarding impacted data or who was behind it.
- Reventics LLC, a provider of innovative physician focused technology recently revealed that they detected a cyber incident within their systems late last year. An investigation by external consultants has confirmed that PHI data had been exfiltrated. Royal ransomware claimed responsibility for the attack, later leaking more than 16GB of files. The group claims that this is only 10% of all data they have exfiltrated.
- Lehigh Valley Health Network was targeted by BlackCat ransomware group in mid-February. The attack did not disrupt the network’s operations and it is believed the attack was on the network supporting only one physician practice. It is unclear what demands, if any, were made by the ransomware group and if any data was exfiltrated.
- A disruptive ransomware attack took down several systems and backups belonging to Porsche’s South African Headquarters. It is believed that attackers used a relatively new ransomware strain called Faust to encrypt files and lock the company out of their corporate systems. Porsche South Africa declined to comment on the situation and no further details are available at this time.
- One of Northern Ireland’s biggest construction companies, Lagan Specialist Contracting Group (SCG), fell victim to a LockBit ransomware attack; however, the company did not experience downtime and continued to trade normally. The company was given until 28th February to meet the ransom demands before potentially sensitive data was set to be published on the Dark Web or sold on to third parties. Details of the ransom or exfiltrated data are currently unknown.
- BlackBasta claimed KFI Engineers as a victim, exfiltrating 1.1TB of data from servers during a ransomware attack. KFI negotiated with the ransomware group after a $600K ransom was demanded in exchange for their data. After several rejected offers, the organization settled with BlackBasta, agreeing to pay $300,000 in BTC for the decryptor and the guarantee that the threat actors would delete all data exfiltrated and information on how the network was accessed, in order for the organization to prevent another attack.
- Alvaria Inc recently reported a cyberattack which took place in November last year, during which they were targeted by Hive ransomware group. Hive leaked certain information on its Dark Web leak site. During an investigation it was revealed that an unauthorized party had gained access to confidential employee information, however information belonging to customers or employees was not posted on the leak site.
- The City of Lakewood in Pierce County, Washington experienced a ransomware attack during which over 250GB of data was stolen. BlackCat was responsible for the attack and, due to the City Council’s “misunderstanding and inability to negotiate”, the group shared a link to download all exfiltrated documents. The ransomware group also issued a warning to those who work with the municipality, stating that their structure is not protected and the vulnerability has not been fixed.
- Indigo Books and Music in Canada restored their online book sales two weeks after a ransomware attack but other items are still unavailable. LockBit was behind the attack which is said to have compromised employee data. They are currently working alongside law enforcement and have notified all those who have been affected. Third-party experts have been brought in to strengthen their cybersecurity practices and enhance data security measures.
- One of the world’s largest distributors of fresh fruit and vegetables, Dole Food Company, suffered a ransomware attack, with reports suggesting the company was forced to shut down production plants in North America. Although Dole has characterised the impact as limited, it also appears that they have had to halt shipments to grocery stores. An investigation is ongoing to evaluate the scope of the incident, but it is not yet clear what data, if any, was accessed or exfiltrated during the incident. No group has yet claimed responsibility for the attack.
- Dish Network was hit by a ransomware attack that took down the company’s websites, apps and customer service systems for a number of days; the outage also affected internal servers and IT telephony. Teams continue to work to restore all affected systems as quickly as possible. Managers were told that the incident ‘was caused by a known threat agent’. It is unclear who is behind the attack and what data, if any, was exfiltrated.
- Major U.S. private natural gas and oil producer Encino Energy disclosed that its operations were not impacted by a cyberattack orchestrated by BlackCat. The ransomware group exposed 400GB of data belonging to the organization, but a company spokesperson declined to confirm the nature of the attack or whether a ransom was paid.
- The City of Oregon City experienced significant network disruption as a result of a “sophisticated ransomware attack.” IT staff and third-party specialists were able to restore the network and data recovery continues. The City’s investment in backup technology allowed them to recover from the incident without paying a ransom. It remains the City’s top priority to determine whether any sensitive or personal information was accessed during the attack.
- The U.S. Marshals Service (USMS) is investigating the theft of sensitive law enforcement information following a ransomware attack which impacted “a stand-alone USMS system.” Stolen data included employees’ personally identifiable information alongside returns from legal process, administrative information and PII pertaining to subjects of USMS investigations and third parties. Further information regarding this attack is not yet available, including which threat actors were responsible.
- LockBit added White Settlement Independent School District in Texas to their leak site, with a proof pack suggesting that the threat actors were able to access and possibly exfiltrate a number of files. No recent files were included in the proof pack, with a number of them dating from 2015 or earlier. An investigation revealed that the compromised documents belonged to some staff members and had been stored in a shared folder.
- Minneapolis Public Schools was disrupted by a ransomware attack in late February. Impacted systems, including school internet, cameras and building alarms, were taken down by an “encryption event” on Presidents Day. Many of the systems have already been restored and encrypted data was recovered from backups. It has also been disclosed that no personal data was compromised during the incident.
- Pierce Transit became the second Pierce County government organization to be hit by ransomware this month, following the BlackCat attack on the City of Lakewood in mid-February; this time LockBit claimed responsibility. The group threatened to leak ‘a huge portion of confidential data’ which is said to include personal data on customers, contracts, postal correspondence, and NDAs. At this stage the ransom demand has not been disclosed, nor has there been any indication as to whether officials will pay the requested amount.
March
March saw the lowest number so far this year with 28 publicly disclosed attacks, although this still represents a 12% increase over March 2021 and March 2022. As usual, education was heavily targeted during the month and it continues to be the number one vertical, ahead of both government and healthcare. High profile incidents included Maximum Industries, the company responsible for making parts for SpaceX; the LockBit gang claimed the attack and disclosed that they had managed to exfiltrate blueprints. The Clop gang also made news when they exploited a vulnerability in Fortra’s GoAnywhere MFT file-transfer software to steal data from around 130 organizations, with new victim names continuing to emerge. Let’s take a look at other attacks that made headlines in March.
- Tennessee State University was hit by a ransomware attack that targeted its Wi-Fi network and left the university’s IT systems temporarily inaccessible. The Medusa gang was behind the incident, which compromised several computers on campus.
- Vice Society claimed an attack on molten metal flow engineering company Vesuvius, publishing files on the dark web one month after the attack. Vice Society included a confidentiality notice alongside the stolen files, stating that the ‘confidential files may also be privileged or otherwise protected by work product immunity or other legal rules,’ and went on to state that the company accepted no liability for the content or consequences associated with the leak. The ransom amount demanded was not made public, but given Vice Society’s actions it is unlikely that a ransom will be paid.
- According to a tweet from a threat analyst, the Waynesboro local government network was infiltrated by BianLian ransomware earlier this month. During the attack the group exfiltrated 350GB of files, said to include file server data, files from the internal police station file server, public relations material, and various business files, notes and manuals. The attackers specifically mentioned the Mayor, Vice Mayor, and another council member in their statement.
- Kuwait’s Ministry of Commerce and Industry detected and successfully thwarted a ransomware attack carried out by LockBit. The ransomware entered the network through two computers, which were quickly disconnected. No important data relating to the operations of companies, institutions, transactions, or citizens and residents was encrypted during the attack; the data impacted was on the personal computers rather than the ministry’s network.
- Barcelona’s Hospital Clinic fell victim to a ‘complex and transversal’ ransomware attack at the hands of RansomHouse. Reports suggest that at this stage there has been no contact between the ransomware group and the hospital and no ransom has been demanded. The attack caused major disruption, crippling the emergency room, laboratories, and clinics due to the inability to access patient records. Elective surgeries and care appointments were also impacted, with emergency patients being diverted to other local hospitals.
- A Facebook post revealed that Southeastern Louisiana University experienced ‘Temporary Network and System Disruption’ as a result of a cyberattack. Many of the university’s computer-based systems were inaccessible. It is not clear at this time who was behind the attack and what, if any, data was impacted during the incident.
- Hamburg University of Applied Sciences recently reported that it was affected by a cyberattack late last year. Vice Society claimed responsibility, having infiltrated decentralized IT systems as well as compromised central IT systems. This access allowed the threat actors to acquire administrative rights to central storage systems. ‘Significant amounts of data’, including usernames, email addresses, mobile numbers and “cryptographically secured” passwords, were exfiltrated during the attack.
- Indiana-based insurance holdings group Group 1001 saw the operations of several member companies disrupted as a result of a ransomware attack, with system interruptions caused by sophisticated ransomware on its IT infrastructure. The organization worked with outside forensic teams to investigate the incident and plans to make enhancements to its security posture. It is not clear how many customers were impacted or whether data was exfiltrated.
- Black & McDonald, a Canadian engineering company with ties to critical military, power, and transportation infrastructure was hit by a ransomware attack in early March. The company has yet to make a comment on the attack with clients continuing to downplay any damage or impact. There are few details available at time of writing and no group has yet taken responsibility.
- Attent Zorg en Behandeling, an elderly care facility in the Netherlands, suffered a ransomware attack which caused technical difficulties, rendering internal IT, e-mail, and telephone systems inaccessible. The Qilin ransomware group gained access to the facility’s network and exfiltrated data which included passport information of former and current doctors, nurses, psychologists, and physiotherapists. A total of 74 documents, including salary slips, NDAs and confidential internal communications, were leaked on the dark web.
- A notice was issued stating that Berkeley County Schools fell victim to a ransomware attack in February and investigations have now determined that data was accessed during the incident. Vice Society added the school district to their leak site, and the exfiltrated files included personal and sensitive information on students, said to include behavioural assessments, Section 504 accommodation plans for students with disabilities, and pupils’ emergency contact information from the past decade. At this time, a ransom demand has not been disclosed.
- LockBit boasted that they broke into Maximum Industries, a parts manufacturer for SpaceX. The gang disclosed that they had stolen around 3,000 proprietary schematics developed by the SpaceX engineers. The ransomware gang taunted the organization claiming that a buyer for these confidential documents and drawings would be easy to find. SpaceX and Maximum Industries refused to comment on the claims and no ransom demand has been publicly disclosed.
- Marshall, a British amplifier and speaker-cabinet maker was added to BlackBasta’s leak site. At this time very few details about the incident have been made public and the company has yet to make a comment.
- Bishop Luffa School in Sussex fell victim to a ransomware attack which shut down their computer systems. Medusa claimed responsibility for the attack and threatened to release files from the school’s server. Stolen data is said to contain personal details of staff, students, and parents. There is no indication that their other cloud-based systems were affected. The school’s headteacher stated that they do not have the financial means to pay a ransom and even if they did, they would not pay it as it would be a poor lesson for their students.
- Medusa also launched a ransomware attack on another school based in Chichester on the same day as the Bishop Luffa School attack. Rumboldswhyke Primary School had more data stored on their cloud-based systems and were less affected by the attack. Medusa posted a ransom of $100,000 for the deletion of hundreds of sensitive documents belonging to both schools. An investigation led by Surrey and Sussex’s specialist Cyber Crime Team is ongoing.
- Amazon-owned security camera company Ring was added to BlackCat’s list of victims in March. The group posted the company’s name on their leak site alongside the statement, “there’s always an option to let us leak your data.” It is not clear what specific data BlackCat has accessed, and no evidence of data exfiltration has yet been released. A spokesperson from Ring has reported that the company has “no indicators” that it has experienced a ransomware attack.
- Wymondham College in Norfolk, England faced disruption this month when its IT systems were targeted by a ransomware attack. The incident left staff unable to use computer resources and students without access to files. The school is working with the Department for Education and the National Cyber Security Centre. The Royal ransomware group claimed responsibility for the attack, but it is not yet clear what data was exfiltrated or whether any ransom demands were made.
- Dutch maritime logistics company Royal Dirkzwager fell victim to a cyberattack which forced them to take their systems offline and suspend several services. It took the company a week to clean and fully restore their systems. The Play ransomware group claimed responsibility for the attack and posted 5GB of data belonging to the company, representing only a portion of the data claimed to have been exfiltrated from their systems. The stolen data allegedly contained private and personal data, contracts, employee IDs, passports and more. The threat actors stated that they will publish all of the data if their demands are not met. At this time the ransom demand is unknown.
- The City of Allen Park was a victim of a ransomware attack this month, with the hackers demanding that officials pay up before the city’s data is released. Our research indicates that LockBit was behind the attack; officials have yet to comment.
- After an attack by Play ransomware group in February the city of Oakland was reported to have been hit by another attack. This time LockBit added the city to its dark web site, giving them until the beginning of April to pay the ransom. The embattled city is still attempting to recover from an earlier attack with a number of non-emergency systems still offline.
- Lumen Technologies suffered two separate cyber incidents in March, one of which was a ransomware attack. The communication and network services organization had to downgrade operations for a small number of its enterprise customers as a result of the incident. There is an ongoing investigation to evaluate whether any PII or sensitive data was exfiltrated. No one has yet claimed responsibility for the attack.
- Vumacam, a security system provider based in South Africa, confirmed that it was the victim of a ransomware attack during which a low-priority internal system was breached. The organization claimed that no critical, personal, or sensitive data was impacted and that the breach was remediated immediately. The organization made it clear that it does not negotiate with cybercriminals and that cybersecurity is a priority, which allowed it to contain the incident quickly. LockBit was responsible, but no information regarding ransom demands is publicly known at this time.
- Mumbai based drug company Sun Pharma fell victim to a cyberattack at the beginning of the month with BlackCat claiming responsibility 25 days later. The incident saw certain file systems breached, impacting both company and personal data. The business operations were impacted due to required network isolation and recovery. At this time the organization is unable to determine all of the ‘potential adverse impacts’ of the attack.
- Crown Resorts, Australia’s largest gambling and entertainment company, announced that it was a victim of Clop’s ongoing campaign exploiting the GoAnywhere vulnerability. The ransomware group claims to have stolen data from the network, but the organization is investigating the validity of the claim. According to reports there is no evidence of a data breach impacting customer data, and business operations have not been impacted.
- Tanbridge House School in West Sussex England experienced a ransomware attack at the hands of RansomHouse, locking employees out of their computers. According to the school’s headmaster, the attack had a big impact on the normal every day running of the school. RansomHouse, who have demanded an undisclosed ransom, taunted the school on its leak site stating, ‘we were waiting for you for quite some time, but it seems that your IT department decided to conceal the incident that took place in your company.’ The school previously told parents that there was no evidence of sensitive data having been stolen. However, an evidence pack was later released containing personally identifying information belonging to staff and students.
- Play ransomware group claimed BMW France as one of their latest victims, naming them on their dark web blog. The group threatened to leak data within the next two weeks if the company refused to pay the undisclosed ransom. Data stolen is said to include private and personal confidential data, contracts, financial information, and client documents. BMW Group experts are investigating the case and have not yet identified any system intrusions.
- An attack on the Washington County Sheriff’s Office in the Florida panhandle resulted in stolen data, including warrants and employee information, being leaked on the dark web by the LockBit criminal gang. The Sheriff’s Office claims to have ‘recovered’ from the incident and stated that it did not lose communication lines during the incident. The attack appears to have impacted department apps and took down finance and jail networks. Florida law prohibits government organizations from paying ransoms linked to ransomware attacks, so it is unlikely the criminal gang will profit from this attack. The Sheriff’s Office confirmed that it currently spends less than $20,000 on IT and database recovery systems.
- Lewis & Clark College announced they had been a victim of a ransomware attack orchestrated by Vice Society. The incident which caused widespread outages saw the ransomware group post exfiltrated files including samples of passports and documents including SSNs, insurance files, W-9 forms and contracts on the dark web. A statement released by the school confirmed that after consulting with experts and law enforcement it was not going to pay the undisclosed ransom.
April
April was the quietest month for reported ransomware attacks this year, with 27 incidents making the news, up from 25 in the same month the previous year. Data storage giant Western Digital was held to ransom by the BlackCat criminal gang, who demanded an 8 figure sum, while luxury German shipbuilder Lüerssen suffered an attack over the Easter break which reportedly brought much of the firm’s operations to a standstill. Here’s a look at who else made ransomware headlines during the month.
- Montgomery General Hospital in West Virginia was targeted by D#nut Leaks ransomware. The threat actors claimed to have gained access to the hospital’s network via a “Microsoft Exchange exploit.” D#nut’s negotiator stated that, due to the nature of the business, they did not encrypt or damage the network during the attack. The ransom was set at $750,000 but, after failed negotiations, the exfiltrated data was dumped on the leak site.
- During spring break Jefferson County Schools was a victim of a ransomware attack. Upon discovering the incident the district’s technology team took immediate steps to stop the attack while state and local authorities were notified.
- The Californian city of Modesto was a victim of the Snatch ransomware group. The attack, which happened earlier in the year, made news this month following a data breach notification. An investigation revealed that the accessed files contained sensitive personal information including names, addresses, Social Security numbers and driver’s license numbers.
- Early in the month, data storage giant Western Digital disclosed that a third party had gained access to and breached its systems, indicating that it may have been a ransomware attack. In a later media report, the hackers behind the attack claimed to have stolen 10 terabytes of data, for which they demanded an 8 figure ransom payment in exchange for not disclosing it. The BlackCat gang allegedly exfiltrated ‘reams of customer information’ which they threatened to leak if the organization refused to pay.
- The UK Criminal Records Office (ACRO) experienced a cyber incident which resulted in the shutdown of its customer portal, disrupting several operations for a prolonged period. In an email to users ACRO confirmed it has “recently been made aware of a cyber security incident affecting the website between 17th January 2023 and 21 March 2023.” They also stated they had no conclusive evidence that personal data had been affected.
- Money Message ransomware group claimed responsibility for an attack on MSI during which files were stolen from the PC maker. The group claimed that it breached the organization in order to steal source code, including the framework for the BIOS used in MSI products. The organization received communications demanding a $4 million ransom to stop the group from leaking their files. MSI have not disclosed whether customer data was affected but have stated that the breach is having “no significant impact” on its financials or operations.
- Neue Zürcher Zeitung was forced to shut down central systems for newspaper production and was still struggling to restart systems and services two weeks after a cyberattack. Reports suggested that a ransom was demanded, but a publisher from CH Media, which obtains IT services from NZZ, stated that, to his knowledge, no such request had been made.
- The Police Department of Camden County in New Jersey is investigating a ransomware attack which targeted their agency in March. It was reported that the agency remained operational and no disruption or outages to public safety response services were experienced as a result of the incident. According to sources the attack had been “locking many criminal investigative files and day-to-day internal administration abilities.” An investigation is ongoing.
- Australian consumer lender Latitude Financial suffered a ransomware attack which “lifted” 14 million customer records, including drivers licences, passports, and financial statements. The company has only begun to restore services after initially shutting down their systems to contain the attack. The firm disclosed that they would not pay an undisclosed ransom, in line with Australian government policies.
- German shipbuilder Lüerssen, known for making luxury yachts for the super-rich, suffered a ransomware attack over Easter, with local reports suggesting that much of the firm’s operations came to a standstill as a result of the incident. In coordination with experts the organization initiated the necessary protective measures and informed the responsible authorities. It is not clear at this time who was responsible for the attack or whether any sensitive customer information was stolen.
- Retina & Vitreous issued a press release regarding unusual activity within its networks in February. It stated that an investigation determined that some personal and protected health information may have been acquired without authorization. The BianLian ransomware group has since claimed responsibility, publishing 170GB of files on its leak site. The stolen information included protected health information of patients, financial data of the practice, and human resources files. The incident was reported to the HHS as affecting 35,766 patients.
- A ransomware attack on a data center caused NCR’s Aloha POS platform to suffer an outage which left hospitality businesses unable to use the system, and it was reported that some restaurants are still being impacted. Upon discovering the incident, the organization began contacting customers, engaged third party cybersecurity experts and launched an investigation. BlackCat claimed responsibility, but it is unclear at this time what information, if any, was exfiltrated by the threat actors.
- The Medusa ransomware group claimed Uniondale Union Free School District as a victim, adding them to their leak site with some sample files and a ransom deadline. The group gave three payment options: $1,000 to extend the deadline by one day, or $1 million either to delete all of the data or to download it. Files published on the site included students’ personal information as well as personnel information. No other information about this incident has been released, and no notice is available on the district’s website.
- LockBit added Pineland Schools in New Jersey to their leak site, adding a sample of the 65GB of data they claimed to have exfiltrated. The listing did not indicate the ransom amount.
- U.S. network infrastructure giant CommScope suffered a ransomware attack at the hands of Vice Society, with the hackers publishing a trove of stolen data on their leak site. The stolen data included internal documents, invoices and technical drawings, alongside personal data relating to thousands of CommScope employees. The attackers appear to have gained deep access to the network, exfiltrating backups of data from its customer portal and internal intranet. It is unclear how many employees have been affected by the incident.
- Evide, a company responsible for managing data for around 140 charities and non-profit organizations across the UK and Ireland was targeted by cybercriminals. At least nine organizations, including four who deal with victims and survivors of rape and sexual abuse, were impacted. When made aware of the incident the organization contacted police and engaged cybersecurity specialists to contain the issue and support recovery efforts. At this time no-one has claimed responsibility for the attack and no “highly sensitive or personal information” stolen has appeared on the Dark Web.
- In mid-April, Twitter users began discussing that Banco de Venezuela had been affected by a LockBit ransomware attack. The bank itself issued a statement regarding the spread of information on social media without denying or confirming the news. The attack did not impact the bank’s platform equipment and electronic services continued to function normally. Aside from evidence photos on the leak site, no further information about the nature of the stolen data has been provided. 10th May was given as a deadline to pay the undisclosed ransom amount.
- Point32Health, a leading health insurer and parent company of Harvard Pilgrim Health Care and Tufts Health Plan, suffered a large technical outage due to a ransomware attack. Law enforcement and regulators were notified about the incident and the organization collaborated with third party cybersecurity experts to investigate and resolve it. It is not yet clear whether the incident involved sensitive information from members and at this time no-one has claimed responsibility for the attack.
- Tank storage company Vopak was targeted by a ransomware attack which affected its Pengerang Independent Terminals (PTSB) site in Malaysia. A tweet from the company confirmed that an IT incident resulted in the unauthorized access of some data but that the terminal remained fully operational. Reports point to BlackCat as the culprit for this attack, although the group itself has yet to confirm this.
- Yellow Pages Group, a Canadian directory publisher confirmed that it had been hit by a ransomware attack. The Black Basta ransomware gang claimed responsibility, later posting sensitive documents and other data exfiltrated during the incident on their leak site. Leaked information included ID documents and tax documents relating to employees, sales and purchase agreements, and company financial information.
- Kenya’s Naivas supermarket chain became a victim of the BlackCat criminal gang with the group claiming to have stolen more than 1TB of data. The organization managed to contain the attack and continue operating as normal. The chain assured customers that certain customer data, such as credit/payment card information was not at risk. Alongside proof claims BlackCat posted a statement on their leak site detailing how data will be sold for money laundering and other criminal activities. It is not yet clear exactly what data was exfiltrated and what ransom was demanded.
- Gateway Casinos was forced to close 14 casinos across Ontario due to a cyberattack that left the organization scrambling to restore its IT systems. Gateway officials were not able to confirm a reopening date for their casinos at this time but confirm that they are working with relevant parties to restore systems, open casinos and get employees back to work. They have also stated that there is no evidence that personal information of their customers was impacted.
- US commercial and defense shipbuilder Fincantieri Marine Group was hit by a ransomware attack in mid-April. The incident caused temporary disruption to certain computer systems on its network, rendering data on network servers unusable which impacted critical CNC manufacturing machines. Upon discovery, systems were immediately isolated, and the incident was reported to relevant agencies and partners, with additional resources brought in to investigate the incident and restore the affected systems. The organization clarified that there was no evidence that employees’ personal information was impacted. No ransomware group has yet claimed responsibility for the attack.
- Spartanburg County in South Carolina issued a statement confirming that it had detected and responded to a ransomware attack. Upon discovering the attack county officials began working to investigate, restore operations and determine the effects of the incident. Third party cybersecurity consultants and law enforcement were aiding in the investigation.
- NYSARC Columbia County recently confirmed that it fell victim to a ransomware attack in July 2022. The latest press notice stated that it would issue notices to those who were impacted by the attack. Although the COARC is unaware of any misuse of personal information, it has been disclosed that data including PII may have been impacted. Details around what data was exfiltrated and any ransom demands or payments have not been made public.
- Hardenhuish School, a large secondary school and sixth form in the UK has confirmed it was the victim of a ransomware attack which disrupted the operations of its IT network, website, local servers, WiFi, printers, and internal phone systems. Hackers took control of IT systems and demanded a ransom to restore access. The school reassured parents that disruption was minimal and returned to paper registers as a result of the incident. Upon discovering the incident, a third-party IT specialist was appointed to investigate and restore the systems. No ransomware group has yet claimed responsibility.
- Boston’s Emmanuel College was added to the AvosLocker data leak site in a note that read “Oh no! 140GB student and staff confidential data exfiltrated. If you value protecting students, pay us instead of shutting down domains.” Although there was no notice of the attack on the college’s website, they did tweet information concerning an IT outage at the end of the month.
May
The month of May was a record-breaker as we recorded a massive 66 publicly disclosed ransomware attacks, the highest we have ever recorded since we started this blog back in January 2020. Royal, LockBit and BlackCat were the most active during the month, while education remained the most heavily targeted sector, with a few attacks on religious organizations also noted which is an uncommon occurrence. Cybersecurity firm Dragos made headlines when they were targeted by a failed extortion attempt, while an attack on health services organization Harvard Pilgrim caused havoc for patient care, and dental insurance provider MCNA informed nearly 9 million patients that their data had been impacted by a cyber incident. Let’s see who else made ransomware headlines in May:
- Penncrest School District in Pennsylvania announced that it had fallen victim to a ransomware attack at the beginning of May. The incident disrupted certain aspects of operations, forcing the district to shut down and disconnect its entire network and technology infrastructure. Network access was limited for up to three weeks. In an update the Superintendent claimed that there was no evidence of any data loss, data access or data theft.
- Royal Ransomware Group targeted Montana State University (MSU), claiming to have stolen over 100GB of data. The cyberattack also caused disruption across MSU’s online services. Royal are yet to post any proof of exfiltrated student or faculty data and no further information on the incident is currently available.
- Australian commercial law firm HWL Ebsworth was the victim of a BlackCat ransomware attack during which 4TB of data was exfiltrated. Information stolen included IDs, finance reports, accounting data, client documents and credit card details. Reports suggest that the ransom demanded was around $5 million and that the law firm refused to pay. Sources also revealed that several high-profile clients removed their files from HWLE as they grew concerned about their data.
- Catholic publishing firm Our Sunday Visitor was compromised by the Karakurt ransomware gang and the incident resulted in 130GB of data being exfiltrated from the organization. Stolen data is said to include employee information, accounting files, HR documents, invoices, marketing details and financial contracts. Immediate action was taken to secure its systems after suspicious activity was identified.
- AvidXchange suffered its second ransomware attack of 2023. RansomHouse claimed responsibility for the attack and encouraged the software provider to contact them to prevent confidential data being leaked. A sample of stolen data included non-disclosure agreements, employee payroll information and corporate bank account numbers alongside login details for a variety of the company’s systems. It remains unclear how AvidXchange was compromised, how many individuals were impacted and how much information was exfiltrated.
- Royal ransomware group added the City of Dallas to its victims list this month, forcing them to shut down some IT systems to prevent the spread of the attack. Several functional areas including the police department were impacted, forcing 911 dispatchers to write down reports for officers rather than using computer-assisted dispatch systems. Printers printed ransom notes which seemed to taunt the city stating, “most likely what happened was that you decided to save some money on your security.” Reports included council members agreeing with the cybercriminals’ messaging, highlighting that they believe there was a significant underinvestment in cybersecurity in recent years. The investigation is still ongoing.
- EdisonLearning, a provider of school management systems for public schools, was infiltrated by the Royal ransomware group who claimed to have stolen 20GB of data. The exfiltrated data is said to include personal information of employees and students. However, the organization’s Director of Communications has stated otherwise, claiming that impacted systems contained no student data. As with other Royal attacks, the group taunted the organization, writing “looks like knowledge providers missed some lessons of cybersecurity. Recently we gave one to EdisonLearning and they have failed.” Reports suggest that a ransom was demanded and that the two parties have entered into negotiations, but no further information is currently available.
- Bluefield University saw its systems crippled by a cybersecurity attack orchestrated by AvosLocker. The ransomware group were able to directly communicate with everyone on the university’s RamAlert system. Communications gave details of the attack, with the cybercriminals claiming that they exfiltrated 1.2TB of files including admissions data from thousands of students and stating that they would continue to attack if BU’s president doesn’t pay. The ransom amount has not yet been disclosed. BU released a statement saying that they are currently investigating the incident and “have no evidence that any information involved has been used for financial fraud or identity theft.”
- Play ransomware group targeted the Valais municipality of Saxon at the end of April this year. The ransomware group threatened to publish stolen data which includes “confidential, private and personal data, finance, human resources, contracts and employee documents.” It is not known how long the threat actors had access to the network or how they exfiltrated the data. An investigation into the incident continues.
- Italian water supplier Alto Calore Servizi SpA suffered a ransomware attack which rendered all of its IT systems unstable. The company was unable to carry out any operations or provide information that required querying the database. The Medusa ransomware group took credit for the attack, giving the company seven days to pay the ransom of $100,000 in exchange for deleting the data. The threat actors provided samples of stolen data, which is said to include customer data, contracts, reports, expansion documents and more. The organization declined to comment on when systems would be restored or if they intended to pay the ransom.
- Lake Dallas Independent School District was added to the Royal ransomware gang’s leak site after an attack in late April. The threat actors claimed that they had gigabytes of data belonging to students and staff, including hundreds of SSNs and passport information. They also said that their attack was a “result of being non-progressive in cybersecurity.” The district provided notification to the Texas Attorney General’s Office that 21,982 Texas residents had been affected by the incident.
- Trigona ransomware group listed Unique Imaging on their dark web leak site this month after claiming to have been living in the organization’s network for months. The group listed prices for auction of the data alongside a countdown clock and a data sample. The data included hundreds of scanned PDF files containing protected health information, health insurance cards, driver’s licenses, and purchase orders. Trigona were also able to access the Radiology Information System (RIS), electronic health records specific to radiology. It is not clear how much data was exfiltrated or what the ransom demand was.
- South Carolina-based Relentless Church had employee data stolen by the LockBit ransomware group, the second reported attack on religious organizations during the month. Upon discovering the incident the church’s IT team took immediate action and subsequently hired a top security firm to examine the source of the breach and safeguard the data of both the church and its congregation. No further information about this attack has been made public.
- Crown Princess Mary Cancer Centre in Sydney was breached by the Medusa ransomware gang who threatened to release data after seven days unless the ransom was paid. The proof pack provided by the threat actors included a file tree listing more than 10,000 files on the system, and archive images of specific files revealing medical information. The ransom demanded to delete all of the data was $100,000.
- Canadian diversified software company Constellation Software confirmed that it had fallen victim to a cybersecurity incident during which systems were breached and personal information and business data stolen. BlackCat claimed responsibility saying it had stolen more than 1TB worth of files. The organization stated that a limited amount of both personal and business data has been impacted. At this time, it is not clear what the ransom demand was nor whether Constellation were intending to pay the threat actors.
- A ransomware attack targeting Rochester Public Schools resulted in theft of some employee and student information. The district was forced to shut down its network causing a significant impact on the district’s operations. It has also been confirmed that Minnesota Comprehensive Assessment tests would not be administered to students this year as a result of the incident. The district refused to pay the undisclosed ransom to threat actors and an investigation involving the FBI continues.
- San Bernardino County Sheriff’s Department confirmed that it suffered a ransomware attack which forced it to temporarily shut down computer systems including email, in-car computers, and some law enforcement databases. Officials confirmed that the hackers demanded a ransom of $1.1 million but after negotiations, the county paid $511,852 with its insurance carrier left to cover the rest. The extent of the attack, including whether sensitive information was compromised, is still unknown. The name of the ransomware group behind the attack has not been made public but it is believed to be based in Eastern Europe with ties to a larger network of Russian hacking operations.
- Bl00dy Gang claimed responsibility for an attack on the Socrates Academy in North Carolina. It’s still unclear what data was stolen but from evidence on the group’s dark web site it seems that Socrates Academy’s entire network could have been impacted. Information said to have been exfiltrated from both victims includes student and employee information and financial documentation. It is even said to include QuickBooks data, giving access to tax info and much more.
- Bl00dy Gang struck again, this time hitting the Movement School in North Carolina. Details of the attack or what data may have been compromised are still unknown and the school has yet to comment on the attack.
- Murfreesboro Medical Clinic suffered a ransomware attack which caused the clinic to shut down all operations for three days to limit the spread of the attack. It was reported that BianLian was responsible for the attack, with its leak site claiming to have exfiltrated 250GB of files from the victim. Data stolen included HR documentation, financial data, business data, legal cases, and SQL databases.
- Nashua School District in New Hampshire continues to work with experts to determine what records or personal information was stolen during a “sophisticated cyberattack”. Despite the attack, schools remained open across the district in PK and K-12 and business carried on as usual. Royal ransomware group claimed responsibility, stating on its leak site that the school district “doesn’t need its 728GB of data” which contains SSNs, passports and personal information relating to both students and employees.
- Akira ransomware group claimed responsibility for an attack on Mercer University in Georgia. The University detected unauthorized access to its network and immediately launched an investigation with the assistance of law enforcement and outside legal and technical consultants. It was reported that some data, including SSNs and driver’s licence numbers, was stolen during the incident but there has been no evidence that personal financial information was impacted. Mercer are in the process of notifying all of those individuals affected.
- Basel’s Department of Education experienced a ransomware attack during which their main servers were impacted. BianLian gained access to the networks via a malicious email and exfiltrated around 1.2TB of data. The data was published on the dark web when ransom demands were not met. The sensitivity of the data is currently being analyzed.
- Play ransomware claimed the City of Lowell in MA as a victim in May, causing chaos across the City’s computer systems. Phone lines, emails and other systems were brought down by the attack, taking days for these to become fully operational again. The ransomware group exfiltrated 5GB of data, which is said to include sensitive documents such as personal data, financial documents, budgets, and government IDs. The ransom demand has not been made public, but reports suggest that the data has been published, meaning that it is unlikely that the city negotiated with the group.
- Cybercriminals attempted to breach defenses and infiltrate internal networks in Dragos as part of an extortion attempt, but were not successful. They did however gain access to the company’s SharePoint and other contract management systems. The threat actors gained access through a compromised personal email of a new sales employee prior to their start date, enabling them to complete initial onboarding steps. During the 16 hours that they had access to the systems they downloaded “general use data” and 25 intel reports which are usually only available to customers.
- The National Gallery of Canada spent two weeks recovering after a ransomware attack forced the art museum to shut down its IT systems. Upon discovering the incident the institution attempted to isolate the affected networks whilst hiring a cybersecurity company to conduct a forensic investigation alongside the Canadian Centre for Cyber Security. It has been reported that no customer data was stolen but some operational data was lost.
- Essen Medical Association was added to the BlackCat ransomware group’s leak site on April 6th, with a recent update stating “we gave you time and went into a meeting. Our patience has run out!” The group claim to have stolen a total of 2.6TB of data during the attack.
- Mercy Home in New York fell victim to an attack orchestrated by BianLian in May. No notice has been posted on the organization’s website, but the ransomware group claim to have exfiltrated 533GB of data. No further information on this incident is currently available.
- Another healthcare organization breached by BianLian, during the same week as Mercy Home, was Synergy Hematology Oncology Medical Associates. The threat actors claim to have stolen around 200GB of data from the Californian organization, but no proof or further information of the attack has been made public at this time.
- Swiss multinational tech firm ABB was impacted by a ransomware attack, affecting business systems, delaying projects, and impacting factories. Upon discovery of the incident ABB terminated VPN connections with its customers to prevent the spread of the attack. Reports from employees suggest that the organization’s Windows Active Directory was affected, in turn affecting hundreds of devices. An investigation is ongoing, attempting to identify and analyze the nature and scope of the affected data.
- It was revealed that a ransomware attack impacted the data of around 16,000 members of the Law Society of Singapore. A vulnerability in the organization’s VPN is said to be linked to the attack. Threat actors, who have yet to be named, used an easily guessed password for a compromised administrator account to create a new account with full access to servers. The servers were then accessed, and their contents encrypted. Data including names, addresses, DOBs, and NRIC numbers were stolen during the incident. It was also discovered, during the investigation of the attack, that the Law Society had not conducted periodic security reviews for three years.
- Richmond University Medical Center suffered a ransomware attack forcing it to implement network downtime procedures. Although the impact was reportedly limited, clinicians were forced to monitor patients and enter data with manual processes. The organization is investigating the scope of the attack and the impact on patient data with the support of an external cybersecurity firm. No-one has yet claimed responsibility for the attack and no further details are available.
- Money Message exfiltrated 4.7TB of data containing information on 5.8 million patients during an attack on PharMerica. The pharmacy service provider was breached earlier in the year, discovering the incident soon after. The threat actors published the data which included names, addresses, DOBs, SSNs, medication lists and health insurance information. The data was not only leaked on the group’s dark web leak site but was also made available on a clearnet hacking forum. It is unclear if a ransom was demanded and if the organization entered into negotiations with the cybercriminals.
- Methodist Family Health is in the process of notifying patients in Arkansas of a ransomware incident which occurred earlier in the year. The threat actors spent two days within the systems before they were discovered, and their access terminated. Investigations involving external cybersecurity and privacy specialists found that a variety of documents used to provide pharmacy services, which contain health information, were copied without authorization. No group has yet claimed responsibility for this attack, and it is not yet known how many patients were impacted.
- Non-banking financial company Fullerton India suffered a major ransomware attack and is now notifying stakeholders about the incident that forced the company to take its systems offline. LockBit claimed responsibility for the attack, exfiltrating 600GB of data. Leaked data included loan agreements, data on international transfers, financial documents and sensitive personal information belonging to customers. LockBit demanded a ransom of $2.9 million to recover stolen data.
- Utah-headquartered Academy Mortgage saw its systems infiltrated by BlackCat mere months after settling an underwriting fraud case. The threat actors claimed to have been in the network for a long time and are said to have stolen confidential data. It is also claimed that the firm refused to pay the undisclosed ransom. The organization is yet to comment on the incident.
- MásMovil Group suffered a ransomware attack on three of their brands, Euskaltel, R and Telecable, causing issues with its customer service channels and system access. Clients of these three brands were also unable to access the self-management apps. LockBit claims to have exfiltrated 3TB of data from R and another 100GB of data from Euskaltel, which includes sensitive personal information. MásMovil have been given until June 5th to settle the undisclosed ransom demands before their data is published.
- French electronics manufacturer Lacroix Group was forced to shut down three plants on two continents to contain a ransomware attack. The security team managed to intercept the “targeted cyberattack”, however the attackers managed to encrypt local infrastructure in the French, German and Tunisian facilities. It is currently unknown what data was impacted during the incident and no group has claimed responsibility.
- Curry County in South Oregon was left struggling to function after a ransomware attack left it unable to access any of its digital information. The county was targeted by Royal ransomware group, who demanded an undisclosed ransom in exchange for access to the inaccessible information. The county is collaborating with state police, the FBI, and the Department of Homeland Security in an ongoing investigation.
- The foreign trade agency for the Federal Republic of Germany, GTAI, fell victim to a ransomware attack that impacted its website, email and phone services. The website stated that due to a hacker attack, the agency was only able to be reached to a limited extent. Play ransomware group claimed responsibility for the incident, claiming to have stolen a lot of sensitive information. There is no further information available about the attack.
- Technology provider ScanSource announced that it had suffered a ransomware attack impacting some of its systems, business operations, and customer portals. In mid-May, ScanSource reported that they no longer had access to the company’s customer portal and websites, fearing a cyberattack. The company is working closely with forensic and cybersecurity experts to investigate the extent of the incident, minimize disruption and mitigate the situation.
- KD Hospital in India fell prey to a ransomware attack which blocked the hospital from accessing all its online systems including patient data and hospital files. All server data belonging to the hospital on its online server was encrypted. The attackers, who are still unknown, sent a ransom demand via email, asking for $70,000 in bitcoin for the decryption of the files. Upon discovery of the attack, all linked servers were disconnected to limit the spread and an investigation began to check if the data could be recovered.
- Dunghill ransomware gang claimed responsibility for an attack on Gentex Corporation in April, but Gentex only confirmed the incident this month. The attackers have allegedly exfiltrated 5TB of sensitive corporate information from the Michigan-based technology and manufacturing company. Data is said to include emails, client documents and personal data of 10,000 Gentex employees. As the organization ignored the leak, Dunghill claims to have shared stolen data with competitors in China, India and the U.S. Gentex have acknowledged the attack but has made no further comment.
- Franklin County Public Schools was forced to shut down certain school systems and cancel classes in the wake of a ransomware attack. The authorities initiated an internal investigation, with third-party experts brought in to resolve the situation. Investigations continue in collaboration with the FBI and law enforcement, but it is yet unknown if any private information was impacted by the incident.
- Harvard Pilgrim Health Care is still feeling the effects of a ransomware attack which took place mid-April. The cyber incident led the company to take nearly all of its systems offline in order to contain the damage. This downtime meant that the health insurance company were unable to confirm patient eligibility, causing disruption for its members. An investigation confirmed that files containing personal data and protected health information were impacted during the attack. No-one has yet claimed responsibility for this attack.
- LockBit orchestrated an attack against Farmalink’s prescription drug sales system, giving them 28 days to negotiate and make a ransom payment before exfiltrated data is published. Reports suggest that there has been no dialogue between the two parties. During the incident, networked computers stopped working and the software that manages the virtual machines was disconnected. It is not clear at this time what data was exfiltrated by the threat actors.
- 5TB of personal and financial information stolen from Bank Syariah Indonesia was published by LockBit in May. The cyberattack forced the bank to switch off several channels to ensure system security, some of which remained inaccessible for a number of days. LockBit claimed that the bank “brazenly lied to their customers and partners, reporting some kind of ‘technical work’ was being carried out at the bank.” Data exfiltrated during the attack included personal and financial information relating to around 15 million customers and employees. The bank entered into negotiations with the ransomware group, offering them $10 million to recover the stolen data. LockBit counter-offered with $20 million before going silent.
- Buckley King LPA law firm was reportedly attacked by Black Basta, who managed to enter the firm’s IT systems via a social engineering attack. The data stolen contained over 230,000 directories and more than 76,000 files. Black Basta contacted the law firm stating that they had 110GB of files, demanding $400,000 to delete data, provide a decryptor and provide a “security report.” The negotiations ended, with the group agreeing to accept a ransom payment of $150,000.
- Black Basta supposedly breached Viking Coca-Cola, one of the largest Coca-Cola bottlers in the US. The ransomware group has not disclosed what type of data they exfiltrated and at this time, no data has been leaked. This likely indicates that negotiations are still taking place between the organization and cybercriminals. Viking have yet to comment on the incident.
- Madhya Pradesh Power Management Company in India suffered a ransomware attack which crippled its internal IT system used for communication among different functionaries of the state-run entity. In the aftermath of the attack the organization put an alternative method in place to ensure urgent work was not affected. Reports suggest that those behind the incident did not make a ransom demand at the time but did provide the company with email IDs to contact them. It is not clear exactly what data was stolen during the incident.
- Clarke County Hospital admitted to an attack and data breach following the Royal ransomware gang sharing details of the incident on the dark web. Security researchers noticed that data from the attack was actively being leaked towards the end of April, but the hospital only acknowledged the attack on May 17th. A notification letter suggests that personal information including PII, and some health information may have been acquired by an unauthorized third party, but emphasizes that EMR, SSNs and financial information were not involved in the breach.
- International audit, accounting and consulting firm Mazars Group appeared on BlackCat’s leak page this month. The gang claimed to have stolen over 700GB of data including agreements, financial records, and other sensitive information. The organization are yet to make any comment on the incident.
- Rheinmetall, the German automotive and arms manufacturer was allegedly breached by Black Basta, appearing on the group’s leak site in mid-May. The post on the site included several data samples including NDAs, agreements, technical schematics, passport scans, and purchase orders. The organization confirmed the attack, clarifying that it only affected the civilian department of the business. Details on ransom demands and if negotiations took place have not been made public.
- The Insurance Information Bureau of India fell victim to a ransomware attack at the beginning of April, leaving nearly 30 server systems encrypted and data inaccessible. An internal investigation revealed that hackers stole certain confidential information from the company’s database, with firewall logs indicating the exfiltration of 16GB of data. Police have reported that the threat actors, who are believed to be pro-Russian, have demanded $250,000 in BTC for a decryption key. IIB refused to pay the ransom as it believed that paying a ransom doesn’t guarantee the deletion of stolen data.
- The notorious Cuba ransomware gang is believed to be behind the cybersecurity incident that severely impacted The Philadelphia Inquirer. After discovering the breach, the company took down its IT systems and was able to find a workaround allowing them to continue to post news stories online. According to a post on the gang’s dark web blog, sensitive data including financial documents, account movements, tax documents and source code was stolen during the attack. After reviewing the leaked data, The Inquirer reported that the files did not belong to its company. The entry on Cuba’s site was later removed. An investigation is still ongoing.
- Monti has claimed responsibility for a ransomware attack on Italian Health Authority, ASL 1 Abruzzo. Several services were blocked, making it “impossible” to book an appointment with the health service. Although ASL 1 Abruzzo claims otherwise, the ransomware group claim to have sensitive health information, including that of HIV patients. An investigation involving IT technicians and experts from a cybersecurity task force continues.
- Thomas Hardye School in Dorchester had its screens and systems locked by a cyberattack, leaving the school unable to receive emails or accept payments. The attack was accompanied by a ransom demand but the threat actors behind the attack have not yet been named. The school said it would not be paying the ransom and was working with the National Cyber Security Centre and law enforcement to resolve the issue. The school remained open with teaching and learning adapted accordingly.
- Morris Hospital was added to Royal ransomware group’s leak site in late May, with a small sample of files as proof of claims available to view. An investigation was launched when the hospital detected unusual activity on its network, indicating that an unauthorized third party had gained access. The hospital’s electronic medical records were not compromised during the attack. The incident did not impact patient care or hospital operations. The statement given by the hospital did not indicate whether files were encrypted or whether they received a ransom demand.
- Norton Healthcare in Kentucky and Indiana disclosed a cybersecurity incident in early May but did not label it as a ransomware attack even though they received threats and demands. BlackCat claimed responsibility for the attack a few weeks later, claiming to have exfiltrated 4.7TB of data. The ransomware group released a “public announcement” taunting the healthcare organization, stating that Board Members have failed to protect privacy of their clients and employees. The sample of stolen data includes personal and sensitive information of patients alongside financial information and employee personnel information. An update on this incident, including if the parties entered into negotiations, is not currently available.
- Managed Care of North America (MCNA) Dental informed almost 9 million patients that their personal data was compromised via a data breach notification on its website. The organization became aware of unauthorized access to its computer systems in March, with an investigation revealing that access was first gained as early as February. Hackers stole patient data including PII, health insurance information, bills and insurance claims and care programs. LockBit claimed responsibility and threatened to publish 700GB of sensitive, confidential information unless they received $10 million. Since then, the ransomware group has published all of the data on its website.
- BlackByte has claimed responsibility for the ransomware attack on the City of Augusta, GA. A sample of 10GB of data was released on the dark web, containing PII, contacts and city budget allocation data, with the group claiming to have exfiltrated “much more” during the incident. The group taunted the city with the words “The clock is ticking.” The ransom demanded in exchange for deleting the data was set at $400,000. BlackByte offered to sell the data to interested third parties for $300,000. An investigation continues, with the city stating that they have not yet confirmed that any sensitive data has in fact been compromised.
- Two different ransomware groups claimed successful attacks on Albany ENT & Allergy Services. AENT determined that an unauthorized actor may have gained access to certain systems that stored personnel and protected health information. It is now believed that the breach may have impacted more than 200,000 individuals. BianLian was first to claim responsibility, adding the practice to its leak site and claiming to have exfiltrated 630GB of files. It went on to leak personal, business, and financial data in multiple parts. RansomHouse later claimed to have infiltrated internal systems and siphoned 2TB of data from the attack, which was allegedly leaked a few weeks later. AENT has not commented on the validity of threat actors’ claims.
- Onix Group recently confirmed in a “Notice of Data Security Incident” that they were targeted by ransomware in March this year. The press release revealed that an unauthorized party was able to access confidential consumer data held by the healthcare services provider. Information breached includes names, SSNs, DOBs, as well as scheduling, billing, and clinical information of those consumers using Addiction Recovery Systems, Cadia Healthcare, Physician’s Mobile X-Ray and Onix Hospitality Group. The organization is in the process of notifying individuals affected. No ransomware group has yet claimed responsibility for this incident.
- Legal technology platform Casepoint is one of BlackCat’s most recent victims, with the well-known gang claiming to have over 2TB of the company’s data. Casepoint appeared on the group’s dark web site with the blog post showing sample data which included visa details, a report, and a certificate. From the information we have it is unclear what ransom has been demanded and when the deadline for payment is.
- New York based biosciences and diagnostics company, Enzo Biochem, confirmed that it experienced a ransomware attack. Threat actors gained “unauthorized access to or acquisition of clinical test information of approximately 2,470,000 individuals.” The information accessed, and in some cases exfiltrated, included names, test information and approx. 600,000 SSNs. The company is still investigating the incident but has noted that it has and will continue to incur expenses related to the remediation of the attack. No ransomware group has taken credit for the attack to date.
- Mission Community Hospital in California allegedly experienced a ransomware attack which RansomHouse have now claimed responsibility for. The criminal group claimed to have downloaded 2.5TB of data during the incident. From the proof pack provided on the group’s dark web site, it seems they have accessed the imaging system and image files as well as employee related data and some financial reports. The hospital is yet to comment on the incident.
June
June was the second busiest month of 2023 with 46 publicly disclosed ransomware attacks recorded, not including the victims of the MOVEit attack. Education and healthcare continue to remain two of the most targeted sectors, with eleven and nine attacks respectively. Data exfiltration remains the tactic of choice as cybercriminals continue to focus on extortion. Beverly Hills Plastic Surgery, University of Manchester and Reddit all made headlines when threat actors threatened to publish troves of personal information exfiltrated during the attacks.
Clop made the majority of ransomware headlines this month following a vulnerability in MOVEit file transfer software. Many prominent organizations fell victim to this attack including British multinational gas & oil company Shell, global accounting firm PwC and a number of US state governments. Those impacted had until June 21st to negotiate with the ransomware group before data was published. The current victim list is massive and growing, and Clop continues to share new entries every day, you can read the victim list in our dedicated MOVEit blog, which is updated with new information as the story unfolds.
Let’s find out who else made the ransomware headlines in June:
- Some electronic services at Akron-Summit County Public Libraries were offline as a result of a ransomware attack which affected its network. Upon learning of the incident, internal teams and cybersecurity experts acted quickly to investigate and secure the systems. An investigation is still ongoing.
- The University of Waterloo in Ontario, Canada suffered a cybersecurity incident which compromised the on-premises email server. Although the server was compromised, 99.9% of email users were not affected. The attack was interrupted thanks to prompt actions from law enforcement, internal teams and external cybersecurity partners. No group has yet claimed responsibility for this attack.
- The FBI and Department of Homeland Security prompted a joint investigation after a ransomware attack targeted Middlesex County Public Schools in Virginia. Daily operations were minimally impacted but the primary concern was to ascertain whether personal information was compromised. Akira ransomware group later claimed responsibility for the attack stating they exfiltrated 543GB of data.
- Swiss IT company Xplain fell victim to a cyberattack at the start of June, putting the data of many government departments at risk. Play ransomware group quickly took responsibility while publishing data on their leak site. The organization stated that they did not make contact with the threat actors and would not be paying any ransom. Xplain analyzed the data and is taking next steps after consulting with clients directly affected. The extent of the data theft has not yet been disclosed.
- Rhysida, a ransomware group which first emerged in May, claimed the Government of Martinique as a victim, adding it to its leak site. As soon as the incident was discovered, measures were taken to isolate the affected system, but major disruption was still caused to communities, users, and partners. Teams accompanied by cybersecurity experts were mobilized to identify the cause of the attack and gradually restore activities, with priority given to finance, solidarity, and education. Rhysida released a sample of government related files but has not yet indicated how much data was actually exfiltrated during the attack.
- Major Spanish lender Globalcaja experienced a ransomware attack which impacted computers at several offices but claimed it did not affect transactions of entities. Security protocols were activated, leading the organization to disable some office posts and temporarily limit the performance of some operations. Play ransomware claimed the attack on the bank and are said to have stolen an undisclosed amount of private and personal confidential data including client and employee documents, passports, and contracts. It is unknown whether Globalcaja has met the ransom demands.
- EliTech Group, based in Paris, fell victim to a ransomware attack at the hands of Snatch. The organization sells diagnostic instruments and software to its global partners meaning there could be danger of a supply chain attack if the ransomware gang were able to garner access to the software provided by the company. There are very few details about this attack available at this time.
- London-based consultancy firm The Briars Group was also listed as a victim on Snatch ransomware group’s site this month. Details on the attack are vague at the moment, with the organization yet to comment on the incident.
- South Jersey Behavioral Health Resources disclosed that they were hit with a ransomware attack at the beginning of April. The notification states that the investigation is still ongoing and at this time it is not yet known if any data related to individuals was accessed or stolen by an unauthorized user. Personal information held by SJBHR includes PII and medical data. They did not indicate what group attacked them, or what ransom may have been demanded.
- A new group of threat actors known as Nokoyawa added Canopy Children’s Solutions to its leak site in early May, claiming that 150GB of files were exfiltrated. A statement was released admitting that they had experienced an attack which encrypted some of their files. The non-profit behavioral health, educational and social service solutions provider is conducting a comprehensive review to identify any personal information accessed and to whom the information relates. No individuals have yet been contacted.
- A hacker, who goes by the username Bassterlord, breached the luxury watch retailer Cortina, which is based in Singapore. The hacker claims to have stolen 2GB of data from the company and states in his Tweet that they don’t believe that “very rich clients will want their addresses to be public.” A sample of the stolen data appears to include contact details such as names and email addresses.
- Self-styled hacktivist group Anonymous Sudan targeted Scandinavian airline SAS in May, knocking the airline’s website and applications offline. The group published fresh posts on its Telegram channel seemingly mocking and taunting the airline. The amount demanded as ransom was $3,500 in exchange for either telling the organization how to repel the attack or stopping the attack entirely. The group then increased the amount to $175,000 when the airline did not meet the demands, stating it would continue to increase the payment and keep the affected services down until the airline paid up. The amount has since been increased two more times, with the most recent demand totalling $10 million. The organization’s website is now up and running again but customers are still reporting issues. There has been no indication that SAS has any intention of negotiating with the threat actors.
- YKK Group, the world’s largest manufacturer of zippers, was listed on LockBit’s dark web blog with a warning that all available data will be published. The post does not reveal the type of data exfiltrated in the attack. YKK USA contained the threat before any significant damage could be done or sensitive information stolen. The organization stated that there was no evidence that personal or financial information or intellectual property was compromised as a result of the incident.
- Japanese pharmaceutical giant Eisai Co. was hit by a ransomware attack which encrypted a number of its servers. To limit the attack from progressing further, it cut off links with part of its domestic and overseas internal systems. The organization claims to have no knowledge of leaks involving confidential information. Eisai is working with experts and police to investigate the attack and restore the systems. The company is remaining tight lipped regarding ransom demands and it is not known, at this time, who is responsible for the incident.
- It has been known for some time that Pacific Union College was the victim of a cyberattack, but it has since emerged that it was targeted by Trigona ransomware group. In April a statement was released on the college’s website notifying students of an ongoing cyber issue affecting internal networks, phone systems and web services. It has now been confirmed as a ransomware attack, with federal authorities and cybersecurity teams involved in the recovery and investigation process. The college has remained silent about Trigona’s claims regarding 120GB of data, stating that they “do not have evidence that personal information has been compromised.” Trigona claims to have exfiltrated data including employees’ and students’ personal information, commercial contracts, NDAs and confidential high-cost information. The ransom demanded was $200,000 for the deletion of data and a security report; if the ransom is unpaid, the data will be sold or auctioned off.
- Vaud Promotion immediately set up a crisis team in co-operation with cybersecurity experts when they discovered a third party had gained unauthorized access to its systems. The organization informed authorities and have filed a criminal complaint. A group named Darktrace claimed to have stolen 161GB of files, posting screenshots as proof on the dark web. Documents exfiltrated are said to include association and financial documents along with employee data and copies of ID cards.
- Peachtree Orthopedics, based in Atlanta, GA, announced that it fell victim to a cyberattack in April, with forensic evidence confirming that an unauthorized party had gained access to part of its networks. The organization said it has changed account passwords and implemented additional security measures to limit the risk of this situation occurring in future. Karakurt ransomware group has added Peachtree Orthopedics to its leak site, claiming to have exfiltrated 194GB of data including personal information and medical records, and is threatening to leak the data if a ransom is not paid. An investigation is ongoing to establish how many patients have been impacted by the attack.
- Columbus Regional Health System in North Carolina was attacked by Daixin Team when the group encrypted the not-for-profit’s systems after exfiltrating data and deleting backups. According to their leak site, the group exfiltrated 70GB of data including 250,000 files. The ransomware group initially demanded $3 million but the organization entered into negotiations to try and reduce the amount. CRHS stated that it was unable to get its cyber insurance provider to pay out the amount in time and that the organization itself simply could not fund the ransom demand. Daixin Team agreed to drop the ransom down to $1 million but negotiations soon stopped after that with no money exchanged. It seemed that the organization was never going to pay. The ransomware group stated that CRHS knew that its systems were critically vulnerable at the time of the attack.
- FIIG Securities, an Australian bond broker, fell victim to an attack by BlackCat this month, during which 385GB of data was stolen. Upon discovering unauthorized third-party access, the company took IT systems offline to prevent further access. The ransomware group has posted evidence of the breach online including drivers’ licenses, passports, and other commercially confidential data. Impacted clients are being contacted by the organization via email, highlighting what personal data is believed to have been accessed.
- Akira ransomware gang is believed to be behind an attack on the Development Bank of Southern Africa (DBSA) during which employees’ personal information was accessed. According to reports, various servers, log files and documents were encrypted by the threat actors, who have threatened to publish the stolen data on the dark web if ransom demands are not met. An investigation is still ongoing to determine the full extent to which personal information of employees was compromised.
- Kaiserslautern University of Applied Sciences (HS Kaiserslautern) took its entire IT infrastructure offline when it discovered it had been hit by a ransomware attack. Almost all services were affected, with staff and students warned not to switch on any of their work computers in case they have been impacted by the “encryption attack.” At this time, it is not clear who the perpetrators are, or whether information was stolen from the university’s systems.
- The National Securities Commission (CNV) in Buenos Aires suffered disruption as internal systems remained offline for a number of days following a ransomware attack. The organization managed to contain the attack immediately, but 1.5TB of files were still exfiltrated during the incident. Medusa has claimed responsibility, demanding $500,000 to prevent the leak of the data and another $500,000 to delete the files off the group’s computers.
- Rhysida ransomware group was auctioning off data belonging to Paris High School in Illinois on their leak site. At this time there has been no confirmation of the details of the incident from the school itself. Rhysida did offer proof of its claims, as a collage of files and images was made available. No further information on this attack has been made public.
- OSG Hengelo, a school community in the Netherlands, is unclear what data was exfiltrated during a ransomware attack. The investigation continues, with parents and students looking for answers on whether their personal data has been impacted by the incident. There are very few details about the attack, but the board is reported to have “closed a deal” with hackers.
- BlackCat/ALPHV claimed an attack on Automatic Systems, a subsidiary of French conglomerate Bolloré. The organization acknowledged the attack, stating that an intrusion happened on June 3rd, with threat actors targeting “part of its servers.” Upon discovering the incident, specific protection measures were immediately implemented to stop the advance of the attack. The notorious ransomware group posted hundreds of samples of stolen data on their leak site, ranging from NDAs to copies of passports, while also claiming to have “a lot of critical data.” Confidential documents relating to NATO, Chinese retailer Alibaba and French defense contractor Thales are present in the samples.
- TAG Aviation, based at Geneva Airport, saw some of its systems encrypted after its Intrusion Detection System detected an unauthorized attempt to access its network. The company stated that it believed the cyber incident was limited to “Asia.” An external taskforce forensically investigated the incident and the data concerned. Although the organization claims it is not yet sure what data has been impacted, an unknown ransomware gang has posted several screenshots of passports and other internal or confidential data on the dark web. The group also claims to have exfiltrated “several terabytes” of data.
- Rhysida have leaked online, what they claim to be, documents stolen from the network of the Chilean Army (Ejército de Chile). The Chilean Army confirmed in late May that its systems had been impacted by a security incident. The impacted network was isolated following the breach, with military security experts working to recover the affected systems. Rhysida ransomware group published around 360,000 Chilean Army documents, 30% of all the data they claim to have exfiltrated from the network.
- Walsall Healthcare NHS Trust posted an update on their website this month, disclosing that it had been subject to a cyberattack earlier this year, when a malicious actor attempted to infiltrate the Trust network and execute a ransomware attack. Although the trust was able to “prevent the attack” before it was executed, there is evidence that some data was exfiltrated. Clinical systems were not affected and no financial data belonging to patients or staff is believed to have been compromised. A number of audits were carried out by specialist bodies, but it is still unclear exactly what data may have been transferred. The Trust has issued advice to staff and patients to remain vigilant and observe good cyber practice in wake of the incident.
- LockBit claimed responsibility for a cyberattack on the Indian pharmaceutical giant Granules India. The ransomware group listed Granules India as one of its victims on its leak site and has published portions of data allegedly stolen. The organization is yet to confirm the incident; however, the company did disclose a cybersecurity incident to Indian stock exchanges last month. In a statement made by the company, they state that it is “investigating the matter with utmost priority.”
- New Zealand based payments solutions provider Smartpay Holdings faced a ransomware attack this month, becoming one of the latest victims in a slew of cyberattacks against organizations in New Zealand and Australia in the past year. Payment platforms and terminals were not affected by the incident. The company conducted an investigation which revealed that information from customers in Australia and New Zealand had been stolen from its systems.
- Reddit disclosed that its systems had been hacked in February this year, and in June the BlackCat ransomware gang claimed responsibility for the incident. Threat actors were able to gain access to Reddit’s systems after an employee fell victim to a phishing attack. The threat actors claim to have exfiltrated 80GB of data including internal documents, source code, employee data and limited data about the company’s advertisers. No user passwords, accounts or credit card information were impacted.
- Iowa’s largest school district, Des Moines Public Schools, fell victim to a ransomware attack earlier in the year which forced all networked systems offline and caused classes to be cancelled for several days. The school district received a ransom demand from an unnamed ransomware group but has no intention of meeting the group’s demands. Around 6,700 individuals were impacted and will be contacted regarding what personal information was exposed.
- Mondelez International announced that the information of 51,000 past and present employees is at risk after Bryan Cave Leighton Paisner LLP (BCLP), a law firm it hired, was hacked. The law firm had copies of and access to sensitive personal information belonging to employees of the Oreo and Ritz Cracker giant.
- The University of Hawai’i confirmed that Hawai’i Community College was targeted by a ransomware attack. The college was made aware of the incident on June 13th, with IT services responding immediately by taking the network offline. There has been no further comment from the educational institution at this time, but the investigation continues. Those responsible for the attack have not been named and it is not clear if any data was exfiltrated during the attack.
- Vincera Institute in Philadelphia is notifying patients who were impacted by a ransomware attack in April. Vincera reported the incident to HHS on June 20th with four entries: Vincera Core Physicians reported 10,000 patients impacted, Vincera Surgery Center reported 5,000 patients impacted, Vincera Rehab reported 5,000 patients impacted and Vincera Imaging reported 5,000 patients impacted. It is believed that some individuals may have been seen by multiple services so numbers may be considerably less than the 25,000 reported. Information stolen during the attack is said to include names, contact details, SSNs, DOBs, medical history and treatment records and insurance information among other information provided to the institute. The ransomware group responsible has not been made public and it is unknown whether any patient records were corrupted during the incident.
- Threat actors emailed students at the University of Manchester warning them that their data will soon be leaked if an extortion demand is not met. The unnamed ransomware operation claimed to have stolen 7TB of data during an attack in early June. The exfiltrated data reportedly includes confidential personal information from staff and students, research data, medical data, police reports, drug test results, databases, HR documents, finance documents and more. The group went on to list professors and university personnel that they hold accountable for the situation. It was later reported that over 1 million NHS users have been impacted by this incident.
- An attack on the French Rugby Federation saw some of their systems affected, with mail servers taking the biggest hit. The organization quickly secured its entire system and restored operations. Play ransomware group claimed the attack, threatening to publish data if the ransom demands are not met. To date, the FFR claim that it has not received a ransom demand from the group. Investigations continue and according to reports the scale of the attack is yet to be determined.
- National Institutional Facilitation Technologies (NIFT) in Pakistan was forced to resort to a manual banking system as a result of a cyberattack. It was forced to shut down its two data centers in Islamabad and Karachi, and digital payments remain halted. According to reports, the “well organized” incident was detected, isolated and halted swiftly after discovery. A comprehensive assessment and investigation is underway, but it seems too early to say if any data has in fact been lost or exfiltrated during the attack. Some experts have expressed concerns that the data belonging to 67.5 million customers could be impacted.
- BlackCat has claimed that it stole “lots” of highly sensitive medical records from Beverly Hills Plastic Surgery and has threatened to leak patients’ photos if the clinic doesn’t fulfil the ransom demand. The group have bragged about exfiltrating personal information and healthcare records, along with “a lot of pictures of patients that they would not want out there.” Details on this attack remain vague at this time.
- Atlanta Postal Credit Union (APCU) confirmed that a recent ransomware attack compromised the confidential information of some bank customers. In response to disruption to its network, APCU secured its system and launched an investigation into the incident. The investigation revealed that threat actors had orchestrated a ransomware attack which allowed them to access certain customers’ confidential information, though it is believed that the access was limited to March 23, 2023. APCU cannot rule out the possibility that highly sensitive information belonging to bank customers was obtained during the attack. No group has yet claimed responsibility.
- The personal information of 1,244 people has been compromised following a ransomware attack on Chattanooga State Community College. It is believed that the majority of those impacted had taken their GED test at the college’s testing center in 2012 and 2013. Names, phone numbers and email addresses belonging to administrators at the institution were also impacted. Upon discovering the incident, the college took computer systems offline and cancelled classes for two weeks. Snatch claimed the attack, however the college did not engage with the ransomware group on advice from the FBI, Tennessee Board of Regents and cybersecurity experts.
- Major Philadelphia consulting firm Econsult has reportedly suffered a breach that has exposed employees’ financial information. The organization, whose clients include City of Philadelphia, Pew Charitable Trust and other major regional institutions, has revealed internally that the incident was in fact a ransomware attack. An investigation has been launched and the organization continues to work diligently to identify the nature and scope of the information that may have been involved. The spokesperson for the organization stated that specifics could not be provided at this time.
- Lebanon School District in Pennsylvania was hit by a ransomware attack in early June, forcing the district to shut down systems as a precautionary measure. Outside cybersecurity experts were hired to secure the systems and to investigate the nature and scope of the attack. The investigation is ongoing, but at this time the district has not found any evidence to suggest that unauthorized acquisition or misuse of personal information has occurred. It is reported that the letter from the unnamed threat actors did not demand a ransom.
- Peter Mark, a chain of hairdressers based in Ireland, has disclosed that it believes internal HR data was compromised during a cybersecurity incident. The organization is liaising with Gardai from the National Cyber Security Centre to assess what information has been accessed. At this time there is no evidence of personal data belonging to the organization on the dark web, but they are continuing to monitor the situation.
- The world’s largest semiconductor manufacturer, TSMC, has been listed on LockBit’s dark web site, with the group demanding a whopping $70 million for data stolen during the incident. The group has not specified what type of data they have stolen, but they have also threatened to publish network entry points as well as login and password details if the ransom is not paid. TSMC has stated that it is aware that one of its IT hardware suppliers was faced with a cyberattack which led to the attack on them. But upon review TSMC commented that the incident did not affect business operations, nor did it compromise TSMC’s customer information.
- The Barts Health NHS Trust in the UK has appeared on BlackCat’s dark web victim blog, with the group claiming to have stolen over 7TB of sensitive data. The exfiltrated data is said to include “citizens confidential information” including personal and financial information alongside internal company data. The gang are threatening to release the data should the trust not engage, with the deadline of 3rd July set. Details of the ransom demanded were not published on the dark web blog.
July
We tracked 38 publicly disclosed ransomware attacks in July, representing an 81% increase on 2022 and the busiest July we’ve recorded over the past 4 years. Healthcare was heavily targeted, with 14 attacks on that sector alone. Many large organizations made news headlines during the month, including the Japanese Port of Nagoya, which was forced to deal with massive disruption due to a ransomware attack, while 11 million patients were impacted by the incident at HCA Healthcare, and cosmetics giant Estee Lauder fell victim to an attack from not one, but two ransomware groups. Here’s a summary of who else made ransomware news during the month.
- Mount Desert Island Hospital reported unauthorized access to its systems in April and May which resulted in a data breach impacting 24,180 patients. Stolen data included personally identifiable information, patient medical information, and financial data. Snatch claimed responsibility for the attack, but no proof of claims or files have been posted on its leak site.
- 8Base listed ClearMedi Health on its leak site in early July, with the post indicating that the information had been exfiltrated from the organization on June 26th. The upload was a 9-part archive with most parts containing 10GB each. The ransomware group stated that stolen files included personal documents, patient data, employee information, financial documents and much more. ClearMedi are yet to comment on the incident.
- The Port of Nagoya, the largest and busiest port in Japan, was targeted by a ransomware attack which impacted the operation of its container terminals. The port’s central system controlling all container terminals was down for approximately 24 hours while the port authority worked to restore it. This caused the cancellation of all loading and unloading operations, resulting in massive financial losses to the port and severe disruption to the circulation of goods to and from Japan. This is still a developing story with more details emerging.
- A relatively new ransomware group named Cyclops claimed to have attacked Atherfield Medical and Skin Cancer Clinic in Australia. In the listing on the group’s leak site, there is a link to download files and screencaps as proof of claims. The data contains personal and health information of patients as well as banking details of doctors. The clinic has stated that it is aware of the incident and is notifying individuals who may have been impacted.
- Townsquare Media suffered a ransomware attack for the second time in five years. BlackCat took credit for the attack which took place in late June. The group claim to have exfiltrated 215GB of data including files sourced from the company’s servers and workstations. Only files created within the last year have been impacted. The organization were given one week to “resolve the misunderstanding” before their data would be leaked to the public.
- UK independent retail chain, Roys of Wroxham, faced a ransomware cyberattack which impacted IT systems, causing problems in its stores and prevented the dispatch of online orders. The company are undertaking an extensive forensic investigation to assess the full scope of the incident. The retailer has assured customers that it does not store financial information so it will not have been impacted.
- Threat actors brought down four of nine local radio stations owned and operated by Amaturo Sonoma Media Group for at least six hours during an attack. The five other stations remained unaffected as they operate on a different server. The group has chosen not to negotiate with the unknown ransomware group and instead embarked on a two-week rebuilding process of the four hacked stations. The hackers demanded the company’s financial records stating that they would present their “reasonable demand” once these documents had been reviewed.
- The Law Foundation of Silicon Valley disclosed that it was hit by a “sophisticated ransomware attack” which disrupted their systems. One of the foundation’s servers was impacted which compromised the data of 42,525 individuals including clients, staff, and others. Compromised information includes SSNs, medical records, immigration numbers and financial data with the chance that other forms of additional data may have also been accessed.
- The Election Commission of Pakistan issued an alert to all of its employees after emails were received relating to a ransomware attack. They asked staff to kindly ignore the emails and report it as spam/junk. At this time, it has not been confirmed whether threat actors gained access to crucial data. The country is currently preparing for general elections.
- Luigi Vanvitelli hospital in Italy posted a notice on its website on 4th July announcing that it had fallen victim to a ransomware attack. According to reports, cybercriminals have stolen email passwords of university professors, doctors, managers, and employees. During the attack a “computer blackout” occurred which impacted a number of services. The hospital is working to evaluate the extent of the incident and the nature of the data breach but believe that the hackers could be part of a Chinese cybercrime group, with the claim based on the type of email address provided to them for negotiation purposes.
- BM Group Polytec issued a statement on its website to update customers on developments of the ransomware attack which impacted its business. During the incident, there was damage caused to the IT infrastructure and some personal data was exfiltrated. Information on exactly what information was stolen is vague at this time. Rhysida has claimed responsibility for the attack but there is no information on what ransom demands have been made.
- Denver-based manufacturer Gates Corporation has announced that it was a victim of a ransomware attack in February, with details of the incident only coming to light now. The organization assured authorities and the public that it did not pay the ransom demanded and was able to restore systems on its own. Although threat actors were able to access information relating to over 11,000 people, Gates Corporation believes that the hackers did not steal information but is notifying the affected parties of the incident “in an abundance of caution.” However, it is believed that threat actors may have exfiltrated HR files that include personally identifiable information. The hackers responsible for this incident have not been named and the company has not released any details on the ransom demanded.
- 8Base claim to have attacked Kansas Medical Center in mid-June, downloading data containing sensitive patient information. This data is said to include personal documents, ID cards, health insurance information, patient PII, employee information, internal documents, accounts information and other financial documents. 8Base has not posted proof of claims on its leak site, but this is not uncommon for this particular ransomware group.
- 11 million patients have been impacted by a cyberattack on HCA Healthcare. The healthcare provider owns and operates 182 hospitals and 2,200 care centres across the US and UK. Threat actors began selling the data belonging to the organization on a forum, claiming in the post that the stolen database contains 17 files and 27.7 million database records. HCA has confirmed that the data on the leak site is indeed authentic. The stolen data is said to contain personal patient information, but HCA has stated that it does not believe the data contains clinical or financial information.
- The City of Hayward was forced to temporarily shut down its official website and online municipal portals following a ransomware attack. Although some services were impacted, city officials confirmed that essential services such as 911 and emergency assistance were unaffected. After discovering the incident, city officials took immediate action to mitigate potential risks to its network and data. There is no further information about the attack currently available.
- ZooTampa was hit with a cyberattack which impacted its network environment and involved the theft of employee and vendor data. Upon detecting the incident, swift action was taken and third-party forensics specialists were engaged to secure the network and investigate the extent of the attack. The zoo has notified those whose information may have been accessed, but is confident that no personal or financial information of visitors has been affected. BlackSuit, which has links to the Royal ransomware group, has claimed responsibility for the attack.
- The Town of Cornelius in North Carolina disconnected all on-site technology from the town’s network in the wake of a ransomware attack. Various services were disrupted including those dependent on phone communications, but a spokesperson emphasized that emergency services remained operational and accessible. Cornelius officials were working closely with law enforcement to mitigate the impact of the attack. It is not yet known who is behind the attack, what their motivations were and if any ransom has been demanded.
- 300 clients were impacted when a ransomware attack shut down Internet Thailand’s hypervisor management system. Those impacted, such as The Bangkok Post, saw their websites become inaccessible for a day. According to Inet’s deputy managing director, a hacker obtained the credentials of an employee who was working remotely. The organization claimed to have backups, which eliminated the need to pay a ransom. It is unclear whether any data was exfiltrated during the incident or who might be responsible for the attack.
- The City of West Jordan in Utah announced it was a victim of a ransomware attack at the beginning of June. The city has stated that no personal or financial information was exposed during the attack. An investigation into this incident is still ongoing, with details remaining vague at this time.
- Panorama Eyecare in Colorado fell victim to a LockBit ransomware attack, with the ransomware group claiming to have exfiltrated 798GB of data from four of the organization’s clients. The four clients impacted were Eye Center of Northern Colorado, Denver Eye Surgeons, Cheyenne Eye & Surgery Center and 2020 Vision Center. Screencaps posted as proof of claims contained patient information. It is unclear what impact the attack has had on business operations and ransom demands have not yet been disclosed.
- ALPHV (aka BlackCat) claimed responsibility for an attack on Highland Health Systems in Alabama. The ransomware group posted proof of its claims, including employee and patient data. Data relating to patients in treatment for substance abuse was also posted on the leak site. The group claims to have patient logs, mental health records, SSNs, drivers’ licenses and employee passwords, and has also stated that it will be contacting patients and employees to give them the opportunity to pay to have their data removed from public leaks or darknet sales.
- 355GB of data belonging to Belize Electricity Limited (BEL) was released when the company did not meet ransom demands made by Ragnar Locker. The organization stated that the data exfiltrated was “confidential transactional information pertaining to employees and customers and other network configuration information” that was stored on file servers and employee computers. Teams are currently monitoring and investigating the full extent of the incident and are reporting to the appropriate authorities. The ransom demanded has not been disclosed.
- 3,461 individuals have been affected by a cyberattack on Gary Motykie M.D. during which data was exfiltrated. The incident, which took place in May, saw data including PII, financial account information, SSNs, health insurance information and medical information stolen after a threat actor gained unauthorized access to IT systems. The attack also involved the theft of nude images used in connection with the services provided by the plastic surgeon. The unknown threat actors demanded a ransom of $2.5 million. Patients were contacted directly by the threat actors, who pointed them to the leak site and offered to remove their images and files from it if they paid $800,000.
- Langlade County in Wisconsin suffered a “catastrophic software failure” as a result of a ransomware attack orchestrated by LockBit. On July 11, the county shared news that it was experiencing severe technology failures, causing all phone lines to stop functioning. This included 911 calls for assistance, which had to be rerouted. The county did not attribute the issues to a cyberattack, but LockBit added the county to its leak site, giving it until August 1st to meet undisclosed ransom demands or the stolen data would be leaked. At this time, it is not clear what type of information was exfiltrated during the attack.
- Russian medical lab Helix fell victim to a “serious” cyberattack which left customers unable to receive their test results for several days. According to a statement, hackers attempted to infect the company’s systems with ransomware which led to the service disruptions. Helix also stated that no personal customer data was leaked during the incident and that tech teams were able to partially restore functionality of its website, mobile app, and other e-health services without paying a ransom. It is unclear which group was responsible for the attack and what their motivation might be.
- Not one, but two ransomware groups listed Estee Lauder on their leak sites as a victim of separate attacks. One of the groups was Clop, which used a vulnerability in the MOVEit Transfer platform to gain access to the company, claiming to have exfiltrated more than 131GB of data. BlackCat was the second group to claim the cosmetics giant as a victim, opting not to encrypt any of the company’s systems, but instead threatening to reveal stolen data if the company did not enter into negotiations. BlackCat hinted that the exfiltrated data could impact customers, company employees and suppliers. It is not clear whether either of these attacks caused disruption to the organization or what ransom demands were made.
- George County in Mississippi saw its local government thrown into chaos when an inconspicuous phishing email allowed threat actors to gain deep access to the county’s systems. Hackers made their way through the county’s systems over a weekend, encrypting everything they could. All three servers were encrypted, and all employees were locked out of their office computers. While IT workers began restoring the servers they came across a file containing a ransom note, which provided a Bitcoin wallet address to send the ransom to and a five-day deadline. The county chose not to pay the ransom due to budgetary constraints and the lack of any guarantee that the issues would be resolved.
- Snatch ransomware group reportedly stole sensitive data of more than 1.2 million patients from Tampa General Hospital during a ‘failed’ ransomware attack in May. A statement from the hospital confirmed that it detected unusual activity and quickly contained it preventing encryption which would have significantly disrupted patient care. It was later discovered that the hackers had been in the hospital’s network for more than two weeks and had exfiltrated a significant amount of patient data which is said to include PII, health insurance information and treatment information. The hospital declined to pay the undisclosed ransom amount.
- A ransomware attack orchestrated by DonutLeaks targeted Jackson Township in Ohio, impacting services offered by the Jackson Police Department. Other primary township services, including emergency services, were not impacted. The incident affected the function of multiple systems, with external cybersecurity experts being brought in to work through the problem. An investigation revealed no known unauthorized access by the hackers to personal or employee data.
- Californian authorities were made aware of a cyberattack involving U.S. law firm Quinn Emanuel Urquhart & Sullivan which may have resulted in client information being exposed. The law firm stated that a third-party data center used for document management had fallen victim to a ransomware attack last year. The attack did not impact the firm’s network infrastructure; however, around 2,000 individuals were affected by the incident. It is not known who the third-party vendor was, what group launched the attack or whether a ransom demand was made.
- Yamaha’s Canadian music division encountered a cyberattack which led to unauthorized access to its systems and data theft. According to a statement, the organization swiftly implemented measures to contain the attack and worked alongside external specialists to prevent significant damage or malware infiltration into its network. Two ransomware groups claimed responsibility for the attack on Yamaha – BlackByte posted the company on its leak site in early June, with Akira adding Yamaha to its leak site in mid-July. The nature of the data exfiltrated has not been disclosed and as of yet information on ransom demands from either ransomware group has not been released.
- Italian asset management company Azimut Group became a victim of the BlackCat ransomware group in June, with the threat actors claiming to have stolen over 500GB of data. The ransom letter from the gang allegedly included images of sensitive customer data and asserted access to other customers’ complete financial information. Azimut has declined to pay the undisclosed ransom demand, stating that the attackers did not access personal or financial information of clients.
- Desorden Group, which had been quiet for a number of months, re-emerged by launching an attack on Ranhill Utilities Berhad, which provides power and water supply in Malaysia. The attack, which stemmed from an initial breach 18 months ago, disrupted billing operations and water supply to over 1 million customers. In July this year the ransomware group stole all of the organization’s billing system databases, deleted backups and removed the databases entirely. Hundreds of gigabytes of data, including sensitive customer and corporate information, were stolen. Ranhill does not appear to have made a statement about the incident.
- Rhysida ransomware group put data supposedly stolen from The University of West Scotland (UWS) up for auction on its dark web victim blog. The gang is demanding £452,640 (20 bitcoin) for the data, stating that it will be sold to the highest bidder. UWS announced that it had suffered an attack on July 7th and enlisted the help of the NCSC and the Scottish government to deal with the incident, which affected a number of digital systems. The university has yet to comment further on the ransomware attack.
- Family Vision, an optometry center based in South Carolina, was compromised by a ransomware attack. The clinic immediately disabled external access to its systems and launched an investigation into the nature and the scope of the incident. Unknown threat actors were able to install ransomware on the server and as a result the server was encrypted. Sensitive data of around 62,000 patients was compromised during the incident, however Family Vision clarified that no financial information was exfiltrated.
- Karakurt claimed responsibility for an attack on The Chattanooga Heart Institute during which it claims to have stolen 158GB of data. Although no proof of the claim was provided, the gang gave details on its website of the data stolen, which is said to include patient and employee private data, medical records, and treatment information. The incident is said to have taken place between March 8th and March 16th this year, with CHI detecting the attack in April. CHI notified the Maine Attorney General’s Office that 170,450 people had been impacted by the incident. At this time no data has been leaked by Karakurt.
- BankCard USA (BUSA) recently paid the Black Basta ransomware group a $50,000 ransom in exchange for a promise that no publication of any kind relating to the incident would be made. The organization and the threat actors negotiated for over a month, with BUSA demanding guarantees and offering the threat actors less than 10% of what was being demanded in exchange for the deletion of the 200GB exfiltrated. Although Black Basta claimed there would be no publication, SuspectFile has reported on the incident. It is not yet clear how many individuals have been impacted by the ransomware attack.
- MHMR Authority of Brazos Valley has issued a press release detailing the outcome of a ransomware attack which reportedly took place in December 2022. The statement revealed that personal and protected health information of some employees and current and former patients may have been compromised during the incident. Hive claimed responsibility for the attack on the Texas mental health and substance abuse treatment provider at the end of last year. Data from the attack was never released by the ransomware group before its demise. It is still unclear how many individuals were impacted as a result of the incident or if they will ever be notified by MHMR.
August
We recorded 59 publicly disclosed ransomware attacks in August, a 51% increase over the same period last year and the second busiest month for disclosed attacks in 2023. LockBit and Medusa were the most active ransomware groups, while education and healthcare were the most targeted sectors, closely followed by government. A number of organizations made headlines with attacks and breaches causing huge consequences, including Prospect Medical Holdings, which was forced to revert to pen and paper after a system-wide outage, while almost 1.5 million patients were impacted by a data breach at Alberta Dental Service Corporation. Check out who else made ransomware headlines this month:
- Karakurt ransomware gang allegedly stole genetic DNA patient records from McAlester Regional Health Center, threatening to auction them off to the highest bidder. The Oklahoma based hospital has not made a statement about the breach but the threat actors claim to have exfiltrated 126GB of organizational data, with an additional 40GB of DNA test information.
- The Township of Montclair in Essex County, New Jersey suffered a cyberattack in June which led to data loss including information on outside vendors, individuals, and data which affected the township’s ability to respond to some requests. The name of the attackers has not been made public, but it has been reported that the township’s insurer negotiated a settlement of $450,000 to end the attack.
- At the beginning of August St Landry Parish Schools in Louisiana announced that they had been subject to a ransomware attack, first identified on July 25th. Medusa claimed responsibility for the attack and posted various evidence of claims including a $57 cheque, a 2021 training course certificate, an education disability claim form, communications with an insurance department and teacher’s salaries. The ransomware group demanded a $1million ransom to erase the compromised data.
- National Institute of Social Services for Retirees and Pensioners (PAMI) in Argentina was added to Rhysida ransomware group’s victim list on August 12th. The attack claim, which was posted on the group’s dark web portal, gave PAMI just six days to meet its demands. The ransom demanded by Rhysida was 25 BTC. Samples of data, including identity cards bearing photos of people, were posted as proof of the attack. The full scope of the attack is not yet clear.
- LockBit added West Oaks School in England to its darknet victim site, giving the school two weeks to make the ransom payment or data stolen during the attack would be published. The school which specializes in education for children “with a wide range of needs” is yet to make a statement regarding the incident.
- Prominent component and product manufacturer MW Components filed a notice of a data breach with the Attorney General of Texas after discovering that an unauthorized party had gained access to its computer network. The ransomware attack occurred between March 1st and March 26th this year. Upon discovering the incident, the company took swift action to secure its systems and notified law enforcement. Exposed information included consumer data including names, SSNs, driver’s license numbers, financial account information, health insurance information, and medical records. The company has notified all individuals whose information had been compromised.
- The next attack made several headlines throughout August as the story continued to progress. Prospect Medical Holdings, one of the largest hospital networks in the US, fell victim to a ransomware attack at the start of the month, causing chaos across several of its hospitals. The cyberattack forced hospitals to divert patients to other facilities and put a temporary halt on operations, with some facilities having to revert completely to paper records to treat patients. The Rhysida ransomware gang claimed responsibility for the attack, in which it said it had exfiltrated a total of 1TB of unique files as well as a 1.3TB SQL database. The files were said to contain the personal data of more than half a million PMH patients and employees, including SSNs, passports, driver’s licenses, patient medical files, and legal and financial documents. The ransom demanded by the group was 50 Bitcoin, payable by September 1st, after which the data would go up for auction.
- Tempur Sealy, one of the world’s biggest mattress sellers, was forced to shut down parts of its IT systems and activate incident response and business continuity plans due to a cyberattack. BlackCat ransomware group took credit for the attack and claimed to have sensitive documents from senior officials in the company. It is unclear whether customer information was involved but the company said it plans to notify regulators of data leaked.
- Ebert Group, a car dealership based in Weinheim, Germany, announced that it was the target of a “hacker attack” which caused disruption on the company’s servers. There is limited information available relating to the incident, but it has been reported that data belonging to approximately 30,000 customers is now visible on the dark web. A group called Metaencryptor claimed responsibility for the attack.
- On August 1st, Akira added Parathon by JDA eHealth Systems to its leak site with a note stating that 560GB had been taken from the company’s network. The information is said to contain contracts, employee information, and confidential documents; however, no proof of claims was posted alongside the note. At this time the company has yet to comment on the incident.
- A data breach was announced this month after a June ransomware attack on the Colorado Department of Higher Education. An investigation determined that threat actors had access to CDHE systems between June 11 and June 19 and copied data from company systems during this time. Current and past students, along with teachers were impacted by the incident, with attackers gaining access to names and SSNs or student identification numbers, as well as other education records. The number of individuals impacted has still not been released by the CDHE.
- England based recruitment agency Delaney Brown Recruitment was involved in an attack by 8Base ransomware group. The threat actors claim to have exfiltrated information including invoices, receipts, accounting documents, personal data, employees’ contracts and personal files of employees and clients among other corporate documents. The organization is yet to publicly address the claims made by 8Base.
- Jefferson County Health Center was added to the Karakurt threat actors’ leak site in July, but it was not clear whether the victim was the facility in Iowa or Jefferson County Hospital in Oklahoma. In August, Jefferson County Health Center in Iowa submitted a breach notification to the Vermont Attorney General’s Office, confirming that an investigation had determined that an unknown actor accessed its systems earlier this year. The investigation also highlighted that patient files may have been accessed during the incident. The notification did not name Karakurt as the threat actor and did not mention a ransom demand. The ransomware group has yet to leak any of the 1TB of files it claimed to have exfiltrated from JCHC.
- Varian Medical Systems, a company providing software for oncology applications, was hit by a ransomware attack at the hands of LockBit. Details on how LockBit breached Varian’s systems or how much data was exfiltrated have yet to be revealed, but the ransomware group warned that it would publish private databases and patient medical data belonging to the company if negotiations did not take place within two weeks of the attack. Parent company Siemens Healthineers confirmed that an internal investigation is taking place but did not comment further on the incident.
- Thornburi Energy Storage Systems, a prominent battery manufacturer based in Thailand, was added to Qilin ransomware group’s victim list following a cyberattack. The threat actors claimed that the company had chosen not to communicate with them, after which they started publishing various documents. Five screenshots were posted as proof of claims by the group. TESM has not yet made a public comment responding to these claims.
- 8Base added Oregon Sports Medicine to its leak site at the beginning of August. While no files or file tree were posted as proof of claims, the ransomware group claims to have acquired invoices, receipts, accounting documents and personal data along with a “huge amount of confidential information”. The organization has neither confirmed nor denied the claims, remaining tight-lipped about the incident. It is not clear how much data was impacted by the attack or whether a ransom was demanded.
- Mayanei Hayeshua Medical Center in Bnei Brak saw its administrative computer system damaged and shut down by a ransomware attack. Following the attack, some treatments were stopped, and the emergency room was forced to refer patients to other hospitals. An investigation was launched into the incident and resulted in further services within the hospital being disrupted. Teams from the Cyber Directorate and the Ministry of Health helped the hospital staff to deal with the incident and its consequences. At this time the cyberattack has not been linked to or claimed by any ransomware groups.
- On the same day as leaders met in the White House to discuss cyberattacks on schools, Emerson Schools in New Jersey was added to Medusa’s “hostage list.” The group claimed to have exfiltrated data from the school district’s IT infrastructure, demanding $100,000 in bitcoin in exchange for the deletion of the stolen information. Information on the nature of the data stolen has yet to be released and other information regarding the attack remains limited.
- The California city of El Cerrito is investigating the potential theft of data after LockBit added it to a list of victims. The Assistant to the City Manager stated that the city’s systems were fully operational and that the city was not locked out of any devices or data. However, on LockBit’s leak site, multiple screenshots of information belonging to the city’s government were posted as proof of claims alongside a deadline of the 19th. The city has made no further comment on the incident.
- Akira ransomware gang added The Belt Railway Company of Chicago to its leak site on 10th August, claiming to have stolen 85GB of data. General Counsel for the largest switching and terminal railway in the US acknowledged the claims made by Akira but stated that the event did not impact its operations. The organization has engaged a leading cybersecurity firm to investigate the incident and is working with federal law enforcement.
- A ransomware attack on Alberta Dental Service Corporation has compromised the personal information of around 1.47 million individuals. ADSC revealed that individuals enrolled in the Alberta Government’s Dental Assistance for Seniors Plan, the Alberta Government’s Low-Income Health Benefits Plans and Quikcard were impacted as a result of the incident. Threat actors had access to ADSC’s network for more than two months before deploying file-encrypting malware. Among the 1.47 million whose data was accessed, around 7,300 of those records contained personal banking information. ADSC president Lyle Best reportedly told IT World Canada that a ransom payment was made to the 8Base ransomware gang, which later provided proof that the stolen data had been deleted. The ransom amount was not disclosed, but he did reveal that the initial intrusion vector was a phishing email.
- Cummins Behavioral Health Systems (CBHS) announced that they became a victim of a cyberattack sometime between February 2 and March 9 this year. CBHS discovered the incident when they found a ransom note in their environment in early March. There was no encryption of any data and CBHS did not name attackers or mention whether they paid a ransom. Data that may have been accessed or stolen during the incident included personally identifiable information, financial information, and medical information. A notification made by the organization to Maine Attorney General’s Office stated that 157,688 people were affected by the attack.
- The real estate industry suffered widespread disruption to property listings across the United States as a result of a ransomware attack targeting Rapattoni. The California-based data services company hosts multiple listing service (MLS) databases. On August 8 Rapattoni experienced a system outage, which was quickly communicated on the organization’s social media channels. Details of this attack continue to be released; no ransomware gang has taken responsibility yet.
- The Municipality of Ferrara in Italy was “brutally” hit by Rhysida ransomware gang this month with investigations still underway to determine the overall extent of the damage caused by the attack. The attack has been strongly condemned and the administration has expressed its refusal to give into the threats made by the perpetrators. The demands made have not been made public and information on what data, if any, was exfiltrated during the incident is still unknown.
- Levare International, headquartered in Dubai, was attacked by Medusa with the group claiming to have exfiltrated data that could harm both the privacy of employees and trade secrets. After negotiations broke down between threat actors and Levare’s negotiators, Medusa knocked Levare offline with DDoS attacks. A ransom of $500,000 was demanded on the group’s dark web leak site alongside screencaps of files as proof of claims. No further information on this incident has been released.
- Freeport-McMoRan reported a cybersecurity incident on 11th August but stated that it did not cause any major impact on production. The American copper miner worked with third-party experts and law enforcement agencies to assess and address the situation. Although impact on production was limited, the company noted that prolonged disruption could impact future operations. BlackCat took responsibility for this incident on its leak site, claiming to have presented the organization with proof of data stolen but the organization “made no attempt to find out what was taken.” The group noted that private information from banks and payroll providers is among the data exfiltrated from FCX.
- Sydney-based engineering firm Algorry Zappia & Associates allegedly became the victim of an attack orchestrated by the Play ransomware group. Play’s darknet leak site listed the engineering firm alongside claims that it had exfiltrated “private and personal confidential data, clients and employees’ documents” as well as financial details.
- ToyotaLift Northeast was recently listed on the 8Base ransomware group’s victim list, with the hacker collective claiming to have data belonging to the forklift dealer. The group publicly announced the alleged failed negotiations and the deadline for an unknown ransom payment. Data exfiltrated was reported to include personal correspondence of company clients, financial statements, and other documents with confidential information. The company has not commented on the attack.
- Less than 5% of faculty and staff devices were impacted during a ransomware attack on Cleveland City Schools this month. The school district reassured parents that students’ sensitive information was secure and stored offsite, also stating that there was “no indication” of student, faculty or parent data being compromised. Homeland Security and local law enforcement are investigating the incident. No ransomware group has yet been linked with the attack and it is not known what data, if any, was stolen.
- Australian civil infrastructure firm CB Group was struck by a Medusa ransomware attack, with the data breach announced on the group’s darknet leak site. The group demanded a ransom of $100,000 to delete the data entirely, giving the CB Group a deadline of August 24 to meet the demand. Medusa offered to extend the deadline for 24 hours at the cost of $10,000. The information can be downloaded for the same price as the ransom, allowing anyone online to purchase the data before the deadline has even been reached. Twenty-seven sample files were also posted on the darknet site alongside a directory structure of the stolen data. Proof of claims included images of staff driver’s licenses, invoices, detailed organization structures, and confidential deeds and contracts.
- Postel, a subsidiary of Poste Italiane was another Medusa victim this month. A press release from the organization stated that it “detected anomalous activity on its systems” which caused disruption of some servers and knocked the site offline. An investigation was launched into the incident, with Postel making it known that “currently only data within the company has been affected.” The ransomware group claimed to be in possession of huge amounts of data including the personal documents of employees, tax and administrative files, and payslips. A ransom of $500,000 was posted with the information being made public if the demands are not met.
- 186GB of data, comprised of over 108,000 files were stolen from Optimum Health Solutions during a ransomware attack. Employee data including passport details, and patient files alongside emails and other employee and patient credentials were exfiltrated from the Australian preventative healthcare provider by the Rhysida ransomware group. The group posted the data online, claiming that the information shared was only 85% of the total data stolen, with the rest allegedly sold. There is no information on what ransom was demanded, if any, or if the two parties entered into negotiations before the data was published.
- The Fondation de Verdeil, which provides special educational services in the canton of Vaud in Switzerland, confirmed that it had been targeted by threat actors. During the incident a server was encrypted, and operations, especially in the office and communication areas, were impacted. The CEO of the organization stated that upon discovering the attack its IT service providers were immediately contacted, as well as security specialists and the IT and security department of the canton of Vaud. NoEscape took responsibility, claiming to have exfiltrated 40GB of records. These records were said to include medical certificates, insurance documents, hundreds of photos of children and documents relating to children, alongside other sensitive information.
- Sartrouville town hall was “paralyzed” by an attack that shut down all municipal activity for twenty-four hours. The French commune saw all of its data encrypted and all services affected and inoperative, with the exception of the police department and the identity card and passport services. The affected computers held financial information about all public contracts, payments to companies, budgets, and payrolls, as well as medical records from the health center and data from nurseries and elementary schools. The provisional damage is estimated at €200,000. City hall filed a complaint and does not intend to meet the demands of the threat actors. Medusa has taken credit for this attack.
- Rhysida added Prince George’s County Public Schools (PGCPS) to its leak site just three days before the start of the new academic year. The district claimed that only about 4,500 user accounts out of 180,000 were impacted by the attack, but Rhysida has since put sensitive data from those accounts up for sale. The ransomware group appeared to be auctioning off a sizeable amount of sensitive information, including passports, driver’s licenses and other data, but has not stated exactly how much. The ransom demanded for all the data is 15 Bitcoin, roughly $390,000.
- Following a ransomware attack in May, threat actors have started releasing sensitive personal information belonging to the Raleigh Housing Authority (RHA). The attack crashed the organization’s entire system and stopped its ability to function for several days. State and federal authorities were notified, and National Guard cybersecurity teams were brought in to investigate the incident. Black Basta recently added troves of sensitive information stolen during the incident to its leak site, including government IDs, financial documents, and social security cards. Information on the ransom demand and on how much data was exfiltrated has not been made available to the public.
- The German Federal Bar Association (BRAK) is investigating an attack which took place at the start of August. The ransomware attack targeted its Brussels office, leading to a failure of IT systems. Once discovered, all network connections were immediately severed, and IT security teams were brought in to clarify the incident and repair the damage. The NoEscape ransomware group has claimed the attack, saying it encrypted BRAK’s mail servers and exfiltrated 160GB of data.
- A press release from Bunker Hill Community College revealed that irregular activity consistent with a ransomware attack was detected in certain BHCC systems in May. BHCC responded immediately and was able to contain the incident to a number of systems. Due to existing safeguards, the college was able to continue with its academic calendar without disruption. An investigation is still ongoing, but given the data the college collects it is feared that personal and sensitive information may have been impacted as a result of the attack. At this time, specific details as to what categories of information were involved are not yet available. BHCC has not disclosed the threat actors responsible or details of any ransom demand.
- The au Domain Administration (auDA) confirmed that it had been a victim of a ransomware attack, after initially suggesting it had found no evidence of a breach. NoEscape claimed the attack on its leak site, noting that it had exfiltrated more than 15GB of data. The ransomware group posted a number of threats to auDA, including a reduction of the deadline due to “bad behaviour” and a note stating, “if you do not contact us, the first step will be to sell access to bank accounts with balances over $4K.” Documents stolen during the incident were said to include powers of attorney and legal documents, passports, personal data, medical reports, access to customer bank accounts and much more. auDA stated that it was taking the claims very seriously, had notified the Australian Cyber Security Centre alongside other government organizations, and was working with experts to investigate the claim further.
- LockBit took credit for an attack on United Medical Centers based in Southwest Texas. The facility announced issues with its network two weeks prior to the posting on LockBit’s leak site. The ransomware group added twenty-one screenshots to its site as proof of claims, giving the organization a deadline of August 27th.
- India’s largest paint manufacturer, Kansai Nerolac Ltd, announced that it fell victim to a cyberattack which impacted a few systems within its IT infrastructure. In response, the organization worked alongside a team of cybersecurity experts to respond to and mitigate the impact. The financial impact of the ransomware attack is not yet known, and at this time no ransomware group has been linked to the attack on Kansai Nerolac.
- Respublikinė Vilniaus Psichiatrijos Ligoninė (Republican Vilnius Psychiatric Hospital) in Lithuania fell victim to a NoEscape ransomware attack this month. As proof of the incident, the ransomware group leaked a file tree but claimed that this is only part of the total exfiltrated during the attack. NoEscape also noted that “management wants to hide the fact that their services were encrypted and compromised.” Data stolen during the attack was said to include finances, personal and medical information of patients, employee documents and “other confidential information” linked to both clients and the company. It is not clear what, if any, ransom was demanded by the cybercriminals.
- Japanese watchmaker SEIKO announced that it was the victim of a cyberattack which resulted in data exfiltration. The organization retained external cybersecurity professionals to investigate the breach and believes that at least one server was impacted during the incident. While SEIKO was working to verify the information involved in the attack, BlackCat claimed responsibility and mocked the well-known brand for bad cybersecurity practices. The criminal group claimed to have exfiltrated at least 2TB of data, including lab tests, production plans and product designs, which could threaten the confidentiality of some intellectual property. Other exfiltrated information included corporate data such as invoices, sales reports, and employee personal data. BlackCat threatened to publish or sell the stolen data after SEIKO refused to negotiate.
- The Department of Defence of South Africa denied claims that a hacker infiltrated its systems and exfiltrated data. The statement came after the Snatch ransomware gang published the military organization on its leak site, claiming to have stolen 1.6TB of data. The data is said to include military contracts, internal call signs and personal information which could put employees of the organization at risk.
- St Helens Council in the UK identified a cyberattack this month and immediately reached out to third-party specialists to help mitigate and investigate the attack. A statement revealed that internal systems had been affected by the measures put in place to prevent further impact while investigations continue. The council has referred to it as a “complex and evolving” situation, and is telling residents to be mindful of their own online safety and to be wary of suspicious communications purporting to come from the council. This suggests that personal data may have been exfiltrated, but that has not yet been confirmed. The threat actors responsible have not yet been named.
- CloudNordic notified its customers that they should consider their data lost following a ransomware attack on the company’s servers, which paralyzed CloudNordic completely. Threat actors shut down the organization’s systems, wiping both the company’s and its customers’ websites and email systems. Backups were impacted along with production data, leaving nothing to restore from. The unnamed threat actors posted a ransom demand which CloudNordic stated it “cannot and did not want to meet.” It is unclear at this time whether information was exfiltrated for publication or sale.
- Stockwell Harris Law was added to LockBit’s victim list this month, with the legal firm given a deadline of August 20th to meet demands. According to a post on the threat actors’ site, the breach was attributed to the firm’s alleged negligence in safeguarding clients’ sensitive data. A sizeable amount of the firm’s legal data has been exposed. The law firm has yet to comment on the incident.
- Another Danish cloud hosting company became a ransomware victim this month. AzeroCloud, which shares a parent company with CloudNordic, was also forced to shut down all email and customer sites as a result of the combined ransomware attack on the two companies. The unnamed hackers set a ransom of 6 BTC, about $157,000, for the data to be restored. The director of both hosting companies said that the consequences are unimaginable and that “there is no company left.”
- Almost 7,600 individuals have had their sensitive data exposed as a result of a ransomware attack on the Ohio History Connection. The nonprofit organization had its internal servers targeted and encrypted in early July, with unnamed threat actors demanding millions of dollars in exchange for the encrypted data. After the OHC refused to pay, the ransomware group exposed stolen data belonging to employees of the organization from 2009 through 2023. Other compromised files include documents relating to vendors and donor checks since 2020.
- A press release from Île-de-France Nature confirmed that the regional agency had been subject to a ransomware attack in August. As soon as the intrusion was discovered, measures to restore services were implemented. Unfortunately, these measures did not prevent data from being encrypted and stolen. LockBit claimed responsibility for the attack but has not yet released the stolen data even though the deadline has passed. It is not clear what data was allegedly exfiltrated from the organization nor what ransom demands were made.
- Belgian IT service provider Econom fell victim to a cyberattack this month and initially believed that no sensitive information had been stolen during the incident. The ongoing investigation has since revealed that information was leaked, although the majority of the data has not been deemed “sensitive.” Stormous took credit for this attack.
- Dutch electromagnet manufacturer Kendrion reported that it had fallen victim to a LockBit attack. According to a statement on its website, the company experienced a “cybersecurity incident” during which an unauthorized third party gained access to its business systems. The organization has not yet disclosed details of the attack but has not ruled out the possibility that sensitive data was exfiltrated. LockBit took responsibility, giving Kendrion three days to meet its undisclosed ransom demand; failure to do so would result in publication of the compromised data. At this time the nature and volume of data exfiltrated is unknown.
- PurFoods warned customers of a ransomware attack which resulted in the exposure of the personal information of 1.2 million customers and employees. Suspicious activity was identified in February when files on its systems were encrypted. Signs of network problems were still evident in early March, with employees stating they had missed work and pay for a week due to “internet issues.” An investigation concluded that hackers had accessed data including dates of birth, driver’s licenses, financial account information, payment card information, medical and health information and other sensitive data. The breach impacted individuals who had received Mom’s Meals packages, current and former employees, and independent contractors.
- The Akira ransomware group claimed Jasper High School as one of its latest victims. Although the exact nature of the data has not been revealed, the group claimed to have gained access to 60GB of sensitive information. A message on Akira’s dark web site aired its grievances, stating, “Another school that appears to disregard the security of its students’ documents.” Information on this incident is still vague, and the school has yet to make a public statement addressing the claims.
- The BlackCat gang took credit for a June attack on Forsyth County in Georgia. According to breach notification letters sent to 250,000 residents, files had been removed from servers during the attack and it was believed that SSNs and driver’s license numbers were accessed. BlackCat, also known as ALPHV, claimed to have accessed and exfiltrated more than 350GB of data, including SSNs, financial reports, insurance information, loan applications and business agreements.
- Chambersburg Area School District recently confirmed that its computer systems were impacted by a ransomware attack. The disclosure indicated that the district had experienced a network disruption which compromised the functionality of certain computer systems. The district engaged forensic specialists to understand the scope and ramifications of the attack.
- Highly sensitive personal information was exposed as a result of a ransomware attack on Gaston College. The attack, which took place in February, saw an individual gain access to and expose information from the college’s network. Stolen information varied by individual but is thought to include personally identifiable information, financial account information, medical information, and employment information. The unnamed hacker made files from the attack available on both the dark web and the open internet.
- Critical infrastructure belonging to Commission des services électriques de Montréal (CSEM) was targeted by a ransomware attack. LockBit claimed responsibility and initially made a portion of the stolen data public. While condemning this illegal act CSEM emphasized that the exposed data posed minimal risk to public safety or operations. The organization refused to pay the ransom, instead choosing to engage with authorities for assistance. LockBit later provided a link on its dark web site to download 44GB of exfiltrated data.
- Network monitoring company LogicMonitor confirmed that some users of its SaaS platform had recently experienced cyberattacks. The organization is in contact with impacted clients and is working with them to mitigate the situation. Sources have revealed that attackers were able to get into customers’ accounts using weak passwords that LogicMonitor itself had issued. Others reported that LogicMonitor was proactively reaching out to customers to explain that other accounts on the platform had been compromised, which had led to a ransomware attack. Information on this attack remains vague and further details are expected to become available in the coming days.