In 2020, 2021 and now 2022, BlackFog’s state of ransomware in 2022 measures publicly disclosed attacks globally. We also produced an annual summary of our findings in the 2021 ransomware attack report. In 2022 we will be tracking even more statistics, such as data exfiltration and several others as the year progresses. As usual you can also subscribe to have the report delivered to your inbox every month. You can also check out some of the biggest myths and moments in the history of ransomware, or see more recent statistics for 2023.
Learn more about how BlackFog protects enterprises from the threats posed by ransomware.
January
Ransomware started strong in 2022 with a significant attack on Bernalillo County in New Mexico making headlines. The incident closed most government buildings and impacted education in the area. The cyberattack also had a knock on effect at a county jail when the security camera and automatic doors were knocked offline leaving the inmates in lockdown. Here’s a look at what else we uncovered for the month.
- We start the new year with a reported attack on Portuguese media group Impresa. This attack occurred over the New Year holiday knocking the organization’s websites and online streaming services offline. Little-known ransomware gang Lapsus$ was behind the attack.
- French aerospace giant Thales Group were next to make ransomware headlines. A cyberattack on the firm was later confirmed as ransomware with Lockbit claiming responsibility. In a statement Thales said that “despite the fact that we have not received any direct ransom notification, we take this still unfounded allegation – and whatever its source – seriously. A dedicated team of security experts is currently investigating the situation.” Lockbit then took action by disclosing some of the exfiltrated data.
- A holiday ransomware attack on Crawford County caused havoc with the government computer systems. In a statement they said “our IT guys and the guys at Apprentice (the company that provides IT assistance for the county) have been working day and night to get things back up and running”. They also notes that the computer systems were shut down immediately to prevent the loss of data and files. It’s not known what gang was behind the attack or if there was a ransom demand.
- Montreal Tourism Agency shared that they had been one of the recent Canadian victims of the Karakurt hacking group. A spokesperson for the organization declined to say how the agency was compromised, whether the stolen data had personally-identifiable information, or what the attacker was asking for. The Karakurt posting, dubbed its Winter Data Leak Digest, says “the data amount we have obtained is speaking for itself. Which means there is a big hole in IT department that allowed us to exfiltrate everything we wanted.”
- Canadian heavy equipment maker Weldco-Beales Manufacturing was the next victim of the Karahut gang. At time of writing the company was assessing what if any data had been exfiltrated. Asked if the company had heard from the hackers, a spokesperson said, “they leave a trail on the server of files, they are wanting you to get hold of them and send them bitcoin. And they left a couple of voicemails. The voicemails, he said, told the company “to take this seriously, you know how to contact us.” He couldn’t recall how much was demanded in cryptocurrency.
- Carthage Schools in Missouri confirmed that the ‘cyber event’ they experienced at the end of 2021 was indeed a ransomware attack. In a statement they said, “regrettably, our forensic partners determined the ransomware group behind this attack obtained data from our network and has threatened to publish that information to the Dark Web. At this time, we do not know exactly what data may be at issue; however, we are working as quickly as possible to determine the answer.” Criminal gang Vice Society was behind the attack.
- Bernalillo County in Albuquerque New Mexico was forced to close most government buildings following a ransomware attack. The incident made several headlines this month, notably when the incident left a jail without access to its camera feeds and rendered its automatic door mechanisms unusable leaving inmates in lockdown.
- Leading school website provider FinalSite suffered a ransomware attack that disrupted website access for thousands of schools worldwide. The organization did not initially disclose that they had suffered a cyberattack but simply said that they were experiencing errors and “performance issues” across various services. After three days of disruption they confirmed the disruption was caused by a ransomware attack.
- Bay & Bay Transportation, a Minnesota based trucking and logistics company suffered a second ransomware attack, this time at the hands of the Conti gang. In 2018 a ransomware attack crippled the company forcing them to pay the ransom. On this occasion the organization was better prepared and was able to return to 90% functionality in a day and a half without paying a ransom.
- The ransomware group Ragnar Locker spread claims of a successful hack of telecom analytics firm Subex and its Broomfield-based cybersecurity subsidiary Sectrio later sharing posts condemning the company for failing to protect its own network. An unconfirmed online report stated the firewall, router and VPN configuration data, company passwords, and employee documents had been published.
- Maryland Department of Health was hit with a devastating ransomware attack which left hospitals struggling amid a surge of COVID-19 cases. In a statement they shared that they had not paid any extortion demands. It’s not yet known what criminal gang was behind the attack.
- Japanese auto part manufacturer Denso suffered an attack by a criminal gang known as Rook. In a statement on their website the cybercriminals claimed to have exfiltrated 1.1 terabytes of data from the company. Denso belongs to the corporate group led by Toyota Motor Corp.
- Hensoldt, a German multinational defense contractor confirmed that some of its UK subsidiary’s systems were compromised in a ransomware attack. While the company is yet to issue a public statement regarding this incident, the Lorenz ransomware gang claimed the attack.
- Durham Johnston School in the UK suffered an attack at the hands of the Vice Society ransomware gang. Following the incident sources said that personal data belonging to pupils and teachers was posted on the Dark Web.
- UK based contractor payroll service provider Brookson Group reported that they had been hit by a “extremely aggressive” cyberattack to the UK National Cyber Security Centre. Although not confirmed by the company to be ransomware, the BlackCat gang claimed responsibility for the attack.
- Moncler, the luxury Italian fashion giant was next to make headlines when they confirmed a data breach following an attack by the BlackCat ransomware operation. Moncler confirmed that some data related to customers, current and previous employees, suppliers, consultants and business partners had been impacted.
- RR Donnelly, a leading integrated services company offering communications, commercial printing, and marketing to enterprise clients suffered a Conti ransomware attack. The company initially disclosed that they were not aware of any client data stolen during the attack, the Conti gang later claimed responsibility and began to leak 2.5GB of exfiltrated data. However, a source told news outlet BleepingComputer that the criminal gang soon removed the data from public view after RRD began further negotiations to prevent the release of data.
- Indonesia Central Bank disclosed they had been hit by a ransomware attack but public services were not impacted due to the quick measures taken to mitigate the incident. The Conti gang was behind the attack.
- Griggsville-Perry School District in Illinois, found themselves victim of ransomware gang who were holding their files hostage in return for a ransom. It’s not yet known who was behind the attack or what data was compromised.
- A ransomware attack on Pembroke Pines in Florida caused outages across certain city computers. A spokesperson for the city said so far it appears that no personal information was compromised and emergency services like police and fire remain operational.
- In the next reported incident Belarusian activists launched a ransomware attack on Belarusian Railways in protest of dictatorship. The group known as The Belarusian Cyber-Partisans demanded the release of 50 political prisoners and the removal of all Russian troops from the country to release the data.
- Linn County in Oregon discovered that a number of its computers were infected with ransomware knocking several systems offline including the county’s website which affected their ability to provide services to the public. Officials said at this time there was no evidence of compromised data.
- The Ministry of Justice in France made headlines when the Lockbit ransomware gang claimed that they had successfully hacked the organization, giving them a deadline of February 10th to pay the ransom or have their data leaked on the Dark Web.
- Delta Electronics, a Taiwanese electronics company and a provider for Apple, Tesla, HP, and Dell were next to disclose they had been a victim of a cyberattack which affected only ‘non-critical’ systems. While the company’s statement did not name the group behind the attack, a Conti ransomware sample was found to be deployed on the company’s network.
- New Bedford Police Department in Massachusetts shared that they had been impacted by a ransomware attack affecting some of the department servers and computers, the non-emergency phone network was also out of service as a precautionary measure. It’s not yet known who was behind the attack or if any data was exfiltrated.
- South Africa based investment administration provider Curo Fund Services found themselves unable to access IT systems for 5 days following a ransomware attack. At time of writing the incident was under investigation “to establish the origin, nature and scope of this incident so as to assess any data breaches”.
- John Diefenbaker International Airport in Saskatoon, Canada suffered an attack at the hands of the Snatch ransomware gang. The gang posted what is known as a ‘proof pack’ of some of the exfiltrated data on the Dark Web. Sources have told media outlet IT World Canada that the goal of the criminal gang appears to be to embarrass the Saskatoon Airport Authority (SAA) for being unable to pay the ransom demand.
February
We recorded 28 ransomware attacks this month, with almost half occurring outside of the United States. Notable incidents included an attack on the San Francisco 49ers’ during Super Bowl weekend and an attack on KP Snacks, a well-known UK snack food manufacturer. Here’s a snapshot of the ransomware attacks that made news during the month.
- An attack on German oil company Oiltanking GmbH impacted gas stations across the country. Royal Dutch Shell disclosed that they had been forced to reroute to different supply depots because of the issue, while German newspaper Handelsblatt said 233 gas stations across Germany were impacted and forced to revert to manual processes. The BlackCat ransomware gang was behind the attack.
- KP Snacks, a major producer of popular British snack foods was hit by the Conti ransomware group affecting distribution to leading supermarkets across the UK. The gangs private leak page shared samples of credit card statements, birth certificates, spreadsheets including employee personal data, confidential agreements, and other sensitive documents. The gang allegedly gave the company five days to pay a ransom before leaking even more proprietary data on their public blog.
- US business services company Morley Companies Inc. disclosed that they had been a victim of ransomware in August 2021. After an internal investigation the company determined that the unnamed threat actors exfiltrated the personal information of 521,046 individuals. The company notified affected parties including employees, contractors, and clients in January this year. In a statement the company said, “Morley Companies is not aware of any misuse of your personal information due to this incident.” Although it seems that might not be the case as HackNotice, the cyber-intelligence platform claims to have seen Morley’s data on the Dark Web a week prior.
- An attack on the Neenah School District in Wisconsin disabled the district’s internet, phones, email and other information technology which resulted in a two-day shutdown of schools. A ransom was demanded by the unknown attackers but the school district declined to provide details relating to the amount of the ransom or whether any or all of it had been paid by their insurance company.
- Airport management services company Swissport experienced a ransomware attack that targeted its IT infrastructure. Headquartered in Opfikon Switzerland, the company manages airport ground and cargo handling services for over 300 locations. The BlackCat criminal gang was responsible for the attack.
- Syndicat Intercommunal d’Informatique (SII), an IT service provider based in France experienced a ransomware attack at the hands of the Hive cybercriminal gang. The organization provides IT services and assistance to various other municipalities within the Department of Seine-Saint-Denis in the French region of Île-de-France, at least three other municipalities were impacted.
- Taylor Regional Hospital in Kentucky disclosed on Facebook that their phone lines, email and other IT systems had been taken offline following a ransomware cyberattack. The hospital declined to respond to media queries about the incident and it’s not yet known who was behind the attack.
- New Zealand Uniforms was hit by the Conti ransomware gang who shared the incident on their Dark Web site. A spokesperson said the attack had temporarily impacted some of its systems but that they were “fully operational again within 48 hours, minimizing the impact to customers”. They also confirmed that no ransom had been paid or proposed and that they had not engaged with the criminal gang.
- Ohlone Community College District in California disclosed that the private information of some staff, faculty and current and former students had been compromised in a cyberattack. An investigation is ongoing and it’s not yet known who was behind the ransomware attack.
- Jax Spine and Pain Centers reported a hacking incident to the HHS following a claim from the Avos Locker criminal gang who said they acquired data relating to 260,000 of their patients. On the threat actors leak site they said , “we have the full EHR (Electronic Medical Records) database for 262,000 patients! We are publishing list only for first 100 patients as proof.”
- Emil Frey, Europe’s largest car dealer disclosed that they had been a victim of ransomware after they showed up on the list of Hive ransomware victims. A spokesperson for the Swiss company declined to comment on whether or not customer data had been accessed.
- Optionis Group, a UK based accounting conglomerate had their data dumped on the Dark Web by the Vice Society, a typical response to a lack of cooperation with the criminal gang. Optionis Group houses brands including Parasol Group, Clearsky, SJD Accounting and NixonWilliams.
- The San Francisco 49ers’ made headlines during the Super Bowl weekend when they were hit by ransomware. Confirmation of the attack came after the 49ers were listed on a Dark Web leak site as a victim of the BlackByte ransomware-as-a-service group. The threat actors claimed to have exfiltrated data with an estimated value of $4.175 billion.
- Mizuno, the Japanese sportswear and sporting equipment manufacturer suffered an attack which led to significant business disruption, including phone outages, shipping delays and website issues. The company did not provide a public statement about the cause of their outages and it’s not yet known who was behind the attack.
- The Royal Dublin Society (RDS) issued a warning to its members that their data may have been compromised in a ransomware attack. RDS management confirmed that cybercriminals had “extracted data from our servers”, which included personal data belonging to staff, members, and suppliers. The RDS has 3000 members.
- Centralia College in Washington issued a press release confirming that they had been hit with a ransomware attack. It’s not yet known who was behind the attack or if any employee or student data has been compromised.
- Extend Fertility, a New York based clinic recently notified its patients that their data may have been compromised in a recent ransomware cyberattack. A month-long investigation into the incident revealed that the threat actors had access to servers that stored the protected health information (PHI) and personal data of some of the clinic’s patients. The full extent of the attack is currently unknown as the data analysis is ongoing.
- The Hays USD 489 school district in Kansas experienced disruption across its IT systems following a cyberattack confirmed to be ransomware. The school has not shared information about the attack as the investigation is ongoing.
- The University of Neuchâtel (UniNE) in Switzerland was hit by a ransomware attack by the Conti gang. The school confirmed the incident but at time of writing had not received a ransom demand from the criminal group.
- US cookware giant Meyer informed the U.S. Attorney General offices that they had suffered a data breach affecting thousands of their employees. An investigation into the incident revealed that threat actors gained access to personal information belonging to employees of Meyer and its subsidiaries. The Conti criminal gang shared a ZIP file containing 2% of the exfiltrated data but at time of writing had not followed up to publish the remaining 98%.
- Expeditors, a Seattle based logistics and freight forwarding company was hit by a ransomware attack which forced the company to shut down global operations. The company did not confirm the type of cyberattack, but a tip shared with media outlet Bleeping Computer said it appeared to be a massive ransomware incident.
- India’s only state-owned and operated container terminal Jawaharlal Nehru Port Trust reportedly started turning away ships after suffering what is believed to be a ransomware attack. The Jawaharlal Nehru Port Container Terminal is one of five container terminals in India’s largest container port, Jawaharlal Nehru Port Trust, which accounts for half of all the containers handled in the country.
- Russian cybercriminal gang Snatch claimed to have stolen 500 gigabytes of data from McDonalds, posting their demand for an undisclosed sum on the Dark Web. McDonalds has not yet commented on the attack.
- LA: Spine Diagnostic & Pain was hit by the Conti criminal gang. The hackers added the Louisiana based practice to their leak site, dumping 3351 files that they claimed represented 30% of all the files they had exfiltrated.
- Graphics card manufacturer Nvidia Corp was hit by the Lapus$ ransomware gang. The company released a public statement confirming the attack but did not share details about the extent of the incident. According to reports from the hackers it seems the company decided to retaliate rather than negotiate.
- Cybercriminal gang Lapus$ found the tables turned on them when recent victim Nvidia launched a retaliatory strike against them to prevent the release of the chipmaker’s stolen data. Screenshots from the publicly accessible Lapsus$ Telegram channel were shared on Twitter by several security researchers with the gang claiming the company exfiltrated 1TB of their data.
- iTCo a New Zealand based IT company that specializes in online security was hit by the Conti gang who claimed that they had exfiltrated more than 4 gigabytes of data. An investigation into the incident is ongoing.
- Managers at the Bridgestone-Firestone tire factory in Iowa were forced to send workers home after learning that hackers may have compromised the international corporation’s data systems. A spokesperson for Bridgestone Americas, said in a statement that company officials are investigating the “information security incident.” She also added that Bridgestone managers had disconnected company devices across many Latin American and North American factories.
March
In March we recorded 25 ransomware attacks with Samsung, Microsoft and Bridgestone making headlines. Automotive giant Toyota also made news when they were forced to halt production across all plants in Japan after a ransomware attack on a key supplier. Here’s a look at what else we uncovered during the month.
- We begin the month with insurance giant AON who disclosed that they had been hit by a ransomware attack which reportedly left no significant impact on the company. Little is known about the attack which occurred in late February according to a filing with the Securities and Exchange Commission (SEC).
- Toyota made ransomware headlines when they were forced to halt production across all plants in Japan after a ransomware attack on a key supplier. Also affected were Toyota subsidiaries Hino Motors and Daihatsu Motor.
- Fleetwood Area School District in Pennsylvania sent a letter to families and staff informing them that the technical difficulties the district had been experiencing were the result of a ransomware attack. No further details about the incident were disclosed.
- Electronics giant Samsung made news when the Lapsus$ data extortion gang leaked confidential data which they claimed had been exfiltrated from the company. Following the attack the extortion gang shared a note teasing Samsung about releasing their data with a snapshot of C/C++ directives in Samsung software.
- Rompetrol, Romania’s petroleum provider shared that they were battling a massive cyberattack. News outlet Bleeping Computer revealed that the Hive ransomware gang was behind this attack and they had hit the organization with a multi-million dollar ransom.
- Denso Automotive confirmed they were hit by new ransomware player Pandora after the gang began leaking sensitive data. Denso is one of the world’s largest automotive components manufacturers, supplying brands such as Toyota, Mercedes-Benz, Ford, Honda, Volvo, Fiat, and General Motors. While the company stated that the cyberattack did not impact their operations, the Pandora ransomware gang began leaking 1.4TB of files allegedly exfiltrated during the attack.
- Canadian aluminium manufacturing company Aluminerie Alouette suffered major systems failure due to a ransomware attack at the hands of the Conti gang. The gang shared details of the attack on their leak site, details of the ransom demand are unknown and Aluminerie Alouette did not respond to media requests for information.
- Vodafone appeared to suffer a data breach at the hands of the Lapsus$ ransomware group without even knowing it. The group issued a poll on its Telegram channel asking their subscribers whose stolen data they should dump next – with three options available: Vodafone, Impresa, and MercadoLibre. Vodafone said they were working with law enforcement and investigating the incident but would not comment on the credibility of the claim.
- Buenos Aires-based online marketplace Mercado Libre admitted in an SEC filing that source code and user data were accessed, although it did not reveal how. Although the Lapus$ gang sited them as a victim along with Vodafone on their Telegram channel. The company commented “although data from approximately 300,000 users (out of our nearly 140 million unique active users) was accessed, to date, and according to our initial analysis, we have not found any evidence that our infrastructure systems have been compromised or that any users’ passwords, account balances, investments, financial information or credit card information were obtained. We are taking strict measures to prevent further incident”.
- Data from Altoona Area School District in Pennsylvania shared that the district had suffered an attack on their server in December 2021, after which they started working with a ‘high-end’ security vendor to secure their servers. However, this month district administration was contacted by employees saying their credit monitoring services had been in touch to advise that their social security numbers or medical identification numbers were found on fraudulent trading websites on the Dark Web.
- French video game company Ubisoft confirmed they had suffered a hack at the hands of the Lapus$ gang. In a statement they said “we can confirm that all our games and services are functioning normally and that at this time there is no evidence any player personal information was accessed or exposed as a by-product of this incident”.
- The LockBit gang attacked Bridgestone Americas who managed to recover from the attack. Unfortunately, the ransomware gang later threatened to release the data they managed to exfiltrate during the attack. Bridgestone later hired Accenture Security to investigate and understand the full scope and nature of the incident and to determine what data had been stolen.
- East Tennessee Children’s Hospital disclosed that they had been a victim of an “information technology security issue” in the evening hours of Sunday, March 13th. In a statement they said “maintaining the safety and security of our patients and their care is our top priority. We are still able to care for our patients. Our cyber forensics teams and outside agencies are doing everything possible to minimize any disruption. The response is active and still ongoing. We apologize for any inconvenience, and ask for your patience as we address this issue.” No further details were available.
- The South African division of US-based consumer credit bureau TransUnion acknowledged that they had suffered a ransomware attack after a third party gained access to one of its servers through misuse of an authorised client’s credentials. In a statement they said “we have received an extortion demand, and it will not be paid”.
- The National Rifle Association (NRA) finally confirmed that the cyberattack they experienced in October last year was indeed ransomware. The NRA’s political action committee filed a report to the Federal Election Commission to confirm the attack, claiming it was the reason why the organization couldn’t report some of the donations it had received at the time.
- The Scottish Association for Mental Health (SAMH) suffered an attack at the hands of the RansomEXX ransomware gang. The attack impacted its IT systems, including email and some phone lines and unfortunately led to more than 12GB of sensitive data being leaked to the Dark Web.
- Officials from Plainfield County in Connecticut disclosed that hackers were holding the town hall and police department computer files hostage after a cyberattack. A spokesperson could not say how the system was breached or what specific steps were being taken to solve the problem, but did confirm that the affected town hall computers contain some basic resident information, including names, addresses and phone numbers, but no billing information.
- The Bexar County Appraisal District in Texas confirmed they had become the victim of a ransomware attack. A spokesperson said there was a ransom note but the hackers did not demand an amount of money and didn’t leave contact information.
- Lapus$ strikes again, this time San Francisco tech company Okta was the victim. According to the Lapus$ screenshots shared on Telegram, the ransomware group said it did not target Okta’s databases and instead focussed on Okta customer data.
- Hellenic Post (ELTA) the state-owned provider of postal services in Greece disclosed they had suffered a ransomware incident which affected most of the organizations services. The agency’s IT teams determined that the threat actors exploited an unpatched vulnerability to drop malware allowing access to one workstation using an HTTPS reverse shell.
- Microsoft confirmed that the Lapsus$ hacking group had successfully compromised an employee’s user account and had stolen code, days after the group boasted that it had infiltrated the software giant. The company shared that no customer data or code was affected and that the operation was interrupted by its security team. The company made the admission in a blog post describing Lapsus$’s tactics, and offering guidance on how to protect against them.
- Memorial Hospital of Carbon County in Rawlins Wyoming disclosed they had been a victim of ransomware. A hospital spokeswoman did not specify which of the hospital’s systems were targeted in the attack, but added that the hospital’s two electronic health record systems, were not compromised. It’s not yet known who was behind the attack or if any data had been compromised.
- Oklahoma City Indian Clinic had 360 GBs of data including health and financial records stolen during a cyberattack claimed by the Suncrypt ransomware gang. The attack impacted some of the clinics computer systems and their auto-prescription refill system.
- The Rehab Group in Ireland disclosed they had been a victim of a criminal ransomware attack in which the hackers were trying to access patient information and financial data. It’s not yet known who was behind the attack which a spokesperson described as “a plain vanilla ransomware criminal attack, where they were trying to obtain money in exchange for blackmailing Rehab with threats of destroying their data or publishing their debtors”.
- Partnership HealthPlan of California, a non-profit that manages health care for Medi-Cal patients in 14 counties made headlines when the Hive ransomware gang claimed to have stolen private data for 850,000 of its members. A screenshot of the claim stated that “stolen data included…850,000 unique records of name, SSN, date of birth, address, contact, etc.” It also stated that 400 gigabytes of data were stolen from Partnership’s file server. The claim has since been removed and the incident is under investigation.
April
In April the Stormous criminal gang made headlines when they claimed an attack resulting in 161 GBs of data stolen from Coca Cola without the company knowing. Reports say the Russian-linked hackers later put it up for sale for $640,000 or 16 million Bitcoin. The Conti gang was also busy this month with notable attacks on industrial giant Parker Hannifin and Snap On Tools. Newcomers Black Basta also made headlines when they claimed attacks on Deutsche Windtechnik and the American Dental Association. Here’s a snapshot of what organizations made the ransomware list this month.
- HP Hood Dairy, the company behind Lactaid, a brand of lactose-free milk was missing from the shelves in US supermarkets at the beginning of the month due to a ransomware attack. The company declined to share details of the incident, but cyber experts say it was likely ransomware. Hood Dairy is the latest victim in a string of high-profile attacks on food manufacturers in the US which is contributing to shortages amid tight supply chains and high prices.
- The Anonymous hacker group posted on Twitter that they had launched an attack on the Russian Orthodox Church. The group released around 57,500 emails from the data they stole from the organization.
- UK retailer The Works made headlines when a ransomware attack caused by a malicious phishing email forced some of its stores to close. The company who operate 520 stores said that customer data had not been accessed and that they would not speculate about the potential for paying the ransom. The group behind the attack and the ransom demand hasn’t been disclosed as yet.
- Perusahaan Gas Negara (PGN), Indonesia‘s state-backed oil and gas company found themselves a victim of the Hive ransomware gang. The Indonesian government holds a majority stake in PGN, which provides gas to 84 million customers.
- Following a ransomware attack, listed law firm The Ince Group was granted an interim injunction to stop hackers from releasing confidential data on the Dark Web if they failed to pay the ransom. The judge who made the order called it a clear case of blackmail. It’s not yet known who was behind the attack and if they disclosed any of the exfiltrated data.
- Industrial giant Parker Hannifin, a provider of engineered solutions for organizations in the aerospace, mobile, and industrial sectors were hit by the Conti ransomware gang. In a regulatory filing the company disclosed that they had detected a breach and subsequently shut down some systems, an investigation is ongoing. The company confirmed that some information had been accessed including personal employee data. The hackers published 5GBs of data which they claim was 3% of the data they exfiltrated.
- In a campus message Florida International University shared the following message, “today, a ransomware group posted that sensitive FIU data had been exfiltrated. We have been investigating and there is no indication thus far that sensitive information has been compromised. At this time, no further information is available”. Cybersecurity experts who looked at the allegedly stolen data confirmed that it did include sensitive information from staff and students at the university. BlackCat was behind the attack which was the 8th reported attack on US colleges this year.
- Tech company Globant disclosed in an SEC filing that had experienced a data breach after the Lapsus$ ransomware gang claimed to have stolen 70GB of source code from the company.
- American automotive tools manufacturer Snap On announced a data breach after a ransomware attack exposed their associate and franchisee data. The Conti gang was behind the attack which compromised personal data including names, Social Security Numbers, dates of birth, and employee identification numbers.
- A&T University in North Carolina was struck by the BlackCat ransomware gang. The attack which affected online systems and was said to have occurred during spring break. News of the incident followed a post on the criminal gangs darknet site where they name and shame in an attempt to extract a ransom payment.
- Japanese animation studio Toei Animation is experiencing production issues after a ransomware attack. It’s not known what criminal gang was behind the attack which the company is investigating. The company stated they are not sure that they can completely restore what was lost in the attack.
- Vehicle dealer group TrustFord revealed that a ransomware attack by the Conti gang affected their internal systems. TrustFord assured customers that their sites remain open and trading and that the attack did not impact Ford Motor Company Systems.
- Tech giant Panasonic confirmed that its Canadian operations were hit by a cyberattack, less than six months after the company last fell victim to hackers. The Conti gang was behind the attack and claimed to have stolen over 2.8 gigabytes of data from Panasonic Canada. When asked by news outlet TechCrunch, the company did not dispute that the incident was the result of a ransomware attack but they declined to say what data was accessed, or how many people were impacted by the breach.
- Nordex, one of the world’s largest developers and manufacturers of wind turbines was the next victim of the Conti criminal gang. In an announcement the company disclosed that they had suffered a cyberattack that was detected early and that they had shut down their IT systems to prevent the spread of the attack. They did not confirm that the incident was ransomware despite the Conti gang claiming the attack and sharing details on their leak site.
- Funky Pigeon, an online greetings card and gifts business was forced to suspend their business following a cyberattack. The WH Smith-owned company said it had taken its systems offline “as a precaution” and was therefore unable to fulfil any orders. It’s not yet known who was behind the attack.
- A ransomware attack crippled the Costa Rican government computer systems. After refusing to pay a ransom the Conti gang began publishing the stolen information. The Finance Ministry was the first to report problems with a number of its systems including tax collection being impacted. Attacks on the social security agency’s human resources system and on the Labour Ministry, as well as others followed.
- The Rio de Janeiro finance department confirmed they had been hit by a ransomware attack on its systems. The LockBit gang claimed to have stolen 420 GBs of data which they would disclose if the ransom was not paid.
- The American Dental Association (ADA) was hit by a weekend cyberattack which caused them to shut down portions of their network while undertaking an investigation. The organization downplayed the incident and shared that preliminary investigations did not indicate that data had been compromised. However, new ransomware gang Black Basta later claimed the attack and began leaking data.
- Relatively new ransomware gang Stormous made headlines when they claimed an attack on Coca Cola. The criminal gang posted on its website that it had hacked Coca-Cola’s servers and retrieved 161 gigabytes of data which included financial data, passwords and commercial accounts. The group is now trying to sell that data for more than $640,000 or more than 16 million in Bitcoin, Coca Cola is investigating the incident.
- Top 100 law firm Ward Hadaway found themselves blackmailed for up to $6m in bitcoin after confidential documents were obtained in a ransomware attack. The firm detected a cyberattack last month and was told by an unidentified hacker that files and data downloaded from its IT systems would be published online if $3 million was not paid within a week, after which the ransom would double to $6 million. The Lorenz gang was behind the attack.
- German wind turbine giant Deutsche Windtechnik disclosed that some of its systems were hit by a cyberattack earlier this month. The attack forced the company to switch off remote data monitoring connections to the wind turbines. Deutsche Windtechnik did not disclose the attack but experts believe that the firm was hit with ransomware. Our research confirms that newcomer Black Basta was behind the attack.
- Students and staff at Austin Peay State University in Tennessee experienced disruptions after a ransomware attack impacted the schools IT systems. The school administration and APSU Police sent out alerts by email to all students faculty and staff, saying, “APSU ALERT: We are under a Ransomware attack. If your computer is connected to the APSU network, please disconnect IMMEDIATELY.” It’s not yet known who was behind the attack.
- An attack on Wyandotte County in Kansas went undetected for 2 days and unreported for a third according to media reports. The attack which caused havoc across multiple government systems hasn’t been claimed by a gang yet but inside sources say there has been a ransom demand. Sources also said that they were unusually ripe for an attack, with insufficient technology and personnel, and had been warned about it well in advance – by tech experts and by a cyberattack on the county’s Board of Public Utilities a few years ago.
- Becker Law Office, one of Louisville’s best-known law firms was hit by the LockBit gang who threatened to release their data if the ransom wasn’t paid. Media outlet The Courier Journal learned of the attack from a website that provides real time alerts about cyber risks. In a statement from the company they said the attack is under investigation said it is too early to release information.
- A cyberattack that left Elgin County’s IT systems down at the start of the month is now suspected to be ransomware. At the end of the month, data belonging to the county appeared on the Conti gang’s data leak site, shedding new light on the “technical disruption” that had been plaguing the county for the last few weeks. Interestingly the data disappeared from the Conti site soon after indicating that it’s possible the county could be negotiating a ransom with the criminal gang.
May
In May 26 ransomware attacks were publicly disclosed, an increase over both 2020 and 2021. Education and government were the hardest hit verticals for the month, with an attack on Indian airline SpiceJet and farming equipment maker AGCO making the most headlines globally. The Austrian state of Carinthia also made news when the BlackCat criminal gang disrupted their systems and demanded a ransom of 5 million. Here’s a snapshot of what else we uncovered.
- We start the month in Germany where library service Onleihe disclosed that they had been hit by ransomware. Onleihe allows users to rent and borrow e-books, electronic newspapers, magazines, audio books and music from more than 200 libraries across Germany, Austria, Switzerland, Italy, Liechtenstein, Denmark, Belgium and France. Many websites connected to their platform were impacted by the attack which the LockBit criminal gang claimed responsibility for, they also admitted to leaking data indicating that a ransom had not been paid.
- Next up, another library system, but this time in New York. Officials at the Westchester County Library System reported that the library system’s network had been impacted by a ransomware attack but the threat actors were not able to compromise any personal data from its patrons. According to officials, security measures in place managed to curb the attack.
- Kellogg Community College in Michigan was forced to cancel classes and closes campuses following a ransomware attack. It’s not yet known who was behind the attack or if personal data belonging to staff and students have been compromised.
- The LockBit gang, thought to have strong ties with Russia, announced that they would be releasing files they stole from the Bulgarian refugee agency. Nearly 230,000 Ukrainian refugees have made their way to the country since the start of the war. A note on the dark web site belonging to the gang said that all data would be published but there was no mention of a ransom amount.
- Major US farming equipment manufacturer AGCO suffered a ransomware attack which disrupted production. The company confirmed the incident after media in France reported a cyberattack had hit several AGCO sites in the country. Our research indicates that the BlackBasta criminal gang was behind the attack.
- Health-systems and medication-management-solutions provider Omnicell had their systems disrupted by a ransomware attack. A spokesperson commented that “upon detecting the security event, the company took immediate steps to contain the incident and implement its business continuity plans to restore and support continued operations.” The gang behind the incident is still unknown.
- An attack on web hosting server Opus Interactive caused major disruption across several organizations including the Oregon primary election, Myrtle Beach National golf facility and virtual assistant company Ruby Receptionists. It’s not yet known who was behind the attack and if any data was compromised.
- Up next is Canadian fighter jet training company Top Aces. The Montreal based company which is said to be the “exclusive adversary air provider to the Canadian and German armed forces” — showed up on the LockBit ransomware groups data leak site. In a brief statement to press the firm disclosed that they were in the process of investigating the incident.
- Texas based Christus Health was hit by the AvosLocker gang. The good news is that the incident didn’t affect patient care, but the bad news is that the gang made off with sensitive patient and employee data. A notice on their data leak site claimed that all of the stolen data was for sale if the owner didn’t pay the ransom.
- The LockBit ransomware gang claimed an attack on Mercyhurst University in Pennsylvania. The irony of this is that the incident follows the university’s participation in Cyber Impact 2022 where they patted themselves on the back for their work in cybersecurity. The university didn’t confirm the breach but LockBit claimed they would be leaking the stolen data. In a later update the LockBit listing had been taken down, suggesting there may have been a negotiation or payment.
- Auction.com, an online marketplace for buying and selling residential bank owned and foreclosure properties, was among the latest victims of the Conti ransomware group. It was reported that the breach took place on April 13th, with personal financial data and other identifying information being accessed and released on the dark web.
- Bank of Zambia made headlines after an attack from the Hive ransomware gang. A spokesperson for the bank commented that their core systems were still up and running and ‘not much sensitive data has actually been shipped out’. The organization didn’t feel it was necessary to engage in a ransom conversation with the attackers, in fact, they made it clear that they were not going to pay by posting a picture of male genitalia and telling the hackers to s… (well, you can use your imagination), or read the story in Bleeping Computer!
- Belgian private hospital group Vivalia suffered a LockBit ransomware attack which severely crippled their operating capacity. As a result of the attack, patient records were unavailable and many processes reverted to manual. The cybercriminal gang threatened to publish 400 GBs of hospital and patient data if ransom demands weren’t met.
- Nikkei Inc, a Japanese business news group, reported that its Singapore unit had fallen victim to a ransomware attack. A server at Nikkei Group Asia Pte, containing customer data, first detected unauthorized access on 13th May, according to a company statement. No one has yet claimed responsibility for this attack.
- Fort Summer Municipal schools in New Mexico suffered an attack from the CLOP cybercriminal gang. Sensitive information from students, faculty members and parents, including scanned driver’s licenses later appeared on the ransomware group’s data leak site.
- The CLOP gang also hit Washington Local Schools in Ohio who released a statement saying a cyberattack had affected phone, email, internet and Wi-Fi networks as well as Google Classroom systems.
- Following an attack on the city of Quincy Massachusetts, the mayor shared that the city has spent over $500,000 for an encryption key to regain access to the city’s information service systems. The attack affected the city’s systems but it is believed that no personal information was compromised. A further $150,000 was approved by the city in emergency funds for outside consultants relating to security services, cyber cryptocurrency and ransomware negotiation services.
- India’s SpiceJet airlines announced that their systems had faced an “attempted ransomware attack” causing lengthy delays and passengers stranded at airports with very little communication from staff. According to company statements their IT team were able to contain and rectify the situation with no further information given on the attack or perpetrators.
- An attack on the Austrian state of Carinthia caused massive disruption across government IT systems. The BlackCat ransomware gang demanded $5million in exchange for decryption software and sensitive data which they have claimed to have accessed. However, a spokesperson shared that demands would not be met as there was no evidence of data exfiltration. 3,000 IT workstations were affected, halting the delivery of new passports and traffic fines. The State’s email service, website, Covid contact tracing and social benefits were also affected by the incident.
- The De MontFort School in Eversham UK suffered a cyberattack that affected all of the school’s IT systems including the website, phone and email lines. In a statement released by the school, it was suggested that data, personal or otherwise, was not accessed or stolen during the attack.
- Martin University in Indianapolis disclosed that ‘like many other colleges and universities across the nation’, they too had experienced a recent ransomware attack. The university learned of the suspicious activity on January 3, 2022 and immediately hired security experts and a computer forensic investigator to investigate. The investigation revealed that personal information of some current, former, and prospective students may have been impacted. The university publicly disclosed the incident via a press release on My 26th.
- A ransomware attack in Central New Jersey’s Somerset County disrupted services and forced employees to shut down computers and create temporary Gmail accounts to ensure the public could still email health, emergency and sheriff’s departments. A spokesperson shared that the FBI were investigating the incident, however it is still unclear who is responsible for the attack. This attack marks the 22nd US state or local government to be hit by ransomware in 2022, according to analysts at Recorded Future. Later news suggested that the attack had taken the County back to 1977 as a result of the level of disruption.
- Regina Public Schools was forced to shut down all internet based systems following a ransomware attack. According to the note appearing on the computers, 500GBs of files containing tax reports, health information, social security insurance and passports were been copied and encrypted. The BlackCat gang claimed responsibility.
- North Orange County Community College recently reported that they had suffered a ransomware attack in January of this year. The incident which affected more than 19,000 people involved both Cyprus College and Fullerton College. A notice posted by the school suggested some personal, financial and medical information had been compromised from Fullerton College. Cyprus College were unable to determine whether patient data from their Dental Hygiene Clinic was viewed or taken but felt it necessary to issue a notice. It’s not yet known what gang was behind the incident.
- On the last day of the month all computer systems on the network of Costa Rica’s public health service ( known as the Costa Rican Social Security Fund or CCCS) were offline following a Hive ransomware attack. The CCCS publicly acknowledged the in a statement issued on Twitter. The investigation is ongoing but the Costa Rican government agency says that citizens’ health and tax information stored in the EDUS (Unified Digital Health) and the SICERE (Centralized Tax-Collection System) databases was not compromised.
- American apparel manufacturing giant Hanesbrands disclosed that they had been affected by a ransomware attack in a regulatory filing. At time of writing it’s unclear what effect the ransomware attack had or continues to have on Hanesbrands. In the notice the company said it had “activated its incident response and business continuity plans designed to contain the incident,” and that the forensic investigation into the incident was ongoing.
June
In June we recorded 31 publicly disclosed ransomware attacks, the most we’ve seen this year so far. South Africa’s largest supermarket chain made news when they were hit by the RansomHouse criminal gang, and one of Brazil’s largest retail chains, Fast Shop was also hit. The BlackCat gang claimed an attack on the University of Pisa hitting them with a $4.5 million ransom, while Brooks County in Texas admitted to paying their ransom with tax payer dollars. Here’s a look into what else we uncovered during the month.
- We start the month in Australia where the liquidators for building company Pivotal Homes revealed the company had been hit by ransomware just weeks before it collapsed. The company cited rising costs as the reason for the closure and it seems like the ransomware attack may have been the last straw for the struggling company.
- Up next was a Memorial Day weekend ransomware attack on the Cape Cod Regional Transit Authority. On the Monday following the holiday staff received an email alerting them that files on their servers had been encrypted, rendering them unreadable. A spokesperson commented that staff did not engage with the cybercriminals via email and the incident was being investigated by the authorities.
- The City of Alexandria in Louisiana became a victim of the BlackCat ransomware gang. This isn’t the first time the state of Louisiana has been targeted which was referenced in the note from the criminal gang which read “your servers are lying down again and the network is tightly closed and unavailable. We got more than 80 GB in compressed form of important data city [sic]…Don’t make past mistakes and do the right thing. This time you won’t get away with it.” The gang proceeded to then threaten a local news outlet who was one of the first to report the attack.
- Final exams were cancelled at Tenafly Public Schools in New Jersey after a ransomware attack crippled their computers. The attack meant the school was forced back to basics, relying on overhead projectors, and paper and pencils.
- The City of Palermo in Italy became the next victim of the Vice Society ransomware gang. The attack caused large-scale service outages which impacted 1.3 million people. The criminal gang posted details of the attack on their leak site disclosing that they would be leaking stolen data if a ransom wasn’t paid, however, the gang did not share any sample data.
- Arizona’s Yuma Regional Medical Center (YRMC) disclosed that a ransomware attack had resulted in a data breach affecting 700,000 people. No ransomware gang has claimed the attack as yet.
- Back to Italy where this time the BlackCat ransomware gang held the University of Pisa to ransom for a whopping €4.5 million. The university was given access to a chat thread in a private browser so they could communicate with the hackers and negotiate the ransom payment.
- The RansomHouse ransomware gang claimed an attack on The Shoprite Group, one of South Africa’s largest supermarket chains. The hackers openly touted their attack on the supermarket chain via their Telegram channel. They shared that the company “was keeping enormous amounts of personal data in plain text/raw photos packed in archived files, completely unprotected.” A sample of the exfiltrated data was published and Shoprite was “invited” to pay a ransom.
- Montrose Environmental Group a leading environmental solutions company issued a press release disclosing that they had been the victim of a organized ransomware attack. The press release stated that “the fact patterns of this attack, as well as information from law enforcement and independent cybersecurity experts, lead us to believe that this attack has been carried out by highly sophisticated bad actors.” The BlackBasta gang later claimed responsibility.
- Officials in Kansas City confirmed that a ransomware attack had affected the Unified Government of Wyandotte County and Kansas City over the Easter weekend. The UG said it didn’t pay a ransom because most of its services were supported by software as a service and cloud-based applications and all servers were routinely backed up. No gang has so far claimed the attack.
- Indiana based healthcare provider Goodman Campbell Brain and Spine announced a data breach following an earlier ransomware attack. An investigation confirmed that “initial analysis indicates that both Goodman Campbell patient and employee data had been accessed by an unauthorized party.” The Hive criminal gang claimed the attack.
- Long Island school district Plainedge Public Schools became the next victim of the BlackCat ransomware gang. The criminal gang shared proof of the attack by posting screengrabs including a list of employee contact info including names, phone numbers, email addresses and locations. The gang threatened to leak the data if they did not hear from the district.
- Glenn County Office of Education in California was attacked by the Quantum ransomware gang who hit them with a massive $1m ransom demand. In the ransomware negotiation process it appeared that the cybercriminal gang was negotiating based on a false impression that the county’s assets and cyber insurance was going to be enough to cover the demand, which was excessive for an education victim. It later transpired that the Quantum gang had calculated the ransom based on the total county assets and not the Office of Education. A ransom payment of $400,000 was later sent to the cybercriminals.
- Mainzer Stadtwerke AG (MSW), a municipal company of the city of Mainz in Germany who provide services and products in the core areas of electricity, gas and water supply was impacted by ransomware following an attack on their IT service provider. Following the incident the organization launched a whole new website and e-mail contact accounts in order to be able to provide information and offer contact options. An unconventional approach to ransomware as it involved a completely new infrastructure including a new domain name. The article suggested this process was faster than repairing the old systems.
- A spokesperson from Buncombe County’s Council on Aging, a non-profit organization in North Carolina disclosed they were concerned they had been hit by ransomware and sensitive data may have been accessed. It’s not know what gang was behind the incident.
- Brooks County in Texas made ransomware headlines when it was revealed they paid off hackers with tax payer dollars. The attack which impacted the county’s Justice of the Peace and district courts, and its finance department, cost more than $37,000. A spokesperson for the county said the attack took place after an employee opened an email containing a link that allowed someone to hack their system.
- Japanese automotive hose maker Nichirin Co. disclosed that a U.S. subsidiary had been forced to shut down its computerized production controls due to a ransomware attack. The subsidiary which supplies parts to Japanese auto makers was forced to revert to manual production.
- Grand Valley State University in Michigan was hit by the Vice Society ransomware gang which resulted in some personal student data being leaked online, however, the university remained publicly silent regarding the incident. GVSU informed DataBreaches.net that they first gained access to GVSU’s system on May 24th. Although, they did not reveal how they gained access, they commented that gaining access was “easy enough.” The University has declined to answer any media questions regarding the incident.
- Multimedia giant Arte Radiotelevisivo Argentino Group (Artear) was hit by the Hive ransomware gang who admitted to exfiltrating over 1.4Tb of data. Data stolen in the attack included, contracts, sensitive company data such as budgets, plans and investments, as well as employee details.
- The Hive gang struck again, this time at Pennsylvania-headquartered firm Diskriter, a company that provides health information management services and staffing for a number of state and municipal governments as well as medical facilities. A spokesperson for the Hive gang disclosed that they exfiltrated more than 160 GB of files including contracts, financial records, software source code and personnel information.
- Up next is FastShop, one of Brazil’s largest retailers. The retailer disclosed they had experienced an “extortion cyberattack” that led to network disruption and closure of its online store. The attack didn’t impact the 86 physical locations but it did impact the main website, mobile apps, and online ordering system as the retailer took the systems offline.
- Japanese automotive component manufacturer TB Kawashima, part of the Toyota Group of companies disclosed that one of its subsidiaries, a Thai sales company had been hit by a cyberattack. The LockBit ransomware gang claimed the attack and have begun to leak data, although the company has not confirmed the cyberattack was ransomware.
- The Medical University of Innsbruck disclosed an IT outage on June 20th restricting access to online servers and computer systems. The following day the IT team reset all student and employee account passwords and requested everyone complete a manual process to access new credentials. The university did mention they had been attacked but did not share any additional details. A few days later Vice Society claimed the attack and added the university to its data leak site.
- Fitzgibbon Hospital in Missouri were hit by Daixin Team, a new entry to the ransomware group list. The attackers claimed to have exfiltrated 40 GB of data which they posted on their leak site for the public to access. Exfiltrated data included both patient and employee information.
- Wabtec, a leading global provider of equipment, systems, digital solutions, and value-added services for the freight and transit rail sectors were reported to have been hit by a ransomware attack that impacted the ability of employees to log onto the company network. According to a source, some employees were met at the plant gate and told not to log on to their computers. A Union spokesperson commented “we make locomotives, not computers”.
- Multinational semiconductor company AMD made headlines when the RansomHouse extortion gang claimed them as their latest victim. AMD disclosed that they were investigating a potential data breach following the claims that the criminal gang had exfiltrated data from the U.S. chipmaker.
- A ransomware attack on Napa Valley College caused much disruption and the school was still struggling with it almost 3 weeks post incident. The website and many services remained offline and registration for the fall semester had been impacted. A news article referenced that the school had historically underinvested in IT but that an upgrade had been in progress when the attack was detected. Our research shows the BlackByte cybercriminal gang was behind the attack.
- Wiltshire Fine Foods, a leading UK producer of frozen ready meals disclosed that its systems were down following a serious cyberattack. The company shared that they were unable to make deliveries or contact customers at this time. Although the company has not disclosed that the attack was indeed ransomware, industry insiders have been vocal on social media about their speculations around the attack. The ready meals producer, which is owned by German parent company Apetito, said it hopes to get back quickly.
- Retail giant Walmart made news at month end when they denied being hit by the Yanluowang ransomware gang, a new cybercriminal entry to our blog. In a statement to media outlet Bleeping Computer, Walmart commented that their “Information Security team is monitoring our systems 24/7,” and believe the claims to be inaccurate. An entry on the data leak site claimed that that they breached the retailer and encrypted between 40,000 and 50,000 devices.
- Macmillan Publishers was forced offline due to a ‘cyberattack’ which experts believe to be ransomware, although at time of writing the company has not confirmed this. Staff from the publishing company took to social media to confirm that the incident had been hugely disruptive for its US side of the business, forcing the company to close its New York head office.
- Florida based Geographic Solutions, a company that handles unemployment claims and job placement for state governments in the U.S. was hit by a cyberattack that disrupted online services across the country. At least 9 states were impacted by the incident which the company described as ‘anomalous activity in the company network’. The attack is likely to be ransomware according to cyber experts but the company has yet to confirm this.
July
In July we spotted 21 ransomware attacks in the press including one on an Australian prison when bad actors managed to take control of the computer systems. The LockBit gang was busy this month claiming attacks on Italy’s tax agency, a small Canadian town, a town in Colorado and French telecoms firm, La Poste Mobile. Here’s a look at who else made news during the month.
- We begin the month with Baton Rouge Medical Center who was forced to revert to pen and paper when an attack took its EHR system offline. The hospital is working with authorities and hasn’t share information about the attack yet. However, in a copy of the ransom note shared with the DataBreaches website, the Hive group was clearly behind the attack, but when questioned, a Hive’s spokesperson claimed that DataBreaches had “incorrect info”. The jury is still out on who is responsible for this one.
- Next up is the College of the Desert in California, their second attack in two years. The attack took online services offline, the website and phone lines were also affected while employees were unable to access their email accounts.
- The Port Phillip Prison in Melbourne, one of Australia’s largest prisons was forced to suspend visits following a ransomware attack. It is believed that the unknown hackers took control of the network and requested a ransom to restore it.
- The Mattituck-Cutchogue School District became the latest Long Island district to be the target of a ransomware attack. Upon discovering the attack the district immediately shut down its systems to try and prevent access to data. It’s not yet known who was behind the attack or if data was exfiltrated.
- Lamoille Health Partners in Vermont, a community clinic providing a range of healthcare services became a victim of the BlackByte ransomware gang. The criminal gang shared two folders as evidence of exfiltrated data. One folder contained mostly accounting related information while the other contained sensitive patient information.
- BlackByte struck again, this time at Gateway Rehab, an addiction facility in Pennsylvania. Data was exfiltrated during the attack and the criminal gang leaked data including internal business documents, accounts information and patient details.
- French telecoms operator La Poste Mobile alerted customers that their data may have been compromised in a ransomware attack. The LockBit criminal gang were behind the attack which forced the telco to take company systems offline. A week following the incident the website was still offline and visitors were greeted by a statement in French telling customers to be wary of targeted cyberattacks.
- Mooresville Schools in Indiana shared in a statement that they had experienced a computer network disruption that impacted some of its operations. A group known as BianLian which is a new entry to this blog, claimed to have stolen 4,200 student records containing phone numbers, email addresses, and social security numbers. The school shared that they were aware of the claims but that they were unvalidated.
- Colorado based debt collector Professional Finance Company had over 1.9 million records exposed following a ransomware attack. Following the incident which occurred in February this year, the firm disclosed that they had ‘detected and stopped a sophisticated ransomware attack’ during which criminals accessed files containing data from more than 650 healthcare providers. The company later notified the affected medical centers and individuals whose data may have been stolen during the incident.
- Japanese game publishing giant Bandai Namco confirmed they has been the victim of a cyberattack that may have resulted in the theft of customer data. While the company has not provided any technical details regarding the cyberattack, it has appeared on the BlackCat data leak site. No data has been leaked yet but that can be common pending a ransom negotiation.
- An unknown cybercriminal gang attacked the Water Resource Department (WRD) in Goa, India, the organization responsible for the flood monitoring system across 15 of Goa’s major rivers. The currently unknown ransomware gang encrypted the files and demanded Bitcoin in return for decryption. According to reports the server runs on a 24-7 internet line and an absence of antivirus and outdated firewalls helped facilitate the ransomware attack.
- The Narragansett Bay Commission which runs sewer systems in parts Rhode Island was hit by a ransomware attack that encrypted data on some computers and systems. A spokesperson disclosed that the systems hit by the attack did not control the operation of the sewage system and there had been no disruption to wastewater collection and treatment services.
- The Canadian College MontMorency disclosed that they had been hit by a cyberattack that may have resulted in stolen data. AvosLocker, the gang behind the attack claimed that 8TB of data has been compromised.
- A company operating a ‘call taxi system’ in South Korea suffered a ransomware attack which caused taxi calls through smartphone apps to be blocked. The call system was paralyzed in several cities in the region. The company shared a statement which confirmed the ransomware attack and said “I paid the coin required by the hacker to restore the backup server, and now I have requested the data recovery key.”
- Building materials giant Knauf Group shared that it has been the target of a cyberattack which caused disruption and forced its global IT team to shut down all IT systems in order to isolate the incident. While Knauf’s announcements doesn’t explain the type of cyberattack they suffered, the Black Basta ransomware group claimed the attack via an announcement on their extortion site.
- Waterloo Region District School Board was the target of a cyberattack. Staff and families were informed, but a spokesperson shared that they were unable to say what files, if any had been accessed or if any money was paid to regain access to the system. It’s not yet known who was behind the attack.
- Next up is the small Canadian town of Marys in Ontario. The town of around 7500 residents became a victim of the LockBit ransomware gang. A spokesperson shared that the town was ‘in a state of shock’ and after systems were locked, the town had received a ransom demand from the LockBit ransomware gang but had not paid anything to date.
- Digital security giant Entrust made news when they confirmed that they had become a victim of a cyberattack. Entrust is a security firm focused on online trust and identity management. The gang behind the attack isn’t publicly known yet but unless they pay the ransom we will likely find out when they start leaking the stolen data.
- Italy’s tax office, the Agenzia delle Entrate, made headlines when the LockBit ransomware gang claimed to have stolen 78GB of data, later threatening to leak it if a ransom wasn’t paid by Jul 31st. Officials from the tax office however say everything is fine after a third party investigator said there was no evidence of a breach.
- An attack on email marketing company WordFly impacted some its customers including the US-based Smithsonian, Canada’s Toronto Symphony Orchestra, and the Courtauld Institute of Art in London. The company has said that the exfiltrated data was not sensitive in nature.
- Up next is the Wooton Upper School in the UK. The Hive criminal gang sent messages to students and parents informing them that they had compromised the network weeks ago, and had stolen data including addresses, bank details, student psychological reviews and medial records. The gang demanded a massive £500,000 ransom from the school as they believed the school had cyber insurance to cover the demand. They have threatened to release all of the data unless the trust pays up.
August
In August we recorded 39 ransomware attacks, the second highest month we’ve ever recorded. Healthcare organizations were hit hard this month with 10 different incidents recorded, including an attack on the UK’s NHS as well as an attack on a French hospital which resulted in a massive $10,000,000 ransom demand. Education, government and utilities also seemed to be high on the target list for cybercriminals. South Staffordshire Water’s ransomware incident gained a lot of news coverage when Clop misidentified their organization for another larger water supplier. Yanluowang Group (part of Lapsus$) made headlines when it infiltrated Cisco’s corporate network, publishing 3,100 files of data on the dark web. Take a look at who else made the headlines…
- Creos Luxembourg S.A, part of Encero, a natural gas pipeline and electricity operator in Europe, experienced a ransomware attack at the beginning of this month. The attack rendered customer portals unavailable for some time and during the incident, Creos commented that a “certain amount” of data had been stolen. BlackCat claimed responsibility for the incident and have since published 180,000 files including contracts, agreements, passports, bills and emails on their extortion site.
- 34 healthcare organizations were affected when printing and mailing services provider OneTouchPoint fell victim to a ransomware attack. It is not clear which exact files were accessed but it is believed information including names and healthcare IDs was breached.
- Next up is semiconductor manufacturer Semikron who was hit by LV ransomware. The ransomware partially encrypted the company’s network limiting the use of systems for their 3,000 employees worldwide. It was reported by Bleeping Computer that around 2TB of data has been stolen, the nature of the data is unknown at this time.
- Spinney’s, a supermarket chain in Dubai, was hacked by the Clop gang who stole data from their internal server in July. It has been confirmed that customer data was breached but no personal banking information was exposed. The amount demanded as ransom has not yet been disclosed but it is reported that some files have already been leaked.
- The Spanish National Research Council (CSIC) was hit by a ransomware attack last month which has been reported to be linked to Russian hackers. The council is responsible for research and development for part of the Spanish ministry of science and innovation, working over 120 centres throughout the country. The investigation is still ongoing, but the team has found no indication that sensitive or confidential data was stolen.
- In Iowa, Linn-Mar School District reported to parents that they were suffering “technical difficulties “with their computer system when in fact they had been the victims of a ransomware attack. Vice Society claimed responsibility for the attack and gave the School District 7 days to pay the ransom before leaking data. It is unclear whether they will have systems functioning again for the start of school term in the coming weeks.
- Advanced, a supplier to the UK’s National Health Service suffered a cyberattack causing widespread outages across NHS services. Affected services included patient referrals, ambulance dispatch, out of hours appointments, mental health services and emergency prescriptions. Some systems have already been restored, with others predicted to be out of action for a number of weeks. No-one has yet claimed responsibility and it is not clear whether a data breach has occurred at this point.
- Colosseum Dental Benelux in the Netherlands were victims of an attack which temporarily closed 120 of their dental practices. The attack, which took down their IT systems and removed access to patient history also affected the website. The organization hasn’t commented on the ongoing investigation yet.
- Disabilityhelpgroup.com has been linked to a Florida law firm cyberattack victim this month. The organization who provides advocacy services for those seeking help to secure disability benefits has not commented on the attack, although the data leaked in the “proof pack” by the responsible group appears to have thousands of files detailing personally identifiable information.
- The German Chamber of Industry and Commerce (DIHK) reported a cyberattack on their website on 4th August. Following the discovery of the attack IT systems were shut down as a precautionary measure. General Manager, Michael Bergmann characterised the attack as “massive” but no further details surrounding the nature or impact of the incident have been released yet.
- Sheppard Robson publicly disclosed a ransomware attack that took place in July. The UK based architecture firm disconnected all of their systems from the internet and shut down all systems in operation when the incident was discovered. Sheppard Robson refused to pay the ransom and instead reported the incident to law enforcement. Further information on the attack has not been made public at this time.
- Quebec farmers union (UPA) were targeted by ransomware affecting all of their computer systems. Around 160 employees and 23 client organizations were affected by access limitations as a result of the incident. UPA General Manager, Charles-Felix Ross called it a “major cyberattack.” A ransom was demanded in exchange for a decryption key but it was not disclosed whether the ransom payment was made.
- OSDE, a network of medical care services and providers in Argentina, reported that it suffered a cyberattack earlier in the year. LockBit claimed responsibility for the attack and requested a ransom of $300,000 to purchase or remove all of the exfiltrated data. When ransom was not paid, the group leaked the files, but according to DataBreaches.net they contained very little personal information.
- A ransomware attack caused 7-Eleven in Denmark to close 175 stores. Cybercriminals accessed the network and locked their systems but there was no evidence that the attack has affected customers, partners or suppliers. No-one has claimed responsibility for the attack yet.
- Cisco confirmed that their corporate network had been breached by the Yanluowang ransomware group in May. Threat actors tried to extort them by threatening to leak the information they had exfiltrated, although Cisco was confident that only non-sensitive information had been stolen. The information was accessed through a Box folder linked to a compromised employees account, hijacked through a hacked personal Google account with synced information. 3,100 files (2.75GB) of data associated with this incident has now been published on the dark web. Cisco did not identify any impact on their business following the security breach.
- Computer systems of the Simon-Marius Gymnasium in Guzenhausen, Germany became unavailable after a ransomware attack deleted data on their school server. It is still unclear whether any data has been stolen and who was behind the attack.
- It was reported this month that a ransomware attack in mid-April which targeted Ypsilanti-area Utility Department may have exposed 2,000 customers’ bank payment information. Officials were able to recover the encrypted data and did not pay the ransom.
- Senior care company, Avamere Health Services LLC, revealed they had been targeted by a ransomware attack earlier this year. It is believed that data such as social security numbers, financial and medical information was accessed by hackers. 197,730 people were affected by the breach and have since been notified. No further information regarding the event has been released.
- Valent U.S.A LLC, an agricultural product developer, were victims of a cyberattack which had the characteristics of a ransomware attack. The attack encrypted some files on its network which contained sensitive information for certain individuals including names, social security numbers, passport information, financial accounts and medical data. Individuals who have been affected have been contacted.
- South Staffordshire Water confirmed that it had been a target of a cybercriminal attack. The company released a statement after the Clop ransomware group claimed to have attacked Thames Water. The stolen documents were posted on Clop’s darknet site as part of a cyber extortion effort, which is when it was discovered that the information leaked actually belonged to Staffordshire Water and not Thames Water. It is unclear how the misidentification happened to cause this incident and the Clop criminal gang has since corrected their website.
- Argentinian agribusiness, Aceitera General Deheza, reported they had been a victim of ransomware. Their IT systems were infiltrated but production did not stop whilst the incident was being dealt with. An undisclosed ransom was demanded but AGD refused to pay, stating that none of their data had been “kidnapped” and could be recovered from backups.
- Some public services buildings were forced to close in Fremont County Colorado, after a ransomware attack affected their county computers. Access to their IT systems were cut off and the Sheriff’s office was adversely affected. At this point it is not clear who was responsible for the attack.
- It has been confirmed that Holdcroft Motor Group, one of the UK’s largest family run car dealerships, suffered a ransomware attack last month. The hackers stole two years’ worth of data including employee information, causing damage “beyond repair” of some core systems. No group has yet claimed responsibility for this attack.
- Greek natural gas company DESFA, has reported that they suffered from a ransomware attack which caused a limited scope data breach and IT outage this month. In their public statement they claimed that a quick response from their IT team thwarted the attack, though some data and files were accessed and leaked. Due to their stance against cybercriminals, no ransom negotiations would take place. Ragnar Locker ransomware operation have claimed responsibility and leaked the stolen data from the attack.
- New York based healthcare billing company Practice Resources LLC suffered a ransomware attack which compromised personal and health information of 942,138 individuals. 28 of their organizations were affected by the incident including community hospitals. Since the incident in April, it has been reported that a new series of cybersecurity enhancements have been implemented and rolled out. It has not been confirmed who was behind the attack.
- Onyx Technology in Maryland notified regulators and others about a ransomware attack on behalf of Independent Care Health Plan (iCare). The attack which spanned from March to June this year affected 96,814 patients however it is still unclear whether this reflects the complete scale of the attack. Personal information such as name, date of birth, address and Medicare ID is among the information compromised.
- The Center Hospitalier Sud Francilien (CHSF), a hospital just outside Paris France was a victim of a ransomware attack on 21st August, resulting in the medical center having to refer patients elsewhere and postponing surgery appointments. The infiltration of their network caused IT outages affecting patient admissions and enforced reduced operations. No-one has yet claimed responsibility for the attack, but it was reported that those behind it demanded $10,000,000 in exchange for a decryption key.
- Mansfield Independent School District in Texas was hit by an attack impacting systems that used the internet including websites, email and phone systems. A Raptor identification system, which allows staff to screen those who enter the school, was also affected, meaning the schools are closed to visitors. Classes are continuing without the educational tools and processes facilitated by an internet connection. It is still unclear what data was compromised and who orchestrated the attack.
- Moon Area School District in Pennsylvania also suffered an attack which affected only certain systems within the school. Students are still able to access online programs from outside the school building on their student laptops and iPads. The extent of the attack is still unknown, and the school continues to work with specialists and government officials to assess the impact of the incident.
- Sierra College in California reported an attack two days before the start of their fall semester. The attack caused limited access to technology and data resources throughout the district according to campus officials. Most systems and services have now been restored. The college is working with a professional third-party forensic firm to investigate and determine the scope of the incident.
- A government agency in the Dominican Republic, Instituto Agrario Dominicano (IAD), which is part of the Ministry of Agriculture, suffered a Quantum ransomware attack this month. Multiple services and workstations were encrypted impacting the agency’s operations. A ransom of $600,000 was demanded for the databases, applications and emails which was on four physical and eight virtual servers – virtually all of the organization’s servers.
- US-based digital transformation company Orion Innovation, was hit by a ransomware attack carried out by the LockBit group. At this time it is unclear how much data LockBit have stolen. The organization has been given until 1st September to pay the undisclosed ransom amount. No further information on the incident has been made available.
- Chile’s National Consumer Service (SERNAC) was affected by a ransomware incident which caused their website to go down. The government has not released what type of ransomware attack it was, nor have they commented on what data they believe to have been compromised.
- North Carolina Orthopaedic practice EmergeOrtho, notified 75,200 patients that their protected health information was accessed during a ransomware attack. According to the breach notice it was a sophisticated attack that took place in May and it was confirmed that threat actors accessed files with information including names, addresses and social security numbers. No group has claimed responsibility for the attack.
- General Health System, an Louisiana based company who operates Baton Rouge General Medical Center, confirmed that unauthorized individuals entered their network and exfiltrated files containing patient information. The extent to which patient data has been compromised is still unknown and the nature of the attack has not been disclosed. The Hive ransomware group has claimed responsibility and has begun to add some of the data to their leak site suggesting that the ransom was not paid.
- Montenegro’s parliament suffered a ransomware attack causing issues with the government’s digital infrastructure. The Cuba ransomware group was behind the attack which infected 150 work stations in 10 state institutions. The group claims to have obtained financial documents, correspondence with bank employees, account movements, balance sheets and tax documents. A ransom of $10,000,000 has been requested.
- Baker & Taylor, the world’s largest distributor of books worldwide fell victim to a ransomware attack. It was announced that the incident impacted phone systems, offices, and service centres. There are still some limitations to operations, but their priority is remediating and sanitizing systems. It has not yet been established who carried out the attack or if any information was stolen during the incident.
- Eni, an Italian multinational oil and gas company reported a cyberattack on its computer networks which they say resulted in only minor damage. The organization is working with local authorities to assess the consequences of the attack. No group has claimed responsibility for the attack and at the moment no further information regarding the data accessed has been released.
- We finish the month with a Ragnar Locker ransomware attack on TAP Air Portugal, Portugal’s national airline. The ransomware gang posted a new entry on their leak website stating that they have “reasons” to believe that hundreds of Gigabytes of data have been compromised. In the statement they also threatened to disprove TAP’s claims that no customer data was accessed during the incident. No ransom amount has yet been disclosed
September
We tracked 33 incidents this month, with education being the hardest hit vertical, followed closely by government. LAUSD, the second largest school district in the US made news when an attack caused significant disruption, while a hacker managed to launch an attack on Uber using social engineering tactics. Luxury UK farm shop Daylesford Organic made headlines when data belonging to high profile customers including the Duchess of York was compromised. Here’s a look at who else made ransomware news in September.
1. Minamiboso City Board of Education in Japan confirmed that a malicious third party gained unauthorized access to their school affairs network in July. The attacked server stored personal information for 1,293 children and 724 pupils. Hackers encrypted the system, limiting the schools’ ability to issue grades and letters for closing ceremonies. The ransomware group threatened to post report cards and other information on the internet if the ransom was not paid, however the Education board refused to pay. It has been reported that LockBit was behind the attack, but this claim has not been confirmed.
2. Portugal’s state-owned air carrier, Tap Air Portugal fell victim to ransomware attack which RagnarLocker claimed responsibility for. The airline claimed no data was stolen and that the attack simply affected its website and app. However, RagnarLocker released a screenshot of passengers’ personal information and stated that they believed “hundreds of Gigabytes may be compromised.” It’s unclear if the gang demanded a ransom from the airline.
3. NCG Medical, a medical billing service in Florida found themselves a victim of Hive ransomware at the end of August. Claims have been made that 270GB of information, mostly protected health information was accessed during the attack. One small archive alone stored almost 10,000 insurance coded records with patient names. Hive publicly released information about the attack only 2 weeks after encryption due to the lack of response from NCG.
4. A ransomware attack caused “significant disruption” to the second largest school district in the USA, Los Angeles Unified. LAUSD enrols more than 640,000 students, from kindergarten through to 12th grade. Vice Society claimed responsibility for the attack and report that 500GBs of data was stolen. A ransom amount has not been disclosed at this time.
5. Hotel chain Holiday Inn suffered disruptions on their booking channels and other applications due to a cyberattack. Intercontinental Hotels Group (IHG), who own Holiday Inn and other well-known hotels, did not mention the loss of any data during the “unauthorized access to a number of their technology systems”. Hackers behind the attack, a couple from Vietnam, told the BBC that they accessed the FTSE 100 firm’s databases thanks to an easily found and weak password, Qwerty1234 and carried out the attack ‘for fun’.
6. French clothing firm, Damart suffered a cyberattack launched by the Hive ransomware gang. During the attack, data was encrypted, and some services disrupted, with operational issues continuing in 92 stores two weeks after the first issues emerged. It was confirmed that the attack infiltrated Damart’s Active Directory causing them to shut down some of their services temporarily to prevent further intrusion. It is unclear what data was taken during this incident but a ransom of $2million was posted by the group.
7. The AvosLocker ransomware group claimed responsibility for the attack on Savannah College of Art and Design this month. SCAD’s information network systems were accessed by the group with potentially 69,000 files containing student information, personnel files and business data being exfiltrated. The ransomware group allegedly negotiated with the college for an undisclosed ransom which was not paid.
8. Alegria Family Services (AFS), an organization providing residential and community services to adults with developmental disabilities in New Mexico, was targeted by a ransomware attack this month. BianLian was responsible for the attack on the company who are under a contract with the New Mexico Department of Health. Claims have been made that internal records, personnel-related files and client data was exfiltrated, but no proof was provided to substantiate the reports. AFS have stated that they will not be able to pay the undisclosed amount of ransom and have notified all affected by the incident.
9. The City of Bardstown in Kentucky were victims of a cyberattack over the Labor Day Weekend. It is believed that personal information and computers were affected after customers were told to remain vigilant of suspicious activity. The city is working alongside cybersecurity experts and the Federal Bureau of Investigations and National Security to investigate the incident.
10. Oakbend Medical Center in Texas were faced with a system rebuild and communication issues after a ransomware attack. Oakbend’s IT team put systems into “lockdown” once the attack was discovered in an attempt to limit the damage and prioritize the security of patient-centric systems. The Daixin ransomware group claimed responsibility for the incident while the investigation continues.
11. Buenos Aires legislator was affected by a ransomware attack which compromised internal systems and caused WIFI connectivity issues. Necessary measures were taken to ensure continuity while restoration occurred, meaning parliamentary work was not interrupted. It is not yet clear who was behind the attack, several different groups have been responsible for similar government incidents across Central and South America over the last 12 months.
12. Over 75,000 patients have been affected by a ransomware attack targeting Medical Associates of Lehigh Valley in Pennsylvania. Files containing personal information including names, addresses, social security numbers, health insurance providers and detailed medical records were accessed during the sophisticated attack. Cybersecurity and forensic specialists have been consulted to investigate and reinforce security measures.
13. Bell Canada, a subsidiary of Bell Technical Solutions (BTS) was a victim of a cyberattack orchestrated by the Hive ransomware gang. Personal information belonging to residential and small business customers in Ontario and Quebec were reportedly accessed, though BTS claim no financial or banking data was taken during the incident. Immediate steps were taken to secure systems, but their website remained down for several days due to the attack.
14. Uber Technologies Inc reported a network breach that forced the ride-sharing company to shut down several of its internal communications and engineering systems. It is reported that the hacker compromised an employee’s Slack account via a social engineering method and used it to announce the data breach to Uber employees. The hacker claimed to have infiltrated internal systems and gained access to security vulnerability information. Lapsus$ claimed responsibility for the attack and a 17-year-old was arrested in connection with the incident.
15. New York based emergency response and ambulance service provider, Empress EMS (Emergency Medical Services), suffered a ransomware attack that has exposed customer information. A small subset of files containing personal information of the organization’s patients was accessed with around 318,558 individuals being affected by the incident. The Hive ransomware group were responsible for this double-extortion style attack. This is just one of many that the group have carried out this month.
16. The Columbia County Chapter of The Arc New York (NYSARC), the largest family-based provider of services to individuals experiencing disabilities in the United States recently disclosed that an cyberattack detected in July was indeed ransomware. Due to the complexity of the attack the investigation is still ongoing, but the organization did share an update this month that data such as dates of birth, addresses, social security numbers and other info may be involved and those affected will be contacted at a later date. Red Alert, a new entry to our blog is said to be behind the incident.
17. Prosecutors in Bosnia and Herzgovina Government are investigating a wide-ranging cyberattack that managed to cripple the operations of the country’s parliament. The incident caused the website to be offline and a local news outlet spoke to several lawmakers who were barred from accessing their email accounts and official documents and were told to not turn on their devices. The investigation is ongoing and while it hasn’t been claimed by a threat group yet, sources confirmed to media outlet Nezavisne that it involved ransomware.
18. Indian housing finance company Can Fin Homes faced a 15% dip in their share price after a ransomware attack took down their website and the lender’s chief executive officer resigned in quick succession. The company disclosed that the attack had not impacted operations at the company.
19. Suffolk County suffered an attack at the hands of the BlackCat cybercriminal gang. At a press conference a spokesperson said the initial investigation did not indicate a ransomware attack. However, BlackCat claimed responsibility and shared that they had exfiltrated more than 4 terabytes of data. Officials have not disclosed any details of the ransom and the criminal gang did reference they were not in contact they would be publishing sample data that they managed to extract.
20. New York Racing Association, the operator of the three largest thoroughbred horse racing tracks in New York previously disclosed a cyberattack back in June of this year. The incident impacted IT operations, the website and compromised member data which included social security details, health information and driver licence numbers. This month the Hive criminal gang claimed the attack and added the organization to its leak site. The hackers also published a link to freely download a ZIP archive containing all of the files they allegedly stole from NYRA’s system. This is an indicator that ransom negotiations may have reached a dead end.
21. Tift Regional Medical Center in Georgia experienced an attack back in July but it just came to light in September after negotiations with the Hive criminal gang broke off. The attack which spanned over July and August saw the Hive gang exfiltrate around 1TB of data including media records, employee payroll data and private company information. On August 25th the gang emailed the medical center to introduce themselves and to share a link to view some of the stolen data. An interesting conversation between the hackers and a representative from Tiff can be read in the article linked, but in short, the ransom request was $1,150,000.00 which Tift countered with an offer of $100,000. Hive responded to the counteroffer with “thank you for your offer. Tell the board that they can keep 100k for lawyers. We will publish the data.”
22. An attack on South Redford School District in suburban Detroit forced the school board to suspend operations after data involving students across 7 schools was put at risk. More than 3000 students were warned about using any device issued by the board.
23.The City of Wheat Ridge in Denver found themselves a victim of ransomware facing a $5,000,000 ransom. Their response to the BlackCat criminal gang from Eastern Europe was clear and defiant ‘We’ll keep our money and fix the mess you made ourselves.’ Following the attack, Wheat Ridge had to shut down its phones and email servers and close down City Hall to the public for more than a week. Things are slowly returning to normal but there are still unknowns regarding compromised data.
24.In May 2021 Sierra College made news when they disclosed a ransomware attack and it looks like whatever steps they took to prevent becoming a victim again haven’t worked, as the Vice Society criminal gang added them to the victim list this month. It’s not yet known if any data was compromised.
25.Luxury farm shop Daylesford Organic made headlines when data involving high profile customers including the Duchess of York and Jeremy Clarkson was compromised in a ransomware attack. The Snatch criminal was behind the attack that saw data from several celebrity clients posted on the dark web.
26. Australian telecommunications company Optus made headlines after an unknown ransomware gang claimed to have stolen data relating to 11.2. million users. The hackers demanded $1m in Monero cryptocurrency to stop them from selling the exfiltrated data. The Australian federal police are currently investigating.
27. North Macedonia’s Agriculture Ministry disclosed that they were hit by the BlackByte ransomware gang on September 12th, an admission that came after an opposition party accused them of keeping silent about the attack. The ministry has since acknowledged that some documents were compromised but denied having lost any significant data. The Ministry did not clarify whether BlackByte had demanded a ransom or how or if they responded to any demands.
28. The Desorden criminal gang claimed an attack on redONE, a Malaysian telco with over 1.2 million subscribers. According to media statements, when redONE didn’t respond to the hackers demands, they launched a second attack hitting the organizations financial and insurance service offerings known as redCARD and redCARE. The criminal gang is now threatening to sell the data.
29. Elbit Systems of America, a subsidiary of Israeli defense giant Elbit Systems has just disclosed a data breach, a few months after the BlackBasta ransomware gang claimed to have hacked their systems. In a notification to the Maine Attorney General’s office, Texas-based company said the breach occurred on June 8th and it was discovered the same day. It said only 369 people were affected. The Black Basta website only displayed a few documents allegedly stolen which included a payroll report, an audit report, a confidentiality agreement, and a non-disclosure agreement, indicating that a ransom had not been paid.
30. The Chilean Court System was forced to take 150 computers offline following a ransomware attack. A spokesperson for the Supreme Court characterized the incident as ‘not a huge attack’ and said no data had been stolen. The South American Country has had a few cyberattacks recently including its Consumer Protection Agency.
31. Chinese real estate development company Aoyuan Healthy Life Group, was hit by PT_Moisha ransomware, a new entry for our blog. The ransomware group contacted media outlet Suspect File and provided them with a sample of 90 files, a total of around 200 MB of exfiltrated documents. In the documents that SuspectFile was able to view, data included passport details, salary information and financial documents relating to employees based in the firms Sydney, Toronto, and Vancouver offices. The ransomware group tried to negotiate directly with the firm via Telegram but Aoyuan Healthy Life Group has not been responsive.
32. Texas healthcare provider FMC Services recently disclosed that a cybersecurity incident had resulted in a data breach impacting thousands of patients. The Vice Society ransomware gang was behind the attack which impacted approximately 233,948 individuals.
33. NJVC, an IT company supporting the federal government and the US Department of Defense was added to the BlackCat victims list on September 28th. The criminal gang posted proof of the attack but went offline immediately after. Interestingly the leak site was accessible again on Sept 30th but NJVC was no longer listed. The story is still developing.
October
A massive 44 incidents made ransomware news in October, setting a new record since we started collecting our data almost 3 years ago. The previous record was back in October 2020 when we uncovered 40 ransomware attacks in the news. Ferrari made headlines when RansomEXX posted some internal documents following an attack that the company strongly denies. A record breaking ransom of $60 million was demanded from UK car dealer Pendragon by the LockBit gang, while the month finished with an attack on hit ForceNet, the Australian defense communications platform used by military personnel and defense staff. Heres a snapshot of who else made ransomware news last month.
- The Electricity Company of Ghana (ECG), the country’s largest electricity seller, fell victim to a ransomware attack which crippled functionality and left customers unable to buy power whilst others had no power supply for days. Hackers infiltrated some sections of the project site, changed the source code, and took control of certain servers. No group has yet claimed responsibility for this attack.
- Italian luxury car manufacturer, Ferrari, has had some of its internal documents posted online as the result of an attack by RansomEXX. The group claimed to have stolen 7GB of data from the company but have not disclosed the ransom demanded. Ferrari continues to deny the event, claiming there is no evidence of a breach to its systems.
- Simex Defense , a Montreal company who calls itself “Canada’s #1 trusted defence and military contractor” were victims of an ALPHV/BlackCat ransomware attack this month. The company would not comment on what, if any, documents had been exfiltrated during the attack but simply said that any ransomware malware is now gone.
- One of the largest non-profit healthcare providers in the US, CommonSpirit, was hit by a ransomware attack which impacted multiple locations across the country. To mitigate the attack some systems were taken offline, resulting in appointment cancellations, care delays, electronic health record downtime and ambulances being diverted from affected facilities. The incident is still being assessed but is expected to have massive consequences on the health and welfare of patients. No group has yet claimed responsibility for this attack.
- 911 services in Douglas County were impacted by a ransomware cryptovirus earlier this month. The virus affected subsystems preventing the 911 team from utilizing these tools, but no data was accessed during the attack. It was stated that at no point was public safety in jeopardy due to the disruption and that the requested ransom would not be paid.
- Hartnell College in Salinas, California suffered network outages lasting for weeks after a ransomware attack forced a shutdown of their systems. At the time of the attack 2,000 devices were linked to the network which caused the extended duration of the internet outage. Most systems continued with little disruption and classes have been going ahead as scheduled during the investigation.
- The Bank of Brasilia (BRB), a government-controlled Brazil based bank, was attacked by the LockBit ransomware gang who demanded a ransom of 50 BTC in exchange for not leaking user data. The ransom is the equivalent of 5.2 million Brazilian reais. The bank has not officially commented on the demands with the case currently being under investigation by the Federal Police’s Special Police Department for Suppression of Cybercrime.
- A ransomware attack locked down the Indianapolis Housing Agency’s computers and IT systems causing major disruption. During the attack, computers and phones malfunctioned but it is not clear if any personal information was stolen. The investigation is still ongoing with recent news reports suggesting that disruption continues as rent payments are not being made correctly by the organization to landlords.
- It has been revealed in a recent report that the Saskatoon Obstetrics and Gynecology Clinic suffered a ransomware attack in late 2020. The attack was a result of a staff member opening a malicious email attachment at their workstation. Clinic staff were locked out their systems, with hackers demanding payment to unlock the data. The health information of 20,000 patients was accessed during the incident. In early 2021 an external security firm hired by the clinic reached a settlement with the hackers, paying them for the decryption of their systems. The breach was reported in October 2022.
- ID-Ware, an identification and authentication process solution provider, suffered from a ransomware attack carried out by the BlackCat group. The incident caused outages on IT servers with the operation of these servers being quickly restored and security enhanced. It was discovered during an investigation that customer data had been affected by the attack. An undisclosed ransom was demanded but ID-Ware refused to comply with it. It has since been revealed that 3500 employees of central government in the Netherlands have had their personal information leaked.
- South Africa state-owned company ESKOM, was the victim of an attack orchestrated by the Everest ransomware operators. The electricity company, who provides more than 90% of the energy supplied to a wide range of customers in South Africa and the SADC region, reported having some server issues during the incident. The ransomware group published a notice announcing the sale of the company’s root access for $125,000 and claimed that they had access to all servers with root access to many. ESKOM received a ransom demand totalling $200,000 for the return of the stolen data and access. It is unknown at this time if the company intend to pay the ransom.
- Exercise training equipment manufacturer, Johnson Fitness and Wellness, was targeted by DESORDEN Group this month. The group stated that 71GB of data and files had been breached, affecting the company’s suppliers, dealers, customers and employees. Other files containing information on internal operations and financial records were also acquired. The hackers who were in the servers for months are claiming they still have access. A ransom was posted but at this time there has been no communication between the two parties.
- Primary health care provider Pinnacle, announced that hackers managed to infiltrate their systems and steal patient data in various areas of New Zealand. The leaked data related to past and present patients and customers. BlackCat has claimed responsibility for the attack.
- Dialog, an IT provider owned by Optus’ parent company Singtel, has had employee data leaked onto the Dark Web during a ransomware incident. According to a statement “fewer than 20 clients and 1000 current Dialog staff as well as former employees” were affected by the attack. This breach comes just one month after threat actors stole details of nine million Optus users. Cuba ransomware group claimed responsibility.
- Brazilian news channel Record TV, suffered network disruption forcing them to change their scheduling after live transmissions could not be broadcast. These issues were the result of a ransomware attack by the BlackCat criminal gang. Personal data relating to employees, a network map with credentials for local and remote services along with other non-specified data was accessed during the incident. The company itself is yet to make a comment regarding the incident.
- Online retailer Esquimal, had 9.2GB of sensitive data stolen during a ransomware attack. 77,000 entries of personal identifiable information (PII) and plaintext credentials for support emails were amongst the data sets accessed. While no group has claimed responsibility, a ransom of 3,000 Euros to a specific cryptocurrency wallet was posted.
- The State Bar of Georgia confirmed the compromise of member and employee data following a BitLocker ransomware attack in April. It has been disclosed that data of current and former employees, including names, addresses, DOBs, social security numbers and drivers license numbers, were accessed during the incident. Servers and workstations were also impacted by the attack. At this time, it is not known if any monetary demand has been made.
- Aesthetic Dermatology Associates in Pennsylvania recently reported that it was a victim of a cybersecurity incident in August. Following a review, it was determined that sensitive information relating to patients may have been accessed during the attack. The BianLian group claimed responsibility and began leaking the data on Oct 1st. The company has not disclosed how many records were affected but in an incident report to HHS details suggest that 33,793 patients have been impacted.
- Mars Area School District became the latest education victim of Vice Society. MASD, a K-12 district with 3,334 students, suffered internet and email outages during the incident. During the attack, which originally happened in September, only old files were accessed but these did contain personal information. One notable dataset which was accessed contained personnel information relating to 350 employees from 2016-2017.
- Integrated marketing solutions and services company The Hibbert Group, was a victim of a ransomware attack carried out by BlackCat. The New Jersey based company have not released any further information about the incident at this time.
- Marktel, a full BPO company based in Madrid, were targeted by LockBit this month. The company who specializes in intelligent business processes and solutions was given 10 days to pay the undisclosed ransom before data was leaked. At this time no updated information on this attack has been made available.
- British insurer Kingfisher Insurance, along with the company’s vehicle brand Fist Insurance, were victims of a cyberattack during which 1.4TB was reportedly stolen. LockBit, who claimed the attack stated they had stolen personal information relating to employees and customers. The company deny that the threat actors could have stolen as much information as they claim. An investigation is ongoing, but the company stated that there was no ongoing impact to their business operations.
- Oomiya, a Japanese tech firm were involved in a ransomware attack carried out by LockBit. The hackers claimed to have exfiltrated data from the company, but this is yet to be confirmed. Oomiya, who design and manufacture microelectronics and facility system equipment, are part of supply chains for major organizations which could cause furture issues if the LockBit claims are found to be true.
- A German newspaper was forced to launch an e-paper after a ransomware attack crippled its printing systems. Heilbronn Stimme, who distribute 75,000 copies of their newspaper faced major disruption to printing and their website, causing them to temporarily lift their paywall that counts approximately 2 million visitors per month. The parent group, Stimme Mediengruppe, was wholly impacted which created issues for other publications under its umbrella. At this time no ransom demand has been made public.
- Medibank, one of Australia’s largest medical insurance providers suffered temporary outages as a result of a ransomware attack this month. It has since been disclosed that all customer data was accessed during the incident. The company is currently in communication with the threat actors but have not confirmed if they will pay the undisclosed ransom for the return of the information.
- NHS software vendor Advanced, claimed that 16 customers have had sensitive data stolen during a ransomware attack this month. LockBit used legitimate third-party credentials to gain access to servers and then exfiltrated and encrypted all the files on the company’s network. It has been stated that the attack is financially motivated but no ransom amount has yet been publicized.
- Whitworth University in Washington state recently reported a ransomware attack that took place in July. The incident affected thousands of current and former employees and students. Due to state law, it has been reported that around 5,182 residents of Washington state may have been affected, but it is not clear how many people living out of state have been impacted. Information including names, student ID numbers, state identification numbers, passport details, health insurance information and social security numbers were accessed by threat actors. LockBit have claimed responsibility for the attack, but the University would not comment on whether it intends to or has already paid the ransom demanded.
- Waikato based website and software development company Enlighten Designs, confirmed this month that they were victims of a ransomware attack in May. The hackers infected a portion of the company’s operating systems according to their CEO. The investigation surrounding the attack was closed in June with no evidence found that data was exfiltrated during the incident.
- Email systems were down, and certain consultations suspended in a French maternity hospital as a result of a Vice Society ransomware attack. Hôpital Pierre Rouquès – Les Bluets had more than 150GB of their data downloaded and all their files and backups locked according to a LockBit spokesperson. No ransom amount was publicized and an investigation continues into the impact of the attack.
- Massy Stores, based in Trinidad and Tobago experienced technical difficulties when they fell victim to a ransomware attack. The Hive criminal gang exfiltrated around 700,000 files of personal information belonging to staff. The information is said to include salaries, photos, IPP along with company financial information. No further information on this incident is available.
- RansomEXX claimed responsibility for an attack on medical work cooperative and health insurance operator Unimed Belém. The ransomware group later published a sample of 5.6GB, 12 files compressed with documents on the dark web. Currently, the organization has no knowledge of the extent of the attack.
- A ransom of $60million was demanded from UK car dealer Pendragon this month. The company, who has 200 car dealerships across the UK and an umbrella of multiple brands, fell victim to a LockBit attack which according to a company statement did not affect their ability to operate. The company declined to pay the ransom and have since taken out a high court injunction against LockBit.
- In Wisconsin, Kenosha Unified School District reported that they had suffered a ransomware attack. The district, which serves nearly 20,000 students, was forced to take certain portions of its networks offline after the incident and is reviewing the event to mitigate any potential impact to data. The Snatch ransomware gang claimed the attack but have not disclosed the amount of data they exfiltrated. An investigation was launched by an external cybersecurity firm and law enforcement to evaluate the impact of the incident.
- India’s largest integrated power company, Tata Power, were victims of a cyberattack orchestrated by Hive group. Hive operators posted data they claim to have stolen from the company, indicating that the ransom negotiations have failed. Leaked data appears to include employee PII, engineering drawings, financial and banking information, and client information. The attack also impacted some of the organization’s IT infrastructure causing disruption to some internal systems.
- MiTCON, an IT service provider primarily serving non-profit organizations in the Great Lakes Bay Region was hit by a ransomware attack which affected client internet and email services as well as phone lines. Midland police are currently investigating the incident and it’s not yet known what criminal gang was responsible.
- The Ecuadorian Joint Command of the Armed Forces made news when the BlackCat criminal gang claimed an attack on them. The criminal gang claimed to have exfiltrated confidential data including information on soldiers. At time of writing, it’s unknown if a ransom demand was issued or paid.
- Ascension St. Vincent’s Coastal Cardiology in Georgia, USA filed an official data breach notice following a ransomware attack on a legacy computer system. Sensitive data exposed in the breach included patient names, addresses, insurance details, social security information, and clinical information, etc. Affected parties were notified by letter and were given tips on what they could do to protect themselves from identity theft and other frauds following the breach.
- Minnesota broadband company Arvig disclosed that 60,000 of its customers across the state were affected when services went down following a ransomware attack. The company shared this news on its social channels “this attack failed due to the extra layers of protection implemented by Arvig’s cybersecurity team. These additional layers were created to protect our customer’s data, which will always be one of our top priorities.” The incident is still under investigation.
- Next up is American telecommunications giant AT&T who made headlines after the Everest ransomware group claimed an attack on the company. The criminal gang also claimed to be selling access to the company’s corporate network on its data leak site. In response to media inquiries about the incident the company said, “we are currently investigating this, but at this time we have no evidence of a compromise of our systems.”
- The Universidad Piloto de Colombia disclosed that they had disabled some of their services to protect the information of the institution and the university community following a ransomware attack. The university also disclosed that there was no evidence of data loss.
- Cybercriminal gang BlackByte added The Universidad Nacional De Educacion de Peru to its data leak site with a sample of files that included affidavits of employees. Media outlet DataBreaches.net did not receive a response from the university but they were able to have a brief chat conversation with the criminal gang via ToxChat. When DataBreaches asked BlackByte whether they had any negotiations with the university, BBSupport answered, “No they didn’t write Seems like they don’t really care.” When asked how many GB of data BlackByte had acquired from the university, BBSupport said “they could not share information about the university right now.”
- Datanet also shared that the Municipality of Chihuahua in Mexico was also named on the BlackByte data leaks site. A (translated) notice on the site read that “our web portal and telecommunications system are out of service, we continue with the attention as usual in our offices and dependencies. We thank you for your understanding.” The update did not mention if any personal information had been stolen, but BlackByte appears to have exfiltrated data including items such as voting credentials, driver’s licenses, and vaccination documents.
- Japanese manufacturing firm Asahi Group Holdings made news when the BlackByte ransomware groupclaimed an attack on them sharing that they had stolen gigabytes of documents from the firm including financial and sales reports. The criminal gang demanded $500k to buy data and $600k to delete the stolen data.
- In the last attack of the month, hackers hit ForceNet, the Australian defence communications platform used by military personnel and defence staff. The company disclosed that at this time there was no evidence that data had been breached. It’s not yet known who was behind the attack.
November
November was the second busiest month of 2022 with 42 publicly disclosed attacks making the list. LockBit claimed attacks on defense giant Thales and German multinational company Continental. While the food industry in Canada took a hit when grocery chain Sobey’s and major meat provider Maple Leaf Foods both reported attacks. Here’s a snapshot of who else made ransomware news during the month.
- Osaka General Medical Centre in Japan suspended non-emergency outpatient services and operations following a ransomware attack on its electronic medical record system. The facility, with 36 departments and around 865 beds, received an email from the hacker stating all files had been encrypted and demanded a ransom paid in Bitcoin. No one has claimed responsibility for this attack yet.
- French defense and technology firm, Thales was hit with a ransomware attack orchestrated by LockBit ransomware group. The company denied having its systems hacked but did confirm that data had been stolen from a user account. LockBit leaked 9.5GB of archive files which are believed to contain corporate and technical files, with the group claiming that commercial documents, customer files, accounting files and software have also been stolen from the organization.
- Continental became another victim of LockBit ransomware group this month. LockBit compromised the German multinational automotive group’s systems and is reportedly selling stolen files for $50million on their leak site. Negotiations failed between the two parties but the ransom amount requested was not made public.
- Landi Renzo SpA, an automotive fuel supply system manufacturer fell victim to a cyberattack carried out by Hive. In an email received by the Italian company the threat actors claimed to have infiltrated their network where they remained for 11 days, accessing files and documents before encrypting their servers. Hive claimed to have exfiltrated 534GB of data.
- Kearney & Company were added to the list of LockBit 3.0 victims with the group threatening to leak data at the end of the month if the ransom was not paid. The ransomware group demanded £2M to destroy the stolen data or $10K to extend the timer by 24H. A sample of data stolen from the premier CPA firm, including financial documents, contracts, audit reports and billing documents, has been published on Hive’s leak
- Co-educational Baptist institution Kilvington Grammar School was hit by a cyberattack involving unauthorized access to some of its online systems. LockBit has posted data exfiltrated from the the Melbourne school on the dark web. The school notified families of the students that it had suffered a data breach.
- In Oklahoma, Norman Public Schools suffered a ransomware attack which caused significant disruption. Families were warned to discontinue using district-issued devices until they were otherwise advised. The school’s Technology Services Team, third party cybersecurity experts and law enforcement are involved in an investigation of the incident. No one has claimed responsibility
- The Commack School District in New York suffered a network outage that shut down the district’s main phone lines as a result of a ransomware attack. A temporary phone number was posted on the district’s website allowing parents to get in touch with schools. Federal, State and Local authorities were notified of the incident. The school district claimed that there was no evidence at the time of the attack that any student or staff information had been accessed.
- Florida based window and door manufacturer PGT Innovations disclosed in a public filing that they had detected a ransomware infection which caused some disruption to its daily business operations, but they had not found that any personal information had been accessed or acquired. They also noted they were working with cybersecurity experts and legal counsel to resolve the problem and that they had cyber insurance in place.
- One of the UK’s most popular motor racing circuits, Silverstone, was targeted by Royal ransomware gang. The circuit was aware that it had been added to the gang’s victim list and had launched an investigation into the incident.
- Canadian food retail giant Sobeys experienced IT systems issues in their grocery stores and pharmacies after falling victim to a ransomware attack. The organization stated that all stores remain open and that they were “not experiencing significant disruption.” Canadian Press is reporting that due to notifications of a “confidentiality incident” from the retailers, it is very likely that personal information was accessed during the breach. Black Basta has claimed responsibility.
- BlackCat has claimed to have stolen 1TB of data from Conforama, Europe’s second-largest home furnishing retail chain. The threat actors claimed the attack was made possible by “a very low level of security and protection of their users’ data.” The stolen data allegedly contains financial documents and reports, customer credit card data and client personal information, among other sensitive data. The ransomware group threatened to post a public blog containing all of the stolen data if the organization did not contact them within 24 hours. The group also threatened to use financial data for illegal purposes and send internal documentation to competitors.
- Hackers caused significant website downtime for Dallas Central Appraisal District during a cyber incident. The website contains publicly available property valuations and planning maps, with this information being inaccessible substantial issues arose. It is not clear at this time who executed the attack, and an investigation is ongoing.
- Classes across Jackson and Hillsdale counties in Michigan were canceled for 3 days this month due to a ransomware attack. The incident resulted in a system outage impacting a wide range of building operations including heating, telephone, and classroom technology. The school district restored essential systems allowing classes to commence and are in the early stages of investigations which include assistance from the FBI.
- Private information was stolen from Legal Aid ACT during a cybersecurity incident. It is believed that the hack could have exposed the data of some of the organization’s most vulnerable clients, including refugees and victims of family violence. The commission has confirmed that it will not pay the ransom demanded by the threat actors in line with advice from both the Federal and Territory governments. The ransom amount that was demanded has not been disclosed and the identity of the hackers is not yet known.
- Hive Ransomware claimed Lake Charles Memorial Health System (LCMH) in Louisiana as a victim, claiming to have exfiltrated 270GB of files. In an email received by the organization, the ransomware group spent 12 days in the network before exfiltrating the information which contains patient and employee data. According to DataBreaches.net, Hive did not encrypt any of LCMH’s files but did exfiltrate them, demanding $900,000 to delete the files and provide information of the vulnerabilities in the health system’s network. At this time a portion of the information stolen during the incident has been leaked.
- Uponor experienced a ransomware attack which impacted operations in both Europe and North America this month. Investigations revealed that employee, customer, and partner data was breached during the incident. The organization stated that, at this time the breached data had not been leaked. It is unclear who is behind this attack.
- Central Bank of Gambia fell victim to a ALPHV/BlackCat ransomware attack this month. The ransomware group allegedly stole 2TB of highly sensitive data involving personal and confidential information relating to employees, customers and management of the bank. An undisclosed ransom has been demanded but the bank has refused to pay it.
- A ransomware attack brought Vanuatu, a small archipelago of the South Pacific Ocean, to a standstill causing chaos across its islands. Official government emails addresses stopped working, raising the red flag that there was an issue. Websites of the island’s parliament, police and prime minister’s offices were disabled, and intranets and online databases of schools and hospitals were inaccessible. No one has yet claimed responsibility for this attack.
- Gateway Rehab officially announced that they were affected by a data security incident back in June. Sensitive protected health information along with personal identifiable information was involved in the attack orchestrated by BlackByte. The organization claim that there is no evidence that any of the information had been misused, however reports confirm some information has been leaked onto the ransomware group’s s
- Michigan based orthotics and prosthetics provider, Wright & Filippis released a press release this month regarding a cyberattack which occurred in January. The organization claims that their endpoint security detected and terminated the ransomware shortly after it was executed. It has been reported that there was some unauthorized access to files including patient and employee information but the organization’s press release asserts that they have no evidence of the misuse of this data.
- AirAsia, a Malaysian low-cost airline, became a victim of Daixin Team this month. The ransomware group claim to have obtained personal data associated with five million unique passengers and all its employees. Samples of stolen data have been uploaded to Daixin’s leak site containing passenger information and staff personal data.
- The Canadian City of Westmount in Quebec suffered a ransomware attack attributed to LockBit 3.0 that locked up all Westmount services and took down the entire email system. The city of 21,000 residents had 14 terabytes of sensitive data stolen and was given 2 weeks to pay the ransom.
- Relatively new ransomware group Project Relic claimed Doctors Centre Hospital in Puerto Rico as a victim. DCH notified HHS that 1,195,220 patients were been affected by this incident. The ransomware group has leaked 114MB of the alleged 211GB of files which they exfiltrated during their attack. The ransom demanded has not be publicly disclosed.
- Connecticut urgent care and primary care provider, DOCS Medical Group had an unspecified number of patients’ information on their server targeted by a cyberattack. Information accessed included demographic information, medical history, insurance information among other financial information. The medical group were always fully operational during the incident.
- ALPHV/BlackCat ransomware claimed an attack on Thailand-based low-cost airline, Nok Air. The ransomware group has claimed to have exfiltrated over 500GB from the organization and have already posted some of the stolen information on their leak site.
- The Ontario Secondary School Teachers’ Federation announced that it was a victim of a ransomware attack earlier this year. The union representing public high school teachers in Ontario stated that the incident was discovered in late May during which an unauthorized third party accessed and encrypted its systems. It is thought that personal information of current and past members was included in the data accessed during the attack.
- A suspected ransomware attack hit servers at the All India Institute of Medical Science (AIIMS), causing long waits for patients as registrations, sample processing and billing computers went down. All services were forced to run on manual mode during recovery from the incident. An investigation with law enforcement authorities is ongoing and measures are being taken to prevent further attacks.
- A ransomware attack on Cincinnati State and Technical College was recently claimed by the Vice Society criminal gang who shared a list of exfiltrated data on their data leak site. The exfiltrated documents date from several years ago until November 24, 2022, which could indicate that the criminal gang maintain access to the breached systems, this has not yet been verified. The college informed its 10,000 students and 1000 employees of the cyberattack and shared the news that restoring systems to regular operations was going to take some time.
- In a public statement, Southampton County in Pennsylvania disclosed that ‘like many localities and organizations across the country’, they had been the victim of a ransomware incident. The county stated that although they were able to recover from the attack and prevent it from impacting critical operations, the criminal gang did claim that they were able exfiltrate sensitive data during the incident. Free credit monitoring was provided to residents as a matter of caution.
- Files exfiltrated from Argentinean food company La Piamontesa were added to the BlackByte data leak site as evidence of a successful attack. A few files appearing to be internal documents were included, no personal data was posted in the proof pack. The company has not publicized the incident which carried a demand of $150,000 to delete the data they claimed to have.
- UnitedAuto, a Mexican automotive company was added to the LV Blogs data leak site. The cybercriminal gang claimed to have exfiltrated more than 2TB of stolen personal information. The threat actors criticized their victim, stating “United Auto does not have any basic protection for their system. The company has not even bothered to install antivirus on their system, while still working with their customers’ personal data. Also, United Auto has many vulnerabilities on their network, which allowed us to download absolutely all of the critical data.” Data samples included personal and corporate information.
- The Ragnar Locker cybercriminal gang made headlines when they published stolen data from Zwijndrecht, the Belgian police unit in Antwerp. The gang thought the data they exfiltrated was from the municipality of Zwijndrecht when in fact it was police data which reportedly included sensitive data such as crime reports and police investigations. Belgian media outlets called this data leak ‘one of the biggest of this kind that has impacted a public service in the country, exposing all data kept by Zwijndrecht police from 2006 until September 2022.’
- Swedish retail giant Ikea confirmed an attack after the Vice Society criminal gang posted data from its Morocco and Kuwait locations. Samples of the stolen data suggest that the gang managed to exfiltrate confidential business data. File and folder names also indicate that employee data including passport details may have also leaked.
- Hope Health Systems in Maryland formally reported a data breach after the company learned that sensitive patient information stored on its network was leaked following a ransomware attack. According to HHS the breach resulted in the patients’ names, addresses, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, and medical information being compromised.
- Guilford College in North Carolina disclosed that sensitive student and faculty data has been compromised in a ransomware attack. The Hive criminal gang posted a sample of the exfiltrated data on their leak site. The investigation is ongoing, impacted individuals have been notified by the college.
- Maple Leaf Foods, a major Canadian meat supplier made ransomware news when the Black Basta criminal gang named them as a victim, sharing documents publicly as proof of the attack. The company disclosed they were able to restore systems quickly and that they do not intend to a pay a ransom.
- Colombian healthcare provider Keralty suffered a RansomHouse ransomware attack which disrupted its website and operations. The organization operates an international network of 12 hospitals and 371 medical centers across the US, Asia, Latin America and Spain.
- The Ministry of Foreign Affairs in Guatemala disclosed that it is investigating a ransomware attack that happened earlier in the year. The ministry was added to the data leak site of the Onyx ransomware group, a new entry to our blog. The ministry has not issued any information about the cyberattack as they are still investigating.
- Software company SSP, a provider of software for the insurance industry were hit by the LockBit ransomware gang. After hiring an IT forensic team to investigate it the company confirmed the attack. It’s not yet known which criminal gang was responsible but a $7 million ransom has been
- One Brooklyn Health System has been offline since November 19th, leaving staff unable to access medical records or upload test results. The consortium which comprises 3 medical centers, disclosed that there was an incident which caused network disruption, but they declined to comment when asked if the incident was malware or ransomware. It still hasn’t been confirmed but it bears all of the ransomware trademarks so we feel confident adding to the November list!
- Klinikum Lippe, one of the largest municipal hospitals in Germany detected a major cyberattack in mid-November which impacted all 3 of its locations. In a statement they shared that after an intensive negotiation with the cybercriminals they had received the necessary data to decrypt the systems. It’s not known if the hospital made a ransom payment.
December
We finish the year with 35 reported ransomware attacks, the busiest December recorded in three years. December saw some interesting twists, including an apology and a free decryptor from the LockBit criminal gang after a ‘partner’ launched an attack on the the Toronto Hospital for Sick Children. In another interesting twist, California based toy manufacturer Jakks had their data locked by Hive and BlackCat/ALPHV on the same day. The two groups agreed on a ransom of $5million to prevent either group from leaking data. UK based newspaper publisher The Guardian also made its own headlines when they were the first to report an attack on themselves over the Christmas period. Here’s a look at who else made ransomware news in the last month of 2022.
- HomeTrust Mortgage, a Texas-based lender disclosed in December that they were victims of a ransomware attack in July. During the incident, files containing personally identifiable information were exfiltrated. It was reported that around 17,000 borrowers and co-borrowers plus a few hundred of the firm’s employees were affected by the data breach. BlackCat ransomware group claimed responsibility.
- André-Mignot teaching hospital in Paris was forced to shut down their phone and computer systems due to a cybersecurity incident. Operations had to be partially cancelled and some patients had to be transferred to other healthcare facilities. The hospital stated that they were immediately able to isolate the incident to stop the spread. An undisclosed ransom has been demanded but the hospital does not intend to pay it.
- Royal ransomware group claimed Travis Central Appraisal District as a victim this month, shutting down their phonelines and online chat during the attack. County officials stated that the attack did not affect property tax bills or payments and their website and property search remained online. Ransom details were not disclosed.
- A ransomware attack cost the Little Rock School Board at least $250,000 in December when they opted to enter into a settlement agreement to end their cyberattack as favorably as possible. Details about the incident that affected the 21,000 student school system are currently being withheld as they attempt to protect the data that was taken. It is currently unknown who was responsible for the attack.
- Rackspace confirmed a Hosted Exchange ransomware attack which knocked out email service to its customers. It was later confirmed that the Play ransomware group was behind the attack, details of what data, if any was compromised and whether a ransom was demanded and or paid by the company is currently unknown. To date, two class action lawsuits have been filed against the organization on behalf of those affected.
- A ransomware attack on Mercury IT, a managed service provider in New Zealand disrupted multiple government department and public authorities in November. A data protection regulator said that the incident was an “evolving situation” and that work was underway to understand the number of organizations affected, the nature of the information involved in the attack and if there was any data exfiltrated. Reports from the Ministry of Justice state that the attack prevented them from accessing close to 15,000 files, while the health ministry report at 13,000 files were impacted.
- Cetrogar, an Argentinian appliance chain was forced to stop part of their operations causing delays in product deliveries after suffering a ransomware attack. The company has yet to make a statement, but social media has been reporting various complaints. Play ransomware group, a new entry to our blog is claiming responsibility.
- In Wisconsin, Adams-Friendship Area School District was hit by a cyberattack which disrupted their network and internet services. Almost all operations were restored quickly while student learning opportunities continued without interruption. A team of cybersecurity experts were brought in to determine the extent of the unauthorized activity. Royal ransomware group were responsible for the attack but no ransom demand has been disclosed.
- The Hive ransomware group obtained and posted data belonging to Intersport France, during an incident in November. The information accessed during the attack is said to contain passport details of Intersport employees from Northern France and payslips along with current and former employees’ information and social security numbers from other stores. The hack occurred during Black Friday sales, preventing staff from using cash registers and forced stores to do manual restock. The ransomware-as-a-service group have leaked some information on their dark web leak site and are threatening to release more if the extortion demand is not met.
- Knox College in Galesburg, Illinois suffered system disruption due to a ransomware attack. An investigation involving independent cybersecurity and digital forensic experts is underway to determine if any personal information was accessed during the incident. The Hive group claimed responsibility.
- The Congress of Jalisco was a victim of a cyberattack orchestrated by Play ransomware. It was revealed that some employees were extorted by the cybercriminals in exchange for the decryption of official files, awards, privileged information, and backups of specialized documents. The information encrypted during the attack was mostly legislative, legal, and administrative. It is not yet known if there has been any data exfiltrated during the incident. There has been no communication with the ransomware group and an investigation continues.
- Requena City Council in Valencia announced that they suffered a cyberattack in November. During the incident user data was encrypted and they were forced turn off their systems. Servers were out of operation for over 10 days with the payroll system being affected, causing 200 officials to only receive part of their salary. BlackCat issued a $500,000 and have already leaked a number of files.
- The California Department of Finance was one of LockBit’s victims in December, with the group claiming to have stolen 76GB of data. The haul of stolen data reportedly contained databases, confidential information and financial documents. The government department was given until 24th December to meet the undisclosed ransom demands. The California Cybersecurity Integration Centre Is actively responding to the incident and it has been disclosed that no state funds were compromised.
- The Belgian city of Antwerp was affected by a cyberattack on their IT system provider, Digipolis, disrupting the city’s IT, email and phone services. Almost all services were unavailable or significantly delayed including job applications, use of libraries and new city agreements. Play ransomware group were responsible for the attack which claimed to have stolen 557GB of data including personal information, passports, IDs, and financial documents. The ransom demanded by the group has not been disclosed.
- 2NetworkIT, a Canadian based IT services company fell victim to a Cuba ransomware attack which caused them to lose a day’s worth of email and data. The group encrypted 11 servers and claimed to have exfiltrated financial documents, correspondence with bank employees, tax documents and source code. However, the owner of the company stated that he was “99 per cent sure” nothing had been stolen. He credits a resilient backup strategy for being able to get their systems restored within 48 hours.
- US based childcare provider Bright Horizons Family Solutions, suffered a ransomware attack which impacted and disrupted a number of the organizations operational and IT systems. Upon discovering and containing the incident they launched an investigation involving cybersecurity experts, incident response professionals and outside counsel. At this time, the organization does not believe that any customer, client, family or employee data was compromised during the attack.
- BlackCat/ALPHV ransomware group claimed Empresas Públicas de Medellín (EPM) as a victim in mid-December. The Colombian energy company who provide services to 123 municipalities, told 4,000 employees to work from home as IT infrastructure and the company’s website were impacted by the incident. Reports claim that a sizeable amount of data was stolen and around 40 devices were compromised during the attack, but organization is yet to comment on these claims.
- The Huron-Superior Catholic School District confirmed that it received information notifying them that their board’s computers and phone systems had been hacked. The note, which came through photocopiers in its main office and several schools, told the board that threat actors had been able to access their system. Representatives would not state if a ransom or any other demand was made by the hackers, and no one has claimed responsibility for this attack.
- Files belonging to Events D.C., the sports and convention authority in Washington, were published online in December, following an cyberattack two months prior. BlackCat’s leak site shared 85GB of data, containing several folders of information on the agency’s 400 employees. The organization released a statement stating that they are “evaluating the apparent release of our data.” No information regarding the ransom demanded has been released but it seems, according to the leak site, that they company refused to pay the requested amount.
- German hotel chain, H-Hotels became victims of Play ransomware gang which caused communication outages across the company. Statements claim that IT systems were shut down and disconnected from the internet after the incident was discovered. The attack did not affect guest bookings, but hotel staff could not receive or respond to email requests. The ransomware gang claim to have stolen an undisclosed amount of data including client documents, passports, and IDs. An investigation into the incident is ongoing.
- The Guardian was hit by a serious ransomware attack on 21st December. The attack impacted parts of the company’s technology infrastructure, as well as behind-the-scenes services. Online publishing was largely unaffected by the incident, allowing the company to continue publishing globally online. It is unclear whether any data was exfiltrated during the attack and no group has yet claimed responsibility.
- Hackers demanded $2.25 million worth of Bitcoin in exchange for not leaking internal data taken during an attack on Chinese vehicle manufacturer Nio. The cyberattack exposed confidential customer and vehicle sales related information before August 2021. Measures have been put in place to respond to the incident with the company stressing that it remains committed to safeguarding data security and privacy. The group behind the attack has not been confirmed.
- Queensland University of Technology were forced to shut down multiple IT systems after campus printers started printing ransomware notes in bulk. The notes from Royal ransomware group, stated that critical data was encrypted and copied during the incident. It also warned that this information would be published online unless a “modest royalty” was paid. An investigation is ongoing, however QUT Vice Chancellor believes that none of the “core” student, staff or financial information was involved.
- Toronto’s Hospital for Sick Children was impacted by a ransomware attack orchestrated by Lockbit, causing repercussions that, according to reports, could last for many weeks. The incident impacted internal and corporate systems as well as hospital phone lines and websites. Delays in receiving lab and imagining results were also experienced. LockBit later issued an apology for the attack, claiming the partner who attacked the hospital was in violation of their rules, they also released a decryptor for free.
- Chicago based engineering firm Sargent & Lundy, were victims of a ransomware attack in October during which data belonging to multiple electric utility companies was stolen. The organization works as a US government contractor handling critical infrastructure projects across the country. The firm also handles nuclear security issues, working alongside the departments of Defense, Energy, and other agencies. Federal officials closely monitored the potential broader impact on the US power sector, though it is being reported that no other power-sector firms were involved.
- JAKKS Pacific Inc, a California based toy manufacturer, became the victim of two ransomware groups. The company had their data locked by both Hive and BlackCat on the same day. The two groups agreed on a ransom of $5million to prevent either group from leaking data. JAKKS did not negotiate, and Hive started leaking the exfiltrated data later in the month, however BlackCat are yet to leak any information.
- US telecommunications firm Intrado reportedly fell victim to an attack by the Royal ransomware gang, causing massive outages across all of the organization’s servers. Sources noted that the firm had been compromised and a ransom of $60 million had been demanded. Exfiltrated data reportedly contained internal documents, employee driver’s licences and passports. None of the data has yet been leaked, but the gang shared a 52.8MB archive with scans of the stolen files. Intrado have not yet confirmed the incident.
- Personal data for nearly 27,000 patients and employees of the Lake Charles Memorial Health System have been leaked by Hive ransomware group following an attack in October. Files containing patient names, addresses, birthdates, medical records, health insurance information, clinical information and payment information were stolen during the incident. An investigation continues with a notification going out to those individuals affected. LCMHS declined to pay the ransom before Hive leaked the stolen data on to its leak site.
- Azienda Ospedaliera di Alessandria hospital in Italy reported a ransomware attack on their IT infrastructure. During the incident the hospital’s SQL database was compromised as well as personal information of hundreds of thousands of patients. Ragnar Locker claimed responsibility and have already leaked 37GB of stolen data, claiming this is only 5% of the total data volume exfiltrated. At this time there seems to have been no communication between the hospital and the threat actors.
- ISD 728 in Minnesota was hit with a ransomware attack in November, impacting the personal information of its students. The Independent School District issued letters in December notifying those individuals who may have been affected by the breach. An investigation is ongoing with no group yet claiming responsibility for the attack.
- LockBit ransomware group claimed Portugal’s Port of Lisbon as a victim on Christmas Day. Hackers reportedly compromised the port’s network but did not affect operations. The ransomware group claimed to have exfiltrated data including financial reports, budgets and personal customer data. A ransom of $1.5million was demanded with a deadline of 18th Further threats to leak the exfiltrated data have been made if the Port of Lisbon do not respond before the deadline is reached. The port administration is working with law enforcement to retrieve the exfiltrated data.
- Royal ransomware group was behind the attack on Iowa’s PBS station in November. The organization became aware of suspicious activity and swiftly brought in systems experts to identify the issue. Broadcasting, live streams, and digital platforms remained unaffected, but it was reported that its annual fall fundraising pledge drive was cut short due to the incident. Breach notification letters were sent out, but no comment has been made on how many people were affected or what information was accessed.
- Tomball City Council gave authorization for the necessary funds to be allocated for the recovery of city systems and data following a recent ransomware attack. It is projected that it will cost the city over $50,000. During the attack most city networks were impacted including the police department. All emergency services are now operational, but an issue continues with the city’s online payment system. Outside law enforcement including the U.S. Department of Homeland Security and the FBI are aiding in the investigation of the incident.
- Retreat Behavioral Health (RBH) recently notified those affected by a ransomware attack in July. The organization who runs addiction treatment facilities in Florida, Pennsylvania and Connecticut did not indicate which ransomware group was responsible, whether any files were encrypted, whether a ransom was demanded, and if so, whether RBH paid it. No other information surrounding this incident is currently available.
- Vancouver-based mining company, Copper Mountain Mining Corp, suffered a ransomware attack on December 27th. The attack came 12 days after the sale of its exploration site in Australia, with the deal reportedly worth $230 million. It is unclear if the attack was linked to this announcement. The company has not commented if any corporate or personal data was stolen, nor if a ransom was demanded. No group has yet claimed responsibility for the attack.
Related Posts
The State of Ransomware 2024
BlackFog's state of ransomware report measures publicly disclosed and non-disclosed attacks globally.
CDK Global Ransomware: What Happened and How It Impacted Businesses
Here you will learn about the CDK Global ransomware attack, the impact on auto dealerships, relevant recovery steps and general cybersecurity practices for businesses.
Ransomware Containment: Effective Strategies to Protect Your Business
Discover effective ransomware containment strategies for your business. This guide discusses network segmentation, zero trust, and practical best practices for IT managers and cybersecurity professionals to reduce ransomware damage.
Ransomware Meets Retail: Sainsbury’s, Starbucks and Morrisons Feel the Heat from Blue Yonder Attack
The Blue Yonder ransomware attack disrupted major retailers like Sainsbury’s, Starbucks, and Morrisons, highlighting the vulnerabilities of global supply chains and the urgent need for stronger cybersecurity defenses.
Top 5 Cyberattacks During Black Friday and Thanksgiving
Find out about the top five biggest cyberattacks for Black Friday and Thanksgiving, from data breaches and ransomware, to see the risks businesses experience during the holidays.
Healthcare Ransomware Attacks: How to Prevent and Respond Effectively
Learn how to protect yourself from healthcare ransomware attacks. We discuss the main security weaknesses, suggest security steps, and offer possible means of protecting patient information.