January
2024 has started out with the highest number of January attacks we’ve ever recorded, with 76 attacks representing a 130% increase compared to 2022’s figures. Education topped the list of targeted industries, followed by healthcare and manufacturing. LockBit was the most active ransomware group this month, with Akira knocking BlackCat off the second-place spot for the first time. Notably, 91% of disclosed attacks involved data exfiltration.
Check out who made ransomware headlines this month:
- Australia’s Court Services Victoria (CSV) revealed that hackers were able to disrupt operations and access its audio-visual archive containing sensitive hearing recordings during an attack. The impacted system was immediately isolated and shut down, but investigations revealed that a breach exposed recordings going as far back as the beginning of November 2023. This incident impacted various courts and jurisdictions including the Supreme Court and Magistrates’ Court. It is not known who was behind the attack or if any ransom was demanded in exchange for the compromised data.
- Swedish supermarket chain Coop fell victim to a Cactus ransomware attack in late December, impacting stores in the county of Värmland. A spokesperson confirmed the cyberattack, stating that upon detection external expertise was engaged to close off “vulnerabilities where intrusions occurred.” According to reports, stores were unable to take card payments on December 22nd but all stores remained open. Cactus ransomware group did not disclose many details on the attacks including what data was stolen.
- A Christmas Day attack that knocked out electronic health systems at Anna Jaques Hospital (AJH) has been claimed by Money Message ransomware group. The gang claimed it exfiltrated 600GB of information including data relating to its parent network Beth Israel Lahey Health. The exact nature of the exfiltrated data remains unknown, and the ransom amount demanded was not disclosed.
- One of Africa’s largest airlines, Kenya Airways, was claimed as a victim by the Ransomexx ransomware group. The ransomware group shared over 2GB of data allegedly stolen from the airline including sensitive information. Compromised data is said to include passenger information, accident reports, investigative activities and plans for the carrier. The organization has not yet made a public announcement acknowledging the claims.
- Fallon Ambulance Service, a now-defunct subsidiary of Transformative Healthcare, suffered a ransomware attack in April 2023 which impacted data of 911,757 individuals. The attackers gained access to the company’s systems from late February and remained there until late April. BlackCat claimed the attack, stating that they had exported 1TB of data including medical reports, paramedic reports, sensitive patient details, and other information. Transformative’s investigation of the incident concluded in late December 2023 when the breach notification was submitted.
- French logistics company Groupe IDEA was added to LockBit’s dark web victim site this month. The post from the group did not disclose any details on the breach and only contained a countdown to a deadline date of January 22nd for an undisclosed ransom demand to be met. It is not known what, or how much, data was exfiltrated by the group. Groupe IDEA are yet to make a public comment addressing these claims.
- Gallery Systems, a museum software solutions provider, announced that IT outages were caused by a ransomware attack. The attack, which took place on December 28th, caused the company to take systems offline to prevent further devices from being encrypted, which led to widespread disruption for over 800 museums. Law enforcement was notified, and an internal investigation launched to determine the impact of the breach. No ransomware group has yet claimed responsibility for the incident.
- One of the largest insurance companies in the US, First American, confirmed that a cyberattack reported in December was indeed a ransomware attack. The incident forced the company to isolate systems from the internet in an attempt to contain and remediate the incident. Investigations revealed that threat actors accessed certain non-production systems, exfiltrated and encrypted data. It is not known who was behind the attack at this time.
- BlackCat ransomware group added SAED International to its victim list this month, claiming to have infected all systems and affected services. Although no detailed information was provided by the threat actors, the group suggested that the Saudi Closed Joint Stock Company had “tried to hide the attack from clients.” It is not clear what impact the attack had on the organization nor what information has been stolen. SAED are yet to publicly address BlackCat’s claims.
- A cybersecurity incident around Christmas caused Eagers Automotive to halt all trading operations until further notice. The incident affected the IT systems and daily operations across dealerships in Australia and New Zealand. Notorious ransomware gang LockBit claimed responsibility and added the Australian car dealership to its leak site.
- US-based transportation provider Estes Express Lines confirmed that it had fallen victim to a cybersecurity incident last year. The attack caused IT outages and affected Estes’ online tracking services. A forensic investigation determined that unauthorized threat actors had accessed systems and exfiltrated data which is said to include names and other personal identifiers belonging to at least 21,184 individuals.
- LockBit began leaking information stolen from the University of Sherbrooke during a ransomware attack in December 2023. The attack had no impact on the university’s activities, but a spokesperson did state that the compromised data had come from one research laboratory. The ransomware group added screenshots as proof of claims to the announcement on the dark web.
- Mexico’s largest poultry producer, Bachoco, was hacked by Cactus ransomware group just before the new year. The group posted Bachoco on its leak site but provided little information on the attack and did not post a deadline for payment of an undisclosed ransom. It is suggested that 130GB of data was exfiltrated during the incident. A download link to the proof of claims was included which contained PII of employees, stakeholders, and customers as well as other confidential documents.
- Hunters International ransomware gang breached Bradford Health, causing an operations blackout. The attack resulted in a breach of approximately 770GB of data including agreements, medical records, SQL backups, employee data and business documents. The healthcare facility has made no public comment addressing the claims.
- Hackers targeted Kaunas University of Technology in Lithuania, launching an attack that led to the disruption of dozens of systems and ultimately a leak of sensitive information. Information such as employee names, addresses, contact information and car registrations was compromised. Rhysida has claimed the attack and added a number of screenshots, including scanned passports, to its leak site.
- In Louisiana, Tulane University is investigating a potential cyberattack following claims made by Meow. The university launched an investigation of the claim and any impact of the attack but did comment that all network systems were operational. The ransomware group posted the university on its leak site on December 13th but did not include any more information on the attack, with the posting simply stating “soon”.
- Kershaw County School District (KCSD) in South Carolina was the first educational institution claimed by BlackSuit in 2024. The threat actors posted the school district on their leak site earlier this month, alongside claims that 17GB worth of files had been exfiltrated from the KCSD network during the incident.
- In Idaho, Blaine County School District was also targeted by BlackSuit during an attack in late December. BlackSuit alleges to have 12GB of data belonging to BCSD, although no proof of claims was added to the dark web listing.
- Marketing-centered US service provider Televerde fell victim to a cyberattack at the hands of Play. The organization is yet to make a comment on the claims but the group’s posting on its victim site suggests that data was stolen during the attack. Compromised information allegedly includes private and personal confidential data, client documents, budget, IDs, payroll, insurance, taxes, finances, and other company information.
- In Brazil, Agro Baggio was hacked by Knight ransomware group, causing the organization’s website to be knocked offline. The threat actors added Agro Baggio to their leak site, noting that the network is “tightly closed and unavailable.” Knight also claimed to have exfiltrated 70GB of files containing “important data.” A threat was also included in the post highlighting that DPO/LGPD fines are high.
- At the beginning of the month, mortgage lender LoanDepot was forced to shut down some of its systems to contain a cybersecurity breach, with payments via the servicing portal and other online portals being taken offline. The organization has confirmed that it was hit with a ransomware attack, with malicious actors also encrypting files on compromised devices. An investigation revealed that sensitive personal information of approximately 16.6 million individuals was accessed by the ransomware group responsible. At the time of writing, no ransomware group has yet taken credit for the incident.
- LockBit claimed responsibility for an attack on the Capital Health hospital network which caused IT system outages and impacted operations for at least one week. LockBit listed the healthcare company on its data leak portal, claiming to have stolen 7TB of sensitive medical information valued at $250,000. The ransomware gang stated that it purposely did not encrypt the hospital’s systems so as not to interfere with patient care.
- The World Council of Churches confirmed that it was contacted by hackers on December 26th, demanding a ransom for information accessed during a cyberattack. All systems were unavailable including the website. The WCC stated that it would never give in to such threats. The WCC attack has not been claimed by any ransomware group.
- The largest zoo in Canada, Toronto Zoo, confirmed that its systems had been hit by a ransomware attack but that it had caused no impact to the animals’ care, its website, or its day-to-day operations. The zoo is investigating whether the incident affected guest, member, or donor records. The incident was reported to the Toronto Police Service and the zoo continues to work with third-party security experts and the City of Toronto’s Chief Information Security Office to determine the extent of the damage. Akira has taken credit for this incident, claiming to have exfiltrated 33GB of data including NDAs, confidential agreements and personal files.
- Offshore and marine organization ES Group (Holdings) saw information on its systems encrypted as a result of a ransomware attack. The company announced the incident stating that it had impacted the “majority” of its data in its servers but that investigations remained ongoing and the “threat had been contained.” ES Group also commented that there had been no significant impact to its business or operations.
- Another Singapore-listed company made headlines when IPS Securex Holdings confirmed that it had encountered a ransomware incident which had rendered its network inaccessible. Based on initial investigations, the organization is yet to see any evidence of data exfiltration from the attack. The threat actors behind the attack remain unknown.
- In Washington, Edmonds School District confirmed that a cyberattack in January last year compromised the sensitive personal information of approximately 250,000 individuals. The school district identified suspicious activities in its internal network and immediately launched an investigation. Compromised data included names and other personal identifiers, financial information and credit and debit card account information. Akira claimed responsibility for the attack in August, allegedly stealing 10GB of data.
- The Paraguay military issued warnings of Black Hunt ransomware after Tigo Business suffered a cyberattack which impacted cloud and hosting services in the company’s business division. Reports suggest that over 300 servers were encrypted, and backups compromised. The organization was not able to provide a lot of information relating to the attack.
- Black Basta published 515GB of data allegedly belonging to Park Holidays UK, a holiday park operator with more than 50 sites in the UK. The compromised data included financial documents, and personal documents such as driving licences and passports. The organization has not made a public announcement acknowledging the leak.
- German engineering company Gräbener Maschinentechnik confirmed that it had also fallen victim to a Black Basta ransomware attack late last year. The organization stated that unauthorized access was gained by threat actors and that it could not rule out data being leaked. The ransomware group has already published the 1.1TB of data exfiltrated from the organization during the attack. Information includes confidential information and company documents.
- TiAuto Investments, the holding company of Tiger Wheel & Tyres, notified suppliers that it was hit by a ransomware attack on December 28th. The organization’s security team detected suspicious activity and immediately disconnected the network, enabling them to contain the attack. The organization launched a full forensic cyber audit to determine the scope of the incident and the outcomes. LockBit claimed TiAuto Investments as a victim, but it is not clear what or how much data was exfiltrated during the attack.
- Over Christmas, Aspiration Training suffered a ransomware attack on part of its network in a data center. Initial investigations revealed that attackers penetrated a small area of the network, encrypting data. Rhysida claimed the incident, demanding 1BTC in exchange for the data exfiltrated. It is not clear at this time what data was compromised in the attack.
- RE&S Holdings, a Japanese multi-food brand, announced on Jan 11 that it had initiated data recovery following an attack which impacted the data on its servers. RE&S activated business continuity plans and has seen no significant impact to its business operations. The company reported that it has not observed any evidence of data exfiltration or the compromise of any personal sensitive information following preliminary investigations.
- Sources from Fullerton Joint Union High School District revealed that it suffered a “complete internet shutdown” in November. This month it was announced that there is now evidence that some non-sensitive student information was accessed during the attack. Some feel that the superintendent should have acted sooner in informing the school district community about the data breach. It is not known who was behind the attack.
- Not-for-profit organization Water for People was targeted by a ransomware attack orchestrated by Medusa. The gang listed Water for People on its darknet site, threatening to publish stolen information unless the organization paid a ransom demand of $300,000. A spokesperson from Water for People commented that the data accessed predates 2021 and did not compromise financial systems or business operations.
- BlackCat claimed US-based general contractor Builcore as a victim, allegedly exfiltrating 250GB of data during the attack. On its victim site, the group stated that data stolen includes past, present and future clients as well as project information. It was also reported that Builcore refused to negotiate with the threat actors. Builcore has not commented on the breach.
- The Lutheran World Federation (LWF) became a victim of cyber extortion at the hands of Rhysida. The ransomware group reportedly exfiltrated 734GB of data in 732,665 files. Screenshots, including passports, were released as proof of claims. 50% of the files that “did not sell” have already been leaked. Rhysida has not publicly announced how much data was stolen during the attack and it is not known if a ransom was demanded from the LWF.
- It has been reported that staff of Australian imaging and diagnostics provider Quantum Radiology were told to tell concerned patients that a November breach was an “operational IT issue.” An unauthorized party breached the company’s IT systems and encrypted its contents including patients’ Medicare numbers, identifying information, claim details and scan reports. A ransomware gang is yet to take credit for this incident.
- The Arrowhead Regional Computing Consortium announced that a 2023 data breach compromised the sensitive personal information of more than 65,000 people. During an attack in February last year, the educational advisory group detected unauthorized activity in its internal network and immediately launched an investigation into the nature and scope of the incident. The investigation concluded on December 7th, revealing that sensitive personal information including names, SSNs, health insurance information and medical information had been compromised during the attack. LockBit claimed the attack back in April, giving the consortium seven days to pay an undisclosed ransom before data was published.
- Personal information from over 7,300 individuals was accessed by threat actors during a cyberattack on Carnegie Mellon University (CMU). The university launched an investigation and recovery operation which revealed that unauthorized external actors had accessed its computer systems. Information compromised included names, SSNs and dates of birth.
- Calvià City Council, a major Majorca tourism hotspot, was targeted by a ransomware attack, with threat actors demanding an $11 million ransom. The attack caused IT outages and forced the council to form a crisis committee to evaluate the damage done and create impact mitigation plans. The ransomware group behind the attack remains unknown and the mayor of Calvià has stated that the ransom demand will not be paid under any circumstances.
- Hackers who claimed to have passenger data of PT Kereta Api Indonesia (KAI) demanded billions of rupiah in bitcoin from the government. The threat actors claim to be in possession of data belonging to employees and passengers alongside other information but have not disclosed the total amount of data breached. The government was asked to pay a ransom of 11.69BTC but KAI has confirmed that it has seen no evidence that any data was leaked.
- Fortune 500 company Asbury Automotive Group was hacked by the Cactus ransomware gang, who published the company’s data on its PR website on January 12th, claiming to have stolen 62GB and stating that less than 1% of the data was published. Confidential documents including passports, driver’s licenses, IDs, private financial data and employee information are among the data taken during the incident.
- BianLian ransomware group claimed Republic Shipping Consolidators as a victim on its leak site, publishing 117GB of confidential data belonging to the organization. Compromised information included financial records, email correspondence, internal company documents, personal details of employees and various other technical data. Republic Shipping Consolidators has not yet publicly commented on claims made by the ransomware group.
- US-based transportation management company Becker Logistics was among Akira’s victims in January, with the ransomware group threatening to release data exfiltrated during an attack. Akira stated that it is in possession of about 43GB of files including personal information, HR, customer info, NDA documents, contracts, and financial information. Becker Logistics has not yet made a public comment addressing the incident.
- 60,871 individuals were recently notified about a July ransomware attack on ConsensioHealth. The cyberattack, which was discovered on July 3rd, made the network inaccessible to staff members of the billing service. Steps were immediately taken to prevent the spread of the attack and an investigation was launched to determine whether patient data was accessed or copied. In November, the investigation confirmed that files containing patient data were stolen, including files from seven entities.
- Memorial University confirmed that a cyberattack on Grenfell Campus during the Christmas break was indeed a ransomware attack. An unauthorized third party gained access to the Grenfell Campus’ network and encrypted data on a number of servers and workstations, rendering IT services unavailable. At this time, the university does not have any evidence that any personal information was compromised. An investigation is ongoing and, as yet, no ransomware group has claimed the attack.
- LockBit breached Foxsemicon Integrated Technology Inc, one of Taiwan’s biggest semiconductor manufacturers, demanding a ransom to avoid publishing troves of data. On January 17th LockBit pasted a ransom note on the organization’s website, demanding payment of an unspecified amount. According to claims made by the ransomware group, 5TB of data said to include personal data belonging to customers was exfiltrated. The group also threatened that if management did not get in contact that it was “able to completely destroy Foxsemicon with no possibility of recovery”. The organization has not been added to LockBit’s leak site, suggesting that the victim has entered into ransom negotiations or has already paid the amount demanded.
- Kansas State University announced that it was facing a cybersecurity incident that disrupted certain network systems including VPNs. Impacted systems were taken offline upon detection of the incident. The university engaged third-party IT forensic experts to assist in the ongoing investigation efforts. At the time of writing no ransomware group has taken responsibility for the attack.
- Netherlands-based denim brand DENHAM the Jeanmaker officially acknowledged falling victim to a cyberattack in late December 2023. The cyberattack did not materially impact DENHAM services in stores or online. A spokesperson confirmed that threat actors accessed some data on affected systems but stressed that information accessed did not include the personal data of consumers who visited its webshop. Akira took credit for the attack, stating on its victim site that it is in possession of a 100GB data archive.
- Hunters International launched an attack on Gallup-McKinley County Schools in New Mexico. The cyberattack claim lacks critical details including the nature of the data compromised, the extent of the breach, or the motives driving the attack. With no proof of claims added to the leak site, experts are questioning the validity of the claims made.
- In Maryland, Primary Health & Wellness Center made a public notice regarding a ransomware attack which occurred in October 2023. It stated that ransomware encrypted its network server which contained patient medical records from 2018 to present and included names, addresses, dates of birth, SSNs and medical records. PHWC also claims that it has no evidence to believe that any patient data or protected health information was acquired, exfiltrated or misused. The incident was reported to HHS in December as affecting 4,792 individuals.
- The FBI, Homeland Security and Oregon City Police Department are investigating an incident which impacted staff and students of Clackamas Community College. Several attacks against the college network took place overnight, with employees receiving emergency notifications about an intrusion. The attack on the servers was quickly isolated, with the origin of the hack being traced back to a Russian IP address. An investigation is ongoing to determine the scope of the attack and whether data was compromised during the attack. LockBit has claimed responsibility for this incident.
- Evidence of a cyberattack on Worthen Industries was posted on the ALPHV, aka BlackCat, leak site. The posting states that should the organization not contact the group in three days, Worthen’s “entire corporate data” including personal and confidential data would become public. The group also taunted the organization asking if it valued the reputation of the company. No further details on the attack have been released.
- Subway restaurant chain has launched an investigation after claims made by LockBit ransomware group. The infamous ransomware group added Subway to its Tor site alongside claims that it had exfiltrated Subway’s SBS internal system, which includes hundreds of gigabytes of data and all financial aspects of the franchise. An undisclosed ransom was demanded with a deadline for payment set for 2nd February; failure to pay means all data will be published.
- Tietoevry, a cloud hosting service provider, announced that one of its Swedish data centers was “partially subject to a ransomware attack.” The attack affected numerous customers, but it is believed that only services of customers in Sweden were impacted. It has not been announced whether sensitive or personal data was stolen during the incident. According to Tietoevry, Akira ransomware gang are responsible for this attack.
- Ransomware was the culprit behind a cyberattack on Douglas County Libraries in Colorado. The attack which was discovered on January 14th led to temporary catalogue and service outages. The network was quickly taken offline which impacted several other services offered by the libraries. An investigation has been launched but it is not yet known who was behind the attack and if any data was stolen.
- The world’s leading aircraft leasing company AerCap experienced a cybersecurity incident “related to ransomware” but claims it suffered no financial impact as a result of the attack. An investigation continues with an aim to establish the extent to which data may have been exfiltrated or otherwise impacted. Slug ransomware group claimed responsibility for the intrusion and listed AerCap as its first public target. The group claims to have stolen 1TB from the organization.
- LockBit claimed TV Jahn Rheine in Germany as a victim, providing information on substantial amounts of sensitive data stolen, including account information, email conversations and HR records. It is not clear how much information was stolen or what ransom was demanded by the threat actors.
- First Financial Security Inc reported that it had recently fallen victim to a ransomware attack which resulted in an unauthorized party being able to access consumers’ sensitive information. The organization secured its systems and determined that threat actors were not successful in encrypting the company’s systems; however, investigations revealed that portions of its IT network were accessed. Compromised data includes names, SSNs and other personal information.
- Veolia North America revealed that it suffered a ransomware attack which impacted systems of part of its Municipal Water division and disrupted its bill payment systems. The subsidiary of Veolia implemented defensive measures, taking some systems offline temporarily to contain the breach. The organization is working with forensic specialists to assess impact on its operations and systems. No ransomware group has yet claimed responsibility.
- Japan Foods Holding announced that the company was involved in a ransomware attack during which an unknown third party gained access to its servers and encrypted data. It is believed that there will be no material impact to financial or operational performance. During an initial investigation no evidence of data leakage or exfiltration was found.
- UK water giant Southern Water confirmed that threat actors broke into its IT systems and exfiltrated a “limited amount of data” following a ransomware attack. Black Basta has claimed responsibility, publishing a snippet of 750GB of stolen data including scans of identity documents, HR-related information and corporate car leasing documents. Southern Water stated that although a limited amount of data has been leaked, there is no evidence that customer relationship and financial systems were affected.
- In Pennsylvania, Bucks County stated that it dealt with a cyberattack which caused outages and problems for county hospitals, libraries and other local services. The incident disabled the county’s Emergency Communications Department’s computer-aided dispatch (CAD) systems, causing issues for the emergency services. The county partnered with state and federal agencies to assist with the ongoing investigation into the attack. Further information on this attack is not currently available.
- The Kansas City Area Transportation Authority (KCATA) announced that it had been targeted by a ransomware attack on January 23rd, impacting all communication systems. Despite call-center disruption, all routes continued to run as usual with no passenger transit operations impacted. Medusa claimed responsibility, posting data samples on its dark web portal as proof of claims. A ransom of $2,000,000 has been demanded.
- A cyberattack on financial technology firm EquiLend forced several of its systems offline and caused several days of disruption. A spokesperson stated that firms would have to move to manual processes while the platform remained offline. EquiLend are working with external cybersecurity firms and other professional advisors to assist with investigations. Some reports suggest that LockBit was behind the attack, but the ransomware group has not yet posted any claims on its leak site.
- The Co-operative Housing Federation of Norway (NBBL) was hit by a “classic ransomware attack” which impacted three of its other companies. In a statement made by NBBL’s Communications Director, it was noted that affected parties were informed and security measures were immediately implemented to minimize the consequences of the attack. NBBL’s CEO commented that NBBL will not be paying any ransom demanded. 8Base has taken credit for the attack, claiming to be in possession of information including financial data, personal data, confidentiality agreements among other confidential information.
- In Ohio, Groveport Madison Schools is in the process of recovering from a ransomware incident. It took the school district a month to restore services after an attack on December 5th. The hackers identified themselves as BlackSuit, adding the school district to its leak site. A spokesperson confirmed that the hackers stole some staff data, but no student data was compromised during the incident.
- Akira ransomware group claimed an attack on British bath bomb merchant Lush. The ransomware group claims to have stolen 110GB of data including “a lot of personal documents” such as passport scans. Other company documents relating to accounting, finances, tax, projects and clients are also said to be among the data exfiltrated. There is currently no evidence to suggest that customer data has been impacted. Lush publicly announced a cyberattack in early January but has not publicly acknowledged claims made by Akira.
- LockBit has reportedly claimed responsibility for an incident involving the Caravan and Motorhome Club in the UK. During the cybersecurity incident customers were unable to reach the company or access any of its digital channels. It took the company five days to make a public disclosure, following on from advice given by its external cybersecurity experts. The ransomware group has not added a lot of detail to its posting about the Caravan and Motorhome Club but has given the organization until February 9th to meet undisclosed ransom demands.
- Scottish charity The Richmond Fellowship Scotland was targeted by a ransomware attack which shut down all of its systems for over two weeks. Experts from Police Scotland are investigating but most aspects of the attack are still not known. Medusa has claimed responsibility for the attack, claiming to have stolen an unknown amount of data. A ransom of $300,000 has been set by threat actors in exchange for data stolen.
- Planet Home Lending LLC was a victim of a ransomware attack in November 2023, but the data breach was only announced by the organization recently. In response to the attack, Planet Home contained the incident, terminated unauthorized access and launched an investigation involving third party specialists. Investigations determined that threat actors were able to access sensitive consumer information.
- Cactus targeted energy management and automation giant Schneider Electric, reportedly stealing terabytes of corporate data during the cyberattack. The company’s Sustainability Business division was hit in early January, disrupting some of Schneider Electric’s Resource Advisor cloud platform. At this time, it is not known what data was exfiltrated or what the ransom demand is.
- BlackCat is threatening to release classified documents from numerous U.S. intelligence agencies following an attack on Technica Corporation. The ransomware group added a post on its dark web site claiming to have exfiltrated 300GB of data from the company. The group wrote “documents relate to the FBI and other US intelligence agencies. If Technica does not contact us soon, the data will either be sold or made public.” The posting also included 29 separate documents as a proof of claims which included contracts from the Dept of Defense as well as employee information. Technica are yet to address these claims publicly.
- Lotus Media Group in Oregon, which oversees one newspaper and five local radio stations, faced a ransomware attack in late January. The incident caused disruptions to operations, with employees locked out of their emails and key systems used to design the print newspaper. Staff are working to restore operations and continue reporting the news. It is not clear who was behind the attack or if any data was exfiltrated.
- A December cyberattack on Saint Anthony Hospital has recently been claimed by LockBit ransomware gang. LockBit posted the Chicago hospital on its leak site, giving it two days to pay a nearly $900,000 ransom. Administrators determined that files containing patient information had been copied from the network. LockBit didn’t share a lot of information on its posting but did share how they felt about US hospitals, commenting “always US hospitals put their greedy interest over those of their patients and clients.”
February
In February we recorded 57 publicly disclosed ransomware attacks, a 43% increase over last year’s figures. February saw the temporary takedown of LockBit, which did slow the operation down for a few days, but didn’t stop them from carrying out nine attacks, the same amount as BlackCat. Some attacks dominated headlines this month including Lurie Children’s Hospital, Fulton County, Hipocrate Information Systems in Romania and Epic Games.
Find out who else made the ransomware news headlines during the month:
- Skokie in Illinois experienced unauthorized access to the village’s computer systems which led to a network outage. It was reported that staff were told to keep information regarding the attack to themselves and not reveal details to the public. Investigations revealed that threat actors had acquired certain files and data from the network, but it was not confirmed what information was held in those files. Hunters International claimed the incident.
- The Misbourne, a school in the UK, was forced to close to students following a ransomware attack in late January. The incident impacted some of the school’s IT systems which significantly affected its infrastructure and operations. It was revealed this month that personal data belonging to students, families and teachers was stolen during the attack. LockBit took responsibility and confirmed that it had student data, bank details, salary data, HR information and many other confidential agreements in its possession.
- LockBit also targeted another school system, causing a district-wide internet outage by compromising its main servers. Groton Public Schools in Connecticut was able to restore 90% of its systems quickly and continued to work through its disaster recovery process in conjunction with local law enforcement. Further details on this incident have not been released.
- Lurie Children’s Hospital in Chicago was forced to take its IT systems offline and postpone some medical care due to a ransomware attack. Email, phone, on-premises internet and other critical services were impacted. Rhysida took credit while claiming to have stolen 600GB of data from the hospital. The ransomware gang is now offering to sell the stolen data for 60 BTC ($3,700,000) to a single buyer. After a seven-day deadline, the gang will then either sell the data to multiple buyers at a lower price or will leak it for free. The nature of the data stolen has not yet been revealed.
- French medical imaging system manufacturer DMS Imaging was added to Cuba ransomware group’s victim list, with the group stating that data was exfiltrated at the end of January. Cuba claimed to have files including financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, and source code in its possession. The organization has not yet made a public comment addressing these claims and it is not clear whether a ransom was demanded.
- Another French organization, Manitou Group, was attacked by LockBit, resulting in systems being encrypted and information exfiltrated. The notorious ransomware group claimed to have stolen 400GB of confidential data including client, employee and financial information from the equipment manufacturer.
- Potenza Local Health Authority in Italy began investigating an attack at ASP of Potenza after the hospital network experienced computer system problems. The attack impacted the ASP, the Matera Health Authority, the San Carlo Hospital and the Rionero Regional Oncology Center. Rhysida claimed responsibility and posted images of passports and documents on its dark web site as proof of its claims.
- The largest telecom operator in Central and South America revealed that it had been hit by a ransomware attack. Claro Company released this information in response to service disruptions in several regions. Reports suggest that Trigona was behind the attack, but the group has not yet posted the organization on its leak site. At this time, it is not clear if any data was exfiltrated during the incident.
- Although Chicago Extruded Metals has not yet publicly confirmed that it was a victim of a ransomware attack, LockBit has added the organization to its dark web site. The group claimed to have exfiltrated data including financial documents, employee information and client data but has not disclosed how much data it has in its possession.
- Spanish city Teo announced that a January cyberattack “paralyzed administrative activity” for a number of days. The attack impacted computers used in the social services offices and at the Teo Women’s Information Center. The city is coordinating with state officials, the Spanish Data Protection Agency and the national police agencies on the recovery effort. It is not known who was behind the attack or if any data was stolen.
- In Ibiza, Sant Antoni de Portmany fell victim to a ransomware attack which limited the work of city employees after IT equipment was “paralyzed.” Containment measures were instituted while the scope of the attack was analyzed. The incident was reported to relevant authorities including the National Cryptologic Centre. At time of writing no further details were available.
- News outlets have been closely following the fallout from LockBit’s ransomware attack on Fulton County, Georgia. The Fulton County government announced that a “cybersecurity incident” caused widespread systems outages in late January. The outages touched nearly every arm of the government and have since sparked concerns about Fulton County court cases and the overall court system. LockBit has given multiple deadlines, but Fulton County refused to pay the undisclosed ransom. The group has threatened to leak all data exfiltrated, including information linked to Donald Trump’s case; however, at time of writing no data has been released. News reports also suggest that a $10.2 million upgrade has been approved for the IT infrastructure of the government.
- In Tennessee, Germantown announced a ransomware attack which resulted in all internal on-site servers being impacted. Some services were affected but city officials stated that the impact was minimal. Initial assessments indicated that data related to finance, utilities and payment information had not been compromised. No ransomware group has yet claimed the attack and it is not known if any data was indeed exfiltrated during the incident.
- Medusa announced that it had hacked Egyptian platform solutions provider ArpuPlus this month. The ransom demand was set at $100,00 and it is still not known what type of information the ransomware group was able to steal. ArpuPlus has not yet made a public comment addressing the attack.
- The local government of Washington County in Pennsylvania authorized a ransom payment of $350,000 in response to a cyberattack in January. The incident caused the government to shut down its servers following a warning from the CISA. According to reports the threat actors seized control of the county’s network, “basically paralyzing all of the county’s operations.” It was confirmed that hackers had pilfered large amounts of sensitive data, including information about children in the court system. It is not known who was behind the attack.
- This month, sporting goods company Burton, known for its snowboards, reported a “sophisticated cyberattack” that happened one year ago in February 2023. The attack caused disruption to certain computer systems and at the time it was believed that a limited number of files and folders had potentially been accessed. The organization confirmed that 5170 individuals had been impacted by the incident, during which hackers obtained names or other personal identifiers of customers.
- The municipality of Korneuburg in Austria was hit by a ransomware attack which affected all of the data held by the administration including the backup system. Services were hugely impacted with some reports suggesting that funerals were being cancelled due to necessary paperwork being unavailable. Officials have confirmed that they have received a ransom demand but have not disclosed the details. It has been stated that the administration would not be making the extortion payment.
- Black Basta struck car maker Hyundai Motor Europe in early January, with the group claiming to have stolen three terabytes of corporate data. The attack originally presented itself as IT issues, but investigations began to address claims that a third party had accessed a limited part of the network. The ransomware group added the organization to its leak site, displaying lists of folders as a proof of claims. It is not known what data was stolen by the threat actors.
- Service Employees International Union (SEIU), one of the largest unions in California, confirmed that network disruptions they experienced in January were a result of a ransomware attack. It was revealed that certain data was encrypted during the incident. LockBit claimed to have stolen 308GB of data from the union including employee SSNs, salary information, and financial documents along with other confidential information.
- Omega ransomware group claimed Four Hands LLC, a furniture company based in Texas, however the organization has not made a public comment addressing Omega’s claims. The ransomware group is said to have stolen 1.5TB of data including licenses, confidential financial data, employee salary records, NDAs and more.
- US-based non-profit organization Upper Merion Township was hit by a Qilin ransomware attack, during which the threat actors claim to have stolen 500GB of data. In an Instagram post from December, the organization stated that it was experiencing network, email and phone system disruptions, but has not given any further information since then. The leaked information includes employee files, financial charts, email correspondence and private contracts among other confidential documents.
- The Armentières Hospital Center in France was the victim of a cyberattack in early February which saw printers printing a message stating that all data was encrypted. The hospital immediately disconnected the entire network, shutting down all of its services except for maternity emergencies. Although a ransomware group is yet to take credit for the incident, the hospital confirmed that attackers demanded an undisclosed ransom.
- Media monitoring software company Onclusive saw its production systems impacted by a ransomware attack. The organization assured customers that there was no evidence of any data having been compromised and that all CRM, financial and internal systems had not been impacted by the incident. The severity of the attack prevented restoration of services for a number of days. Play ransomware group claimed the attack, stating that it had stolen data including private and personal confidential information, client documents, budget and payroll information, financial information and “a lot of technical information”. It is not clear if a ransom demand was made by the group.
- 8Base ransomware claimed Lili’s Brownies, a French food production company as a victim this month, utilizing a double extortion technique associated with the group. Although the group did not reveal how much data they managed to exfiltrate, it did list the nature of the files which included invoices, receipts, accounting documents, personal data, contracts, and confidential information as well as other sensitive information. The organization has not commented on the event.
- Danbury Schools in Connecticut are asking for help from the local council to fill an unbudgeted cybersecurity gap following an attack in July last year. During the incident computer networks were compromised and servers encrypted, causing issues for the school district. Although no ransom was paid to the unknown attackers, a cost of $202,274 was incurred during the fallout. It was also discovered, upon trying to make a claim, that its cyber insurance did not cover software or hardware, rendering it relatively useless in the case of a ransomware attack.
- The Office of the Colorado State Public Defender remains crippled two weeks after it suffered a ransomware attack. The attack forced the office to shut down its computer network, locking employees out of critical work systems. It was discovered that the attack also encrypted some data on the network. It is not clear who was behind the attack and if any information was accessed by threat actors.
- Swiss beauty brand La Colline was added to LockBit’s victim list this month, with the ransomware group claiming to have stolen an undisclosed amount of information from the organization. The beauty brand was given a deadline of 3rd March to pay the unknown ransom. La Colline are yet to publicly verify this incident.
- In Romania over 100 hospitals were impacted by a ransomware attack targeting Hipocrate Information Systems (HIS). Twenty-five hospitals confirmed that their data was encrypted, with another seventy-five being taken offline while experts evaluate if they too have been impacted. The unidentified hackers demanded 3.5BTC ($170,000) to decrypt the data. The Romanian National Cybersecurity Directorate has asked those affected not to contact the attackers and not to pay the ransom. The production servers on which HIS runs were heavily impacted during the attack, which has led to the systems being down, and files and databases being encrypted. It is not yet known who was behind the attack.
- In South Africa, Tshwane University of Technology faced a “critical challenge” when it was hit by a ransomware attack in January. Rhysida claimed the attack, demanding 20 BTC (around $61,000) in exchange for exfiltrated data. The nature and amount of stolen data is unknown. Some are criticizing the university’s Vice Chancellor for a delay in the attack being reported to regulators.
- Spanish electricity company SerCide was a victim of a BlackCat ransomware attack in December. The ransomware group added SerCide to its leak site, leaking a total of 69GB of data after “negotiations were refused”. The group also taunted the organization stating, “good luck restoring your resources which have not been restored for more than one month.” SerCide has not publicly acknowledged the leak.
- BlackCat also claimed an attack on Canada’s Rush Energy, claiming it has been in the organization’s network for a long time. On the group’s leak site, the post went on to say that the organization’s most valuable data had been stolen and that a backdoor into its network had been created, giving the group the ability to come and go. It also warned the organization that, should it avoid making a deal with the group, all data will be made public.
- Lower Valley Energy, which provides energy services to Yellowstone National Park, was also a victim of a BlackCat ransomware attack in late December. The ransomware gang posted the US utility co-op on its leak site but did not include details on what data, if any, was stolen nor whether it expected a ransom from the organization. Details on this attack are limited.
- Trans-Northern Pipelines (TNPI) confirmed it had suffered an internal breach in November, but in February it began investigating claims made by ransomware group BlackCat on the dark web. The cybersecurity incident impacted a limited number of internal systems and was quickly contained. However, BlackCat has now added TNPI to its leak site and has published 183GB of data allegedly belonging to the organization. Several names of TNPI employees were also added to the dark web site.
- Singapore-listed Aztech Global discovered a cybersecurity breach which forced the organization to immediately shut down all servers. An unknown actor gained unauthorized access to its IT systems, but it is not clear at this time what data, if any, was impacted by the attack. The incident did not affect operations and has had no material financial impact. It is not clear who is behind this attack.
- Snatch claims to have infiltrated Malabar Gold and Diamonds, exfiltrating around 270GB of information. Among the data stolen is sensitive information about key figures within the organization, with the ransomware gang naming and giving personal information on the CEO and other leaders. Other stolen data is said to include financial performance and turnover of the company.
- Willis Lease Finance Corporation admitted to falling victim to a “cyberattack” following claims made by Black Basta on the group’s dark web site. Upon discovering the incident, swift action was taken to contain, assess and remediate the situation, which included taking all systems offline. Black Basta claims to have exfiltrated 910GB of company data including customer information, HR documents and NDAs. Samples were also posted as proof of claims, which included accessed file trees and identity documents. The dark web post made no mention of a ransom demand.
- On February 13th, German battery manufacturer Varta announced that it was forced to shut down its IT systems as a proactive measure following a cyberattack on the company. Operations at five production plants and the administration were impacted by the incident. A statement confirmed that at this time the damage or complete impact of the attack cannot be determined as investigations are ongoing. No ransomware group has taken credit for the attack to date.
- Australian organic and health product supplier Kadac was faced with a $100,000 ransom demand following a cyberattack in early February. Medusa claimed the attack, posting the ransom demand and giving the organization a 10-day deadline to pay to prevent stolen data from being leaked. Exfiltrated data includes customer details, correspondence with brands and suppliers, financial information, marketing data and other confidential information.
- LockBit claimed responsibility for hacking one of India’s top brokerage firms, Motilal Oswal. The organization claims operations were unaffected by the cyberattack and that it is investigating claims made by LockBit. The notorious ransomware gang allegedly has confidential company data in its possession, but it is not clear how much data it may have or what exactly the information includes.
- Two weeks after an initial attack, Minnesota State University continued to deal with the impact. Reports state that “a few servers” were found encrypted by the university’s IT team at the beginning of February. The university stated that impacted servers did not contain any sensitive information belonging to students or employees. No classes were cancelled as a result of the attack and systems that are integrated with other universities remained unaffected. No ransomware group has yet claimed this attack.
- Prudential Financial announced that BlackCat had breached its network on February 4th and had stolen employee and contractor data. An investigation is currently ongoing to assess the full scope and impact of the cyberattack. The Fortune 500 company is yet to find evidence of any customer data having been affected by the incident. The ransomware gang posted a lengthy announcement on its leak site, giving many “facts” about the incident and what the organization is doing in the aftermath, including a claim that the group remained in Prudential’s networks long after the breach announcement.
- Trisec, a newcomer to the ransomware landscape, posted Cogans Carrigaline, a Toyota dealership in Ireland, as one of its first victims. The leak site posting did not give much detail on the attack, giving a twenty-day deadline and offering only an email to contact for a ransom price. The automotive retailer has not made a public statement acknowledging an attack or Trisec’s claims.
- The Emirates Telecommunications Group Company, known as Etisalat, fell victim to a LockBit ransomware attack in mid-February. The ransomware group claimed to have stolen “sensitive files” from the state-owned telecom giant in the UAE, posting a $100,000 ransom demand to secure its data. Screenshots were posted as proof of claims alongside the dark web announcement. Etisalat is yet to publicly address LockBit’s claims.
- The Grace Lutheran Foundation posted a notice in early February about a data breach which had taken place earlier in the year. It revealed that patient information including name, address, SSNs and health insurance information had been impacted. BlackCat ransomware group added the organization to its leak site, stating that it had acquired 70GB of data during an attack. The group also stated that after two weeks of failed negotiations, Grace Lutheran Communities “refused to protect data of its employees and patients/customers”, which led to the stolen data being leaked.
- New ransomware group Mogilevich announced that it had successfully breached Infiniti USA’s systems, making the motor manufacturer one of its first victims. The gang claims to have exfiltrated 22GB of data which includes personal information belonging to customers. Infiniti USA is yet to make a public statement acknowledging these claims.
- A spokesperson from Welch’s, known for producing grape juice and jams, stated that a recent “system disruption” was actually the result of a cyberattack. The incident forced the company to shut down all operations, with no notification on when workers would return to work. The spokesperson stated that more than 100 cybersecurity and technology experts are working on the systems and the company is coordinating with law enforcement to investigate the incident. Play ransomware group posted Welch’s on its dark web site, claiming to have exfiltrated data including private and personal confidential information, client documents, budget, payrolls, IDs, taxes, finance and other information.
- Numerous systems belonging to German critical infrastructure software provider PSI Software were disrupted by a ransomware attack last month. Upon identifying suspicious network activity, the company took down all external connections and computer systems. PSI also stated that it had seen no evidence to suggest that customer systems had been compromised by the attack. No further details on this incident have been made public.
- BlackCat ransomware group claimed it hacked KHS&S, adding the US-based construction company to its dark web site. The posting on the site gave the organization a 3-day deadline to contact the group before data is released. It also gave the names of four KHS&S employees with the note “contacts for journalists.” No other information regarding this attack is available and it seems that KHS&S has not publicly commented on a cyberattack or these claims.
- The City of Oakley in California declared a local state of emergency following a ransomware attack. The city’s IT department took all systems offline and began coordinating with law enforcement and cybersecurity professionals to investigate the nature and scope of the attack. Emergency services including 911, police, fire and ambulances were not impacted by the attack.
- Hessen Consumer Center in Germany was hit by a ransomware attack which caused IT systems to shut down and services to be rendered temporarily unavailable. External IT security experts were brought in to aid the not-for-profit’s efforts to restore the availability of all communications impacted. The data on the server and some backup systems were encrypted but it is not yet clear what data may have been involved in the incident. BlackCat added the organization to its leak site, with a comment suggesting that the organization has “visited the chat multiple times but didn’t say and single word”.
- In February, Aspen Dental filed a notice of data breach relating to a ransomware attack in April 2023. Upon discovery of the incident, Aspen Dental secured its systems and began working with third party data security specialists to investigate the incident. The investigation confirmed that ransomware attackers had gained access to the network and files containing confidential information. Patient and employee details were among those impacted by the attack.
- Pharmaceutical giant Cencora revealed that it had suffered a cyberattack which led to threat actors stealing data from corporate IT systems. The organization contained the incident and is working with law enforcement, cybersecurity experts and external counsel to investigate it. Although it has not determined if the incident will materially impact finances or operations, Cencora has learned that some data, which may include personal information, had been exfiltrated during the attack. No ransomware group has claimed this attack to date.
- Change Healthcare confirmed that it was experiencing a cybersecurity issue which was orchestrated by BlackCat. Experts are working to address the matter and the organization is working closely with law enforcement and third-party consultants to understand the impact to members, patients and customers. The company stated that based on an ongoing investigation, “there’s no indication that except for the Change Healthcare systems, Optum, UnitedHealthcare and UnitedHealth Group systems have been affected by this issue.” BlackCat’s leak site post, which has now been removed, stated that the gang claims to have stolen millions of Americans’ sensitive health and patient information.
- Gilroy Gardens, a theme park in California, was hit by a ransomware attack in mid-February, locking all on-site servers and machines, including its ticketing systems. Although customer names and credit card information are stored in the impacted systems, Gilroy Gardens, the FBI and third-party security experts do not believe any data was breached or stolen during the attack.
- Mogilevich ransomware gang added Epic Games to its ransomware leak site, claiming to have stolen email addresses, passwords, payment information, source code and other data totalling 189GB from the game developer. Epic Games has stated that although it is investigating the claims, there is currently no evidence to suggest that they are legitimate. News reports suggest that the threat actors are selling the stolen data for $15,000 and would only show samples when shown “proof of funds” to purchase.
- In late February, Rio Hondo Community College District confirmed that it had experienced a ransomware attack in October last year. Upon discovering that portions of its IT network had been encrypted, Rio Hondo took steps to secure its systems and began working with third-party data security specialists to investigate the incident. Sensitive consumer data including personal information was breached during the incident.
- Black Basta ransomware group has added Australian data management company ZircoDATA to its list of victims. The threat actors claim to have 395GB of data in their possession including financial documents, personal user folders, and confidentiality agreements. The group also posted a large number of documents on its dark web site as proof of the validity of the hack, including passport scans and immigration documents. ZircoDATA is taking the claims seriously and is working with cybersecurity experts to investigate the situation with urgency. At this stage in the investigation there is no evidence to suggest that personal information relating to customers has been impacted.
March
March saw 59 ransomware attacks make headlines, with healthcare and government leading. The City of Hamilton and Town of Ponoka in Canada experienced attacks that caused widespread issues across government systems including online payments, while the City of Huntsville had its data held hostage following an attack. In other news, Belgian beer producer Duvel halted production at all Belgian sites and its US site after the Stormous ransomware group claimed to have exfiltrated 8 GB of company data. Keep reading to see who else made the list for March.
- Australian retail software vendor GaP Solutions was a victim of a LockBit ransomware attack this month. LockBit disclosed the attack on its website, threatening to publish an undisclosed amount of data within 20 days. The post did not mention how much data was exfiltrated nor did it reveal the amount of its ransom demand. GaP Solutions stated that the organization was aware of the claims made by LockBit and had engaged external cybersecurity experts to assist with the investigation. Initial reports suggest that there is no evidence of customer data or infrastructure being compromised.
- Ward Transport & Logistics experienced a cyberattack on Sunday 3rd March, impacting multiple layers of its network. The carrier was forced to run limited operations to handle freight already in the system. DragonForce was behind the attack, in which it claimed to have exfiltrated 574.14GB of data.
- A notice on Pacific Cataract and Laser Institute’s website stated that a November ransomware attack resulted in sensitive data being exfiltrated. LockBit launched an attack on PCLI which impacted data including names, medical treatment information, health insurance and claim information, financial account data, SSNs and demographic data. PCLI did not notify individuals within the 60-day window, waiting approximately 109 days before releasing details of the incident.
- Yakima Valley Radiology was added to Karakurt’s leak site in November, but the incident was only recently reported to the Maine Attorney General. The ransomware group claimed the attack in November, stating, without proof, that it had acquired 9.31GB of data including financial reports, client lists with contacts, and lists of patients among other sensitive information. It has been revealed that this incident has impacted 235,249 individuals.
- Muscatine Power and Water in Iowa confirmed that a January ransomware attack led to the exposure of sensitive information from nearly all local residents. The utility company discovered that the attackers had gained access to its corporate network environment and has since sent out letters to all those impacted. 36,955 individuals had their SSNs accessed by the hackers alongside telecommunications subscriber data. No ransomware group has taken credit for the incident.
- In Canada, the City of Hamilton is still recovering from a ransomware attack that impacted nearly every facet of government functions. The incident, which was discovered in late February, impacted nearly every system used for online payments and caused issues with the website and phone systems. Upon discovery of the incident, the city took swift action to investigate, protect systems and minimize the impact on the community. The timeline for full recovery is not yet known, but the city has advised that it is looking to resolve the situation as quickly and effectively as possible.
- WellNow Urgent Care filed a data breach notice in February relating to an attack which happened almost one year prior. An investigation revealed that in April 2023, WellNow was a target of a successful ransomware attack which resulted in hackers being able to access files containing confidential patient information. After learning sensitive customer information was accessed, the organization reviewed the compromised files to determine what information was leaked and who was impacted. Publicly available breach letters from WellNow do not state what data was affected and no ransomware group has claimed the attack.
- A notable private hospital in Stockholm fell victim to a sophisticated cyberattack which led to a temporary shutdown of its computer systems and disruption to phone services. Sophiahemmet took immediate precautionary measures upon discovering the attack, which proved crucial in mitigating the impact of the incident. The attack was claimed by Medusa but there has been no indication what data, if any, was compromised.
- The town of Ponoka in Canada experienced a cybersecurity breach of its network by an unauthorized party. The breach caused system outages involving government payment systems. The town acted immediately to contain the attack and is working with cybersecurity experts to investigate if any personal information was impacted. Cloak ransomware group took credit for the attack, claiming on its dark web site to be in possession of 110GB of information exfiltrated from Ponoka’s network.
- School District 67 Okanagan-Skaha in British Columbia emailed parents of students informing them of a cyberattack which took place in February. Families learned that personal information of both students and parents may have been compromised. It is not known who was behind the attack or if a ransom was demanded.
- Stormous ransomware group took credit for an attack on major Belgian beer producer Duvel Moortgat Brewery. The brewery decided to switch off services and as a result production was temporarily halted at all Belgian sites and its US site. The ransomware group claimed to have stolen 88GB of data from Duvel but did not disclose a ransom demand.
- Supplier of medical technology products Mediplast was targeted by 8Base ransomware group in March, with the group claiming to have stolen a trove of confidential information. The dark web post stated that information including invoices, receipts, accounting documents, personal data, certificates, employment contracts and personal files were exfiltrated during the attack.
- South St. Paul Public Schools notified staff and families of technical difficulties “that may disrupt certain services” such as online platforms, emails and other digital services. The district was made aware of unauthorized activity within its computer network which forced them to take systems offline to isolate the issue. The district engaged a third-party cybersecurity firm to assist with system recovery and investigate the cause and scope of the unauthorized activity. BlackSuit claimed the attack in mid-March but did not disclose any additional information about the attack.
- In February, IT specialists from the municipality of Bjuv were greeted with a ransom note from Akira following a cyberattack 2 days prior. According to the Director of Municipal Services, hackers used “an old, insecure door” to infiltrate servers which caused several computer systems to stop working. Employees reinstalled several hundred computers and relied on backups of documents that had been encrypted before receiving Akira’s ransom note. Akira claimed to have 200GB of confidential information including contracts, agreements, and HR files.
- Akira announced Infosoft as a victim this month, claiming to have stolen a number of confidential files. Data is said to include operational files, projects and documents containing sensitive information. The dark web post mentioned that data would be published soon, suggesting that negotiations between the threat actors and the New Zealand based software development company had failed. Infosoft has yet to make a public comment addressing the claims.
- Kittery Animal Hospital in Maine announced that it had fallen victim to a ransomware attack which compromised its computer systems making files inaccessible to staff. The clinic was forced to treat animals with the limited technology available. A spokesperson commented that at this point there is no reason to believe that client records had been accessed or exfiltrated. An investigation is ongoing.
- South African officials are investigating claims made by LockBit stating that the ransomware gang exfiltrated and then leaked 668GB of sensitive national pension data. The Government Pensions Administration Agency (GPAA) suffered a cyberattack which hampered its operations and disrupted pension payments. Investigations remain ongoing.
- The tax-free travel retail chain Duty Free Americas (DFA) was added to the Black Basta dark web leak page, with the group claiming to have stolen 1.5TB of sensitive information from corporate networks. Files from multiple departments including financial, legal and HR were among the data stolen during the attack. Black Basta also added 15 sample leak pages filled with dozens of passports, social security cards, driver’s licenses, and credit cards as proof of claims.
- Cactus ransomware group claimed to have infiltrated the networks of Reny Picot, a prominent dairy brand in Europe, stealing 350GB of data. Although the leak site post did not specify how much data was stolen, it detailed the type of information compromised. Files included accounting information, HR data, customer data, contracts, R&D documents, corporate correspondence, and personal folders belonging to employees and executive managers. A national ID card belonging to an employee was uploaded as proof of claims. A ransom of $1 million was posted by the group.
- Ammega was another organization to fall victim to Cactus in March, with the group stealing around 3TB of information during an attack. The ransomware group stated that it had possession of data including accounting information, 150GB of HR data, 100GB of customer data, 250GB of R&D information, and 100GB of corporate correspondence. Cactus posted proof of claims in the form of a confidentiality agreement signed by Ammega and a partner firm. The group demanded a ransom of $9 million in exchange for the exfiltrated data.
- Cactus also claimed UK-based firm Cleshar as a victim, stating that it had stolen 1TB of information from the company’s cloud storage. Compromised files included 40GB of accounting information, 110GB of HR documentation, 130GB of customer data, 3GB of legal documents and 120GB of corporate correspondence. A picture of an employee’s passport was used as proof of claim. Cactus demanded a ransom of $1 million to stop the data from being made public.
- In Australia, CHRG, previously known as Castle Hill RSL Group, was added to 8Base’s victim list. CHRG issued an advisory on its website in mid-February, warning members of a “cyber incident” that had been detected. The organization stated that ongoing forensic investigations identified no indication of sign-in credentials, the membership database or point-of-sale systems having been impacted by the attack. Although statements have been made, CHRG is refusing to comment on 8Base’s claims to avoid impacting the ongoing investigation.
- After discovering a data breach, metal manufacturer Plymouth Tube Company determined that an unauthorized party may have accessed sensitive information in January. The type of information exposed by the breach includes names, SSNs, DOB, driver’s license numbers and plan information. Cactus took credit for this attack, claiming to have exfiltrated 1.83TB of data belonging to the company.
- One of the world’s largest yacht retailers, MarineMax, experienced a cybersecurity attack which forced it to take certain systems offline on March 10th. The organization identified a cybersecurity incident where an unauthorized third party gained access to portions of its internal systems, but an investigation into the nature and scope of the attack is still ongoing. Rhysida added MarineMax to its leak site, giving the retailer just 7 days to pay a ransom demand of 15 BTC. Multiple screenshots of various documentation were posted as proof of claims.
- Reports suggest that Encina Wastewater Authority was targeted by BlackByte ransomware group this month, although no official statement has been made by the organization at time of writing. The dark web posting included a number of sample documents, adding that the company documents were available for deletion or purchase. The group did not reveal how much data was exfiltrated nor did it publicly demand a ransom, urging those interested to get in contact.
- The District of Vancouver announced that its municipality’s networks were hit with an “attempted” ransomware attack in mid-March. According to a spokesperson, the district and its partner agencies were the targets of the attack. The attack was detected quickly and stopped shortly after it began but did leave some systems and business applications affected. The municipality confirmed that no ransom was paid to the attackers and that an investigation into the attack is ongoing. At this time there is no evidence of employee or resident personal data loss.
- The New Mexico Administrative Office of the District Attorneys suffered a cyberattack which impacted two of its servers which serve its offices within 13 judicial districts. Data was encrypted during the attack, making files inaccessible to all staff in impacted areas. It is unclear who was behind the attack and if any information was exfiltrated.
- Hunters International added Ace Air Cargo to its victim list this month, claiming to have exfiltrated 250.4GB of data from the company. Although the nature of the data stolen has not been disclosed, the dark web posting suggested that 272,624 files were impacted. The air transportation provider has not yet publicly addressed the claims made by the ransomware group.
- Felda Global Ventures Holdings Berhad in Malaysia was disclosed as a victim of Qilin following a “successful” ransomware attack. Attackers claimed to have stolen data from the agricultural organization but did not state the volume or nature of the exfiltrated information. Although details on the dark web post remained vague, the group did add 32 screenshots as proof of claims, which included a variety of files suggesting that some private contracts, confidential financial sheets, emails, written records, and internal project information had been compromised.
- Claims made by Stormous suggested that the ransomware group was able to infiltrate networks belonging to the Lebanese Organization for Studies and Trading. The organization has not publicly acknowledged the cyberattack and has not addressed claims made by Stormous. The dark web posting provided no information regarding the nature of the data exfiltrated.
- Consolidated Benefits Resources, a claims administrator based in Oklahoma was added to BianLian’s dark web site. The ransomware group claimed to have exfiltrated 1.2TB of information during a successful cyberattack. Information is said to include financial data, HR documentation, PII records, PHI records and SQL. No ransom demand or proof of claims was disclosed in the listing.
- Donut ransomware claimed to have successfully exfiltrated 4TB of data from Void Interactive, developers of popular video game Ready or Not. The cybercriminals threatened the company, stating that if it remained silent it would post the source code and game related data that was stolen. The group also added a link to proof of claims which included a list of various builds of the game in a dev environment.
- Nevada-based Nations Direct Mortgage announced this month that more than 83,000 customers were impacted by a late 2023 data breach. The company stated that it discovered a cybersecurity incident on December 30th which prompted an investigation involving law enforcement and other government agencies. The investigation determined that an unauthorized third party had gained access to and potentially removed data belonging to a number of individuals. Information including names, addresses, SSNs and Nations Direct loan numbers is said to have been obtained. No ransomware gang has yet claimed responsibility for the attack.
- Technology giant Fujitsu announced it had suffered a cyberattack that may have resulted in the theft of customer information. The company revealed that multiple computers were infected with malware, causing security staff to disconnect impacted systems from the network. A public notice stated that although an investigation is ongoing, it has been discovered that files containing personal information and customer information may have been exfiltrated. The scope of the incident, how many individuals were impacted, and which information was taken remains unclear.
- In Pennsylvania, Scranton School District said it experienced a cybersecurity incident that forced it to take several of its systems offline and delay scheduled classes. The school district announced on social media that a ransomware attack was responsible for the major network outage. All teachers and school staff were asked to refrain from using electronic devices connected to the district’s internal network and uninstall any school-related apps.
- Pharmaceutical development company Crinetics Pharmaceuticals is investigating a cybersecurity incident following claims from LockBit that data was stolen. The company confirmed that it had recently discovered “suspicious activity in an employee’s account.” The notorious ransomware gang demanded a ransom of $4 million from Crinetics but did not disclose the nature or volume of the exfiltrated data.
- Long Island Plastic Surgery Group was the victim of a collaborative attack involving two ransomware groups, BlackCat and Radar. BlackCat was responsible for encrypting files, while Radar exfiltrated the data. BlackCat handled negotiations with the victim, and the groups are said to have split the ransom amount 50/50. The ransom demand was apparently set at $1 million, but the healthcare provider ended up paying just $500,000 for the decryptor key and was not interested in paying for the exfiltrated data to be deleted. The groups claim to have exfiltrated 700GB of internal documents including employee and patient records.
- LockBit leaked 64GB of data allegedly stolen from Egyptian pharma chain El Ezaby Pharmacy after ransom negotiations failed. The data is said to include customer information, financial data, passwords and email archives. Information related to this attack remains vague, with Ezaby Pharmacy yet to publicly address the claims.
- Radiant Logistics was forced to cut off a portion of its business in Canada following a cyberattack in mid-March. The company announced that it was in “the initial stages of a cybersecurity incident.” Upon detection, the company initiated its incident response and business continuity protocols and began taking measures to limit the impact of the attack. It is reported that the incident is not reasonably likely to materially impact financial conditions. No ransomware gang has yet taken credit for the incident.
- Leicester City Council in the UK announced that several of the local authority’s critical services were unavailable due to precautionary measures following a cyberattack. The council published several emergency numbers for affected services, including child protection, adult social care safeguarding and homelessness. This incident has not been claimed by a ransomware group.
- Polycab India claimed that core systems and operations were not impacted by a recent ransomware attack which targeted its IT infrastructure. The incident was claimed by LockBit, with the group stating that it had exfiltrated 500GB of data from Polycab. Threat actors also added 12 screenshots of exfiltrated documents as proof of claims.
- American Renal Associates became a victim of a Medusa ransomware attack which saw files encrypted and data exfiltrated during the incident. The ransomware group claimed to have thousands of PHI and PII data files from the company’s servers, adding a file tree containing over 200,000 rows of file names as proof of claims. The ransom for the data was set at $1 million. The healthcare provider has yet to publicly address these claims.
- Monmouth College disclosed that it had suffered a ransomware attack over the holiday season last year. An investigation revealed that hackers had access to the school’s systems from December 6th and 44,737 people were impacted by the incident.
- Henry County, located on the border between Illinois and Iowa, dealt with a wide-ranging cyberattack, forcing it to shut down access to multiple impacted systems. The county’s incident response team partnered with outside companies to begin an investigation into the attack. Medusa ransomware group took credit, posting a ransom demand of $500,000 in exchange for exfiltrated data. The nature and volume of data exfiltrated remains unclear.
- Weirton Medical Center fell victim to a cyber incident which saw its networks penetrated and data belonging to nearly 27,000 patients exfiltrated. According to a breach notification letter, an unknown actor gained access to certain systems on its network and acquired files over a four-day period. Weirton believes that data accessed may include names, SSNs, DOBs, medical information, health insurance information, treatment information and medical bill financial information.
- In the Northern Mariana Islands, Commonwealth Healthcare Corporation experienced a “complete data breach from its internal servers.” A posting on an unknown Tor site stated that information including data of all patients, medical histories, personal information, MRI images, and various other sensitive records were stolen during a cyberattack. The listing also shames the institution, claiming it knows of the incident but is downplaying it and claiming ignorance in the media.
- Hackers have demanded $700,000 from Tarrant Appraisal District following a cyberattack. The incident caused network disruption, shutting down the district’s website. Although it was originally believed that no sensitive data was exfiltrated, unknown hackers have threatened to release information if the ransom demand is not met. The hackers have not identified themselves, but the district believes that Medusa is behind the attack.
- The Emergency Medical Services Authority in Oklahoma City announced that it had been a victim of a cyberattack which saw unauthorized individuals gain access to its network in February. Upon discovery, systems were shut down to prevent further spread. Forensic investigations confirmed that the attackers exfiltrated files containing patient data including PII.
- 500 individuals were impacted by a ransomware attack on Lindsay Municipal Hospital, with BianLian claiming responsibility for the incident. The healthcare provider has not been particularly vocal about the incident, but BianLian has added the hospital to its leak site alongside proof of claims. The listing states that stolen data will be uploaded soon but it is not clear whether Lindsay Municipal Hospital entered into negotiations with the group. The nature of the exfiltrated data is still unknown.
- St Cloud became the most recent city in Florida to fall victim to a cyberattack. The city discovered a ransomware attack in late March which affected city services and departments, forcing some payments for activities and services to be cash-only. Law enforcement is investigating the incident with city officials yet to confirm who the attackers are and if a ransom was demanded. It is also not clear if any data was exfiltrated during the attack.
- California-based Select Education Group experienced a cybersecurity incident that compromised the sensitive information of almost 70,000 individuals. The attack enabled hackers to access portions of SEG’s internal networks. The organization has launched an internal investigation, with assistance from third party cybersecurity experts to determine the scope and nature of the incident. Compromised data included names, SSNs, billing and payment records, and academic records. Black Suit took credit for the attack.
- The City of Jacksonville Beach revealed that a cyber incident in January compromised the sensitive personal information of almost 50,000 individuals. During the attack, the city experienced network security issues which impacted certain City functions. An investigation was immediately launched with the assistance of external experts. Compromised data included the names and other personal identifiers along with SSNs. In February LockBit claimed responsibility, adding the city to its leak site.
- Gilmer County, Georgia, posted an official announcement on its website confirming a ransomware attack on its systems. The incident required the county to take many of its public services offline as a precautionary measure. An investigation has been launched to determine the effects of the incident. It is not clear at this time if any data was compromised as a result of the attack. No ransomware group has yet claimed responsibility.
- Qilin ransomware group claimed responsibility for infiltrating systems of UK-based publisher the Big Issue Group. According to the gang’s dark web site, 550GB of data including personnel information, contracts and partner data, financial statements and investment information was stolen during the attack. 12 screenshots were posted on the listing as proof of claims. A ransom was not included in the dark web claims, but the group did accuse its victim of trying to hide the attack and the leakage of personal information. The Big Issue has acknowledged the cyberattack, stating that upon discovery immediate steps were taken to mitigate the issue and an investigation was launched.
- In Canada, the Town of Huntsville shared details of a cybersecurity incident which resulted in digital information being held hostage. The town’s chief administrative officer stated that an unauthorized user infiltrated the town’s systems and data was compromised. It is still unclear if compromised data includes personal information. No ransomware group has yet claimed responsibility for the attack.
- INC ransomware group posted NHS Scotland on its dark web site, alleging it had 3TB of data belonging to the trust, but officials believe that the incident was contained to one health board. NHS Dumfries and Galloway is said to be the board impacted. Information has been leaked already to verify proof of claims. NHS Scotland are working with Police Scotland, the National Cyber Security Centre, the Scottish government and other agencies to investigate the situation.
- Houser LLP announced that investigations into a May 2023 ransomware attack have concluded and found that threat actors were able to gain access to sensitive personal information. The Fortune 500 company discovered that certain files had been encrypted during the incident and immediately launched an investigation. Compromised data included names and other personal identifiers, financial account numbers, credit and debit card information and various other types of files. BlackCat claimed responsibility and at the time claimed to have exfiltrated 1.5TB of information from the law firm. It has now been revealed that the ransomware attack compromised the data of almost 700,000 individuals.
- BSR Infratech India Ltd faced an $80,000 ransom demand following a ransomware attack in late February. The hackers gained access to business information and data belonging to employees, clients and customers. Data files were also encrypted during the attack. Further information on this attack, including whether the ransom was paid, is currently unknown.
- The City of Pensacola confirmed that a cyberattack which shut down city networks and phone systems was indeed a ransomware incident. The phone issues were experienced across city departments causing delays in receiving service through the 311 Citizen Support system. The mayor was unable to give in depth information about the incident as the investigation is ongoing.
April
April saw 59 ransomware attacks make global news headlines, with healthcare leading the way with a massive 47% increase over last month. This was followed by the government and retail sectors with increases of 40% and 38% respectively. Notable attacks included Norwegian aluminium producer Norsk Hydro, which disclosed financial losses exceeding $40 million following an attack, as well as the Hoya Corporation, which found itself faced with a $10 million ransom demand after Hunters International exfiltrated 2TB of data. Keep reading to see who made news during the month.
- US-based Partridge Venture Engineering became a victim of a Black Suit ransomware attack in early April; however, the firm has not yet acknowledged the claims made by the group. Black Suit’s dark web post was, as always, limited in the information about the attack, simply stating that “information will be released in the next few days.”
- Florida Memorial University (FMU) fell victim to a cybersecurity breach at the hands of INC ransomware. Details of the attack remain unclear, including how hackers gained access and how much data was stolen. A proof pack was uploaded to the dark web containing scans of passports, social security numbers, and copies of contracts. The university has yet to publicly address the claims made by INC.
- One of the largest counties in Missouri, Jackson County, confirmed that it was dealing with a suspected ransomware attack, impacting tax payments and online property, marriage license and inmate searches. The county identified significant disruptions within its IT systems, causing operational inconsistencies across its digital infrastructure and rendering certain systems inoperable. No ransomware group has yet come forward to claim the incident.
- Medusa claimed to have infiltrated the San Pasqual Band of Mission Indians in California, stating they have exfiltrated 134.4GB of data while demanding a $100,000 ransom. The Native American reservation has not confirmed the attack.
- East Baton Rouge Sheriff’s Office detected an attempted intrusion into the agency network in early April, but claimed that its software was able to stop the threat actors before the attack could advance further. Medusa claimed the attack, posting on its site that it has 92.2GB of data in its possession. The group released documents including employee payroll records, prisoner information and a screenshot of CCTV footage as proof of claims. Medusa demanded $300,000 in exchange for the stolen information.
- Ernest Health revealed that a data breach that closed more than a dozen rehabilitation hospitals for 3 weeks at the start of this year was caused by a ransomware attack. LockBit claimed responsibility, stealing information belonging to 97,078 patients. Compromised information included names, contact information, dates of birth, health plan IDs, health data, Social Security numbers and driver’s license numbers. A lawsuit has since been filed against Ernest Health.
- Indiana based Otolaryngology Associates announced that a February ransomware attack resulted in a breach of data belonging to 316,802 patients. The healthcare provider became aware of the cybersecurity incident with their vendor responding quickly. INC took responsibility for the attack, claiming to have exfiltrated important information including billing records. OA do not believe that threat actors gained access to the medical record system.
- A report regarding a late 2023 attack on City of Hope has been updated, revealing that the ransomware attack impacted 827,149 patients. The cancer center based in California initially told the HHS that 501 individuals were impacted, but at this time the true figure was unknown. Compromised information varied for each patient but PII and PHI details were amongst the information stolen. BlackCat reportedly claimed the attack, but before the group could post details, the leak site was seized. Further information on the nature of the attack remains unknown.
- Daixin Team took credit for the attack on Omni Hotels & Resorts, claiming to have exfiltrated “records of all visitors from 2017 to present”. The attack caused a massive outage which brought down IT systems, impacting reservation, hotel room door lock and point of sale systems. The dark web post made by Daixin does not contain a lot of information about the attack but did post proof of claims which included screenshots of a database dump of 3,539,089 records including sensitive information.
- Global fashion brand Benetton Group was added to Hunters International leak site in early April, with the threat actors claiming to have exfiltrated a total of 433.7GB of data during the attack. A section of the posting stated that the stolen data contained ten files of client data, totalling 33.8MB. Hunters did not post a sample of data or any further information such as a ransom demand. Benetton Group are yet to publicly address the ransomware group’s claims.
- UAE based Seven Seas Technologies allegedly fell victim to a ransomware attack orchestrated by Rhysida. The ransomware gang posted the IT services provider on its leak site, alongside screenshots of passports, maintenance contracts and other confidential information. The organization has not confirmed claims made by Rhysida and further information regarding this attack remains limited.
- It was announced that the island of Palau was targeted by two ransomware groups at the same time. Employees clocking in for the day found two ransom notes, one on a printer from LockBit and one from DragonForce which was found on computers alongside encrypted files. The attack encrypted a financial management information system that mostly contained public data. Some files had names, phone numbers and Palauan Social Security numbers. According to the CISO of Palau’s Ministry of Defense, both links provided to initiate negotiations were dead, making it impossible for the country to open conversations with either cybercriminal group. Neither group has posted the victim on its dark web site.
- A cyberattack on the Department of Science and Technology (DOST) in the Philippines was responsible for the defacement of at least three of the department’s websites. 20 DOST systems were impacted during the incident, and it is believed that at least 3TB of information was compromised. There is an ongoing investigation to determine the damage caused by the attack. Details of the ransomware group behind the attack or the ransom are unknown.
- It has been revealed that a 2023 ransomware attack on Keenan and Associates compromised information belonging to over 1 million individuals. An investigation confirmed that an unauthorized party had gained access to the insurance firm’s network over a six-day period. Compromised information was said to contain names, DOBs, SSNs, passport numbers and health insurance data alongside other sensitive information. It is not clear who was responsible for the attack.
- An investigation was launched by the Delhi Police after ransomware group KillSec claimed to have breached the traffic police website. The threat actors gained access to the site and gained the ability to manipulate pending challan statuses to “paid”. It was reported that KillSec offered individuals the opportunity to change their challan status simply by providing ticket reference numbers. The ransomware group also claimed to have breached the police website, exfiltrating 4GB of data.
- Ransomware has been blamed for a week-long outage and IT problems at Panera Bread. The restaurant chain saw the cyberattack impact its internal systems including phone, POS, website and mobile apps. Sources suggested that threat actors encrypted many of the company’s virtual machines, preventing access to data and applications. The group behind the attack remains unknown.
- Arizona-based On Q Financial announced that 211,650 clients had been impacted by a March ransomware attack. Although the company promptly patched a ScreenConnect software vulnerability, threat actors were able to gain access to and exfiltrate clients’ personal data. BianLian claimed the attack, posting that it had acquired 1TB of data during the incident. Compromised data included technical data, financial documents, contracts and other confidential files. As proof of claims, BianLian leaked some files including individuals’ tax forms and an Excel file containing PII of clients.
- DragonForce ransomware gang claimed Aussizz Group as a victim, claiming to have exfiltrated 278.91GB of data. The ransomware group did not reveal what type of data was stolen but did give Aussizz a deadline to meet undisclosed demands. The Australia-based global immigration and education consultancy firm has not made a statement in relation to the attack.
- Norwegian aluminium producer Norsk Hydro dealt with financial losses exceeding $40 million following a cyberattack which disrupted critical segments of its operations. A ransomware attack struck the company in March, forcing them to suspend certain production activities, with one of its primary production units encountering significant difficulties. Further details on the attack remain vague.
- A ransomware attack forced class cancellations and limited access to critical staff systems at New Mexico Highlands University (NMHU). An external cybersecurity firm confirmed that the network outage had been a result of a ransomware attack. The FBI and several state law enforcement agencies are involved in the response and investigation.
- Non-profit healthcare service provider Group Health Cooperative of South Central Wisconsin (GHC-SCW) revealed that a ransomware gang breached its network in January, stealing the confidential documents of over 500,000 individuals. Threat actors known as BlackSuit gained unauthorized access to the organization’s network, with the IT department quickly isolating and securing the network.
- GBI Genios, a database company in Germany, announced that a cybersecurity incident rendered its servers unavailable. The database provider told its users that the outage would last several days following the attack. Further information relating to this attack is not currently available.
- The Hunters International ransomware gang claimed T A Khoury & Co as a victim, claiming to have stolen 63.7GB of data. Although specifics of the compromised data are unknown, Hunters added 2 files into its dark web post named “Client Files” and “Financial Data.” The Sydney-based accounting firm has not yet issued a statement, but sources reported that the firm’s website was inaccessible for some time.
- McAlvain Companies confirmed that a data breach led to confidential human resources info being leaked by threat actors. The notification letter sent to impacted individuals stated that an unauthorized third party compromised MCI’s computer system and that an investigation is currently ongoing. Cactus took credit for this attack, claiming to have exfiltrated around 175GB of information. It is not clear how attackers infiltrated the systems, what type of data was compromised, or whether a ransom was demanded.
- BlackSuit was behind an attack on East Central University in Oklahoma, during which a significant amount of student information was stolen. The school released multiple advisories saying that the attack was largely unsuccessful, only taking down a few campus computers. Investigations determined that a number of individuals’ names and SSNs were accessible to the cybercriminal group.
- The Epilepsy Foundation of Metropolitan New York (EFMNY) was targeted by a ransomware attack which impacted a part of its network environment, leaving certain systems encrypted. The breach letter revealed that the attack resulted in “unauthorized access and/or acquisition of certain files within the network”. Data involved in the attack included PII and PHI belonging to patients, although investigations revealed that its electronic health record database was not affected.
- Hoya Corporation fell victim to a cyberattack impacting production and order processing, with several of its business divisions experiencing IT outages. Hunters International claimed the attack, allegedly stealing 1.74 million files amounting to 2TB of data. The group demanded a $10 million ransom to release the data.
- Nijmegen chipmaker Nexperia was hit with a ransomware attack during which hackers stole hundreds of gigabytes of sensitive information. Threat actors gained access to hundreds of folders containing customer data and published dozens of confidential documents on the dark web as proof of claims. Dunghill ransomware gang took responsibility for the attack.
- NorthBay Health suffered a systemwide cyberattack which led to the healthcare provider’s website being inaccessible. Upon detecting the incident, an investigation was launched, with teams working diligently to restore impacted systems. Newly emerged ransomware group Embargo claimed the attack, posting NorthBay Health on its dark web site. The posting did not contain detailed information about the attack, and it is not known if data was exfiltrated during the incident.
- Hernando County Government experienced an interruption of its county-wide IT network as a result of a ransomware attack. The county immediately launched an investigation to determine the nature and scope of the incident. Rhysida ransomware group took credit for the attack, giving the county 7 days to pay the $2,445,000 ransom demand. A number of screenshots were added to the dark web post as proof of claims.
- The Handala threat group claimed an attack on digital media group 99Digital, exfiltrating 5.2 TB of sensitive client conversations and sending over 500,000 threatening text messages to individuals.
- US wheelchair manufacturer Numotion notified 4,190 individuals of a data breach which took place following a Black Basta ransomware attack. Investigations confirmed that an unknown threat actor had accessed the company’s computer systems, encrypting and exfiltrating files. Black Basta claimed the attack but did not reveal any information about the nature of the data compromised or if a ransom has been demanded.
- Medusa caused chaos for Traverse City Area Public Schools when a cyberattack forced the school to take networks offline and cancel classes for a number of days. The ransomware attack impacted the functionality and access to certain systems within the school’s network. Medusa claimed to have stolen 1.2TB of undisclosed data, demanding a $500,000 ransom to stop the data from being leaked.
- The International Trade Commission of South Africa is warning its employees and trade partners of a data breach that occurred following a cyberattack in January 2024. The incident locked employees out of systems and encrypted files, forcing the ITAC to shut down systems. Despite efforts, private information belonging to employees, service providers and importers was among the documents accessed by threat actors. It is still not clear who was behind the attack.
- Solano County Library in California saw computer services, phone lines and WiFi systems down across all 6 of its locations following a ransomware attack. Public internet access and the library’s internal record systems were also impacted by the incident. Medusa claimed the attack, stating that it had stolen 85.02GB of data and posting a ransom demand of $100,000.
- The bill drafting system at the New York Bill Drafting Commission was brought down by a cyber incident in mid-April. The commission was forced to revert to an antiquated system that had been in place since 1994. A spokesperson suggested that the restoration of the system may take some time due to the amount of data held in the computers. Play ransomware gang took credit for the attack, claiming to have exfiltrated an unknown amount of confidential documents. It is not known whether a ransom has been demanded at this time.
- Personally identifiable information of past and current personnel from the United Nations Development Programme was stolen during a ransomware attack, while procurement information relating to some suppliers and contractors was also compromised. 8Base claimed the attack, stating that an undisclosed amount of data had been exfiltrated. Although it is not known if a ransom was demanded, a spokesperson from the UNDP stated that they “do not engage with threat actors” and that “no ransom has or will be paid.”
- LockBit was responsible for an attack on Australian outsourcing provider OracleCMS. Compromised data included corporate records, contracts, invoices and operational workflows. A proof pack containing seven documents was posted as proof of claims. According to OracleCMS, all attempts to negotiate with the notorious ransomware group were unsuccessful.
- A cyberattack forced the Atlantic States Marine Fisheries Commission (ASMFC) to create a temporary email address and provide a phone number for individuals to contact for information. 8Base claimed the attack, giving the ASMFC four days to pay an undisclosed ransom. The ransomware group claimed to have exfiltrated data including invoices, personal data and contracts.
- US healthcare provider Cherry Health has informed individuals of a “recent data security incident” which took place in December 2023. 185,000 patients were impacted by the ransomware attack. Data including PII and PHI was compromised as a result of the incident. It is not yet known who is behind the attack nor if a ransom was demanded in exchange for the data.
- In Tennessee, Lee University began an investigation into a “potential security incident,” managing to contain the suspected incident quickly. Evidence of the attack was visible as several of the school’s websites remained down for some time. Medusa took credit for the attack, claiming to have exfiltrated 387.5GB of data. Although the nature of the data remains unknown, the group is demanding $1 million in exchange for not leaking the information. Lee University has not directly addressed these claims made by Medusa.
- Bağcılar Training and Research Hospital in Istanbul suffered a cyberattack which heavily damaged the visual archive and communications system in the hospital. Confidential medical records including X-rays and test results from as far back as 2007 have been leaked. It has also been reported that the unnamed threat actors have demanded a ransom of $200,000.
- Swiss plasma donation company Octapharma Plasma was forced to shut some of its 180 centers as a ransomware attack disrupted parts of the company’s operations. The organization noticed unauthorized network activity, quickly launching an investigation to understand the impact of the incident. BlackSuit took credit for the attack, claiming to have exfiltrated business and laboratory data belonging to both living and deceased donors.
- Malaysian Industrial Development Finance fell victim to a cybersecurity incident claimed by Rhysida. Upon discovering the incident, immediate corrective action was taken to minimize the potential impact on the organization. Rhysida posted MIDF on its leak site, giving extremely limited information about the attack and not disclosing a ransom demand. The ransomware group did post a number of documents, including screenshots of passports, as proof of claims.
- Hong Kong’s Union Hospital was subjected to a ransomware attack allegedly orchestrated by LockBit in early April. The hospital suffered operational disruptions and activated an emergency response system to contain the threat. LockBit reportedly encrypted a significant number of files including lab reports, warning the hospital not to alter or delete any of the encrypted files. The notorious ransomware gang is demanding $10 million in exchange for not leaking the stolen data. According to the hospital, it appears that no patient data has been leaked as a result of the attack.
- In December 2023, Hunters International claimed Blackstone Valley Community Health Center as a victim, dumping 16.6GB of stolen data, but the healthcare provider did not confirm details of the attack until this month. An investigation, which only concluded in March 2024, revealed that data had in fact been exfiltrated during the attack. It has since been revealed that 34,518 individuals were impacted by the incident.
- Kisco Senior Living experienced a major cybersecurity incident in June 2023, causing substantial network disruption. In April this year it was revealed that an investigation into the incident determined that data including personal identifiers and SSNs belonging to 26,663 individuals had been compromised. BlackByte claimed the attack last year, posting screenshots of documents as proof of claims.
- Medusa allegedly hacked long-standing family-owned music store Ted Brown Music in Washington State. The ransomware gang posted the store on its leak site, claiming to have stolen 29.4GB of unknown data. A ransom demand of $300,000 was also set to either download or delete all stolen data, with the group setting a 7-day deadline. Ted Brown Music are yet to publicly address Medusa’s claims.
- Science and technology museum The Tech Interactive announced “technical issues” which were reportedly connected to a ransomware attack. 8Base added the museum to its leak site, citing that it had stolen “a huge amount of confidential information” alongside account details, employment contracts and invoices. The Tech Interactive was given seven days to pay the undisclosed ransom before all data is leaked.
- Newly emerged Red ransomware group claimed global mobile accessories manufacturer Targus as one of its first victims this month. This claim comes shortly after Targus’ parent company B. Riley Financial announced a cyberattack which prompted the immediate shutdown of some systems and caused operational disruption. It is not known if Red’s claim relates to this attack. Information on this attack remains limited, with Red’s dark web posting lacking details.
- Washington DC’s Department of Insurance, Securities and Banking revealed that 800GB of data belonging to them had been obtained through a cybersecurity attack on Tyler Technologies. The third-party software provider confirmed that an isolated portion of its cloud hosting environment had been compromised, allowing the exfiltration of data. It also confirmed that threat actors had encrypted its systems. LockBit took credit for the attack.
- Synlab Italia suspended all medical diagnostic and testing services as a ransomware attack forced the company to take all IT systems offline. Upon discovering the incident, the IT department proceeded to exclude the entire corporate infrastructure from the network and to shut down all the machines in compliance with the company’s IT security procedures. It is believed that some sensitive information may have been accessed during the attack. At this time, no ransomware group has stepped forward to take responsibility.
- A statement on the Optometric Physicians of Middle Tennessee’s website confirmed that it has suffered a cyberattack. The statement revealed that cybercriminals had gained unauthorized access to a server on the OPMT’s computer network and managed to steal certain files including patient identifying information. BianLian has claimed the attack, allegedly stealing 1.5TB of information. According to the group’s dark web post, compromised data includes financial data, HR information, patient PII and biometric data along with a number of other files.
- In the UK, Carpetright experienced a data security incident which disrupted phone lines and forced the company to take all systems offline. Relevant law enforcement was notified and an investigation into the nature and scope of the attack is ongoing. A spokesperson claimed that the malware virus was contained before hackers could exfiltrate any data from internal networks. At this time, it is believed that no customer data has been compromised.
- Systembolaget, Sweden’s sole liquor retailer, feared supply issues following a cyberattack on logistics company Skanlog. A spokesperson from the logistics company stated that it had been centrally attacked by cybercriminals which caused its entire system to be down. Although a ransomware group has not yet claimed the attack, the company itself believes the hackers to be of North Korean origin.
- RansomHouse claimed Spain’s Lopesan Hotels as a victim this month, following an attack in March. According to the cybercriminal gang, files were encrypted during the incident, while 650GB of data was exfiltrated. Lopesan Hotels are yet to publicly acknowledge the claims.
- It was revealed this month that a November 2023 cyberattack on medical technology firm LivaNova resulted in a data breach. An investigation was launched after discovering the unauthorized access, but it was not until recently that the organization discovered that personal information had been compromised. The information varies for each individual, but it is mostly categorized as PII and PHI. LockBit claimed the attack in December, stating that it had stolen 2.2TB of data and would release it if demands were not met. It is not clear at this time if LockBit did in fact leak the data.
- Hunters International added SSS Australia to its victim list, dumping almost 70GB of data belonging to the healthcare product supplier on the dark web. Most of the almost 60,000 individual files contained historical data, but some did contain documents relating to customers in general healthcare, aged care, hospitals or specialist healthcare settings. SSS confirmed that it had fallen victim to a cyberattack over the Easter weekend.
- Australian property valuation service Herron Todd White was allegedly hacked by BlackSuit ransomware. The group claimed to have exfiltrated a number of files including 279GB of paperwork, 20GB of customer and transaction databases and 3.3GB containing a “list of documents of great value.” No further information relating to this attack has been made public.
May
For the first time this year we saw the monthly total of disclosed attacks fall below the previous year’s figure, if only by one incident! By contrast, however, we saw the number of unreported attacks skyrocket and reach the highest level we’ve ever recorded. May saw 65 attacks make news, including Panda Group, the largest Chinese fast food chain in the US, Indian food production company DoubleHorse and Canadian retailer London Drugs, which was forced to close 80 stores after an attack by LockBit. Keep reading to see who else made the list during the month.
- At the start of May, Qilin ransomware gang claimed The Watergate Hotel in Washington as a victim, following an alleged attack in April. A dark web post from the group shared ‘proof of hack’ screenshots but did not share how much data had been exfiltrated. Screenshots included passport scans, several personal tax exemption cards, a driver’s license, NDAs, and invoices. The hotel has not yet publicly addressed Qilin’s claims.
- Chicago-based Skender Construction fell victim to a ransomware attack which impacted 1,067 individuals. Upon discovering the attack which took place in March, the contractor engaged with experts to restore its systems from backup. Information stolen during the incident included names, addresses, DOBs and SSNs alongside direct deposits, drivers’ licenses, passports and potentially health information. Underground ransomware group took credit for the attack claiming to have stolen over 651GB of data.
- Panda Restaurant Group disclosed a data breach after hackers compromised its corporate systems in March this year. The largest Chinese fast food chain in the US stated that the incident affected some of its corporate systems but left in-store systems, operations and guest experience unaffected. The data impacted is said to include only current and former employee information. It has not yet been announced how many individuals have been impacted by the data breach.
- Irish homelessness charity Extern announced that it had suffered a ransomware attack in mid-April, during which data was stolen and published on the dark web. The charity reported the breach to local police who began an investigation. Extern confirmed that the Police Service of Northern Ireland Cyber Security Unit was able to remove the stolen data from the dark web but did not mention if a ransom had been demanded. It is not clear who was behind this attack.
- Australian mortgage lender Firstmac was targeted by Embargo ransomware group, who leaked stolen information mere days after the initial attack. In a statement the company said that it had become aware of an unauthorized third party breaching one of its internal databases and gaining access to sensitive information. The new ransomware group is said to have leaked over 500GB of information including sensitive customer data such as PII and bank details.
- An April ransomware attack orchestrated by Akira targeted law firm Shook, Lin & Bok, with hackers demanding a hefty ransom of $2 million. The incident was discovered in early April, with the law firm engaging a cybersecurity team who were able to contain the attack. A statement also said that there was no evidence that the firm’s core document management systems, which contain client data, were affected. Reports suggest that, following negotiations, a ransom of $1.4 million in BTC was paid to Akira.
- LockBit published confidential data stolen from Simone Veil Hospital in Cannes following an attack in mid-April. The hospital did not disclose what impact or disruption the initial incident had on patient care, but reports suggest that some non-emergency surgeries were cancelled, and some staff were forced to revert to pen and paper. The extortion demand was not disclosed but a statement was made confirming that “public health establishments never pay ransom.” LockBit claimed to have exfiltrated 61.7GB of data from the hospital’s network.
- US-based Hooker Furniture was allegedly attacked by LockBit, with the group claiming to have exfiltrated customer and company data. The dark web post published by the group did not detail how much data was stolen or what the exact nature of the compromised information was. At this time, Hooker Furniture is yet to publicly address these LockBit claims.
- INC ransomware gang targeted the US-Saudi Arabian Business Council, a non-profit organization connecting businesses in the two countries. Several documents including invoices, files referencing companies, insurance documents, expense reports and a number of passports were added as proof of claims. The group claims to have exfiltrated 200GB of data, of which some has already been leaked. Documents pertaining to current and former employees of the council, along with data belonging to some high-profile companies, are among the data that has been impacted.
- LockBit also claimed Deutsche Telekom as a victim this month, but a spokesperson from the company stated that the claims are hearsay. The company did not mention evidence of a cyberattack. The dark web posting made by the group did not give any details on the attack, only noting information about the company itself.
- A ransomware attack forced the City of Wichita in Kansas to shut down portions of its network to prevent the spread of the attack. Hackers encrypted the City’s IT systems during the incident. Online payment systems used by the city were among those services that were impacted. First responders were switched to business continuity measures where appropriate to continue to provide their services. LockBit later claimed the attack but did not disclose any further details.
- Operations of several university services were impacted following a ransomware attack on the University of Siena. The attack resulted in the shutdown of its international admissions website, ticketing services and payment management platforms. LockBit took credit for the attack, claiming to have stolen 500GB of data from the educational institution. Compromised information was said to include board-approved project and tender financing documents, expenses, NDAs and a contractor investment plan.
- Kansas City’s traffic management system, KC Scout, was hit by a cyberattack in April which caused disruption to the company’s website, traffic cameras and message boards. Play ransomware group claimed the attack, stating that it had stolen an undisclosed amount of data containing personal confidential data, client documents, payroll, accounting, contracts and IDs. Although KC Scout acknowledged a cyberattack, it has not yet responded to Play’s claims.
- Medusa demanded $2 million in ransom from international headhunting firm Boyden. The gang claimed to have stolen 73.9GB of data, giving Boyden eight days to pay the ransom demand. At this time, Boyden has not publicly addressed these claims.
- Philadelphia-based real estate company Brandywine Realty Trust fell victim to a ransomware attack which disrupted some of its business applications. During the attack, file-encrypting ransomware was used on a section of its internal corporate systems. Upon discovering the unauthorized access, an investigation involving external cybersecurity experts was launched. The company stated that there is evidence that the hackers exfiltrated data from certain files on the compromised systems. No ransomware group has yet taken credit for the attack.
- Electric Mirror LLC notified a number of victims that their data had been compromised during a ransomware attack in March this year. It is not clear how many people were impacted nor what impact the attack had on the company’s operations. INC ransomware gang claimed responsibility, adding a number of screenshots as proof of claims. The stolen data was said to include PII, financial account numbers, health insurance policy details and electronic signatures.
- BlackSuit added Nigeria’s largest EPCC company, Nestoil, to its dark web site. Although it named the organization, there are no other details of the attack included in the post. Nestoil are yet to address the claims made by BlackSuit.
- Concord Public Schools and the Concord-Carlisle Regional School District in Massachusetts were hit by a ransomware attack, causing the schools to operate without wireless access and causing some disruption for certain district services. It is not clear what files were accessed by hackers, but some employees have reported data breaches. No ransomware gang has yet claimed the attack.
- A significant cyberattack impacted 11 out of 14 servers and caused disruption for many departments in the Regional Cancer Center in India. Although the attack was credited to Daixin Team, there were allegations that Korean-based cybercriminals infiltrated a data source in the RCC and stole 800,000 patients’ information, demanding a ransom of $100 million.
- NRS Health, a manufacturer of independent living aids, was targeted by a ransomware attack that forced the organization to take phone lines, email and websites offline. The March attack was claimed by Ransomhub, who allegedly exfiltrated 600,000 private documents including accounting information, financial reports and contracts. According to the group’s dark web post, all offices in the UK were targeted and attacked, with the total data exfiltrated amounting to 578GB.
- The Administration of the Port of São Francisco do Sul in Brazil posted a note on its website to state that it resumed operations less than 24 hours after a cyberattack. To prevent the spread of the attack, systems were temporarily disabled. Ransomware gang Ransomhub claimed the attack, stating to have compromised 880,000 sensitive documents, with the breach totalling 548.72GB.
- Lactanet fell victim to a ransomware attack in mid-April but suffered only limited damage, avoiding more permanent system damage. Hackers used compromised credentials to access the network through a VPN. Only vague details on the attack are available at this time.
- Mouse cursors were moving remotely, and files opened on screens when staff logged on to computers at Brockington College in the UK, alerting them to a cyberattack. With systems offline, employees had to revert back to pen and paper to complete certain tasks. LockBit added the educational institution to its leak site, with the post including seven screenshots as proof of claims.
- An investigation has been launched into a recent data breach at Lewis Brothers Bakeries in Indiana. The organization discovered that certain files on its servers had been encrypted and launched an investigation into the nature and scope of the activity. It has been revealed that some files were copied and taken from the network during the incident. Medusa claimed the attack, stealing 115.92GB of data. The group demanded a $1 million ransom in exchange for deleting the files.
- The attack on Ascension has made headlines for the past few weeks, with 150 hospitals and senior care centers struggling to provide care. The attack forced the shutdown of hospital systems including MyChart electronic health records system, alongside phone systems. Business partners were also advised to disconnect from systems immediately. According to reports, Black Basta was behind the incident.
- Over 8,000 students were impacted by an attack on the Hong Kong College of Technology. The attack which took place in February saw the college’s IT network and file server hacked. RansomHouse were responsible for the attack, claiming to have exfiltrated 450GB of data. The dark web posting also claimed that the systems were encrypted by the ransomware gang.
- The Bureau of Standards Jamaica (BSJ) was hit by a cyberattack which affected some aspects of its service delivery. BSJ are still working to “normalise” its operations following the attack in February. Reports claim that the organization has already spent $231,900 in procuring the services of companies to recover and secure its ICT infrastructure.
- Details from a cyberattack which hit the Tea Group in Italy in April have now become available on the dark web. Compromised systems were isolated in an attempt to contain the attack. Black Basta claimed the incident, confirming that it has stolen information from the company’s databases including personal data belonging to customers. The group also published some of the documents on the dark web as proof of claims.
- Travelite Holdings announced that it had suffered a cyberattack and that hackers were demanding a $250,000 ransom in exchange for stolen data. The attack impacted the company’s IT servers which contained sensitive company, employee and customer information. An investigation has been launched and involves IT and legal experts. It is not clear which ransomware group was behind the attack.
- 8Base claimed to have hacked the Service Public Wallonie (SPW) when in fact they had exfiltrated data belonging to the Walloon Federation of Agriculture (FWA). The FWA confirmed its involvement in a cyberattack, stating that it is working with a specialized team to investigate the nature and scope of the incident. According to reports, around 100GB of information was exfiltrated including mailing lists, contracts, accounting documents and personal data.
- Agricultural machinery specialists LEMKEN saw all of its locations worldwide impacted by a ransomware attack this month. Upon discovery of unauthorized activities, all IT systems were shut down and external specialists were called in to launch an investigation. Production operations were halted and all employees in office locations were told to work remotely. 8Base claimed responsibility for the attack but it is not clear how much data was compromised.
- Employees came into Rockford Public Schools to find technology across the district down and ransom notes across printers in multiple buildings. A ransomware attack forced computers, internet services and hard phone lines offline. The ransom note stated that all data had been stolen and systems encrypted. If the ransom was paid, the unknown hackers claimed that a decryption key would be provided.
- Indian food production company DoubleHorse was the victim of a LockBit ransomware attack. The hackers added proof of claims to its dark web site including screenshots of bank account details and invoices. The company has not yet responded to the incident or claims.
- Garment production company V-Star also fell victim to a LockBit ransomware attack on its attendance system. The ransomware group posted screenshots of supply details, content from computer devices and drivers’ licenses as proof of claims. The company confirmed it had suffered a cyberattack but stated that operations remained unaffected due to using a cloud-based system.
- Medusa claimed technology company Chemring Group as a victim, posting a large ransom demand in exchange for the deletion of stolen data. The group claimed to have exfiltrated 186.78 GB of information including confidential documents, databases and design files, demanding $3.5 million for its deletion. The organization responded to the claims stating that an investigation had been launched but that no evidence of compromise had been found and no ransom demand had been received. The statement went on to say that the victim is believed to be a company formerly owned by Chemring that is no longer associated with it.
- Fiskars Group confirmed that a cybersecurity incident had impacted a number of the company’s systems in the US. The company, headquartered in Finland, stated that the attack did not impact operations and business was continuing as usual. Akira took credit for the attack, claiming to have exfiltrated 2TB of “sensitive documents.” It is not known if a ransom was demanded in exchange for the information.
- In New Jersey, the Township of Union School District confirmed that a cyberattack resulted in significant network disruption. The school district was forced to take critical systems offline, bringing in external IT consultants to examine the incident. LockBit added the district to its leak site alongside seven screenshots as proof of claims. The group gave a deadline of June 2nd to pay the undisclosed ransom amount. At this time, it is not clear what data has been compromised.
- In Kansas, Ewing Marion Kauffman School was forced to close its doors on May 3rd, citing technical issues as the reason school was cancelled for the day. It was later confirmed that a ransomware attack was the cause of the disruption, with LockBit claiming the school as a victim. The notorious ransomware group has already leaked some documents which the school is reviewing but has also added four documents to its dark web site as proof of claims. The school is working with law enforcement to assess the fallout from the attack.
- A large-scale ransomware attack targeted Australian private health organization MediSecure this month. The National Cyber Security Coordinator made a statement about the attack but could only share limited details due to the ongoing investigation. At this time no other information relating to the attack is publicly available and no ransomware group has yet claimed the attack.
- Hunters International ransomware group added Formosa Plastics to its dark web site this month. The group claims to have exfiltrated 1.2TB of data including information on lawsuits and previous cyberattacks. There is very limited information available about this attack and Formosa is yet to publicly address these claims.
- No patron information was compromised as a result of a cyberattack on John R Wood Christie’s International Real Estate. The organization described the event as an “internal security event” and stated that it is confident that no customer data was impacted. The ransomware gang that claimed the attack says it stole 1TB of information and has demanded a £2 million ransom in exchange for the data.
- On May 13th it was disclosed that New Boston Dental has been impacted by a cyberattack orchestrated by 8Base. Compromised data included invoices, receipts, accounting records, certificates, employment contracts and confidential information. A link to download the stolen information is now available on the group’s dark web site.
- A cyberattack targeting London Drugs led to the closing of 80 stores in late April. The company acknowledged that corporate head office files, some of which may have included employee information, were compromised during the incident. LockBit claimed the attack and demanded a $25 million ransom. Although the company maintained that it was not paying the ransom demand, the post relating to the attack disappeared from LockBit’s dark web site, leading some to believe that London Drugs may have negotiated and made some sort of ransom payment.
- Trego County Lemke Memorial Hospital in Kansas suffered computer network disruption following a “sophisticated attack”. Upon discovering the incident, the hospital activated its incident response plan and launched an investigation into the event. Reports suggest that the hospital and external IT experts are still determining the full scope of the impact of the attack but have no reason to believe that PII and PHI was compromised during the incident.
- The City of Richland in Washington disclosed that it had experienced a “data security incident” which impacted servers and systems at city hall and at the local emergency services. It was also suggested that personal information may have been compromised. Systems were taken offline while an investigation was carried out. INC ransomware gang claimed the attack, adding seven screenshots to its dark web post as proof of claims.
- Major U.S. oil and fuel distributor Atlas Oil was added to Black Basta’s victim list this month, with the threat actors claiming to have exfiltrated 730GB of data. Stolen data included finance, accounts, HR and department data, alongside user and employee details. Black Basta has already exposed payroll payment requests, data sheets and ID cards. Atlas Oil is yet to confirm these claims.
- RansomHouse added Australian printing company Advance Press to its dark web site, threatening to leak stolen information to a third party. The group has allegedly stolen 300GB of information from the organization. Samples posted by the hackers contained files dating from 2010 to 2024. Employment contracts, resumes, insurance documents, expenses, budgets and profit and loss margins were among the files exposed.
- Texas Panhandle Centers discovered that there was unauthorized access to computer systems and exposure of PII and PHI of 16,394 patients. The infiltration is believed to have happened in October 2023. Among the information stolen was patient names, DOBs and diagnosis information. The organization does not believe that there has been any misuse of the data. It is not known who is behind this attack.
- Texas ophthalmology practice Victoria Surgery Center was the victim of a cyber incident that resulted in the encryption of files, making some computer systems inaccessible. It was discovered that the PII and PHI of 80,122 individuals was impacted by this attack. It is not clear who is responsible for this incident.
- In Canada, First Nations Health Authority detected a cyber incident on May 13th. FNHA was able to intercept the unauthorized entity that had gained access to its corporate network. No servers or systems were encrypted as a result of the attack. An investigation uncovered evidence that certain employee information was accessed. The INC ransom gang claimed the attack, adding a number of screenshots as proof of claims.
- RansomHouse claimed the United Urology Group as a victim, allegedly stealing 300GB of data and encrypting its systems. According to the dark web post, the group claims to have multiple types of files in its possession including 10,000 personal records including diagnostic data records, SSNs and radiology reports. The proof of claims included many files containing personal health information.
- Jumbo Group, the Singapore seafood restaurant company, confirmed that it suffered a cyberattack but did not disclose the date when the incident took place. The organization took immediate action to identify, contain and address the incident, while notifying the relevant authorities. Investigations are still ongoing but preliminary findings suggest that there is no evidence of data exfiltration. The incident had no notable impact on Jumbo Group’s operations.
- Personally identifiable information of patients and employees was compromised during an incident involving Affiliated Dermatologists. Hackers accessed systems and left a ransom note on the company’s network. When the incident was discovered, access to its network was disconnected and cybersecurity specialists were brought in to investigate the incident. It is believed that 370,000 individuals were impacted by the attack. Compromised information includes names, DOBs, addresses, passports, medical treatment info and health insurance claims. BianLian took credit for the attack back in March.
- Startosty County in Poland suffered a cyberattack, with the full scale of the incident not yet known. Information on selected workstations, the electronic document circulation system, the ePUAP system, and the land and building register has been impacted. The Play ransomware gang claimed responsibility for the incident.
- Famous auction house Christie’s was targeted by a cyberattack mere days before its marquee spring sale. Hackers gained access to parts of the network, exfiltrating a limited amount of data relating to some patrons. Christie’s disclosed that no financial or transactional information had been compromised. Ransomhub claimed the attack, adding a number of screenshots as proof of claims. The undisclosed ransom was not paid, with the hackers saying that communication broke down mid-way through negotiations.
- Dutch bank ABN AMRO is warning customers that their personal details may be at risk after a ransomware attack at marketing agency AddComm, one of its suppliers. ABN AMRO reported the data breach to the Dutch Data Protection Authority and regulators, while AddComm is preparing to file a police report.
- CDEK, one of Russia’s largest delivery companies, recently experienced disruption due to an attack by a little-known Russian-speaking gang called Head Mare, which claimed to have encrypted the company’s servers and destroyed its backups. CDEK has not yet attributed the technical disruption to a cyberattack, but an anonymous source within the company disclosed to a Russian media outlet that the incident was caused by a ransomware attack.
- Kulicke and Soffa Industries confirmed that it had experienced unauthorized access attempts this month. Investigations are yet to reveal whether any data was stolen, but the company does not expect the incident to significantly impact its third fiscal quarter performance. LockBit claimed the attack, stating that it stole 20TB of data comprising 12 million files. The threat actors noted in their dark web post that they have “collected everything”.
- Ransomhub also claimed American Clinical Solutions (ACS) as a victim following an attack in mid-May. The group claimed to have stolen data belonging to 500,000 individuals who had samples tested for prescription or narcotic drugs. Files were also encrypted and approximately 35GB of medical data was accessed. The deadline given to pay the undisclosed ransom has elapsed, but only 67.2MB of data has been published on the leak site.
- In Spain, Ayesa was added to Black Basta’s victim list this month, with the group claiming to have exfiltrated 4.5TB of data. The information is said to include company data, employee data, and project and CAD files. IDs and file trees were among the documents shared as proof of claims. Ayesa has not yet publicly addressed the incident.
- Memorial Day weekend saw Seattle Public Library make news when they were hit by ransomware, shutting down services across 27 branches. Impacted services included the wireless network, online catalogue and computers. At this time there is limited information about this attack available and no ransomware gang has yet taken responsibility.
- All forms of communication were unavailable following a cyber incident at Center Line Public Schools. The school was forced to close for one day while systems were repaired. WiFi and educational software was also impacted by the attack. At the moment, there is no evidence that any personal information was stolen and no one has yet taken credit for the attack.
- Telecommunication equipment supplier Allied Telesis was hit by a LockBit ransomware attack, with sensitive information allegedly stolen. Confidential project details dating back to 2005, passport information and various product specifications is among the data claimed to have been exfiltrated. Proof of claims was posted by the group including blueprints, passport details and confidential agreements. Allied Telesis has been given until June 3rd to pay an undisclosed ransom amount.
- According to a post on BreachForums, ShinyHunters claimed to have stolen data relating to 560 million Ticketmaster Entertainment LLC customers. The compromised information is said to include names, addresses, emails, phone numbers, ticket sale information, event information and order details. ShinyHunters also claim to have credit card details, but these only include the last 4 digits of the card numbers and the expiration dates. The database is up for sale for $500,000. Ticketmaster is yet to address these claims and it is not clear if this information is new or related to previous breaches.
- Newfoundland Broadcasting Company has stated that a recent cyberattack did not impact on-air operations at NTV nor its radio station. The organization revealed that threat actors had accessed part of its systems and they are working alongside law enforcement to understand how information was obtained and what information has been exposed. Play claimed the attack, allegedly stealing private data including budget and payroll information along with client documents from NTV.
June
We’ve recorded 45 publicly disclosed ransomware attacks in June, making this the quietest month for disclosed ransomware attacks this year. This month saw some big stories make the headlines, including Qilin’s attack on Synnovis causing major disruption to NHS hospitals in London and BlackSuit’s attack on CDK Global, forcing hundreds of car dealerships across North America offline. LockBit was the most active variant, claiming responsibility for 13% of June’s incidents. Healthcare was the most targeted industry with 12 attacks, closely followed by government with 10 attacks.
Check out who else made ransomware headlines this month.
- In Spain, the City Council of San Lorenzo de El Escorial experienced a cyberattack which has since been claimed by LockBit. The notorious ransomware group added the Spanish city council to its leak site, claiming to have exfiltrated 450GB of data. The dark web post does not state what type of data has been stolen but it is believed to include information belonging to residents.
- Billericay School in Essex fell victim to a cyberattack which led to a “critical incident” in early June. The headteacher of the school announced that the IT systems had been compromised and were rendered inaccessible due to complex encryption. In a letter to parents, it was stated that the attack had significantly impacted the ability to operate the school “safely and effectively.” It is not clear who was behind this incident or if any data was stolen.
- The Town of Westlock in Alberta, Canada announced that it had suffered a ransomware attack in January this year which compromised data belonging to 1,633 residents. Upon discovering that personal information was involved, the town “conducted an exhaustive, manual review of the impacted data to identify impacted individuals and the specific types of personal information involved.” It was discovered that individuals and businesses who participated in a pre-authorized payment plan had been affected, along with businesses and employees who used EFT. No ransomware group has yet taken credit for this incident.
- One of this month’s biggest news stories is Qilin’s infiltration of Synnovis’ IT systems. The attack caused major disruption to the delivery of services for the London-based pathology service provider, impacting several NHS hospitals in London. A Qilin representative claimed that Synnovis was compromised through a zero-day vulnerability, a claim that has not been independently verified. The CEO of the UK’s NCSC stated that Qilin is “simply looking for money,” and probably did not know that the attack would cause such serious disruption to primary healthcare. A ransom of $50 million was demanded by the ransomware group. 394.1GB of data belonging to the company has since been leaked, containing confidential patient information including names, DOBs and descriptions of blood tests.
- Vietnam Post, the Vietnamese government-owned postal service, was hit by a ransomware attack on June 4th, affecting the operation of its postal and delivery services. Upon discovery of the incident, all IT systems were disconnected in an attempt to isolate the breach. Government agencies and local cybersecurity experts worked together to contain the incident, safeguard data, and restore systems. Vietnam Post has not disclosed who is behind the attack or if any ransom was demanded.
- Northern Minerals confirmed that it had suffered a ransomware attack which compromised corporate information and employee data. A filing with the Australian Securities Exchange revealed that corporate, financial and operational data was stolen along with certain information belonging to current and former employees and shareholders. The disclosure came after BianLian leaked information belonging to the company on its dark web site.
- Auckland’s oldest surviving department store, Smith & Caughey’s, was given a short deadline to make an undisclosed ransom payment following a LockBit ransomware attack. LockBit did not state how much data was exfiltrated during the incident but did claim to have finance, HR, accounting, management, and IT department data in its possession. No evidence of the attack was included in the dark web posting. Separately, Smith & Caughey’s is due to stop trading in 2025 due to poor business conditions.
- Medusa issued a $200,000 ransom demand to the City of St Helena in California following a ransomware attack in May. The attack shut down the City’s computer systems and library. The City Manager confirmed the attack, stating that external specialists are investigating the scope of the incident and are working to further bolster the network’s security infrastructure. It is not known what information was stolen by the ransomware group, with third-party experts working to identify individuals whose data may have been impacted.
- An alleged attack on the Government of Dubai was claimed by Daixin Team on its dark web site. The ransomware group claims to have exfiltrated 60-80GB of scans and PDF files from the municipality. The gang also noted that the file list, containing 33,712 files, had not been “fully analyzed” or “dumped” onto the leak site. The government is yet to publicly acknowledge these claims.
- It was announced that Frontier Communications detected unauthorized access to an internal network in April this year. As a result, certain systems were shut down causing disruption to operations. An investigation was launched into the nature and scope of the incident. Ransomhub took credit for the attack, claiming to have exfiltrated 5GB of data. Following Ransomhub’s claims, the organization has warned 750,000 customers of a potential breach of their personal information. A class action lawsuit has also been filed against Frontier.
- PruittHealth filed a notice of data breach in late May after discovering that its computer system was the target of a cyberattack. The incident, which took place in November 2023, impacted part of the company’s computer network. An unauthorized party was able to access sensitive information belonging to customers, including names, SSNs, DOBs, contact information, bank account numbers and PHI. PruittHealth did not disclose the name of the hackers responsible.
- Leaders at New Hampshire Public Radio are working with cybersecurity experts to establish the extent of data potentially stolen during a cybersecurity attack earlier this month. The CFO of the company stated that there is no evidence that indicates that its donor database or financial systems were impacted by the breach. He also commented that the scope of the incident was believed to be “very minimal.” Akira has taken credit for the attack, claiming to have stolen 35GB of data.
- Panasonic Australia appeared as a victim on Akira’s leak site this month, with the group taunting the organization with claims that its cybersecurity is not very reliable. The leak site does not contain any evidence of the hack, ransom demands or deadlines. Panasonic Australia acknowledged that it had experienced a security incident but claims that there is no evidence to suggest that a third party accessed any business or personal information.
- BlackBasta ransomware claims to have breached Akdeniz Chemson, a major polymer additive and market-leading PVC stabilizer product company. The group claims to have stolen more than 500GB of data including financial and HR information, issuing a deadline of June 13th for payment of the undisclosed ransom amount. Akdeniz Chemson are yet to publicly address these claims made by the ransomware gang.
- Nidec Group issued a statement on its website announcing that Nidec Instruments Corporation had suffered a ransomware attack in late May. The attack, which was claimed by 8Base, resulted in multiple files in the company’s servers being encrypted. An investigation has been launched but the specific extent of the data breach is yet to be identified. 8Base did not specify how much data it has in its possession, nor did it publicly demand a ransom.
- Special Health Resources (SHR) posted a notice on its Facebook page stating that it was experiencing technical difficulties, with centers only able to see patients who are “actively sick.” The technical difficulties were in fact a result of a BlackSuit ransomware attack. The group provided a file tree as evidence, consisting of 18,829 directories with 253,671 files. The dark web leak site also included a message to suggest that the hackers had not had any communication from SHR.
- Medusa has claimed Radiosurgery New York (RSNY) Oncology Center as a victim this month, allegedly possessing 64GB of data belonging to the healthcare facility. The data is said to have been encrypted as well as exfiltrated. A file tree provided as evidence contains over 44,000 lines of data, most of which contains PHI of patients treated by RSNY. One file included confidential information belonging to 1,800 unique patients. A ransom of $150,000 was set by Medusa. At this time, RSNY has not made a statement regarding the alleged cyberattack.
- Hackers attempted to use ransomware to attack a technology testing environment used by the Toronto District School Board (TDSB). It has been confirmed that the environment is separate from the board’s official network, but immediate steps were still taken to secure and preserve data. Operations were not impacted by the incident. The TDSB is conducting an investigation to determine if any personal data was compromised during the attack. No ransomware group has claimed responsibility for the incident.
- After permanently closing the business, civil law firm Santoro Whitmire was hit by a ransomware attack which encrypted all of its computer systems. The law firm notified law enforcement and moved quickly to contain the incident. An investigation was also launched into the extent of the incident. Accessed documents may have contained personal information, but further details on this attack remain vague.
- The City of Newburgh was forced to shut down its City Hall following a cyberattack earlier this month. Staff were unable to process or accept payments for various city services. IT and other professionals were retained to restore operations as quickly as possible. Emergency services were not impacted at any time by the attack.
- Grand Traverse County decided to take all county and city networks offline following the discovery of network irregularities. The county stated that the priority was safeguarding data and ensuring continuity of essential services. The county continues to work with its partners to investigate the true impact of the incident. City and county government websites were hosted on different servers so were not compromised during the attack. No ransomware group has taken responsibility yet.
- Cleveland City Hall confirmed that some of its systems were shut down following the discovery of a cyberattack. Although it was not confirmed exactly which systems were out of operation, the city stated that all emergency services were still fully functioning. A spokesperson explained that all internal systems and software platforms would be shut down until further notice to allow them to get a “better understanding of the situation.”
- Landmark Admin is being investigated for a data breach that took place in May 2024. Through investigation, the organization determined that an unauthorized third-party had accessed sensitive information. The information potentially impacted includes names, SSNs, passport numbers, financial account numbers, life insurance policy numbers and more. Abyss claimed the attack.
- In Australia, the Victoria Racing Club was named as a victim on Medusa’s darknet site. The club confirmed that it had suffered a cyber incident and was communicating with “employees, members, partners and sponsors” to inform them of the incident. An ongoing investigation revealed that an unauthorized third party accessed its systems. Medusa claims to have more than 100GB of data belonging to the club and is demanding $700,000 in exchange for deleting the data.
- A recent cyberattack on KADOKAWA Corporation has been claimed by the BlackSuit ransomware gang. At the start of June, the company reported that multiple websites were experiencing service outages following a cyberattack. The incident impacted most of the company’s and its subsidiaries’ operations, with information being encrypted by ransomware. BlackSuit claims to have stolen 1.5TB of data including contracts, confidential documents, employee data, business plans, and financial data. A small sample of data was also published.
- Relatively new ransomware group Handala claims to have hacked the computers of kibbutz Ma’agan Michael in northern Israel. 22GB of data stolen during the attack has been dumped online alongside data belonging to 1,400 users. The group also claims to have sent 5,000 warning SMS messages.
- Hunters International has allegedly attacked Legrand CRM, a Sydney-based provider of tailored CRM solutions for SMEs. Legrand CRM stated that it had not been the victim of a ransomware attack, but instead a “small data theft.” The CEO of the company is also questioning discrepancies between Hunters’ claims and his company’s own findings. The company has taken the cyberattack seriously, disconnecting computers from the network and shutting down the compromised server. The company is still determining the extent of the data theft.
- American technology company Keytronic has issued a warning stating that it suffered a data breach in early May. The cyberattack disrupted operations, limiting access to business applications which supported corporate activities. It was also forced to shut down domestic and Mexico operations for two weeks while it responded to the attack. An investigation launched by the company revealed that threat actors stole personal information during the attack. BlackBasta took credit for the attack, leaking 100% of the stolen data just two weeks after the initial incident. The group claims that HR, finance, engineering and corporate data was stolen during the attack, sharing screenshots of employees’ passports and social security cards, presentations, and corporate documents.
- Ransomware group BlackSuit published hundreds of stolen files from the Kansas City, Kansas, Police Department after the agency refused to pay its ransom demands. Screenshots show that the published material included sensitive files, some dating back to 2016. Folder names including “Drone Pics,” “Evidence Room,” and “Finance” can also be seen.
- Hunters International allegedly stole 55.6GB of data from convenience store chain Circle K Atlanta. Screenshots were added to the dark web posting as proof of claims, with the gang claiming to have exfiltrated at least 3GB of employee data. Circle K Atlanta are yet to publicly address these claims.
- A breach of Oahu Transit Services resulted in personal data of TheBus and Handi-Van users being compromised. Websites belonging to both of the named services were down for a number of days following the attack. DragonForce has taken responsibility for the attack, claiming to have 800,000 pieces of data in its possession. The company did not pay the undisclosed ransom demanded.
- US industrial forklift truck manufacturer Crown Equipment confirmed that a cyberattack was responsible for disruption to its manufacturing operations in early June. The attack, resulting from social engineering, led to the takedown of all of the company’s IT systems. Crown launched an investigation to determine the nature of the information affected but has stated that there is no evidence to suggest that employee information was targeted. The company confirmed that it was “hacked by an international cybercriminal organization,” but a ransomware group has yet to come forward and publicly claim the incident.
- Malama I Ke Ola Health Center in Maui was forced to close its doors for two weeks following a cyberattack. LockBit added the health center to its leak site but did not post proof of claims or sample data. A spokesperson did confirm that the center had been impacted by an IT security issue but did not address the claims made by LockBit.
- It has been revealed that Minnesota-based healthcare services provider Consulting Radiologists experienced a data security incident in February this year. After discovering suspicious activity in its internal network, CRL took steps to contain the incident and launched an investigation to determine its nature and scope. It has been confirmed that 511,947 individuals were impacted by the attack, with data including names, addresses, DOBs, SSNs and medical information compromised by the threat actors. In April, LockBit claimed responsibility for the attack, with Qilin later claiming to have 94,667 files totalling 70GB of data in its possession.
- A district-wide email confirmed that Newberg-Dundee School District had been subject to a cyberattack. According to the email, the school district became aware of unusual activity in its computer network and quickly took action to secure the network. Certain systems and data were rendered temporarily inaccessible to staff. It is not clear at this time what, if any, data was compromised during the attack.
- BlackSuit ransomware gang is behind CDK Global’s IT outage and the resulting disruption to car dealerships across North America. The ransomware attack led to the encryption of critical files and systems belonging to the company, forcing the shutdown of all its IT systems. It has been reported that during attempts to recover from the initial attack, a second cyberattack hit the company. BlackSuit initially demanded a $10 million ransom but has since increased the demand to more than $50 million.
- This month LockBit claimed to have hacked the US Federal Reserve; however, this was not the case. It has been confirmed that Evolve Bank & Trust was the actual victim of the attack, which resulted in the compromise of 33TB of data. According to a statement made by Evolve, threat actors released illegally obtained data including PII on the dark web. This information includes names, SSNs, DOBs, account information and/or other personal information.
- Several government services were impacted by a cyberattack on Indonesia’s national data centre earlier this month. The attack caused massive delays at airports and ferry ports as passport verification and immigration systems were among the services impacted. Although the name of a group has not been revealed, reports suggest that a new variant based on LockBit 3.0 was responsible. The threat actors have demanded an $8 million ransom, but it has not been confirmed whether the ransom will be paid.
- South Africa’s National Health Laboratory Service (NHLS) confirmed it was dealing with a ransomware attack which significantly impacted lab results as the country responds to an outbreak of mpox. The hackers deleted sections of the lab’s systems including backup servers, requiring a rebuild of many of the affected systems. Initial investigations suggest that databases holding patient information were not lost or compromised.
- INC ransomware group added Maryhaven addiction and treatment centers to its leak site in mid-June. Maryhaven did not confirm a ransomware attack but did state that some of its systems were offline for some time. INC’s dark web claim includes screenshots of multiple files containing personal and protected health information. One file included more than 100 patients’ case ID numbers, names, admission dates and appointment information.
- BianLian allegedly hacked US-based nonprofit organization Better Business Bureau, claiming to have exfiltrated 1.2TB of sensitive data. The ransomware group added several taunts to its leak site, stating that the organization is “far from being innocent,” and demanding that the organization make contact with BianLian in order to protect its data. The information compromised is said to include accounting data, NDAs, operational and business files, among other file types. At this time, no public statement has been made by Better Business Bureau.
- BianLian also claimed an attack on S. Dermatology Partners, stating that the group had stolen 300GB of information. The compromised data allegedly includes personal information, financial details, accounting data, budget information, employee profiles, contracts, and NDAs. Along with these claims, the dark web post included contact information for the company’s CEO and CFO.
- Palomar Health Medical Group confirmed that its phone and computer systems are still down after a cyber incident almost two months ago. Suspicious activity was discovered on May 5th, prompting the company to take impacted systems offline in an attempt to prevent the spread of malware. The healthcare system is working with external professionals to investigate the source and restore systems as soon as possible. No ransomware group has claimed the attack yet.
- It has been reported that new ransomware gang dAn0n added Pediatric Urology Associates (PUA) to its leak site in March this year, claiming to have exfiltrated 740GB of information. Not all of the information allegedly stolen has been leaked yet, but the group has exposed a compressed archive 16.76GB in size that includes internal documents and another compressed archive containing 662MB of patient information. A spokesperson from the ransomware group stated that systems were first infiltrated in January 2023, with ransomware deployed in March this year. PUA did not respond to dAn0n’s ransom demands and made no attempt to negotiate. PUA has not made a public statement addressing these claims.
- Reports have revealed that Pinnacle Orthopaedics & Sports Medicine Specialists LLC discovered that it had been a victim of a cyberattack in late April 2024. An investigation was launched, determining that 500 patients had been affected, with a recent press release stating that a detailed review and analysis is still underway to identify potentially impacted individuals. INC ransomware group claimed the attack, adding 12 screenshots to its leak site as proof of access and acquisition. All stolen data has since been leaked.
July
Unlike recent years, in which July has been a quiet month for ransomware, this year we recorded 60 publicly disclosed attacks, a 58% increase from last year. Although the US was the most targeted location, there was a surge of attacks in Australia this month, with 7 recorded. Government topped the targeted industries with 15 attacks, followed by education and healthcare with 9 attacks each. LockBit and Ransomhub were equally dominant, each clocking up 5 claimed victims. Some of the big news stories this month included attacks on Los Angeles County Superior Court, OneBlood and Southern California’s 911 services.
Find out who else made ransomware headlines in July:
- Patelco Credit Union, based in California, became the target of two class-action lawsuits following a ransomware attack. The incident forced the credit union to temporarily shut down customer access to electronic transactions. The company has not yet confirmed whether any of its 450,000 customers have had their personal information exposed, nor has it identified the source of the attack.
- RAM Construction Services is under investigation following a recent incident in which sensitive personal identifiable information in its systems may have been accessed by threat actors. Data including names, SSNs, driver’s licence information and financial account information is believed to be involved in the breach. Underground ransomware group has taken credit for the attack, claiming to have exfiltrated 762.9MB of data.
- Notifications about a June 2023 data breach involving Florida Community Health Centers have recently been sent to 296,635 individuals. FCHC did not publicly disclose what types of data were compromised. According to a statement, initial investigations concluded in September last year, but additional time was required for the forensic analysis to determine other aspects of the incident.
- Cambridge University Press & Assessment (CUPA) was hit by a cyberattack which jeopardized the work of its employees in late June. The incident impacted part of the company’s publishing operations, causing technical disruption. INC ransomware gang claimed the attack, publishing stolen documents on its disclosure page as proof of claims. These leaked documents included supplier invoices, service contracts, and other confidential correspondence.
- LockBit claimed responsibility for an attack on the University Hospital Centre in Zagreb, Croatia, one week after the organization announced it had been the victim of a cyberattack. Networks were incapacitated, forcing emergency patients to be diverted to other hospitals and requiring staff to revert to pen and paper. A statement from the hospital said that patient safety was never in jeopardy. LockBit claimed to have stolen a large volume of data including medical records, research papers, employee data, legal documents and much more.
- A cyber incident impacted internal servers at The Harry Perkins Institute of Medical Research in Perth in early July. A statement confirmed that the organization immediately engaged experts and advisers to guide the response efforts and re-establish secure network access. The nature and extent of the data impacted has not yet been determined. Medusa has been credited with the attack, with the group demanding a $500,000 ransom in exchange for 4.6TB of allegedly stolen information.
- Hiap Seng Industries in Singapore confirmed that it was subject to a ransomware attack during which an unknown party gained access to the company’s servers. Upon discovering the incident, containment steps were taken to isolate its servers from the network. There has been no material impact to its business operations. A ransomware group is yet to claim the attack.
- In Singapore, Soon Lian Holdings revealed that it was subject to a ransomware incident. The group took immediate action to identify, contain and address the incident. Investigations involving the relevant authorities are still ongoing. The group has stated that there has been no significant impact on its business operations and that no evidence of data exfiltration has been observed.
- The FBI were called in to investigate a ransomware event in the City of Cedar Falls which took place in June. Unauthorized activity was limited and, after a short period of controlled downtime, all affected services were restored. BlackSuit ransomware group claimed the attack, stating that it had stolen information including business data, employee data, financial information, contracts and other personal folders. It is not clear whether the threat actors demanded a ransom.
- Despite “robust protections and protocols” being in place, the Law Offices of the Public Defender in New Mexico fell victim to a ransomware attack. The attack compromised access to critical internal records and impaired its ability to communicate with clients and other members of the criminal justice system. Rhysida claimed the attack, adding a number of screenshots to its dark web page as proof of claims.
- The City of Apex in North Carolina announced that it was the victim of an attempted ransomware attack that resulted in some town services being temporarily suspended. In compliance with North Carolina law, the town did not engage in communication with, negotiate with, nor make payment to the unknown threat actors responsible for the incident. Further information on this attack has not yet been made public.
- It was confirmed that an attempted hack on the Alabama State Department of Education was interrupted by the department’s IT team. Although the attack was stopped, it is believed that some data was breached before the intervention. ALSDE stated that it had taken the position not to negotiate with the threat actors. INC ransomware gang claimed responsibility, posting a proof pack on its leak site. It is not yet known if a ransom was demanded, how INC breached ALSDE systems or what personal data was compromised.
- DragonForce claimed an attack on New Zealand-based fitness equipment supplier Elite Fitness. The organization has confirmed that it was the victim of a ransomware attack and that employee and customer data was impacted. New Zealand’s Computer Emergency Response Team, along with other government agencies, was notified. DragonForce added the fitness company to its leak site on July 2nd, claiming to have exfiltrated 5.31GB of the company’s data.
- Japan’s NTT Data Group confirmed that its Romania unit was hit by “an instance of unauthorized access”. The access was detected on an old network that the Romanian unit was no longer using as its main network. Although there was unauthorized activity, the organization claims that there was no ransomware involved in the incident. Ransomhub took credit for the attack, with reports suggesting the group was in possession of 230GB of stolen data.
- Louisiana Special School District employees were notified of a cyberattack more than one month after it was initially discovered. According to the superintendent, the Louisiana State Police’s Cyber Crimes Division was contacted after a breach claimed by Akira was found on May 24. While there was no proof that files had been copied, files had been encrypted with officials stating that the data within those files should be assumed stolen. It is not clear what or how much data was impacted by this incident.
- Ransomhub claims to have published 100GB of data stolen from the Florida Department of Health after it declined to pay an undisclosed ransom. The Florida Department of Health has not yet publicly addressed the claims made by the cybercriminal group. In compliance with state guidelines, government organizations in Florida do not pay ransom demands. Further information on this attack has not yet been made public.
- LockBit allegedly carried out an attack on US-based Homeland Vinyl. The ransomware group claims to have exfiltrated sales, inventory and financial transaction data, along with other company records. A deadline of July 19 was set for publication of the compromised information. A sample of the stolen data was posted on LockBit’s dark web site.
- At the start of July, SouthCoast Health and Privia Medical Group revealed that 32,835 South Carolina residents had been impacted by a cybersecurity incident in June 2023. The breach only impacted SouthCoast Health’s network. The notification letter stated that the compromised information varied by individual but included names, SSNs, passport numbers, health information and financial information.
- BlackSuit successfully carried out an attack on servers belonging to Monroe County in Indiana. The network “intrusion” caused a week-long shutdown of most government offices. Evidence suggests that no sensitive employee information has been misused, but the county does not yet know whether vendor or public PII was accessed.
- Clay County announced on social media that it was the victim of a significant data security incident on July 9. The incident, which was confirmed as a ransomware attack, resulted in the inability to provide critical and necessary services. The Clay County Board of Commissioners declared a “local disaster emergency” to allow the county to work on recovering affected systems. LockBit claimed the attack, posting 6 screenshots on its dark web portal as proof of claims.
- A “massive” ransomware attack hit TPS Worldwide’s networks and internal servers, with the card processing company able to contain and control the attack without any financial loss. An investigation is ongoing, but the source or nature of the attack is yet to be determined. TPS has reportedly advised its partners to review their latest patches received from TPS.
- DragonForce claimed to have stolen 120.1GB of data from Victorian landscaping firm Super Gardens. The stolen data allegedly included large amounts of internal documents such as training regimes, invoices, and details of dangerous chemicals and materials used in Super Gardens’ regular landscaping operations, along with numerous folders and documents relating to HR and the company’s employees. Leaked personal data belongs to about 300 Super Gardens casual and full-time employees. A total of 107,120 files were leaked as part of the incident.
- A cyberattack halted some operations at Sibanye Stillwater mining operations in Montana in early July. The cyberattack had limited impact on its core operations, but it did cause temporary system outages which resulted in the implementation of back-up manual processes on certain systems. It is not clear if any data was impacted with no ransomware group yet taking credit for the incident.
- A ransomware attack disabled the Goshen Central School District’s computer services, causing disruption to email and phone communications. Law enforcement was notified, and cybersecurity experts engaged to determine the source of the attack and take necessary steps to repair any problems.
- Rite Aid confirmed a data breach had occurred after suffering a cyberattack in June. The pharmacy giant is currently investigating the cyberattack and is working on sending notifications to customers impacted by the data breach. All compromised systems have now been restored. Ransomhub claimed the attack, reportedly stealing 10GB of customer information equating to around 45 million lines of people’s personal information.
- The American Radio Relay League (ARRL) confirmed that some of its employees’ data was stolen during a ransomware attack in May. A “sophisticated ransomware incident” was detected after attackers breached and encrypted its computer systems, forcing ARRL to take impacted systems offline to contain the incident. Reports suggest that 150 employees were impacted and although not confirmed, sources claim that the Embargo ransomware gang was behind the attack.
- LockBit-linked hacktivist group NullBulge claims to have breached Disney, exposing 1.2TB of data on BreachForums as part of its efforts to ensure artist rights protection. The data dump is said to include messages, files and data sent by Disney’s development team on Slack, containing details of unreleased projects, internal API/web page links, logins and other raw images. Disney has not yet publicly addressed these claims.
- Major U.S. golf organization American Golf fell victim to a Medusa ransomware attack, with the threat actors claiming to have stolen nearly 155GB of data. Compromised information included members’ data, user IDs, passwords, and secret keys, as well as emails, licenses, passports, reports and financial details. A ransom of $2 million was set, with Medusa upping the ransom by $100,000 each day that American Golf does not pay.
- Queensland accounting firm Gibbs Hurley Chartered Accountants was allegedly hacked by Hunters International this month. The ransomware gang added the organization to its dark web site on July 15 but has not set a date or countdown timer for the publication of the stolen data. Gibbs Hurley is yet to publicly acknowledge the incident.
- In the Philippines, the Department of Migrant Workers (DMW) was forced to temporarily shut down its online systems following a ransomware attack. The move was a precautionary measure while efforts were underway to restore affected systems. The organization claims that databases containing overseas Filipino worker (OFW) data were not impacted by the attack. No ransomware group has yet stepped forward to take responsibility, and it is not known whether any data was exfiltrated.
- Personal data of members and employees of the Royal Brighton Yacht Club (RBYC) has been exposed following a ransomware attack carried out by Medusa. The ransomware group claimed to have stolen more than 94GB of data from RBYC, posting several documents as evidence of the attack. The RBYC confirmed it was aware of the incident, stating that attackers deployed ransomware through a compromised third-party remote support tool which led to the encryption of its systems.
- Southern California’s 911 services were disrupted by ransomware in mid-July, impacting 6 cities according to the South Bay Regional Public Communications Authority. Affected areas included Manhattan Beach, Culver City, Hermosa Beach and El Segundo, as well as Hawthorne and Gardena. DragonForce claimed the attack, stating that it had stolen 54.43GB of data. Further information on this attack is not currently available.
- In Canada, a cyberattack disrupted web services and thinned grocery stock at Federated Co-operatives. The attack at the end of June impacted internal and customer facing systems including cardlock fuel locations and stock in some grocery stores. The investigation is still ongoing, so few details are currently available regarding the nature and scope of the attack. Akira ransomware group claimed responsibility.
- Pueblo County School District 70 addressed a data breach and ransomware attack which may have compromised personal information belonging to former students, as well as current and former staff. The breach is said to have impacted a number of student records saved between 1991 and 2006. Information accessed included names, phone numbers and DOBs. LockBit took credit for the attack, posting five screenshots of stolen documents as proof of claims.
- Bassett Furniture was forced to shut down its manufacturing facilities following a ransomware attack in mid-July. The furniture manufacturing giant stated that hackers disrupted the company’s business operations by encrypting some data files, forcing the company to activate its incident response plan. It is believed that the attack is likely to continue to have a material impact on business operations until recovery efforts are completed. The full scope, nature and impact of the attack is still being determined and no ransomware group has yet claimed the incident.
- A ransomware attack on Active Learning Trust impacted parts of the organization’s network but did not disrupt the operations at the 19 schools under its management. According to a statement “no pupil, parent and staff information has been compromised.”
- Details of a February ransomware attack on Laurentian University came to light this month in response to a freedom of information request from a local news outlet. Threat actors gained access to the university’s IT systems through a compromised user account. The incident caused significant disruption, with the website offline for an extended period and online courses and other related technologies impacted. Although the university received a ransom demand, it did not negotiate with the hackers or pay the undisclosed ransom amount.
- First Choice Dental recently revealed that an October 2023 ransomware attack compromised the sensitive personal information of more than 200,000 individuals. The attack involved threat actors infiltrating its internal network, encrypting connected systems and leaving a ransom note. Upon discovery of the incident, FCD took the affected network offline and launched an investigation with assistance from external cybersecurity experts. Compromised data included names, DOBs, SSNs, passport numbers and health information among other types of personal information.
- A devastating ransomware attack shut down the Los Angeles County Superior Court as it sought to recover its computer systems. The incident forced the closure of 36 courthouses within the county, with delays expected and potential impacts to services due to limited functionality. Affected systems included My Jury Duty, the court’s website and the court’s case management systems. At this time there is no evidence to suggest that court users’ data was compromised. It is not known who was behind this attack.
- Wattle Range Council fell victim to a LockBit ransomware attack, with the gang threatening to publish more than 40,000 stolen files. LockBit added the council to its leak site along with a number of sample images of documents and file structure as proof of claims. Some of the samples include tax invoices, cash transactions, credit card numbers and more. The group claims to have stolen a total of 103GB of data. Wattle Range Council is aware of the incident and has launched an investigation into the claims made by LockBit.
- The City of Cold Lake in Canada issued a statement on its website addressing a recent cyberattack which breached its online security systems. The city shut down its servers in an effort to isolate the attack and protect unaffected systems. Files were encrypted and damaged across a number of servers. Initial findings suggest that no personal data or sensitive information was compromised as a result of the incident. Fog has been credited with the attack.
- Daixin Team ransomware group is threatening to leak sensitive medical information of 10 million patients following an attack on Acadian Ambulance. The organization observed unexpected activity within its network that disrupted the operability of certain computer systems. Affected systems were locked down to prevent further unauthorized activity, and backup and redundancy systems were activated to prevent disruption to patient care. Daixin claims to have stolen databases containing more than 11 million rows of patient records as well as more than 28,000 rows of employee data. A ransom of $7 million was demanded but, according to the hackers, after weeks of negotiation Acadian said that it could only pay less than $173,000.
- Details emerged of a cyberattack orchestrated by Fog ransomware group which left Waupaca County School District crippled in May this year. The district’s wi-fi, printers, phones, student portal and bell system were all impacted by the attack. The school stated that no student or parent information was compromised, however Fog claimed to have stolen 18GB of data from the school.
- Threat actors known as Ghost R claim to have stolen more than 50GB of files from Singapore’s Moneylenders Credit Bureau (MLCB) following a third-party server breach. The attack itself targeted Ezynetic Pte Ltd, an IT software company which works with MLCB. Compromised data is said to include borrowers’ personal information, loan information, payment and repayment statuses and loan guarantors’ statuses. The Ministry of Law issued a statement confirming that the breach at Ezynetic Pte impacted 12 moneylenders using its services.
- It was revealed that Compex Legal Services Inc fell victim to a cyberattack which may have impacted the privacy of information relating to certain individuals. In April 2024, Compex discovered suspicious activity on its network, promptly launching an investigation into the nature and scope of the activity which revealed that certain files had been acquired. The types of information potentially impacted included names, DOBs, SSNs, medical diagnosis, treatment information and health insurance information.
- All eight branches of Jefferson County Clerk’s Office in Kentucky were forced to close following a ransomware attack. Upon discovery of the incident, proper authorities were notified and work with a forensic analysis company began to try to figure out where the attack originated from. At this time the office does not believe that any data has been compromised.
- A recent cyberattack on Schneider Regional Medical Center was brought before the Senate Committee on Appropriations, Budget and Finance. Systems were shut down to allow the IT team and federal and local authorities to investigate the attack. Threat actors demanded an undisclosed sum to remove the impediments placed on the systems. The hospital implemented downtime procedures while the investigation continues. Qilin has taken responsibility for the attack, stating that all infrastructure on the organization’s network is blocked. Confidential data stolen during the incident reportedly included private contracts, financial documentation and large-scale information about clients.
- The City of Newcastle in Washington told news outlets that it was able to stop a ransomware attack on July 13. A city government spokesperson stated that all systems were returned to normal with no data loss. Ransomhub is claiming to have stolen 500GB of data from the city and has made several threats, criticizing the city for refusing to negotiate a ransom.
- Hackers gained access to networks belonging to the city of Forest Park in Georgia, but the city did not see any impact to operations or public safety. The intrusion was quickly identified and isolated to minimize potential damage. The city does not believe that any data or sensitive documents have been breached or compromised, however Monti ransomware gang has claimed the attack and has threatened to leak stolen information next month if an undisclosed ransom is not paid.
- Several resident-facing IT services were hit with outages as the result of a cyberattack on the City of Columbus. 911 and 311 services remained operational but were not operating as normal, with most staff working on paper following a system shutdown. An investigation into the “abnormality” has been launched, but it is believed that a city employee clicked a malicious link sent via email. The Columbus mayor initially declined to say whether the city was facing a ransomware attack but has since stated that the encryption attempt was prevented by the city’s IT department and no ransom was demanded. Rhysida has since claimed the attack, allegedly exfiltrating 6.5TB of data. Compromised data is said to include internal logins, passwords and a full dump of servers holding emergency services application information.
- Taiwanese electronics giant LITE-ON suffered a cyberattack at the hands of ransomware gang RansomEXX. The cybercriminal gang posted the organization on its dark web site, claiming to have stolen 142.7GB of data. LITE-ON has yet to publicly address the claims made by RansomEXX.
- Insula, an IT services firm based in Australia, has refused to pay a ransom demanded by BianLian following a ransomware attack. The gang posted Insula on its dark web site, claiming to have exfiltrated 400GB of data from the Victoria-based company. Compromised data listed included project data, construction data, client data, user folders, file server data and “company source codes.” Insula confirmed the data breach, stating that it was confined to its corporate network, and said that it ignored the ransom demand.
- Australian hospitality and catering firm Reward Hospitality was allegedly hacked by BlackSuit ransomware gang, who claim to have exfiltrated 385GB of material belonging to the organization. No sample data was provided, but the compromised data is said to include finance documents, HR files, customer data, working documentation, SQL databases and email. The gang has not set a deadline or disclosed the size of the ransom demand. Reward Hospitality has not publicly addressed these claims.
- South Carolina’s Summerville Police Department has been claimed as a victim by Embargo ransomware group. The town confirmed that it had been hit by a cyberattack but stated that there was no evidence to suggest that any data or sensitive documents were compromised. Embargo posted the department on its leak site, claiming to have exfiltrated 1.7TB of data during the attack.
- New Jersey Oral and Maxillofacial Surgery announced that a data security incident in May compromised the sensitive personal information of almost 75,000 individuals. An investigation into the incident revealed that unauthorized access and acquisition of certain files had been involved. Compromised data includes PII and PHI. Clop ransomware group claimed responsibility for the attack, but it is not clear whether the firm engaged with the ransomware group.
- Singapore-based Tri-Star Display Pte Ltd suffered a substantial data breach at the hands of Cicada3301 ransomware group. According to the group’s dark web site, it has stolen over 95GB of data, releasing samples to support the claims. Tri-Star Display has yet to respond to these claims.
- New Jersey City University students have been advised to remain vigilant of phishing attempts following a ransomware attack on the school’s computer network. The school’s servers were compromised by Rhysida, who stole SSNs, financial account numbers and credit card numbers. The cybercriminal group demanded 10BTC, roughly $700,000 by August 3rd. School officials are not commenting on whether or not they intend to negotiate with Rhysida.
- A massive ransomware attack on C-Edge Technologies disrupted banking services for nearly 300 small banks in India. Cybercriminals infiltrated the organization’s networks and encrypted its systems. The National Payments Corporation of India (NPCI) temporarily isolated C-Edge from its payment system as a precautionary measure. The NPCI is also assisting in the investigation into the attack.
- OneBlood, one of the largest blood centers in the US, was forced to operate at reduced capacity after a ransomware attack shut down part of its system. The organization immediately began an investigation to confirm the attack before kicking off efforts to address the incident. Manual processes were implemented, and 250 hospitals were asked to activate critical blood shortage protocols as a result of the incident. No group has yet claimed responsibility for this attack.
- Promotional products supplier Terry Town was unable to process or ship orders to customers for two weeks following a cyberattack. The organization lost all internal data files during the incident and is still investigating the full scope of the attack, but claims that there is no evidence at this time that any customer data was taken. Terry Town did not pay the undisclosed ransom demanded by hackers and has now fully restored operations. It is not known who was behind this attack.
August
This month we uncovered 63 publicly disclosed ransomware attacks, making it the highest August we’ve ever recorded, and the third highest month of the year so far. Unsurprisingly healthcare was the worst hit sector with 19 attacks, representing 30% of all reported incidents. In a month where RansomHub took credit for almost a third of attacks, a number of new variants such as Lynx and Helldown also caused chaos for their victims.
Keep reading to find out who made ransomware headlines in August:
- Northeast Rehabilitation Hospital Network disclosed information about a May cyberattack which resulted in unauthorized access to patient information. The healthcare organization confirmed that there had been unauthorized access to its network and files containing patient data may have been acquired. The affected data is said to include names, patient identification numbers and financial account information. Hunters International ransomware group claimed responsibility, adding the organization to its dark web site and stating that it had exfiltrated 410GB of data.
- Texas-based mental health services provider Coastal Plains Community MHMR Center notified 45,357 individuals that some of their sensitive information had been exposed during a November 2023 ransomware attack. During the attack threat actors gained access to some of the provider’s systems before stealing data. Impacted systems contained personally identifiable information alongside some mental health information. It is not known who is responsible for the attack.
- Information has been made available about a ransomware attack in April which encrypted some of Sutton Dental Art’s systems. Cybersecurity professionals who were engaged to help with an investigation determined that there had been unauthorized access to certain systems and that files within those systems had been encrypted and accessed by hackers. It is not clear what types of data were compromised, but it is believed that private health information belonging to 4,109 patients was involved.
- RansomHub claimed responsibility for a cyberattack on Effingham County Schools in Springfield, Georgia. In July, the school announced a cyberattack on the district’s website after experiencing disruption to its IT network. Upon discovery of the event, internal teams took immediate steps to terminate the access and engage third-party cybersecurity investigators. The district has not yet disclosed whether a ransom was paid, what data was compromised or whether systems were compromised during the attack.
- McDowall Affleck, an Australian engineering firm, confirmed that it was a target of a cyberattack at the hands of RansomHub. A spokesperson from the organization stated that systems were immediately secured once the incident had been discovered and that investigations into the breach had begun. RansomHub claimed to have exfiltrated 470GB of data, giving the engineering firm 4-5 days to meet the group’s undisclosed demands.
- RansomHub claimed Millinocket Regional Hospital as a victim this month, with the threat actors supposedly stealing 10GB of files. The hospital itself has made no public acknowledgement of an attack nor the claims made by RansomHub. The hospital has since been removed from the dark web site, but it is not known whether a ransom was paid or if there is some other explanation for the listing being removed.
- Delhi Hospital (Richland Parish Hospital) was added to RADAR and DISPOSSESSOR’s leak site in late July. The hospital has not publicly addressed any claims or published any information about a cyberattack. The cybercriminal group communicated with databreaches.net, giving some details about a ransom negotiation between the hospital and R&D. The ransomware group initially demanded a $350,000 ransom, but later dropped it to $250,000 before negotiations broke down. Information stolen during the attack includes patient information, internal documents and some financial data.
- Hospital Auxilio Mutuo fell victim to a cyberattack in September 2023 impacting 500 individuals. The Puerto Rican hospital has recently released information relating to the attack stating that a limited amount of personal information was removed from its network. The information included full names, medical records, diagnostic information and other patient care information.
- Global UK-based immigration services provider Sable International had its customers emailed by BianLian ransomware group following a cyberattack. The attack disrupted the firm’s servers, website and other portals. An investigation revealed that some clients from various countries had their data stolen by the hackers. It is believed the emails were sent to customers in an attempt to pressure Sable International to pay an undisclosed ransom.
- According to a recent regulatory filing, Sobha Limited’s IT infrastructure was hit with a ransomware attack on August 4th. The company’s management team responded promptly to the attack and no material impact on its operations was noted. It is not known what, if any, data was exfiltrated during the attack. RansomHub took credit for the incident.
- The Executive Council of Physical Therapy and Occupational Therapy Examiners (ECPTOTE) confirmed that it had fallen victim to a cyberattack and was currently notifying an undisclosed number of people about the resulting data breach. The attack caused systems to be temporarily unavailable. Hunters International claimed the attack, stating that they had exfiltrated 195,822 files, amounting to 139GB of data, from the organization.
- French cybercrime police investigated a ransomware attack against the Grand Palais exhibition hall in Paris. At the time of the attack the venue was hosting Olympic events such as fencing and Taekwondo. The central computer system was the target of the attack and although no disruption was caused to the Olympic events, 40 small museums were also impacted. Brain Cipher claimed the attack and demanded payment of an undisclosed ransom within 48 hours.
- City Hall in the city of North Miami was forced to temporarily close following “unexpected issues” in the city’s IT infrastructure. The city’s website described the issues as “a possible breach” affecting network systems, preventing city employees from accessing computer files. A message displayed on the local government’s computers stated that the threat actors specialized in file inscriptions and industrial espionage, describing the crime as “not personal.”
- McLaren Health Care restored its network after weeks of disruption following a ransomware attack. IT and phone systems were down across the 13 hospitals within the network, with reports suggesting that access to patient information databases was lost. INC ransomware gang claimed the attack, with ransom notes stating that systems were encrypted and stolen. These claims have not been confirmed by the hospital itself.
- Vital Bircher, a farmer in Hagendorn, Switzerland, experienced an attack on his computer systems, which sadly resulted in the death of one of the cows on the farm. The farmer could no longer receive milking data for his cows and contacted the milking system manufacturer to alert them of the hack. Unknown threat actors demanded $10,000 to decrypt data on the impacted systems.
- New Zealand VoIP and IT support company Banx was allegedly hacked by Meow ransomware gang. Meow claimed to have stolen over 15GB of data including confidential information, client information and financial documents. Records supposedly could provide “deep insights into the company’s operations and client interactions.” The ransomware group are posting a price of $35,000 for all the data or are willing to sell to multiple buyers for $12,000.
- RansomHub listed Kempe Engineering as a victim on its leak site this month, claiming to have stolen 4TB of data. The sensitive data is said to include financial records, customer data, all internal mail and proprietary business information. A deadline of seven days was set to pay an undisclosed ransom and several internal documents were initially leaked as proof of claims. The Australian organization has not admitted to experiencing a cyberattack or responded to claims made by the threat actors. RansomHub have since published 40 folders of data belonging to the engineering firm.
- In the Philippines, the National Privacy Commission confirmed that JG Summit Holdings fell victim to a ransomware attack which compromised 300GB of data. The attack allegedly led to the encryption of data on more than 40,000 computers within the company’s network. RansomHub took credit for the attack, warning that further encryption, data shredding and deletion would occur if demands were not met. JG Holdings stated that it was aware of the circulating reports and that an investigation was underway.
- Sumter County Sheriff’s Office in Florida became one of Rhysida’s latest victims this month with the attack being announced via a Facebook post. The post stated that the law enforcement agency would work with Florida Dept of Law Enforcement, Florida Digital Services and other IT professionals to conduct an investigation. Law enforcement response was not impacted by the event, but some records were limited. Rhysida gave the Sheriff’s department 7 days to pay a ransom demand which started at 7BTC (around $423,000).
- Delaware-based non-profit health system Bayhealth Hospital was claimed as a victim by Rhysida ransomware gang in mid-August. On its Tor leak site the threat actors threatened to expose data including ID cards and passports if the healthcare organization failed to pay 25BTC before the 7-day deadline expired. Information on this incident remains limited.
- Gramercy Surgery Center in New York was added to Everest ransomware group’s leak site, with the group claiming to have exfiltrated 460GB of data. The attack, which took place in June, resulted in certain documents being copied from Gramercy’s network. An investigation determined that information impacted may have included PII and medical information. Everest did not disclose the type of information it had allegedly stolen and provided only two images of old files as proof of claims.
- Hunters International added Betances Health Center in New York to its list of victims, leaking almost 125GB of data. The ransomware group claimed to have encrypted Betances’ files before exfiltrating data, but the health center has not confirmed the attack. The leaked data appeared to include sensitive information about patients and their current health journeys.
- Details have recently been released about a cyberattack in February which impacted the Surgery Center of Mid Florida. SCOMF stated this month that although there is currently no evidence to suggest that patient information was accessed or exfiltrated, the organization is notifying all patients in an abundance of caution. 48,684 patients were impacted by the incident. It is believed that access to SCOMF was achieved through an attack on an unnamed IT vendor. No cybercrime group has yet claimed the incident.
- In Texas, the city of Killeen was hit with a cyberattack which impacted internal system servers and caused delays for some services. The city disabled the utility customer service payment plan and also cut all connections it had to the larger network of Bell County in order to contain the incident. The attack was conducted by BlackSuit, but the ransomware group has not posted details of the incident for public viewing.
- Brookshire Dental became an apparent victim of a Qilin ransomware attack. No information about the attack has been disclosed by Brookshire and as of yet no breach disclosure has been submitted to relevant authorities. Qilin added the organization to its blog on August 12, claiming to have stolen 96GB of data.
- Rhysida claimed Community Care Alliance in Rhode Island as a victim, but this attack has not been publicly disclosed by the organization itself. The ransomware group has allegedly exfiltrated a 2.5TB database during the attack which includes sensitive information. The listing included a sample of scanned passports, driver’s license cards, and other sensitive documents as proof of claims.
- Tasmanian engineering firm Hudson Civil Engineering was added to RansomHub’s victim list in August. The darknet post simply stated that RansomHub had stolen 112GB of data and that it would be published in a week if undisclosed demands were not met. No information has been provided on the nature of the data allegedly stolen, nor has any sample data been provided.
- A ransomware attack was successfully contained at Australian gold mining company Evolution Mining. The organization worked with external cyber forensics experts to investigate the incident but did not confirm who was behind the attack or if a ransom was demanded or paid. The company does not anticipate any material impact on operations. At this time no ransomware group has stepped forward to claim the attack.
- Nilörn, a textile manufacturer in Sweden, suffered severe disruption following a cyberattack earlier this month. The incident caused issues for the company’s IT systems, and it took a week to bring some tools and resources back online. Play claimed responsibility, claiming to have exfiltrated private and personal confidential information among other organizational documents.
- The Gadsden Independent School District was hit by a ransomware attack in mid-August, but no student or employee data was impacted. Staff were told to power down computers and disconnect from the network until further notice. Immediate steps were taken to secure all systems and mitigate the impact of the attack.
- Major Swiss industrial manufacturer Schlatter Industries had its IT systems disrupted by a cyberattack this month. A statement from the company revealed that it was blackmailed by its attackers who were demanding monetary payment in exchange for the decryption and non-exposure of stolen data. The organization is investigating whether data was in fact stolen and experts are working to make all systems available and functional again. Helldown, a newly emerged ransomware group claimed the attack and allegedly exfiltrated 53GB of data. The leak site post contains two file trees to download.
- RansomHub claimed to have successfully stolen data from Auckland-based interior design store Allium Interiors. The threat actors revealed that they gained access to all of the company’s files and web mails and encrypted and exfiltrated the server’s private information. The group threatened to leak all of the information if an undisclosed ransom was not paid. There was no sample data shared on the group’s leak site.
- Nidec Corporation stated that on August 12th a data leakage occurred at the company’s Vietnamese subsidiary NPCV. The company was contacted by threat actors claiming to have hacked into the network to steal documents and files and demanding a ransom. The company has been unable to determine the specific extent of the data leak but has launched a thorough investigation into the incident.
- Hug Witschi AG, an IT company in Switzerland, announced that a cyberattack impacted its internal servers, resulting in data loss. Internal staff and outsourced external experts worked to restore access to all systems. An investigation into the nature of the data exposed during the attack is ongoing. Helldown ransomware gang claimed the attack, allegedly stealing 67GB of data. Two files are already available to download on the leak site.
- Northwest Arkansas Community College (NWACC) fell victim to a ransomware attack at the end of July this year. It has been revealed that school officials realized they had been attacked after network printers began printing ransom notes across campus. Officials shared that no student records or other sensitive information had been accessed as part of the attack. An investigation into the incident is ongoing and no ransomware group has claimed the attack to date.
- Details of a significant ransomware attack on Kootenai Health were released this month disclosing that the sensitive information of 464,088 patients had been impacted. The threat actors gained unauthorized access to the healthcare provider’s network and were able to roam through the network for 10 days and steal sensitive data. An investigation revealed that data including PII and medical information was compromised. 3AM ransomware gang claimed the attack and leaked 22GB of information on to its darknet portal.
- NY social services provider Liberty Resources experienced issues with its phone services following a cyberattack. Rhysida has taken credit for the attack, claiming to have stolen an undisclosed amount of data from the organization. The group added a proof pack containing passport scans and other documents to its dark web listing along with a ransom demand of 20 BTC (approximately $1.2 million). The company was given a 7-day deadline to pay the ransom before the data was sold on to a third party.
- PRM Management Company is investigating a breach of its email environment which took place in June. It has been confirmed that there was unauthorized access to a single email account between January and June this year, with the email account containing patients’ PHI. Further information on this incident has not yet been disclosed, but an interim figure of 500 affected individuals has been suggested.
- A cyberattack on Roseland Community Hospital exposed the protected health information of its patients. The attack was detected in June and steps were immediately taken to secure its systems and block further unauthorized access. External experts launched an investigation which has determined that files were accessed and/or obtained by the threat actor. At least 500 individuals have been impacted by the breach. It is not yet known who is behind this attack.
- A ransomware attack resulted in a computer outage that left Flint City Hall unable to take payments and conduct other web-based business. The city published a statement saying that it was experiencing internal network and internet outages and that there was no timeline for when systems will be restored. The IT department is still investigating whether resident or employee data was stolen, and no ransomware group has yet taken responsibility for the attack.
- Rhysida ransomware gang claims to be in possession of “exclusive data” belonging to The Washington Times and is auctioning it off online. A deadline of 7 days was set before the auction was to begin, with an asking price of 5 BTC (around $300,000) for the data. The major US news outlet is yet to publicly acknowledge an attack or address the claims made by the ransomware group.
- In South Korea, motor vehicle manufacturing company Hanon Systems fell victim to a ransomware attack at the hands of Hunters International in mid-August. The ransomware group leaked internal data belonging to the organization on its leak site including documents such as job resumes and employee information. 1,632,481 files were stolen during the attack, totalling 2.3TB.
- Charleston County School District in South Carolina was added to RansomHub’s victim list this month. CCSD stated that it was aware of system disruption in mid-July and could now confirm data was acquired. At this time there is no evidence of malicious misuse of any school data. RansomHub added a number of screenshots to its leak site post as proof of claims.
- New York-based Jewish Home Lifecare experienced a data security incident that compromised the sensitive personal information of at least 104,234 individuals. A recent data breach notification stated that the organization identified unauthorized activity in its internal network in January this year. An investigation was immediately launched, with assistance from external cybersecurity experts, to determine the nature and cause of the incident. It revealed that threat actors infiltrated the network and stole personal information belonging to patients and staff. BlackCat claimed the attack back in February.
- CannonDesign confirmed that hackers breached and stole data from its network during an attack in early 2023. Although the firm discovered the intrusion in January 2023, the investigation into the incident only concluded in May this year. Information such as names, addresses, SSNs and driver’s license numbers is believed to have been impacted. Avos Locker claimed the attack back in February 2023, claiming to be in possession of 5.7TB of stolen data. Dunghill Leaks then published 2TB of stolen data from CannonDesign in September 2023. The dataset has since been published numerous times on a number of different forums and leak sites.
- A cyberattack forced Microchip Technology to suspend some of its operations. Microchip detected “potentially suspicious activity” in its IT systems in mid-August, leading to the shutdown of parts of its IT infrastructure. An investigation into the event was launched with the assistance of external cybersecurity advisors. Play ransomware group added the organization to its Tor-based website and started leaking allegedly stolen data on August 29th. Over 5GB of archives storing personal information, IDs, accounting, payroll and contracts documents have already been published.
- Oil and gas services giant Halliburton suffered widespread disruption to its IT systems and business operations following a cyberattack. Upon discovery of the intrusion, the company activated its cybersecurity response plan and launched an investigation internally to assess and remediate the unauthorized activity. Rumours have been circulating that RansomHub was responsible for the attack, with a partial ransom note published on a forum site. Halliburton are not making any further comments at this time.
- Bloom Hearing Specialists in Australia confirmed that a threat actor had stolen data from the audiologist’s network. The national provider of hearing services stated that data including medical and financial records of current, past and prospective patients as well as employees and contractors may have been impacted.
- The BVI Electricity Corporation was forced to estimate customer bills following a ransomware attack that disrupted its operations. The attack compromised BVIEC’s systems, leaving the organization scrambling to restore full functionality while ensuring customers remained connected to their electrical supply. The identity of the attackers remains unknown and negotiations with the cybercriminals are ongoing.
- The City of Timișoara in Romania announced that a cybersecurity incident impacted City Hall, the Tax Directorate of the Municipality and the local police department earlier this month. Some online services within these departments were temporarily unavailable due to the attack. Upon detecting the activity, specialists at city hall triggered radical countermeasures to limit the compromise of the entire system. RansomHub claimed responsibility for the attack.
- Disability support provider Engedi was targeted by Rhysida according to claims made on the ransomware group’s darknet leak site. The details of the attack were published on 22 August alongside documents the gang claim to have exfiltrated. The proof of claims documents included several passport scans and other identity documents. A 7-day deadline was posted, with a ransom sum of 10 BTC demanded.
- Malaysian transportation and logistics company Prasarana Malaysia Berhad confirmed that part of its internal systems had been compromised during a ransomware attack. The company is working with cybersecurity experts to investigate the incident and take mitigation measures. RansomHub claimed responsibility for the attack.
- Myelec Electrical Wholesalers in Australia was listed on new ransomware group Lynx’s dark web site this month. Lynx provided very little information of the nature of the incident or what data may be at risk. The group did however provide screenshots containing names, addresses and confidential information on its posting.
- Data breach notifications are being sent to 954,177 individuals following a ransomware attack on Young Consulting in April 2024. The company’s network was breached on April 10th, but the company only discovered it three days later when the attackers encrypted its systems. The investigation into the attack concluded in late June, revealing that information including names, SSNs, DOBs, and insurance claim information was compromised. BlackSuit claimed the attack on May 7, leaking the stolen data a few weeks later.
- All Parks Insurance was added to Meow’s victim list, with the gang claiming to have stolen 90GB of data. Information such as employee data and client information is among the data stolen from the Australian underwriting agency. The gang shared several stolen documents as evidence of the successful hack; these included policy details, commission prepayments, Greenslip policy details and a tax file number declaration form. Rather than making a ransom demand, Meow is selling the data outright, asking for $20,000 from one buyer or $10,000 from several.
- The U.S. Marshals Service denies its systems were breached by Hunters International following the cybercrime group’s claims. In a statement the USMS said it was aware of the allegations and that the materials posted by Hunters on the dark web do not appear to derive from a new or undisclosed attack. Within the dark web posting, Hunters did include a number of files, labelling them “gang files,” “confidential,” and “Top secret”.
- Australian not-for-profit community support service Meli confirmed that it had been hit with a cyberattack this month. The organization took steps to secure its system upon detection of the incident and partnered with leading forensic specialists and cybersecurity advisors to investigate what happened. Qilin took credit for the attack, claiming to have stolen 419,617 files totalling 215GB of data. The gang also shared 14 screenshots of documents and scans as proof of claims, including financial statements, confidentiality agreements and scans of several passports.
- The personal details of employees at UK poultry producer Banham Poultry were stolen in a recent cyberattack. The company disclosed that criminals had remotely accessed its IT systems in the early hours of August 18. The company immediately shut down its systems and engaged external forensic specialists when it became aware of an intrusion. RansomHub claimed the attack, allegedly stealing 50GB of data from the company.
- JAS Worldwide, a global freight forwarder, confirmed that it was targeted by a ransomware attack after experiencing technical disruptions, which impacted its ability to operate and service its customers. Systems were immediately secured, and an investigation was launched upon identification of the issue. It is not clear if any data was stolen during the incident and no ransomware group has yet stepped forward to claim the attack.
- Singapore firm Abecha, who runs Esso’s Corporate Fleet Discount Programme, emailed customers on August 28 to inform them of a cyberattack on its servers and customer database. Abecha swiftly shut down all affected servers and engaged experts to investigate the incident and advise on the security measures to undertake. A spokesperson from the company stated that there is no evidence that any data has been exfiltrated or extracted by the unauthorized third-party.
- Toronto District School Board (TDSB) recently confirmed that data belonging to students was involved in a ransomware attack in June. Information including names, school name, grade, email address, student number and DOB was compromised. TDSB has not disclosed the number of students involved in the breach. LockBit took credit for the attack, giving TDSB 13 days to pay an undisclosed ransom.
- Staff and tenants of Albyn Housing Society in Scotland have had their personal details leaked on the dark web following a ransomware attack. The organization originally stated that the incident was a “systems outage” which impacted some of the services it provides. At a later date, the incident was confirmed as a cyberattack, with the Chief Executive of the company revealing that teams were working around the clock to minimize the impact of the attack. RansomHub published 10GB of data belonging to the organization on August 17th.
- The Ministry of Education of Guatemala announced that it was working to fully restore the operations of its computer systems following a cyberattack in late August. Immediate action was taken following the discovery of the attack, with some computer applications suffering damage. The ministry stated that the sensitive data of students and personnel in the sector are safeguarded in the database. RansomHub has claimed the attack, but it is not clear at this time what data was stolen by the group.
September
We recorded 65 publicly disclosed attacks in September, making it the joint second highest month of the year so far. Healthcare was the highest targeted vertical, closely followed by education and government. RansomHub led the way claiming 17% of all attacks recorded, making it the second month this variant has been the highest performer. A few large organizations made ransomware news including Seattle-Tacoma International Airport, Kawasaki Motors and Kuwait Health Ministry.
Keep reading to find out who else made headlines in September:
- It has been confirmed that a malicious actor gained access to the Australian Cancer Research Foundation’s network via a compromised email account. ACRF employees received a fraudulent email which allowed hackers access to a number of email boxes. Possible information compromised includes contact details, donor IDs, payments history and other personal information. The ACRF could not confidently confirm that credit card and bank details were not accessed during the incident. At this time, it is not clear who was behind the attack and information belonging to the ACRF has not appeared on the dark web.
- Further information about an April ransomware attack on Keuka College has been made available. Suspicious activity within the school’s network environment was discovered, prompting steps to be taken to secure and restore impacted systems. A comprehensive investigation has now been completed but the findings could not determine whether personal information relating to current and former students, and employees was impacted by the incident. LockBit however claimed the attack back in May, adding several files as proof of claims. It appeared again on LockBit’s site in August but this time the threat actors leaked 148GB of data.
- The Sarawak Campus of Swinburne University of Technology confirmed that it had fallen victim to a ransomware attack in late August. The Malaysian campus took immediate action to contain the incident and alerted relevant government agencies. RansomHub took responsibility for the attack, claiming to have exfiltrated 366GB of data. There were a number of documents posted on its dark web site as proof of claims.
- Australian backpack manufacturer White Mountain Backpacks was targeted by Rhysida ransomware group. The group has demanded 10BTC, approximately $85,000, in exchange for an undisclosed amount of stolen data. The group set a 7-day deadline for the ransom payment and posted screenshots to support its claims. The organization has not yet publicly addressed the claims made by the ransomware group.
- Bank Rakyat in Malaysia “addressed a possible infringement” that may have involved customer information. According to a spokesperson, proactive measures allowed the financial institution to contain the potential data infringement. Although this statement was made, details on the incident remain vague. Hunters International ransomware group claimed the attack, allegedly exfiltrating 463.2GB of data.
- Rhysida is demanding $6 million in ransom for stolen data belonging to the Seattle-Tacoma International Airport. The attack disrupted ticketing, check-in kiosks and baggage handling within the airport. The FBI is conducting an investigation into the incident, but it has been reported that although the attacks were stopped, some data was encrypted. On Rhysida’s dark web post, eight files stolen from systems belonging to the Port of Seattle, operator of the airport, were included.
- Real Hospital Português, one of the largest private health units in Recife, Brazil, had no access to test results or care history following a cyberattack. The attack, which was discovered on August 29th, impacted a server linked to hospital administration and disrupted access to patient records and hospital security services. LockBit has taken credit for the attack, claiming to have information belonging to more than 70,000 patients in its possession along with other data relating to employees, contractors and investors.
- The third largest global hearing aid company, WS Audiology, experienced disruption to its IT systems in Australia, New Zealand and Singapore, following a network intrusion. Upon the discovery of unauthorized access, the organization took immediate steps to contain the attack and secure its systems. WS Audiology is yet to assess the full scope of the data breach or the financial repercussions. BlackSuit claimed the attack, with stolen data said to include PII and health information of patients alongside salary and bank account information of current and former employees.
- In Canada, Park N Fly notified customers of a data breach which involved information relating to 1 million individuals. Compromised data is said to include customer contact information, Aeroplan and CCA numbers. Park N Fly has confirmed that no financial information was accessed. According to RansomHub, which is allegedly responsible for the incident, negotiations between the two parties broke down, and the data is now being sold to a third party.
- Not-for-profit organization Planned Parenthood of Montana confirmed that it had been targeted by a cybersecurity incident in late August. Incident response plans were implemented, with portions of the network taken offline as a precautionary measure. An investigation is ongoing into the scope and impact of the attack. RansomHub took responsibility for the incident, allegedly stealing 93GB of data.
- Brussels-based software vendor Penbox was a ransomware victim, according to one of its customers. Belfius and DVV claim that data belonging to their clients was compromised during an attack on the third-party provider. The insurers are not clear how much information was stolen but claimed that Penbox should not have been in possession of their data as they no longer work together. Penbox, which works with over 400 insurance companies, has made a very vague comment addressing the claims, stating that its systems were compromised. KillSec is responsible for the attack.
- Performance Control Inc, an amplifier and motor drive manufacturer based in the US, fell victim to a ransomware attack at the hands of RansomHub. Details on this incident remain vague, with RansomHub claiming to have stolen 500GB of information. The organization has not yet publicly addressed these claims.
- RansomHub also claimed to have targeted Northern Ireland-based hospitality giant Galgorm Collection this month. Details on this attack are not clear, but it is believed that the ransomware group has 200GB of exfiltrated data in its possession.
- Reports suggest that Tosan, which provides IT services to 45% of Iran’s banks, was the victim of a ransomware attack orchestrated by IR Leaks. The organization is paying the hackers in instalments, with $156,000 already sent. It is believed that the organization will pay 3BTC per week until a total of 35BTC has been paid. Stolen data includes “complete details of several million bank customers.” The Iranian government is claiming that the hack never took place.
- An August cyberattack resulted in the exposure of sensitive information of almost 300,000 people linked to Avis. Investigations have determined that names and other personal information belonging to customers were accessed by hackers. It is not yet known who was behind the attack or if the threat actors demanded a ransom.
- In South London, Charles Darwin School was closed for a number of days following a cyberattack. A letter was sent out to parents stating that IT issues experienced by the school were “worse than hoped” and that ransomware was involved. All staff devices were removed to be cleaned but there is a potential that all information held by the school may have been accessed. A forensic investigation is ongoing and the school’s headteacher is making no further comments until it has been completed. BlackSuit claimed the attack, with its dark web post stating that 200GB of data including user data, business information, employee and student data, and financial information was stolen.
- It was recently disclosed that Canadian electronic payment gateway company Slim CD was made aware of suspicious activity in its computer environment back in June. The unauthorized access allowed hackers to view and obtain certain credit card information belonging to clients. It was reported that 1,693,000 individuals were impacted, with data including names, addresses and credit card information compromised. It is not known who is responsible for the attack.
- Highline Public Schools in Washington had to cancel classes for 3 days following the discovery of unauthorized activity on its technology systems. Critical systems were taken offline in an attempt to contain the attack and data analysis commenced. Further information relating to this attack is still unavailable and it is not known who was behind it.
- Spanish fashion company Tendam was faced with a ransom demand of $800,000 after falling victim to a ransomware attack this month. The hackers, Medusa ransomware group, claim to have stolen more than 720GB from the company’s server. Tendam confirmed the attack and stated that, although limited, the incident impacted activities.
- RansomHub listed BSG Australia as a victim this month, claiming to have successfully exfiltrated 79GB of data from the organization. The dark web posting does not contain much detail, only sharing a simple description of the company and three documents as proof of claims. Two of the documents relate to finance, with the third being a passport scan. RansomHub has not disclosed the ransom demand.
- Cultura, a popular retail brand with 110 stores in France, confirmed that some of its customers’ data had been breached following an attack on an IT service provider. Following a “malicious intrusion,” the company confirmed that 1.5 million customers had been impacted, with details such as names, phone numbers, email and postal addresses being compromised. It has been suggested that password and banking details were not involved in the breach.
- Electronics and home appliances retailer Boulanger fell victim to a cyberattack during which hackers accessed customers’ delivery addresses. A statement from the company suggests that the incident was quickly contained and that all affected customers have since been notified. No group has yet claimed the incident.
- The University of Genoa suffered a cyberattack at the hands of RansomHub, who claim to have stolen 18GB of material after targeting a mini-site of the Department of Mathematics. The threat actors gave the university thirteen days to pay the undisclosed ransom amount. At this time, it is not clear what type of information was stolen.
- In mid-September, Cameroon’s National Social Security Fund (CNPS) was the victim of a large-scale security breach orchestrated by SpaceBears. The attack could have potentially affected over 1.5 million individuals connected to the CNPS. According to the hackers, stolen data included employee and employer contribution information, details on social security beneficiaries, financial data and personal information, to name a few. The Director General of CNPS stated that the attack involved two CNPS employees who accidentally clicked on a malicious link. None of CNPS’ services were impacted by the attack.
- Reports suggest that Great Plains Regional Medical Center in Oklahoma was hit with a ransomware attack which locked the hospital’s computer systems. The hospital stated that although there was an outage in its EHR systems, it was still able to provide patient care. Reports state that the hospital has not yet fully assessed the extent of the incident. No ransomware group has claimed the attack to date.
- Hunters International ransomware group allegedly caused a breach at the London Branch of the Industrial and Commercial Bank of China (ICBC) this month. The group claimed to have exfiltrated over 5.2 million files, totalling 6.6TB of data. A deadline of September 13 was set to release all the data unless demands were met. ICBC has not publicly addressed the rumours.
- New Zealand accounting firm Bennett Currie suffered a data breach impacting nearly 1,000 of its customers. RansomHub took responsibility for the incident, claiming to have stolen 375GB of data. A 6-day deadline was set but no ransom demand was made public. The full set of data has now been published, containing details of nearly 1,000 of the firm’s customers. Folders for each of the customers listed contain emails, financial reports, tax and workpapers.
- Belgian clothing retailer Lolaliza confirmed that it was recently a victim of a cyberattack which potentially compromised customer, staff and employee information. The company said that external threat actors infiltrated its IT systems, accessing its databases. An investigation involving cybersecurity experts remains ongoing with the aim to restore normal operations as quickly as possible. BlackSuit claimed the attack, but it is not known what data was stolen during the incident.
- Nevada-based Riverside Resort & Casino stated that a data security incident it suffered earlier this year compromised the sensitive personal information of more than 50,000 individuals. The luxury resort identified suspicious activities in its internal network on July 25th, and immediately launched an investigation with assistance from external cybersecurity experts. Compromised data included names and other personal identifiers along with social security numbers of at least 55,155 individuals. Lynx ransomware group took credit for the attack, claiming to be in possession of confidential corporate data, sharing sample screenshots on the dark web.
- Kawasaki Motors Europe announced that it is recovering from a cyberattack that caused service disruptions across all of its country branches. The company stated that the attack targeted its EU headquarters and that it is currently analyzing and cleaning any “suspicious material” that may still be lurking on its systems. RansomHub claimed responsibility for the attack, adding the company to its extortion portal alongside claims of the theft of 487GB of data.
- In Long Island, an attack on the Brunswick Hospital Center was claimed by ThreeAM ransomware group. The inpatient treatment facility was posted on the threat actor’s dark web leak blog alongside text reading “files would be available soon.” The “published” section of the blog entry shows the amount of stolen files downloaded to the site as 0%. No other information about the incident is available, including how much or what type of sensitive data was stolen.
- New Hampshire-based healthcare provider Access Sports Medicine & Orthopaedics said it experienced a data security incident that compromised the sensitive personal information of 88,044 individuals. In May the organization identified suspicious activity in its internal network, immediately launching an investigation to determine the nature and scope of the incident. It was recently revealed that compromised data included names, SSNs, financial information, medical information and health insurance information. INC ransomware group claimed the attack; however, it is not known if the healthcare provider paid a ransom demand.
- Radio Geretsried, a local radio station in Germany, was left broadcasting music from emergency backups following a ransomware attack. Hackers encrypted all music files and demanded a large ransom from the station, causing disruption that lasted a number of days. It is not yet known who is behind the attack.
- In early September, The Physical Medicine & Rehabilitation Center posted a notice on its website about an incident in July that impacted patients at its New Jersey and New York locations. Protected health information was accessed by Meow as a result of the attack. PMRC involved law enforcement in an investigation. PMRC did not mention that threat actors not only accessed files but also exfiltrated 40GB of files containing PHI and PII. A ransom of $15,000 was set, but the organization refused to pay, leaving the threat actors to put the data up for sale.
- Azpired, a leading global outsourcing service provider based in the Philippines, was the victim of a significant breach orchestrated by Medusa. The ransomware group claimed to have exfiltrated 205.7GB of sensitive data from Azpired’s network including company records, HR files, financial documents and potentially client information. Screenshots of employee photos and various internal documents were shared as proof of claims. A ransom of $100,000 was set.
- Medusa has leaked more than 200GB of data stolen from Providence Public School Department in early September. On September 11, irregular activities were discovered within its internal network, with the district following proper security protocols to isolate the issue. An investigation, conducted with the assistance of external cybersecurity experts, initially found no evidence that any data was impacted. Medusa claimed the attack, saying that it was in possession of 201.4GB of data and demanding a $1 million ransom.
- Sydney-based food and support services company Compass Group suffered a significant attack during which 785.5GB of data was allegedly stolen from its systems. Medusa ransomware gang claimed the attack, giving the organization eight days to pay the $2 million ransom. Several documents including wage declarations, scans of passports and other internal documents were posted as proof of claims. Compass Group has acknowledged the presence of unauthorized access to its IT network on September 4th but has not yet verified what information was compromised.
- Malaysian pharmaceutical firm Duopharma Biotech Berhad was allegedly targeted by new ransomware group Valencia this month. Few details about this attack have been made public, with the ransomware group itself not giving any details of the attack on its dark web post except for declaring that it has 25.7GB of data in its possession.
- Satia Industries, an Indian paper manufacturer, was also named as a victim of Valencia ransomware gang. Similar to Duopharma Biotech there have been few details released relating to this attack and Satia Industries has not publicly addressed the claims. Valencia claims to have stolen 7.1GB of data from the organization.
- Globe Pharmaceuticals, a drug maker in Bangladesh, had sensitive information stolen from its network this month. 200MB of data, including dermatology product details, invoices and employee information such as salary information and insurance data, was exfiltrated by Valencia ransomware gang.
- Data belonging to the City of Pleasanton has been leaked on the dark web by new ransomware group Valencia. The gang claims to have stolen 304GB of data during a cyberattack earlier this month. PII, credit card information, company financial data, confidential company documents and other sensitive files were among the data stolen by the group. The Californian municipality is yet to publicly address the claims.
- e-File was targeted by LockBit for the second time in 18 months. The online tax filing platform was hit by LockBit in 2023 but has once again fallen victim to a ransomware attack at the hands of the notorious group. There is little information available about the incident, but the organization has been given fourteen days to pay an undisclosed ransom. It is not clear what information has allegedly been exfiltrated and e-File has not publicly responded to these claims.
- In California, River Delta Unified School District suffered a data security incident earlier this month which may have compromised sensitive information. Upon discovering suspicious activity on its internal networks in December, the school district launched an investigation into the nature and scope of the incident. Meow has claimed the attack with compromised data said to include personal information of students and employees. The school district has not commented on whether it was contacted by the threat actors or asked to pay a ransom.
- Fylde Coast Academy Trust in the UK fell victim to a cyberattack which compromised the organization’s IT infrastructure and severely limited system accessibility. The Blackpool-based education trust stated that it would take a few days to restore services, and that staff had reverted to non-IT based processes to carry out tasks. No ransomware group has yet taken responsibility for the incident.
- In New York, the Town of Ulster fell victim to a ransomware attack on September 11. It took more than one week to restore municipal computer services, with some still not completely operational. Some of the most critical departments hit included the water and sewage departments. Law enforcement and independent specialists were brought in to investigate the nature, scope and impact of the incident.
- Details of a July ransomware attack on Muskogee City County Enhanced 911 Trust Authority (MCC911) have been released, with those individuals potentially impacted being notified. Upon discovery of the incident, MCC911 immediately launched an investigation and took steps to contain the situation, which included taking certain systems offline. Threat actors accessed the network between April and July this year and exfiltrated data including information on anyone who received emergency medical services from 2011-2023.
- In August, 450 hotels belonging to the German Youth Hostel Association (DJH) suffered disruption after servers went down following a cyberattack. Invoicing and bookings weren’t working, and doors were not able to open due to key card programming faults, leading DJH to report the incident as a “serious technical fault.” Hunters International claimed the attack, allegedly stealing 23.9GB of data, and sharing screenshots as proof of claims. Information stolen includes PII, financial data and some customer information.
- Thirty-five libraries across the state of Delaware battled with IT issues caused by an attack that forced the computer systems and virtual server offline. Delaware Libraries reported an “extended system and internet outage” on its website. RansomHub took responsibility for the attack, demanding a ransom of $1 million in exchange for exfiltrated data. It is not clear exactly what information was stolen, but the proof of claims includes financial documents and a single folder containing more than 80,000 files totalling 56GB.
- In Kansas, 29,690 Franklin County residents were warned that their data may have been impacted by a May ransomware attack. The attack was discovered on May 20th, with the IT professionals responding promptly to the threat. Investigations determined that hackers had gained access to the county poll book records, but county investigators have found no indication that personal information has been released or sold on the dark web.
- MoneyGram International suffered disruption caused by a network outage in mid-September. The network outage impacted connectivity to a number of the company’s systems, causing issues for its users. Upon discovering the cybersecurity issue, an investigation was launched, and preventative steps were taken to address the issues. MoneyGram proactively took systems offline, which further compounded the connectivity issues. No further information on this attack has been made public and no ransomware group has stepped forward to claim responsibility.
- Staff at Lancaster Royal Grammar School spent the summer holidays rebuilding the entire IT system after a cyberattack forced them to shut it down. The attack, which took place on July 16, caused “pretty serious disruption” but none of the most sensitive systems were impacted. It is not known who was behind the attack, but the school has told news outlets that it did not interact with any ransomware groups or their demands.
- Entourage, the owner of yearbook software web platform Creator Studio Pro, suffered a ransomware attack which impacted 400 of its photography clients. One of the clients, Edge Imaging, reported that 3,500 photos of students taken by them were being held hostage as a result of the incident. A compromised username and password of one of its server accounts caused the breach of the Canadian AWS platform. No personal data was leaked but some metadata belonging to the images was available depending on the device the photo was uploaded from. It is not known who was behind the attack.
- AutoCanada has announced that sensitive employee data may have been compromised following a cyberattack in August. The cyberattack forced the organization to take some internal IT systems offline, causing disruption to certain services including customer service departments. An investigation is ongoing with AutoCanada still in the process of restoring and analyzing the encrypted server content. Hunters took credit for the attack, posting several terabytes of data as proof of claims. This data included databases, network storage images, confidential financial and HR documents, executive details, and employee records.
- Australian interior solutions supplier Nikpol suffered a data breach which resulted in 6GB of information being stolen by RansomHub. The threat actors didn’t provide much information on their dark web post, adding only a brief description of the company and noting the seven-day deadline. Compromised data is said to include internal documents, financial statements and a large amount of employee data.
- The City of Santee paid a ransomware consulting firm $603,000 to help address a cybersecurity incident in August. The incident caused an outage on the computer network that services administration offices for the city. There was no impact to any of the systems supporting emergency services. An investigation is still ongoing to determine whether any information may have been compromised and what triggered the security lapse.
- A cyberattack took down systems at several of Kuwait’s hospitals, along with the country’s Sahel healthcare app. Hackers got into Kuwait Health Ministry’s systems, forcing the organization to shut down certain systems to install necessary updates. Essential databases were not accessed, and the Ministry took initiatives to maintain basic and vital healthcare centers during the attack. Backups were used to restore systems at Kuwait Cancer Control Center and within offices that manage the national health insurance system. It is not clear who is responsible for this attack.
- The FBI and Homeland Security are investigating a ransomware attack on Arkansas City’s Water Treatment Facility. On September 22nd, water systems malfunctioned, and staff received a pop-up on their screens with a ransom note and an email address to contact. Following this, the facility contacted authorities and moved the water plant to manual control to ensure safe operations. No further details relating to this attack have been released.
- Siegfried’s Basement, a design services provider, has been hit with a proposed class action over a ransomware attack which happened earlier this year. On July 16, the company experienced an unauthorized cybersecurity incident on its network that compromised sensitive information belonging to current and former employees, employees’ beneficiaries, customers, and vendors.
- The Dallas suburb of Richardson required help from the FBI to resolve a ransomware attack earlier this month. Hackers gained access to government servers and attempted to encrypt files on the network. Automated security systems responded, limiting the impact, but internal access to city servers was still shut down as a precautionary measure. It is not clear what specific type of data was compromised, but officials suggest that there is no indication that sensitive data was breached.
- One of the largest hospitals in West Texas, University Medical Center Health System (UMC Health) was forced to divert ambulances and other emergency patients due to a ransomware attack. Most clinics remained open but were operating on downtime procedures, causing substantial delays. External experts were engaged to help the hospital navigate and resolve the incident. No ransomware group has come forward to claim the attack.
- The data services network at Richmond Community Schools was targeted by a ransomware attack on September 27th. Student and employee information that was housed in “PowerSchool” was breached, with the total amount of individuals impacted remaining unconfirmed. A spokesperson revealed that it could take a number of days to restore systems and return to normal operations.
- The world’s oldest news agency Agence France-Presse (AFP) reported that part of its delivery service was impacted by a ransomware attack. The company’s website suffered intermittent outages due to the incident, with many pages being routed to the “Under Maintenance” landing page. Technical teams are working on the incident with the support of relevant authorities. It is not clear if any data was accessed during the attack or if a ransom was demanded.
- Records such as property tax and vehicle owner registration stolen from Barbados Revenue Agency were up for sale on the dark web. 230GB of information was made available by a seller who also claimed to have a database containing 8 .xlsx files of personally identifiable information. Pryx ransomware group claimed that a monetary demand was emailed in exchange for deleting the data, but no response was received from the agency.
- Louisiana accounting firm Wright, Moore, DeHart, Dupuis and Hutchinson suffered a data security incident that compromised the personal information of 127,431 individuals. The firm noticed suspicious activity in its internal network and immediately launched an investigation. Personal information may have been affected but it is not clear at this stage what volume of data was compromised.
- Iranian hacker group Handala claimed to have breached the Soreq Nuclear Research Center allegedly stealing 197GB of data. The threat actors have not yet provided proof of their attack and have instead recycled old data to falsely claim the attack. Further information on this incident is not currently available.
October
With 77 publicly disclosed ransomware attacks, October takes the title for highest number of attacks recorded in 2024 so far. This marks a significant 20% rise compared to October 2023. Healthcare continued to top targeted verticals with 23% of attacks, with the services industry following closely behind. New ransomware gang Sarcoma made waves this month, joining RansomHub as the most active variants for the month.
Discover who made ransomware headlines in October:
- ThreeAM ransomware group added Masonic Care Tasmania (MCTas) to its victim list at the beginning of October, claiming to have exfiltrated 393,993 files of data, totalling over 198GB. Data allegedly included passports, credit reports, resumes, medical certificates, emails and Centrelink files. The aged-care organization, which now operates under the name Respect, has yet to release a public statement addressing the claims.
- Ashville Arthritis and Osteoporosis Center filed a data breach notice in September after discovering a recent data security incident had exposed patients’ personal information. Threat actors infiltrated the company’s network, gaining access to files and folders containing confidential information including names, addresses, DOBs, telephone numbers, SSNs and medical information.
- Oklahoma City Abstract & Title Co. posted on its Facebook page that it had been hit by a “cyberattack and ransomware.” The post stated that outside IT and attorneys were working on the case and that systems were to be restored soon. RansomHub claimed the attack, allegedly stealing around 480GB of data. A screenshot of a financial statement was among the files uploaded to the group’s dark web posting as proof of claims.
- Montreal-based video game developer Red Barrels experienced a significant cybersecurity breach at the hands of newly emerged ransomware group Nitrogen. The threat actors reportedly compromised 1.8TB of sensitive data including game source codes and confidential information. The developers, known for the Outlast series, confirmed the attack in a statement acknowledging that their internal systems had been targeted and that an investigation had been launched. Substantial delays were caused to development timelines, but community players were not directly impacted.
- In Michigan, Wayne County was forced to shut down all government websites and limit operations of several offices following a cyberattack. A county spokesperson confirmed that the attack had targeted “some of its internal systems” and that impacted services were transitioned to backup processes to maintain operations. An investigation involving the FBI and Michigan State Police is currently ongoing and at this time it remains unclear whether data was stolen and who was behind the attack.
- Ohio-based medical devices manufacturer PRC-Saltillo experienced a data security incident which compromised sensitive personal information belonging to more than 50,000 individuals. Suspicious activity was identified within the company’s internal networks in late August. An investigation was launched to determine the nature and scope of the incident. A review revealed that data including PII and PHI was accessed by the threat actors responsible. Fog ransomware group took credit for the attack, claiming to have exfiltrated 250GB of data.
- Comcast announced this month that data relating to 237,703 of its customers had been stolen during a cyberattack on a debt collection agency it was using. Financial Business and Consumer Solutions (FBCS) was compromised in February but told Comcast at the time that no data belonging to its customers had been impacted. In July, it came to light that data including PII and Comcast account numbers had in fact been stolen. FBCS has stated that more than 4 million people have had their records accessed during the attack. No ransomware group has publicly claimed the attack.
- Albany College of Pharmacy and Health Sciences confirmed a “network security incident” at the college in September. The college has released no further updates, but Medusa ransomware gang has since taken credit for the attack. Medusa issued the college with a $150,000 ransom and gave less than four days to pay it before data was shared. It is not clear how the college’s system was infiltrated or how many people have been impacted by the attack.
- No water or wastewater facilities were affected by the cyberattack on American Water Works in early October. The company’s “MyWater” account system was down, all appointments set up by customers were rescheduled and billing was paused until further notice. The portals were taken offline as a precautionary measure to contain the incident. Law enforcement was notified of the incident and cybersecurity experts were hired to “assist with containment and mitigation activities.”
- Kill ransomware gang leaked sensitive information belonging to ai on the dark web following a recent ransomware attack. The prominent wedding platform based in India discovered the breach on October 5th, but the exact attack timeline remains unknown. Compromised information includes personal and family details, employment and education records, medical data, government-issued identification, and financial records. The ransom demanded was not disclosed nor was any information relating to potential negotiations between the two parties.
- In Spain, technology company Arelance fell victim to a ransomware attack orchestrated by the Medusa ransomware group. The cybercriminal group, which claimed to have stolen sensitive information, demanded a ransom of $100,000 in exchange for not leaking the data. No further information relating to this attack is available at this time.
- 2TB of data was stolen by BianLian ransomware group as the result of a cyberattack on Israeli law firm Pearl Cohen. The firm experienced the cyberattack last month, with the full scope and significance of the breach remaining under investigation. The compromised data is said to include client information, employee details, technical and business data and email correspondence. A ransom amount has not been disclosed but reports have suggested that the firm refused to comply and had no intention of paying.
- Del Valle Independent School District notified the Texas AG of a data breach which impacted 5,214 Texans. PII and financial information were among the data types stolen during the incident. There was no notification of the breach on either the district’s website or social media pages. It is not known who is responsible for this attack.
- In Los Angeles, Vermilion Parish School District was forced to take its network offline during the investigation of a “potential compromise” of its systems. A spokesperson stated that an expert team was brought in to lead the inquiry and advise VPSS on next steps. It is thought that the attack was caught early, meaning that the disruption was limited. There are very few details of the attack publicly available.
- Home security giant ADT faced issues as threat actors used a compromised system belonging to a third-party business partner to access its systems. It is not known when the incident occurred, but the company noticed unauthorized activity on its computer network and discovered that threat actors had illegally accessed the network using compromised credentials. The user account was shut down and the business partner was notified of the incident. Employee data was encrypted, but ADT does not believe that any customer personal data was exfiltrated during the attack.
- Cactus ransomware gang added Corporate Job Bank to its leak site in October, claiming to have exfiltrated 65GB of data. Compromised information included PII, confidential corporate documents, internal correspondence, personal data of employees and executives, detailed project info, and customer records. The staffing and recruitment firm has not yet publicly acknowledged the claims made by the ransomware group.
- Japanese watchmaker Casio is aiming to have all systems restored by the end of November, following a cyberattack which rendered several systems unusable. The October 5th attack caused significant delays in the delivery of items requested for repair, and many items were backlogged. The Underground ransomware group claimed the attack, allegedly stealing 204.9GB of data and posting samples of the data on the dark web as proof of claims. It is believed that personal information of temporary and contract employees was exfiltrated along with employee information related to affiliated companies and business partners.
- A batch of 29 file samples was uploaded to Meow’s leak site this month following an attack on California’s Superior Court in Sonoma County. The group claims to have stolen a plethora of legal documents alongside employee and client information, payment documents, personal data, and criminal records. The amount of data allegedly totals 5GB. A ransom of $20,000 has been set for one buyer, with an offer of $10,000 if multiple buyers want to purchase the data.
- In West Australia, TPG Aged Care fell victim to a LockBit ransomware attack resulting in 65GB of data being stolen from the aged care provider’s network. Although the organization has not yet publicly addressed the claims, LockBit added several internal documents to its leak site as proof of claims. Strangely, all personal information in the internal documents had been redacted. The types of documents include letterheads, insurance documents, home care assessments, service plan details, and a scan of a driver’s license. A deadline of October 24th was set but a ransom demand was not made publicly available.
- Efforts remain ongoing to restore the Village of Niles’ computer systems following an attack earlier this year. The incident impacted 36 village systems, 17 of which directly impacted the general public. A report suggests that the village has already incurred $398,203 in costs for restoration and forensic investigation of the attack. Officials stated that a ransom demand had not been paid but declined to discuss what the amount was.
- Newly emerged ransomware group Sarcoma launched an attack on real estate company Suntrust Properties Inc. The ransomware group allegedly stole 1TB of data, including personal information and SQL databases. Multiple samples of data were leaked and included PRC IDs of employees and clients, government-issued IDs, signed legal documents and SQL databases. It is not clear if a ransom has been demanded by the group.
- R Laurence (CRL) confirmed that it had suffered a ransomware attack on October 1st which led to the disruption of certain systems on its network. Customers were unable to order online and the design and estimating services were down. Upon learning of the incident, action was taken to contain the outage and an investigation was launched. It is not clear at this time who was behind the attack or if any information was exfiltrated.
- Australian produce company Perfection Fresh was added to Sarcoma’s dark web leak site, with the group claiming to have stolen 690GB of data. A proof-of-hack was included in the post showing internal and confidential documents belonging to the company, but a ransom demand was not shared. Perfection Fresh confirmed that it had fallen victim to a cyberattack and stated that an investigation is underway.
- Sarcoma ransomware gang claimed to have exfiltrated 3.6GB of data from Sydney-based manufacturer The Plastic Bag Company. No ransom was disclosed but the group added several documents as proof of claims. These documents included several tax returns, wage details, insurance documents, and several passport scans. A spokesperson for the company confirmed that it had suffered an attack but declined to comment further on the incident.
- The websites of major government departments in Uttarakhand were temporarily unavailable due to a ransomware attack on the Uttarakhand Data Center. The IT Secretary ordered the shutdown of all services to mitigate potential losses. While 11 out of the 1,378 virtual machines in the data center were impacted, it is not immediately clear what, if any, data was lost during the attack. The state’s Information Technology Development Agency (ITDA) is working with officials to address the attack.
- Boston Children’s Health Physicians confirmed that it was the victim of a data breach in September that led to troves of sensitive information being stolen. Officials discovered multiple cases of unusual activity on the organization’s networks, shutting down systems to stop the incident from spreading further. An investigation revealed that threat actors removed files from the network which contained patient information. BianLian ransomware gang has since claimed responsibility for the attack.
- A legal notice was posted addressing a ransomware attack on Family Medical Center in Mount Airy in March 2023. The FBI and state officials were notified, and an investigation was launched to determine whether data had been compromised. The medical office paid the cybercriminals to return the encrypted files along with a decryption key to unlock them. Patients are now being assured that no data was compromised during the attack.
- Portugal’s Agency for Administrative Modernisation (AMA) was inaccessible to the public for a short time as the result of a ransomware attack. The attack had a substantial impact on various services including the application that allows access to the digital version of Citizen Cards. It is not clear who was behind the attack or if any data was accessed or exfiltrated during the incident.
- New Zealand-based accounting firm Advanced Accounting confirmed that it was a victim of a recent Sarcoma ransomware attack. The ransomware group claimed to have stolen 115GB of data from the firm, giving a 15-day deadline to pay an undisclosed ransom. A selection of documents including passport scans and financial documents was posted as proof of claims. A spokesperson from Advanced Accounting stated that the company is “mortified this happened” and that they are doing their best to get everything resolved.
- A post on Axis Health System’s website revealed that it had experienced a cyberattack which led to the patient portal being taken offline. Axis stated that it quickly followed its incident response protocol and launched an investigation into the incident. Rhysida ransomware group took credit for the attack, posting a ransom of 25BTC (approx. $1.5 million) to be paid within a 7-day deadline. It is not clear what type of data was allegedly stolen by the threat actors, but Axis has assured customers that it will notify them if data has been compromised.
- Leading French university Université Paris-Saclay suffered a significant data security incident which had a major impact on its digital services and internal servers. The August attack shut down the intranet and certain business applications. The university announced that threat actors responsible claim to have exfiltrated 1TB of data including 48 CVs, 47 transcripts, 47 recommendation letters, 6 diplomas, 44 certificates and 44 applications for Master’s level courses. The university did not name the cybercriminal group, but RansomHouse has recently taken responsibility.
- The UK data watchdog reprimanded Levales Solicitors LLP after hackers were able to access client details because of insufficient security measures. Unknown threat actors accessed the firm’s secure cloud-based server and later published data including PII on the dark web. 8,234 individuals were impacted by this incident.
- Lynx ransomware gang listed Funlab, an Australian entertainment company, on its leak site in mid-October. Lynx did not share how much data it exfiltrated nor its ransom demand, but did post several screenshots and documents as proof of claims. The data appears to have been hosted on a NAS service, and screenshots of file trees reveal folders called Payroll, Finance and Gsuite backup. Funlab confirmed the incident with a statement revealing some of its IT systems were impacted. It is believed that guest data was not accessed and that the “limited” information stolen relates to a small number of current and former employees.
- West Australian transport and logistics company Road Distribution Services was added to Sarcoma’s leak site alongside a selection of documents posted as evidence of the attack. The documents exfiltrated include a doctor’s referral for an employee and a client spreadsheet listing several large supermarket chains. No ransom was listed, but Sarcoma gave the organization a 12-day deadline to pay the undisclosed amount.
- India’s biggest health insurer Star Health received an email containing a ransom demand for $68,000 following a “targeted malicious cyberattack.” The stolen data allegedly totals 7.24TB and is said to include names, postal addresses, phone numbers, medical records and insurance claims. Star Health has sought the assistance of Indian cybersecurity authorities in its investigation. As the investigation is ongoing, no further information relating to this attack has been made public.
- ValueMax suffered a cybersecurity incident after the group’s IT servers were hit with a malware attack. The organization and external consultants took immediate and appropriate actions to identify and contain the incident to the affected servers. At this time, ValueMax is not aware of any external leakage of data but Lynx ransomware group has claimed responsibility.
- The Volkswagen Group issued a statement after 8Base ransomware group claimed to have stolen information from the carmaker’s systems. A spokesperson stated that “the incident is known” but that the IT infrastructure was not affected. The company has not shared any other information on the cyberattack. 8Base claims to have exfiltrated vast amounts of confidential information including accounting documents, personal data, employment contracts, and personnel files. The deadline for payment of the undisclosed ransom has passed but none of the stolen files have been made public to date.
- Rudraksha Multispeciality Hospital in Bhopal, India was attacked by Kill ransomware gang who threatened to release sensitive data within six days if a ransom is not paid. Although the amount of data allegedly stolen is unknown, compromised data is said to include names, addresses, contact information, financial details and other PII. Invoices were posted as a sample of evidence.
- Fog has claimed responsibility for an attack on the Central Pennsylvania Food Bank, allegedly stealing more than 20GB of files. Some files include client agreements, accounting and human resources information. Fog also claims it possesses “juicy files and information” including SSNs, passports, and driver’s licenses, although no samples were posted. The non-profit food bank is yet to publicly address these claims.
- The Jędrzejów district of Poland was hit with a cyberattack which led to the security of its residents’ personal information being compromised. The September attack saw threat actors break through security defenses and encrypt data including names, PESEL numbers, addresses and email addresses. Upon discovering the incident, a decision was made to disconnect access to the network immediately. RansomHub has since claimed the attack.
- Some employee data and sensitive corporate information was stolen during a ransomware attack targeting Japanese restaurant chain Saizeriya. The company said that personal data of its workers, as well as business partners and some job applicants, may have been compromised during the incident. An investigation is ongoing, meaning that the organization will not disclose details on the contents and amount of data possibly leaked. RansomHub has taken credit for the attack and claims to have stolen 23GB of data from Saizeriya.
- Rhysida claimed responsibility for a cyberattack on Henry County Schools in Tennessee. The ransomware group posted samples of confidential documents stolen during the attack. The district has not verified Rhysida’s claims but did post a notice relating to a cybersecurity issue on its website on August 26th. During the cyberattack, access to the internet and school platforms was limited to contain the incident.
- Hackers have allegedly stolen the “know your customer” data of more than 300,000 Fractal ID users. Stormous claimed the attack on its darknet leak site, stating that it had extracted over 10GB of data from the blockchain identity firm. Stolen data is said to include personal photos, bank statements, proof of address, and ETH/BTC addresses.
- Broadband and cable provider OzarksGo confirmed that it was a victim of a data security incident that forced it to take several systems offline this month. The company’s linear TV servers were targeted by the attack, leading to service disruptions for its users and causing OzarksGo to no longer offer the service to customers. Play ransomware group took credit for the attack, giving the company until October 19th to pay an undisclosed ransom amount. It is not clear what data has been stolen during the incident.
- DoctorsToYou had two data security incidents to address in October, as RansomHub claimed a ransomware attack and a researcher discovered a data leak. The New York-based healthcare provider was added to RansomHub’s leak site alongside several screenshots revealing PII and PHI. The threat actors did not disclose how much data they had exfiltrated nor whether a ransom was demanded. The listing was later removed from the leak site.
- Italian fashion company the Teddy Group fell victim to a ransomware attack during which hackers encrypted files contained on the company’s servers. Impacted systems were isolated, containing the incident and “preventing data loss.” The cyberattack caused disruption to online sales and logistics at the distribution center. However, BlackSuit, which took responsibility for the attack, claimed to have exfiltrated 1TB of data including user, business and employee data alongside other file types.
- Grupo Aeroportuario del Centro Norte, an operator of thirteen airports in Mexico, was forced to turn to backup systems in an effort to continue running airports in the wake of a cyberattack. The group launched an investigation to determine the nature and scope of the incident, but at this time it appears that there has been no material adverse impact to the company. RansomHub claimed to be responsible for the attack, threatening to leak 3TB of stolen data if an undisclosed ransom was not paid.
- Calgary Library suffered “significant service disruption” due to a cyberattack this month, causing disruption to book returns and all technology and digital services. Service issues continued for a number of days following the attack. It is not yet known who is behind the attack or if any data was stolen during the incident.
- Malaysian pharmacy chain Big Pharmacy was targeted by a RansomHub ransomware attack. Reports suggest that 50GB of information including clinical laboratory reports, medical certificates, prescriptions and invoices was stolen from the organization’s database. The ransom demand remains unknown, and it is not clear if data has been leaked now that the deadline of October 22nd has passed.
- Sensitive personal information of 468,344 individuals was compromised following a ransomware attack on Omni Family Health. In a notice posted on its website, the California-based healthcare provider said that in August it became aware of claims that information was taken from its internal network and posted on the dark web. An investigation was immediately launched to determine whether it had been breached and what the impact of the cyberattack was. PHI and PII were among the information breached. Hunters International took responsibility for the attack, claiming to be in possession of 2.7TB of information. The leak suggests that a failed ransom negotiation took place.
- Letters were sent out to Birth Choice of San Marcos patients who were impacted by a breach of National Diagnostic Imaging (NDI) earlier this year. NDI revealed that it had been the victim of unauthorized access between February 19th and March 27th this year. On October 15th Birth Choice of San Marcos was provided with the results of the data breach review that identified who was affected, the type of information, and the contact information to notify the patients. At this time, it is not clear exactly how many patients have been impacted.
- Prominent US-based online vet service AskVet was announced as a victim on Kill ransomware group’s social media this month. The threat actors are claiming to have exfiltrated a substantial amount of sensitive data from the company. Compromised information allegedly includes names, addresses, email addresses, and detailed pet medical histories.
- S insurance company Globe Life stated that unknown cybercriminals have demanded a ransom payment in exchange for not publishing sensitive personal and healthcare information stolen during a cyberattack. Upon receiving the ransom demand, Globe Life immediately launched an investigation to determine the nature and scope of the incident. Based on the investigation it is believed that the customers and leads accessed can be traced back to American Income Life Insurance, a subsidiary of the company. It is believed that approximately 5,000 individuals have been impacted by this incident.
- Berufsbildungszentrum (BBZ), a German-speaking education institution in Switzerland, became the victim of a ransomware attack in early October. Cybercriminals blocked access to several systems and demanded a ransom, using encryption malware on BBZ servers. Access was initially gained through a “security gap in the firewall.” Officials are continuing to investigate whether any personal information was stolen in the attack.
- Fog ransomware group added Ultra Tune to its dark web site, claiming to have exfiltrated 3GB of data from the company’s systems. According to the claims, personal employee data, customer contact data, and databases with internal information were taken during the attack. The Australian mechanic and roadside assistance franchise is yet to publicly address the claims made.
- Black Suit claims to have breached Kansas City Hospice, a non-profit organization in the Kansas City area, but has not provided any further details on the attack on its leak site. The organization identified unusual activity on its IT systems and immediately launched an investigation to understand the extent and scope of the activity. Some systems were disrupted by the incident, but no patient care was impacted.
- Germany-based industrial company Schumag AG was targeted by a cyberattack in September, which it initially put down to “technical difficulties.” The attack resulted in unexpected production losses, delays in revenues and cost burdens. 8Base claimed the attack, stating that it has captured personal data, employee contracts, invoices, accounting documents, and “a large amount of confidential information.”
- Pheim Unit Trusts Berhad (PUTB) added a statement to its website informing customers that it was involved in a ransomware attack orchestrated by Sarcoma. Sarcoma’s post on the dark web claims that the group has clients’ sensitive data in its possession. Upon discovering the breach, all affected servers were disconnected from the network in an effort to contain the threat.
- Paraguay’s Ministry of Education and Culture (MEC) announced that it had experienced issues in its data center, forcing online services offline for hours. An unknown threat actor demanded a ransom of 15BTC but it is not clear if this was in exchange for data or a decryption key.
- Ransomware gang Everest took credit for an attack on Country Inn & Suites by Radisson which resulted in the compromise of thousands of clients’ personal information. Data allegedly stolen from the hotel subsidiary includes credit card information, billing details, internal emails, messages, incidents and calendar details of previous and upcoming bookings. A sample of files was added as proof of claims. Everest has not demanded a ransom publicly but has set a 10-day countdown for negotiations.
- Smile Design Management, a network of dental care offices in Florida, confirmed that a recent cyberattack had resulted in an unauthorized third party being able to gain access to consumers’ sensitive information. After discovering the incident in February this year, Smile Design enlisted third-party cybersecurity experts to assist with an investigation and a review of the compromised data. It is not clear who was behind the attack.
- RansomHub claimed responsibility for an attack on Cardiology of Virginia, allegedly stealing 1TB of data from the healthcare provider. The ransomware group leaked the stolen data which included a file listing, YouTube video and other files. Cardiology of Virginia has not publicly acknowledged the attack or data leak.
- In Fort Wayne, Indiana, staffing company Leaders Staffing revealed that a data security incident earlier this year compromised the sensitive personal information of more than 50,000 individuals. After investigating the January attack, it was determined that certain files were potentially accessed by threat actors who accessed the network. Play ransomware group took credit back in February, claiming to be in possession of confidential company data including client documents, budgets, IDs, payroll, taxes, financial data, and more.
- Autobell, one of the largest car wash networks in the US, fell victim to a “network security incident” earlier this year, leading to over 52,000 individuals’ data being exposed. An investigation revealed that hackers had been roaming its systems for six days in early April. Information compromised by the attack included names, addresses, driver’s license numbers, passport numbers and other confidential information. Medusa took responsibility for the attack claiming to have exfiltrated 183.3GB of data.
- A sophisticated phishing attack led to the compromise of an employee laptop at cryptocurrency payment processor Transak. The compromised credentials led to threat actors gaining unauthorized access to the company’s internal network, including specific user information. Compromised data included the PII of 92,554 users. Stormous claimed the attack, with its dark web post stating that 300GB of data was stolen during the incident.
- Rhysida ransomware group targeted Easterseals, a prominent nonprofit dedicated to supporting disabled individuals. The organization has not commented publicly on the attack, but did file a breach notification in April revealing it had experienced a significant network disruption. An investigation into the attack uncovered unauthorized access to sensitive information impacting 14,855 individuals. Rhysida demanded $1.3 million in ransom from the organization.
- Reports suggest that Everest ransomware gang claimed Aspen Healthcare Services as a victim this month. The group alleged that it had successfully breached the healthcare provider’s systems, exfiltrating over 1,500 medical records. A ransom deadline of November 9th has been set, but the ransom amount has not been disclosed.
- Bangalore-based proptech company NoBroker has been claimed as a victim by Kill ransomware group. According to the dark web posting, compromised data includes a range of PII and PAN numbers, financial data and legal agreements. A ransom of $50,000 has been set. NoBroker has yet to publicly address these claims.
- ThreeAM added Carolina Arthritis to its leak site on October 24th alongside a number of screenshots as proof of claims. Reports suggest that during the attack, ThreeAM encrypted the medical practice’s files. Although it is not known how much data was exfiltrated, the types of data compromised include PII, medical histories, medical records and test results, internal business records, and employee information. According to some news outlets, negotiations between the two parties occurred but were deemed “a waste of time” by the threat actors after delay tactics and insufficient monetary offers were used by the healthcare provider. All data has since been leaked by ThreeAM.
- OnePoint Patient Care revealed that 795,916 patients had been impacted by an August ransomware attack. The healthcare provider issued a separate statement on its website indicating that the incident had no impact on its operations. INC took credit for the attack in September, claiming to have encrypted the hospice dispensing pharmacy and pharmacy management service’s files. Not long after the post on its dark web site was published, all of the stolen data was leaked.
- The District 5 City Hall of Bucharest announced that it has been the victim of a cyberattack which targeted its servers. The telephone switchboard was impacted by the attack, but according to reports no departments were affected. A message from the attackers appeared on the servers’ screens, demanding a $5 million ransom. The mayor of the district stated that he would not pay the amount demanded by the “cyber terrorists.” No ransomware group has yet come forward to claim the attack.
- In mid-October, Meow Leaks added The Eye Clinic Surgicenter to its leak site, claiming to have stolen 59GB of files. The ransomware group demanded $50,000 for an exclusive sale or $25,000 for non-exclusive purchase and included a number of files as proof of purchase on the post. The data pack allegedly included employee data, patient data and internal documents. Black Suit also added the same organization to its leak site in June, claiming to be in possession of 52GB of data. The healthcare provider has not publicly addressed either ransomware group’s claims.
- Polish IT services provider Atende rejected ransom demands made by threat actors, leading to a total of 1.2TB of data being leaked. The company announced on October 4th that hackers had accessed its IT infrastructure without authorization and had stolen data belonging to employees and customers. Data leaked contains scans of contracts, email archives, documents containing sensitive information and login data, among other things.
- Interbank, one of Peru’s leading financial institutions, confirmed a data breach following a ransomware attack. Customers reported that the bank’s mobile app and online platforms were unavailable for some time, but most channels are now operational again. The bank itself has not yet disclosed the exact number of customers whose data was stolen. On several hacking forums, threat actors claim to have information on more than 3 million customers, totalling 3.7TB of data.
- Australian steel fabricator Meshworks suffered a ransomware attack at the hands of Sarcoma. The ransomware group’s dark web leak site shows that 8GB of files were exfiltrated during the attack. A sample of stolen data appears to contain a number of business documents and some employee data. Meshworks is yet to publicly address these claims.
- Rumpke is continuing to investigate a cyberattack which occurred on Friday Oct 25th. Hunters ransomware group took responsibility for the attack, claiming to have exfiltrated 3.3TB of data. The organization has confirmed the attack, stating that it is collaborating with forensic experts to further investigate the incident.
- Six months after an employee opened a phishing email from Medusa ransomware gang, Summit Pathology Laboratories is notifying more than 1.8 million patients impacted by the ransomware attack. The lab stated that IT systems affected contained demographic and healthcare information. This breach is one of the largest reported by a medical testing lab and has already resulted in eight proposed federal class action lawsuits being filed in one week.