Ransomware cyberattacks are a big business, so big in fact, that research anticipates a business is attacked by a cybercriminal every 11 seconds and damage costs from these attacks will hit around $20 billion by 2021.
We’ve been keeping track of key trends and myths in the sector in our annual State of Ransomware report, with detailed breakdowns for 2020, 2021, 2022 and 2023.
In 2020, we tracked the publicized ransomware cyberattacks each month to shar with you via this blog. We have also published our 2021 ransomware statistics.
Learn more about how BlackFog protects enterprises from the threats posed by ransomware.
Ransomware Attacks by Industry
Ransomware Attacks by Country
Ransomware Attacks by Month
January
Starting with January, let’s look back at some of the attacks that occurred around the globe.
- Hackers celebrated the last New Year’s Eve of the decade with an attack on Travelex, taking down it’s websites across 30 countries and causing chaos for foreign exchange transactions worldwide during the month of January. The ransom was rumoured to be the sum of $6M.
- Next we head to the Middle East where Oman’s largest insurance company was hit by a ransomware attack causing data loss but no publicized monetary loss.
- To the United States next where Richmond Community Schools in Michigan had to postpone opening after the Christmas break when hackers demanded $10K in Bitcoin to restore access to the server.
- Another US city and another school, as this time students in the Pittsburgh Unified School District of Pennsylvania were left without internet access after a ransomware attack disabled the district’s network systems during the festive break.
- Next we move on to Florida where patients of a medical practice in Miramar reported that they received ransom demands from a cybercriminal threatening to release their private medical data unless a ransom was paid.
- Back to the education sector again as the Panama-Buena Vista School District in California experienced a ransomware attack that caused a technology and phone outage at multiple schools. While the school was working with the FBI regarding the attack, they let parents and students know that they couldn’t access any grades so report cards would be delayed.
- Moving on to the small town of Colonie in New York where cybercriminals hacked into the computer system and demanded $400K in Bitcoin cryptocurrency to unlock it.
- Next up is a synagogue in New Jersey who fell victim to a cyberattack and a ransom demand of around $500K.
- Next we are back to Florida where 600 computers were taken offline after a cyberattack at Volusia County Public Library.
- Back to Europe now where the hackers responsible for the Travelex shut down target the German car parts company Gedia. The group used two Russian-speaking underground forums on the Dark Web to threaten to publish 50GB of sensitive data, including blueprints and employees’ and clients’ details, unless Gedia agreed to pay a ransom.
- France is next as the Bouygues construction company was paralysed by a major cyberattack affecting the entire computer network and shutting down all of the company’s servers. A ransom of €10M was requested by the cybercriminals.
- Back the United States now where Electronic Warfare Associates (EWA), a 40-year-old electronics company and a well-known US government contractor suffered a ransomware infection.
- Up next is Oregon, where all of the computer systems for Tillamook County went down. Despite early thoughts that the outages were a technical issue it was later confirmed they suffered a ransomware attack.
- Lastly we head to the City of Racine in Wisconsin where a ransomware attack caused the city’s website, email, voicemail, and payments systems to be knocked offline.
February
February saw the same amount of reported attacks with almost 60% of attacks occurring in the education and public sector verticals. Here’s a roundup of the ransomware attacks we have been tracking.
- The first attack of the new month was reported in Baton Rouge Louisiana on Feb 3rd when ITI Technical College became the victim of a cyberattack via a phishing email sent at the end of January.
- Next up, another school to report as Scotland’s Dundee and Angus College was hit with what they described as a cyber-bomb which took down their entire IT system.
- Deliveries across Australia were stranded in the next reported attack as logistics company Toll Group confirmed they had to shut down their systems because of ransomware.
- Over to the United States now, this time it’s the North Miami Beach Police Department who reported they had become a victim of ransomware.
- Back to the education sector where this time it’s two Texas schools in the same district who were affected. The city of Garrison managed to make a quick recovery but the Nacogdoches Independent School District faced more of a struggle to rebound from the attack.
- To England next where a ransomware attack on Redcar Council forced staff back to pen and paper and 35,000 UK residents were without online public services.
- Next up was a Valentine’s Day cyberattack on INA Group, Croatia’s biggest oil company and its largest petrol station chain. The suspected ransomware attack had a crippling effect on business operations.
- Staying in Europe, the next attack occurred in Denmark where facilities firm ISS World was crippled by a ransomware attack that left hundreds of thousands of employees without access to their systems or email.
- Another US school district is up next, this time it’s The South Adams Schools district in Indiana where an overnight ransomware attack affected all of the schools IT systems.
- The education sector is up again as the Gadsden Independent School District in Alabama suffered a ransomware attack that managed to take down all of their internet and communications systems across all of its 24 school sites.
- Back to Texas again where La Salle County confirmed a ransomware demand was responsible for its ongoing technology issues.
- Jordan Health in New York State, a non-profit organization that operates 9 health centres in Rochester and Canandaigua was the next to suffer at the hands of cybercriminals when they reported a ransomware attack had shut down all of their IT systems.
- Back to Australia for the next incident. This time ransomware affected the Australian wool industry when sales were stopped by a ransomware attack at wool industry software company Talman.
- Closing a month of reported cyberattacks we are back in Kansas where legal services giant Epiq Global reported they had suffered a ransomware attack on the last day of the month. The attack affected the organization’s entire fleet of computers across its 80 global offices.
March
March’s numbers were on par with the first two months of the year with attackers still focusing on the education and public sector verticals. Here’s a roundup of what we uncovered for the month.
- The first ransomware attack of the month took place on March 2nd in La Salle County in Illinois where a cyberattack affected around 200 computers and 40 servers in the county government.
- On the same day hackers targeted Visser, a parts manufacturer for Tesla based in Colorado. Security researchers say the attack was caused by the DoppelPaymer ransomware, a new kind of file-encrypting malware which first exfiltrates the company’s data.
- On the same day it was revealed that the provincial government in P.E.I. Canada suffered a data breach when internal government documents were posted online following a ransomware attack.
- Next up is Missouri where Three Rivers College were forced to cancel almost all of their classes following a ransomware attack.
- California based defense contractor CPI was the next company to reveal they had been knocked offline by a ransomware attack. Sources say the company who makes components for military devices and equipment paid a ransom of about $500,000 after an attack in January but they were not yet operational.
- Next, we learned that EVRAZ, owned by Roman Abramovich and one of the world’s largest steel manufacturers, suffered a Ryuk ransomware infection that managed to take down its North American branches.
- Durham city was the next target when a Ryuk ransomware attack affected everything from the police to fire services. The county government services were also taken offline when 80 servers were impacted by the attack.
- The Fort Worth Independent School District in Texas was the next to fall victim after a string of cyberattacks took place across several Texas school districts in 2019.
- Next to be hit was the Champaign-Urbana Public Health District in Illinois. Their website was taken down by the NetWalker ransomware attack, hampering the organization’s response efforts amid the Coronavirus pandemic.
- The next attack takes us to the UK where cybercriminals hit London based Hammersmith Medical Research firm who were on standby to carry out trials of a possible future vaccine for the Covid-19 coronavirus.
- Another London based company was the next victim of the month. Finastra, a fintech firm that provides technology solutions to banks were forced to shut down their key systems globally after detecting a cyberattack.
- Next up Connecticut based medical and military contractor Kimchuk who announced they were hit by DoppelPaymer, a newer strain of ransomware that exfiltrates data out of an infected network before encrypting user files.
- Over to Missouri next where TI Power Systems, a supplier of the energy company Ameren Missouri was hit by a ransomware attack that allowed the malicious actors behind the attack to steal information from the firm.
- Finally, we end a month of attacks in South Carolina where Bluffton Fire and Rescue was the next in a long line of government entities in the state to be compromised by cyberattacks in recent months.
April
April had a slow start and it initially seemed that cyberattacks were on a downward trend for the month. But things picked up mid-month starting with a major attack in Portugal. Here’s a roundup of what we uncovered.
- Portuguese Energy giant Energias de Portugal (EDP) were the first to report they had been a victim of a major attack when cybercriminals held them to ransom for a massive 9.9 million Euros!
- On the same day in Canada, the Law Society of Manitoba revealed that two un-named law firms in the province had been locked out of their computer systems after they were infected with ransomware.
- Up next is the small city of Olean in New York. Few details were released but we know that a ransomware attack shut down all of the computers at the Olean Municipal Building.
- Next up was a Maze ransomware attack on information technologies services giant Cognizant . The New Jersey headquartered organization is one of the largest IT managed services company in the world with close to 300,000 employees and over $15 billion in revenue.
- Over to Denmark now where Agribusiness group Danish Agro, were the target of a ransomware attack on Sunday, April 19.
- Colorado-based Parkview Medical Center reported that their technology infrastructure was hit with a ransomware attack on April 21, causing a number of IT network outages amid the battle with Covid-19.
- Next is the City of Torrance in the Los Angeles metropolitan area who was allegedly attacked by DoppelPaymer Ransomware. The attackers demanded a 100 bitcoin ($689,147) ransom for a decryptor, to take down files that have been publicly leaked, and to not release more stolen files.
- Back to Canada next where accounting firm MNP were hit by a cyberattack which forced a company-wide shutdown of its computer systems.
- Next it was reported by the Architects Journal that a hacker had accessed the servers of Zaha Hadid Architects in London and had stolen confidential information in an attempt to extort money from the firm.
- CivicSmart, a Milwaukee, USA based company known for its parking meter technology was the next victim of a ransomware attack that exposed internal files in an attempt to elicit a ransom payment.
- Next up, Pennsylvania headquartered pharmaceutical giant ExecuPharm revealed that ransomware attackers had recently encrypted its servers and had stolen corporate and employee data.
- The final reported attack of the month takes us back to Canada, where the website and email services of the Northwest Territories Power Corporation were shut down after they received a ransomware message from unknown hackers.
May
May was a busy month for cybercriminals with 20 ransomware incidents reported. This month’s ransomware attacks took us around the globe from Taiwan to Texas, here’s a look at what we found.
- On May 5 Toll Group revealed it had found itself at the mercy of cybercriminals for the second time this year. The incident was unrelated to their previous attack in February and was thought to be a relatively new form of ransomware known as Nefilim.
- Taiwan’s state-owned energy company CPC Corp was the next victim. Luckily the attack didn’t affect any energy production, but it did cause some disruption for customers attempting to purchase gas.
- Up next was Fresenius in Germany, Europe’s largest private hospital operator. The company who employ around 300,000 people across more than 100 countries confirmed that a cyberattack had affected every part of the company’s operations around the globe.
- Germany again for the next attack on May 7 Ruhr University Bochum were forced to shut down large parts of their central IT infrastructure, including their backup systems after a ransomware attack occurred overnight.
- Moving to the US now for what was likely the most publicized attack of the month. Grubman Shire Meiselas & Sacks, a NYC law firm with a host of celebrity clients including Elton John, Robert DeNiro and Madonna were a victim of REvil ransomware used to steal the personal information of celebrity clients. Hackers threatened to expose nearly 1TB of private celebrity data unless a ransom was paid in Bitcoin.
- Swiss Rail construction firm Stadler was the next victim. The company disclosed that hackers had threatened to publish sensitive data to harm the firm and its employees if the large ransom was unpaid.
- The seventh attack of the month goes to another repeat victim. Pitney Bowes disclosed that they had been hit by Maze ransomware less than a year after they were hit by a similar attack. The group behind Maze specializes in double extortion, an attack that increases pressure on its victims to pay by threatening to release important data in addition to encrypting systems.
- Elexon, the organization that helps balance and settle the UK’s electricity market was attacked by hackers using the REvil/Sodinokibi ransomware on May 11. Sensitive internal data was stolen in the attack with some posted on the Dark Web to pressure the organization into making the ransom payment.
- Back the US now where the Office of Court Administration in Texas revealed that a ransomware attack was launched against its court system. It’s thought that no sensitive data was stolen, and at the time of writing they insisted that no ransom would be paid.
- Staying in the US, the next attack takes us to Ohio where Diebold Nixdorf, a major provider ATMs and payment technology, disclosed that a ransomware attack had disrupted some of their operations. The company said the hackers didn’t affect the ATMs or customer networks and that the intrusion only affected its corporate network.
- Magellan Health, a major US healthcare provider based in Phoenix, Arizona found themselves a victim of ransomware after falling for a phishing email that appeared to be from a client. The hackers proceeded to exfiltrate records containing personal information before launching ransomware to encrypt files.
- Back to Australia, where this time it was BlueScope Steel who suffered IT disruption that impacted production across its global operations. The ransomware incident was thought to be caused by employees opening contaminated email attachments.
- The next attack takes us to the UK where Bam Construct, a firm that had recently delivered Nightingale Hospitals for the NHS during the Covid-19 crisis had fallen victim to a ransomware attack. The company said that the business “stood up well” after the incident despite being forced to take services offline to mitigate the attack.
- Up next was the Texas Department of Transportation who revealed they has been hit by ransomware just days after the state’s judiciary system suffered the same fate. It appears that Texas is becoming a popular destination for cybercriminals as 22 local governments were targeted by ransomware in a single attack in 2019.
- Anglo-Eastern, one of the largest ship managers based in Hong Kong was hit with a ransomware attack on May 18. The incident was quickly contained, and it was reported that no data was lost.
- Over to New South Wales next where retailer In Sport’s head office hit by ransomware. The firm was unable to confirm what data had been accessed but they revealed that the attackers used REvil/Sodinokibi ransomware.
- Staying in Australia, this time it was customer experience firm Stellar who appeared to have taken a hit from a group of attackers using NetWalker ransomware. Images of data stolen from the company were posted on the Dark Web and according to a countdown timer on the site, the company had just over six days to respond to the hacker’s ransom demands.
- The next incident takes us to Halifax in Canada where the Northwest Atlantic Fisheries Organization (NAFO), an intergovernmental organization that manages fish stocks in international waters in the northwest Atlantic Ocean, was hit by a ransomware attack. The organization who counts a dozen countries as members, including Japan, Norway, Canada, the European Union, and Russia admitted the attack had locked them out of their data systems and knocked their website offline in a letter to stakeholders.
- Back to the US again where this time it’s Michigan State University . The operators of the NetWalker ransomware gang reportedly gave MSU officials seven days to pay the ransom before they planned to leak the stolen university files.
- IT Services Giant Conduent disclosed that a ransomware attack had affected it European operations and although customer data had hit the Dark Web, they had managed to restore their systems in 8 hours.
- We close out the month in Austria where a NetWalker ransomware attack was launched against the city of Weiz. The attack affected the public service system and leaked some of the stolen data from building applications and inspections.
June
Ransomware attacks surged again in the month of June with Covid-19 related phishing techniques still proving popular with cybercriminals. Notable attacks include Honda, who had their European operations significantly affected, and the University of California who reportedly paid $1.14 million to recover academic data related to its Covid-19 research. Here is a roundup of the incidents we uncovered.
- We start the month in South Africa with telecoms firm Telkom SA SOC Ltd. We found limited coverage of the incident, but it was reported that the attack led to outages across several systems with remote staff unable to connect to the servers or VPN.
- Up next is Columbia College in Chicago who were attacked just one week after Michigan State University. On the Netwalker blog the cybercriminals claimed to have exfiltrated very highly- sensitive data during the attack.
- Hackers continued their spree on US colleges when they hit the University of California on the same day. Important Covid-19 research was encrypted during the attack and it was later disclosed that the school paid out $1.14 million to recover the data.
- The City of Florence in Alabama became the next victim on June 5 when a cyberattack shut down the city’s email system. The city reportedly paid over $250K to recover the encrypted data.
- The next attack took place at VT San Antonio Aerospace, the US subsidiary of ST Engineering Aerospace in Singapore. The ransomware attack resulted in the exposure of confidential company data including government contracts.
- Automotive giant Honda suffered a Snake ransomware attack which targeted its offices in the United States, Europe and Japan. The attack forced many offices to shut down in what was likely the most publicized ransomware incident of the month.
- Earlier in the month Australian beverage giant Lion disclosed they had been the victim of a cyberattack, they later confirmed it was ransomware. The company’s data was said to be available on the Dark Web but at the time of writing the company said they did not have any evidence of data being exfiltrated.
- Over to New Mexico next where nuclear missile contractor Westech International was the victim of a Maze ransomware attack. Hackers were able to access sensitive employee information, but it is still unconfirmed whether any classified military information was accessed.
- Next up is Norwegian shipbuilder Vard, Europe’s first attack of the month. Local reports indicate that company servers were hit with an encryption attack which led to disruption and downtime. The overall extent of the damage has not yet been disclosed.
- Fisher and Paykel, a white-goods manufacturer based in New Zealand disclosed they had been targeted by Nefilim ransomware. Although the attack was quickly identified, the hackers did disclose an initial leak of the company’s corporate files on the Dark Web.
- Up next was New York company Threadstone Advisors, a mergers and acquisitions firm whose client list includes Victoria Beckham. The Maze ransomware gang insisted that they had exfiltrated and encrypted sensitive company data.
- An overnight attack hit the City of Knoxville in Tennessee. Fortunately emergency services were not affected in the attack, but by the time it was noticed by the IT department the ransomware had already encrypted multiple systems. Knoxville joins a list of other targeted cities, including Atlanta, Baltimore, Denver and New Orleans.
- Back to Europe now where this time it was European energy giant Enel Group. The incident was the work of the Snake ransomware group who were also responsible for the attack at Honda earlier in the month.
- Rhode Island-based Care New England (CNE) was victim of a cyberattack that hit its servers on June 16. The suspected ransomware attack forced the shutdown of its website and other internal systems.
- Up next is Florida based ConnectWise who hit the headlines when it was revealed that their partners were hit by ransomware through a software flaw in their platform.
- Electronics giant LG is reportedly being threatened by the Maze ransomware gang, however at the time of writing no official statement had been issued by the company.
- Closing out the month is another suspected attack on car giant Mitsubishi. The Doppelpaymer gang are allegedly threatening to leak data from the organization, although at the time of writing there has been no official statement from the company.
July
July was quiet in comparison to other months this year with only 12 ransomware attacks making the list. Although the number of reported attacks was lower for the month, news of the incident at Blackbaud, the cloud computing provider that serves non-profits, foundations, corporations, educational, healthcare, and religious organizations, dominated the headlines as hundreds of their customers were affected by cyberattacks and breaches due to the major ransomware attack that occurred at Blackbaud in May.
- We’ll start the month with Blackbaud. The incident was reported late in July but it has been revealed that the actual ransomware attack occurred in May. At time of writing we don’t know the full extent of the organizations impacted, but reports say the list currently tops 120. Multiple universities, charities and the UK Labour Party on are on the list of those affected.
- Up next is Texas-based government institution, Trinity Metro, a transit agency that operates bus and commuter rail transportation services in Fort Worth. Phone lines and booking systems were down following the attack and a post on the NetWalker gang website showed more than 200 Trinity Metro folders containing information that was apparently exfiltrated from the agency before its systems were disrupted.
- Xchanging, a subsidiary of IT Services giant DXC was the next victim. DXC announced in a press release that certain systems of London based MSP Xchanging had been affected by a ransomware attack. Xchanging offers IT services and business process outsourcing to aerospace, banking, defence and insurance firms.
- Back to Texas again where Cooke County found themselves the next victim of REvil ransomware. The attackers threatened to start releasing data within 7 days of the attack after posting screenshots thought to be documents and data from the county’s police department on the Dark Web.
- Another government attack in the US is up next, this time it’s Chilton County in Alabama who implemented a shutdown after being targeted by an attack on the morning of July 7. The incident which caused a temporary disruption to the County’s computer records systems including the tag office and probate court records was announced via social media.
- New Jersey based IT Staffing firm Collabera were the next firm to find themselves victim of a Maze ransomware attack. Hackers were able to exfiltrate employees’ names, addresses and other personal information and infect its systems during the cyberattack.
- French telecommunications company Orange was the next company to fall victim, this time to Netfilim ransomware. Luckily for Orange and its 266 million customers, the incident was only related to its business services division. Data exfiltrated from Orange customers was later added to the Nefilim Dark Web site that details corporate leaks.
- Next up is yet another telecoms giant, this time in Argentina. Telecom Argentina fell victim to what has been described as a massive ransomware attack with the cybercriminals demanding that $7.5 million be paid in the privacy coin Monero. Twitter posts suggested that the criminal gang demanded payment prior to July 21, if the payment wasn’t made the ransom would double while the systems would remained locked.
- Back to the US now for the attack on state owned New Hampshire Radio. The organization revealed that they had been hit by a ransomware attack but no personal information had been accessed. The organization also revealed that third party supplier Blackbaud had discovered and stopped an attack back in May and had contacted them in July with details.
- Over to Kansas next where a ransomware attack took place at the GPS and smartwatch business Garmin. The attack took the business entirely offline for more than three days and is believed to have been carried out by a Russian cybercriminal gang which calls itself “Evil Corp”.
- Next up was Atlanta based SiteOne, the largest national wholesale distributor of landscape supplies in the United States. The company reacted quickly to the attack and managed to recover its critical business data with little disruption.
- We finish the month in Germany with Dussman Group, a global facility management specialist providing cleaning, catering, security, technical, and commercial services worldwide. The multinational company which employs over 66,000 staff worldwide and makes billions of euros in sales annually was reportedly struck by the Nefilim variant. After the attack the criminal group began posting 16,000 files to the Dark Web as proof of the attack.
August
August was 2020’s second busiest month for ransomware attacks with some well-known brands such as Jack Daniels, Carnival Cruises and Canon hitting the headlines. In the 20 incidents we uncovered manufacturing was the hardest hit sector followed closely by education.
- We start the month in Japan where Konica Minolta was hit by their second ransomware attack which took down company services for almost a week. The group behind the attack reportedly used RansomEXX ransomware, a relatively new malware that needs to be operated manually and does not have the ability to steal files. Meaning whoever was behind the attack needed to compromise the network and infiltrate all of the devices before running the malware.
- Next to make the headlines was Netherlands based travel management company CWT. A ransomware attack knocked 30,000 company computers offline and cost the company a $4.5 million ransom to get up and running again. Hackers allegedly obtained corporate data although this was denied by the company.
- Over to Australia next where aged care operator Regis was the victim of an international cyberattack that led to the loss of personal data. The company told investors that an “overseas third party” was responsible for the attack which resulted in data being copied from its servers and publicly released. Following the incident, the federal Australian government’s cybersecurity centre issued a critical warning that Maze ransomware was threatening aged care facilities across the country.
- Ohio based Muskingum Valley Health Center made the headlines next when they notified more than 7,000 patients that their personal information may have been exposed in a ransomware attack on its EHR system.
- Boyce Technologies, a manufacturer of transit communication systems that pivoted to build ventilators during the COVID-19 pandemic was the next victim of the DoppelPaymer ransomware gang. The gang posted examples of the stolen data on the Dark Web and threatened to release it unless the ransom was paid.
- North Carolina based Cornerstone Building Brands, a top manufacturer of windows in North America was the next reported victim. The company confirmed the attack and launched an investigation. At time of writing the publicly traded company had reportedly recovered many of its critical systems and did not expect the attack to have a material impact on its business.
- Back to Japan next where this time it’s the turn of camera maker Canon whose services division experienced an outage caused by a Maze ransomware attack. Internal applications, email servers, Microsoft Teams, and the US website were impacted.
- Carnival, the world’s largest cruise line operator were the next to disclose they had become a victim of ransomware. With over 150,000 employees and 13 million guests every year, Carnival Corporation is the largest cruise operator in the world. In an 8-K form filed with the Securities and Exchange Commission (SEC), the company disclosed that one of its brands had suffered a ransomware attack and that data was likely to have been stolen.
- Next up is Brown-Forman, the Louisville, Kentucky based manufacturer of Jack Daniels. The company was reportedly able to intervene before attackers could encrypt its systems and is working with law enforcement and third-party experts to mitigate the incident. While there is no confirmation on when the attack took place, a Forbes report indicates the intruders were in Brown-Forman’s environment for more than a month.
- The University of Utah was next to hit the headlines when it was reported that following an earlier ransomware attack they paid a $457K ransom. As data stolen during the attack contained student and employee information, the university decided to work with its cyber insurance provider to pay the ransom to prevent it from being leaked.
- Over to Chicago next where medical debt collection firm R1 RCM suffered a ransomware attack. The company with more than 19,000 employees and revenues of $1.18 billion in 2019 have contracts with at least 750 healthcare organizations nationwide. The company acknowledged they had been targeted in an attack but declined to discuss it further.
- Next up was an attack on South Korea based semiconductor manufacturer SK Hynix. Although the company has yet to comment on the incident the gang behind the attack released screenshots of some of the stolen company documents.
- TFI International, a Canadian transport and logistics company was next to disclose that four of their courier divisions were hit by ransomware just two days after they raised $219 million in a share offering. A company notice stated that they would continue to meet most customer shipping needs that they were not aware of any misuse of client information.
- Haywood County Schools in North Carolina were forced to close following an attack. In a statement released by the school, it was disclosed that school staff discovered the incident and that the third-party attacker has requested a ransom to stop the attack.
- Southeastern Pennsylvania Transportation Authority (SEPTA) were unable to provide real-time transportation information after an attack caused their systems to fail. SEPTA declined to provide further information about the attack but experts speculate that disruption to its systems has been significant.
- Brookfield Residential Properties , the home construction division of one of Canada’s largest publicly-traded companies, was next to fall victim to an attack. Although the organization did not confirm that the attack was ransomware, a threat group known as DarkSide claimed the attack and threatened to release stolen data unless a ransom was paid.
- Back to education where this time it’s the Gosnell School District in Arkansas. Little has been reported about the attack but it was disclosed that ransomware software infiltrated the school’s system and at the time of writing personal data had not been compromised.
- Up next is another attack on the education sector. This time its the Royal Military College in Kingston, Ontario. A cyberattack was reported in July but at the time it was unclear if it was ransomware. Ransomware was later confirmed when hackers posted documents that revealed sensitive personal information online.
- California based MA LABS, one of the leading computer component distributors in the United States was the next company to make the list. The REvil ransomware gang claim to have exfiltrated 949 gigabytes of confidential information from the central servers of the company. REvil said the attack affected more than 1,000 servers, and also claimed that the distributor didn’t tell the public about the attack.
- We finish the month in Fresno, California where back to school was disrupted when a ransomware attack took down the entire network at the Selma Unified School District forcing Fresno-area schools to cancel online classes.
To learn more about ransomware please download our newest eBook, Ransomware in a Pandemic: A Perfect Storm
September
Ransomware gangs seemingly worked overtime this month as we reported the most attacks of the year, a whopping 31 incidents. The most notable attack was on a German hospital which caused a woman to lose her life. The first cyberattack homicide investigation is currently underway and the EU Cybersecurity Agency is calling for countries to consider making company bosses liable for deaths in the future. Here’s a look at what we uncovered for the month.
- We start the month in Australia where workforce design and delivery firm Tandem Corp became a victim of NetWalker ransomware. Screenshots of data allegedly stolen during the attack were published on the Dark Web. The screenshots included files which appeared to contain financial data, personnel information and passport details.
- Next we head to Miami where staff at Key West City Hall were forced to go back to pen and paper when a ransomware attack took their systems offline.
- Boston headquartered cybersecurity and threat detection company Cygilant suffered a NetWalker ransomware attack. In a statement their CFO confirmed that the attack had impacted a portion of the company’s technology environment. At the time of writing it was unclear whether or not a ransom had been paid.
- Next up is another NetWalker attack. This time on Argentina’s official immigration agency, Dirección Nacional de Migraciones. The attack temporarily halted border crossing into and out of the country, and the attackers initially demanded $2 million but this was doubled to $4 million after a 7 day period.
- Staying in South America we next heard about a REvil attack on BancoEstado in Chile. The bank, which is one of Chile’s three largest, was forced to close all of its branches following the attack.
- Next was the first reported education attack of the month. The ransomware attack disrupted the first day back to school for students of Hartford Public Schools in Connecticut when hackers knocked their critical systems offline over Labor Day weekend.
- Newcastle University in the UK was the next reported attack on education. The disruption to the schools systems is ongoing and the DoppelPaymer group has been posting documents it claims to have stolen from its servers to its dedicated “Doppel Leaks” site.
- California based data center giant Equinix was the next firm to reveal they had been hit with a ransomware attack. The organization confirmed that its data centers and managed services remained intact as it was only internal systems affected.
- Saraburi Hospital in Thailand was the next victim. At the time of writing the hospital confirmed they had been hit with ransomware but that no demand for money had been made.
- Attack number 10 takes us to Ukraine where software developer and IT services provider SoftServe suffered a ransomware attack that may have led to the theft of customers source code.
- The Fourth District Court of Louisiana suffered a Conti attack , a relatively new ransomware strain. The administrative infrastructure of the courts was affected which led to the website being breached and internal documents being posted online.
- Students in Fairfax County Public Schools, Virginia’s largest school system were forced to begin the new school year with remote learning after a ransomware attack affected its systems. The hack reportedly didn’t impact distance learning or personal devices.
- Manitoulin Transport, one of Canada’s largest trucking companies was the next to disclose that they had become the latest victim of attacks targeting firms in Canada’s supply chain. The Conti gang posted stolen data but following discussions with the hackers the firm decided not to pay as the information stolen in the attack wasn’t important.
- Up next is Veiligheidsregio Noord- en Oost-Gelderland (VNOG) in the Netherlands. The attack damaged internal systems and it is still unclear who was behind it.
- The Development Bank of Seychelles (DBS) was next to find themselves a ransomware victim. DBS is a joint venture by the Seychelles government and several shareholders and at the time of writing they were reportedly unclear about how the attack occurred and the damage was still being assessed.
- K-Electric, the sole power distributor in Karachi, Pakistan experienced a ransomware attack by the Netwalker gang. The attack led to the disruption of the power utility’s billing and online services and the attackers requested a ransom of $3.8 million.
- Back to education again where this time it was Great Falls Public Schools in Montana. The school district shut down most of its systems to investigate and recover from the attack. At the time of writing they were working with the department of Justice, the National Guard, FBI and other private consultants to remedy the problem and were yet to disclose where the attack came from or what the attackers were requesting as a ransom.
- Newhall School District in California were next to find themselves victimized by ransomware. The attack locked up the systems and led to the cancellation of remote classes as students where told not to log on to the learning systems or use any district device.
- Artech Information Systems, one of the largest IT staffing companies in the US reported their second ransomware attack in nine months. The REvil gang were responsible for the attack which was picked up by the company following reports of suspicious activity on an employee device.
- Duesseldorf University Hospital in Germany suffered an attack which meant they were unable to accept emergency patients. Sadly this resulted in a loss of life after a patient was re-routed to another facility 20 miles away. A German news outlet reported that the cyberattack was not intended for the hospital and that the ransom note was addressed to a nearby university. The attackers stopped the attack after authorities told them it had actually shut down a hospital.
- Massachusetts based IPG Photonics, a leading developer of fiber lasers for cutting, welding, medical use, and laser weaponry was next to suffer a ransomware attack. It was reported that RansomExx was behind the attack that shut down the IT systems worldwide, affecting email, phones, and network connectivity in the offices.
- Over to Canada next where Ontario’s College of Nurses , the organization that oversees 188,000 members, was next to be hit by an attack. At the time of reporting it was disclosed that personal information may have been impacted but a ransom demand had not yet been received.
- Another hospital is up next, this time its University Hospital in New Jersey. It was reported that the institution suffered a massive 48,000 document data breach after the ransomware operation leaked their stolen data. The SunCrypt ransomware gang claimed to be responsible for the attack.
- Sixth Form College in Bolton, UK was the next reported incident in the education sector. Post attack the college engaged a specialist team to launch an investigation and mitigate the impact. At time of writing the forensic investigation was ongoing but it was confirmed that some data had been exfiltrated.
- Italy based Luxottica, the parent company of Ray Ban made the headlines next. The organization reported widespread service outages but claimed that no customer data had been stolen in the incident.
- Anglicare Sydney, a not-for-profit that provides social services such as aged care was next to report they had been hit by a ransomware attack that saw attackers exfiltrate 17GB of data. Once the cyberattack was detected they immediately embarked on remediation and investigation before strengthening their cybersecurity.
- Texas based Tyler Technologies, the largest provider of software to the United States public sector disclosed that they had become a victim of an attack that affected their internal systems. Tyler reported that there had been no impact on the software they host for their clients and at time of writing, the company, the FBI and the Department of Homeland Security all declined to answer questions on the extent of the hack, the risk of related breaches and the suspected identity of the perpetrators.
- French carrier CMA CGM became the latest big name in container shipping to reveal it had become a victim of ransomware, following other leading liners including Maersk, MSC and Cosco in recent years. The Ragnar Locker ransomware gang instructed them to make contact within two days via live chat to pay for the ransom key.
- Universal Health Services, one of the largest healthcare providers in the United States was next to be hit by a ransomware attack. Its speculated that the Ryuk gang was behind the attack and details of how widespread the issue is are still unknown. UHS has 400 hospitals and healthcare facilities in the US and the UK and serves millions of patients each year.
- Our final attack on education for the month goes to Clark County School District in Las Vegas. The attack which activated at the end of August triggered a data breach involving Social Security numbers, student information and other private information according to the Wall Street Journal. An investigation is ongoing and the district has pledged to keep parents, employees and the public informed as new information about the incident becomes available.
- Our final reported ransomware victim of the month is International insurance brokerage firm Arthur J. Gallagher & Co. The company confirmed that the attack had occurred on September 26th and that the incident impacted a “limited portion” of its internal systems. They also said they do not expect it to have a material impact on its operations or finances.
October
October set a new record with a massive 40 attacks recorded at the time of writing. We started the month in healthcare when an attack affected Covid-19 trials and ended the month with warnings that hospitals across the US were under serious attack from the Ryuk ransomware gang. Here’s a look at what we uncovered for the month.
- The first attack of the month was recorded on Oct 5th at Philadelphia based eResearchTechnology (ERT) where a ransomware attack disrupted clinical trials being run to develop tests, treatments, and a vaccine for COVID-19.
- Up next was the UK’s second largest privately owned insurance broker, Jersey headquartered Ardonagh Group. According to reports from The Register, the firm was forced to suspend 200 internal accounts with admin privileges as the incident progressed through its IT estate. The firm didn’t deny that the attack was ransomware but they did not confirm any specifics.
- Next was Texas based customs broker and freight forwarder Daniel B. Hastings. The company, who specialize in U.S.-Mexico cross-border shipments didn’t comment on the attack, but the exfiltrated company files were posted online from the Conti ransomware gang.
- Hall County Government in Georgia was the next victim. While officials didn’t release details of how the attack happened or what was being done to resolve it, government offices including the courthouse, community centers, and the sheriff’s precincts were experiencing issues with phone and email services. It’s thought that no employee or resident data had been compromised.
- Next up is the first education attack of the month. With over 25,000 students, 4500 employees and 60 schools, the Springfield Public Schools district is the third largest school district in Massachusetts. Once the attack was identified the district shut down all systems and closed the schools to prevent spread of the attack.
- Software AG, one of the largest software companies in the world suffered an attack from the Clop ransomware gang who demanded more than $20 million. After negotiations failed the Clop gang published screenshots of the company’s data on the Dark Web, the screenshots showed employee passport and ID scans, employee emails, financial documents, and directories from the company’s internal network.
- US trucking company Daseke became a victim of the Conti ransomware gang next. Thousands of internal documents exposing the personal information of their drivers and other sensitive data was posted to the Dark Web. Texas-based Daseke declined to offer further information as the investigation into the attack continues.
- The City of Mount Pleasant in Michigan was next to fall victim. According to a press release, a remote ransomware attack was detected on the city’s computer and phone systems. Michigan State Police were conducting an investigation and it’s not thought that any personal data had been breached.
- Australian based facilities services provider Spotless Group was the next company to hit the headlines when a number of their servers were compromised in a ransomware attack. They join other large Australian companies including Toll Group, Lion, BlueScope and Regis Healthcare as 2020 victims of ransomware.
- The next attack was on the Yazoo County School District in Mississippi. Following the attack, the school took its IT systems offline and engaged a cybersecurity firm to help recover data encrypted by threat actors. The school board voted to pay $300,000 to recover the data that was encrypted by malware.
- The Lake George Land Conservancy in New York was the target of a ransomware attack on its internal computer server. The organization revealed that no sensitive donor data was compromised and all data had been backed so they did not intend to pay a ransom.
- Leading global legal firm Seyfarth Shaw disclosed that they had become a victim of a sophisticated and aggressive ransomware attack. At time of writing it’s unknown who was behind the attack and the extent of the incident.
- German based game developer Crytek suffered an attack at the hands of the Egregor ransomware gang. In addition to encrypting the devices, the gang claims they have stolen unencrypted files from Crytek and have leaked a 380MB archive on their data leak site.
- A ransomware attack caused outages at Sports data provider Stats Perform during the college football slate, causing issues at daily fantasy sports sites including FanDuel, DraftKings and others.
- Back to education, New York based Yorktown and Croton-Harmon schools both reported cybersecurity attacks. Croton-Harmon confirmed the incident was a ransomware attack, however Yorktown did not confirm the attack was indeed ransomware.
- Staying in education, Toledo Public Schools (TPS) was next report an incident. The district confirmed that a cyberattack had occurred in September but they were unaware that data had been compromised. It has since been confirmed that Maze ransomware was responsible for the attack and more than nine gigabytes of data were dumped which included social security numbers, addresses and more for employees as well as current and former students.
- India based snacks manufacturer Haldiram’s experienced a ransomware attack on its servers. Hackers left a message on all affected services confirming it was a ransomware attack and that all data, files, applications and systems had been encrypted and a ransom would have to be paid to release the data.
- Major US bookseller Barnes and Noble was the next company to hit the headlines when they experienced a number of outages. This led to some customers being unable to access their Nook libraries while others were locked out of the platform completely.
- Next up is Australia based container logistics platform Containerchain. According to the firm they quickly identified the ransomware cyberattack and immediately implemented an emergency response procedure resulting in limited data loss and downtime.
- The City of Shafter in California announced that its IT system has been compromised by ransomware. In an Instagram post they revealed that the city’s IT system appeared to be frozen and locked. According to the city, it is not believed that any personal information has been obtained and in a follow up post they revealed that they had hired a privacy legal counsel and a forensic investigation firm to determine if any personal information had been compromised.
- Dickinson County Healthcare System were the victim of an attack that disrupted access to computer systems across its hospital and clinics. The hospital is working with third-party forensic experts to determine the full impact of the attack to restore its systems. At time of writing they claimed there was no indication that any data was accessed or taken as a result of this incident.
- Next came Montreal public transport agency The Société de transport de Montréal (STM). Hackers demanded a ransom of US $2.8m to restore normal network operations but according to the agency no data was exfiltrated and they were not intending to pay the ransom. Bleeping Computer reported that the RansomExx gang had been responsible for the attack that knocked the agency’s reservation system and caused an outage that affected around 1,000 of STM’s 1,600 servers.
- The Caribbean’s largest conglomerate, Ansa McAl became the victim of REvil ransomware. It’s understood that work at Tatil, the country’s biggest insurer was stalled for two weeks as the IT department works to find and expel the ransomware from the company’s servers. It is unclear exactly what data and systems were compromised, but Newsday was told whatever was attacked is “very important (mission-critical) data that is crucial to Ansa’s operations.” Clients’ personal data was not compromised, Newsday was told.
- On the same day hackers attacked Boston commuter operator Keolis Commuter Services. The company’s threat detection systems alerted the operator who managed to deactivate its network within a few hours. Passenger data isn’t stored by the company but it is possible that employee data may have been stolen in the attack.
- French-headquartered IT outsourcer Sopra Steria was next to be struck by a cyberattack. At time of reporting the business declined to say what had happened but French media reports indicated that Sopra Steria’s Active Directory infrastructure had been compromised by hackers linked to the Ryuk malware gang.
- In the next reported incident, hackers hijacked and published the mental health records of hundreds of patients from Finland based psychotherapy center Vastaamo. Hackers demanded 450,000 Euros in exchange for ceasing publication of the data which included that of minors. It has been speculated that the ransom was paid after the data leakage ceased.
- Indian news agency Press Trust of India (PTI) was hit by a massive ransomware attack which shut its servers down for hours. The attack disrupted operations and the delivery of news to subscribers but no ransom was paid.
- Staying in India, this time it’s the turn of restaurant chain Mithaas. The case comes within two weeks of the attack at snack company Haldiram’s.
- Michigan based golf and ski resort operator Boyne Resorts was hit by a WastedLocker attack that forced the company to shut down parts of its network. As a result of the attack customers were unable to make online reservations when the booking system was knocked offline.
- Steelcase Furniture, another Michigan based company was next to be hit. Steelcase is the largest office furniture manufacturer globally, with 13,000 employees and $3.7 billion in revenues. The Ryuk gang is thought to be behind the attack which forced the shutdown of their network.
- Sky Lakes Medical Center in Klamath Falls Oregon was victimized by the Ryuk ransomware gang. The attack took computer systems offline and forced clinicians to switch to pen and paper to record patient information. No evidence has been found to indicate patient information was compromised, although the Ryuk gang is known to exfiltrate patient data prior to file encryption.
- Multinational energy company Enel Group were hit by ransomware for the second time this year. The Netwalker gang demanded a $14 million ransom for the decryption key and to not release several terabytes of stolen data.
- Lawrence Health System in New York were forced to divert ambulances at three area hospitals after a ransomware attack. The three hospitals hit included Canton-Potsdam Hospital, Gouverneur Hospital and Massena Hospital.
- Next we head to Australia where media monitoring company Insentia became the next victim. Most government departments and large corporations in the country are clients of the firm. The firm told the Australian Stock Exchange that it was urgently investigating a cybersecurity incident that was disrupting services involving its media portal – a service customers use to see media reporting on them, or issues of interest to them, and find journalists.
- Chenango County in New York found themselves a victim of ransomware when around half of their 400 computers were found locked. The attack primarily targeted the county’s email system. It’s thought the attackers were Hong Kong based according to an investigation by the New York state Department of Homeland Security. The hackers demanded $450 for the release of each machine, making the total bill around $90,000. At time of writing the county claimed they did not intend to pay the ransom.
- The networks of the Hanover Chamber of Crafts experienced ransomware attacks at all four of its locations as well as the wholly owned subsidiary Projekt- und Servicegesellschaft. The Sodinokibi ransomware gang was responsible for the attack.
- Indian company Dr Reddy’s Laboratories admitted to a ransomware attack following a cyberattack earlier this month. The company refused to divulge details of the ransom and said they are working with a third party to recover and restore their data. They don’t believe the attack is connected with the Russian Covid-19 vaccine Sputnik V. that Dr Reddy’s plans to distribute in India.
- More bad news for healthcare as the Ryuk gang strikes again, this time claiming the University of Vermont Health Network as their next victim. An anonymous source who spoke to the press stated that as many as 20 medical facilities have been hit by the recent wave of ransomware. The figure includes multiple facilities within the same hospital chain.
- The city of Salem, New Hampshire announced that they had become the victim of a sophisticated cybersecurity attack involving ransomware. The attack cut off access to internal systems and may have exposed data. Investigators probing the incident learned that data may have been exfiltrated from certain servers.
- The final attack of the month take us to Las Vegas where international casino equipment supplier Gaming Partners International became a victim of the REvil gang. According to a recent interview with a Russian tech blog, REvil hacked and encrypted all servers and working computers at the company. The hackers also exfiltrated more than 500 gigabytes of data during the breach including casino contracts, banking information and technical documents related to GPI products. REvil gave the company 72 hours to respond.
November
November was the third busiest month of the year with 28 attacks uncovered. Our research shows that organizations in the services industry were hit the hardest, followed by the government sector. Education took a back seat this month with only one recorded incident. Here is a roundup of what we uncovered for the month.
- US toymaker Mattel was the first of the month to reveal they had been a victim of a ransomware attack earlier in the year. Mattel claimed that the attack was initially successful and it resulted in the encryption of some of its systems. The toymaker said that a subsequent forensic investigation concluded that the ransomware gang did not steal any data relating to its business, customers, suppliers or employees.
- Sonoma Valley Hospital confirmed that its system-wide computer shutdown in October was due to a ransomware attack. Hackers demanded a ransom to release data but at time of writing the hospital had not paid the ransom. The attack was likely part of the Russia backed campaign that recently targeted as may has 400 healthcare organizations across the US.
- Japanese game developer Capcom fell victim to an attack at the hands of the Ragnar Locker gang who claimed to have stolen 1TB of sensitive data from their corporate networks in the US, Japan, and Canada. The ransom note included screenshots of stolen files, including employee termination agreements, passports, sales reports and bank statements.
- Italian beverage giant Campari Group was the next big-name brand to suffer an attack. An investigation into the attack is ongoing and some researchers suspect the Ragnar Locker gang is responsible.
- Next up was the massive ransomware attack that affected the cyberinfrastructure of the Brazilian Superior Court of Justice (STJ). The ransomware operators behind the attack claimed that the entire STJ database has been encrypted and any attempt to restore the files would be in vain. It is The hackers demanded an unknown amount of ransom to decrypt the encrypted court data.
- The GEO Group, the company best known for operating illegal immigration detention centres and private prisons in the US were next to disclose that they had been victim of an attack earlier in the year. The attack exposed sensitive inmate and resident information. The group said that the incident impacted only a small part of its network of 123 private prisons, processing centres, immigration detention centres and mental health facilities, spanning the US, South Africa, Australia and the UK.
- E-commerce software vendor X-Cart disclosed that they had suffered a ransomware attack that brought down customer stores hosted on the tech company’s platform. The attackers gained access to a small number of servers which they encrypted which effectively shut down X-Cart stores running on top of the impacted systems. Although they claim only a small percentage of the infrastructure was affected, some of the store owners are said to be considering a class-action lawsuit as a result.
- Taiwanese electronics giant Compal, was next to make the ransomware headlines. The company who builds laptops for some of the world’s largest computer brands suffered an attack at the hands of the DoppelPaymer gang. The attack is said to have impacted around 30% of Compal’s computer fleet.
- UK based housing association Flagship Group were forced to take their IT systems offline after the Sodinokibi ransomware strain entered the company via a phishing attack. The association, a landlord for over 30,000 homes in the east of England admitted that there had been some data encryption and some personal customer and staff data has been compromised. It remains unclear how many individuals have been affected.
- Iowa based medical billing company Timberline Billing Service LLC is boosting its cybersecurity after an unknown attack encrypted files and exfiltrated data earlier in the year. The security incident was reported to the Department of Health and Human Services’ Office for Civil Rights as a data breach affecting up to 116,131 individuals.
- Biomedical and clinical research company Miltenyi Biotec suffered a Mount Locker attack that affected the firm’s global IT infrastructure. The company’s 2,500 employees from 28 countries are working to develop cell research and therapy products for clinicians and researchers working on covid-19 vaccines. The company said that it has successfully restored all operational processes impacted but they were still facing issues with email and telephone services in some countries.
- Chilean-based multinational retail giant Cencosud was hit by an Egregor Ransomware attack that impacted services across its stores. Cencosud is one of the largest retail companies in Latin America with revenues of $15 billion and over 140,000 employees.
- Managed.com, one of the biggest providers of managed web hosting solutions was forced to shut down all of its servers following a ransomware attack. The attack impacted the company’s public-facing web hosting systems resulting in some customer sites having their data encrypted.
- A ransomware attack on cold storage giant Americold impacted their operations including, email, phone systems and inventory and order management. The company who manages 183 warehouses worldwide and has around 13,000 employees offers supply-chain services and inventory management for retailers, food service providers, and producers.
- The City of Saint John in Canada was next to confirm that a recent cyberattack against them was indeed ransomware. Officials have declined to say how much money was demanded by the attackers or what systems had been affected.
- Lehigh Valley Library in Pennsylvania was forced to close after falling victim to an attack. Affected servers were taken offline and the library remained closed while the attack was investigated and systems were restored.
- Nexia Australia and New Zealand, a network of solutions-focused accountancy and consultancy firms were next to disclose that they had been hit by REvil ransomware. The attackers claimed to have stolen 76GB of data during the incident, however, Nexia denied this and said that the incident was swiftly dealt with by their IT providers and there was no evidence of any movement of data or files.
- Next up is New Zealand based flower wholesaler New Zealand Bloom. The company stated that they had no intention of paying a ransom as the consequences of the attack were not serious and the data leaked online was not of a sensitive nature.
- Another government attack is next, this time its Jackson County in Oregon. The attack downed the county’s website following the recent ransomware attack on their web-hosting service provider, Managed.com
- South Korean fashion and retail company E-Land was forced to shut down 23 of its 50 branches following a ransomware attack. E-Land is most known for its fashion and apparel line and is one of the most famous companies in South Korea. The company is working with police and cyber experts to investigate the attack.
- Manchester United Football Club made serious headlines this month when it was revealed that they had suffered a cyberattack. Later confirmed to be ransomware, the club disclosed that although the attack was sophisticated, they had extensive protocols and procedures in place for such an event and they were prepared. They maintain their cyber-defenses identified the attack and shut down affected systems to contain the damage and protect data.
- Back to Australia next where this time it’s Law In Order, an Australian supplier of document and digital services to law firms. The company were victims of the Netwalker ransomware gang. It had been initially reported that they had seen no evidence of data exfiltration, however, this was later updated to say a very small proportion of data had been exfiltrated after online accounts linked to Netwalker posted proof of the attack and threatened to publish data online if a ransom was not paid.
- Ritzau, the largest independent news agency in Denmark responsible for delivering news to virtually all major media in in the country, had their editorial systems shut down following a ransomware attack. In a statement they confirmed that they did not intend to pay the ransom. While the ransomware group who successfully encrypted their systems is not yet known, the attack which managed to encrypt around 25% of the servers has been described as “very professional”. Ritzau’s IT department is working on restoring all affected computers and bringing them back online.
- US Fertility, a network of fertility clinics was hit by a ransomware attack that compromised patient information. A security incident had been identified in September after some devices on the network became inaccessible. The company then found multiple systems had been affected by ransomware. Further investigation revealed that an unauthorized party accessed data including patient names, addresses, birthdates and Social Security numbers during August and September.
- Advantech, the industrial automation and IoT chip maker confirmed that a ransomware attack that hit its network and that company data had been exfiltrated. The attack was carried out by the Conti ransomware gang who demanded a $14 million ransom to decrypt the affected systems and to stop leaking stolen company data. Advantech employs 8,000 people in 92 cities globally.
- Delaware County in Pennsylvania were the next reported victim of the DoppelPaymer gang. Systems were taken offline while the organization worked with computer forensic specialists to determine the nature and scope of the event. Emergency services were not affected but the county did opt to pay the $500,000 ransom.
- In the only reported attack on education this month, Baltimore Public Schools was forced to cancel online learning for its 115,000 students after a ransomware affected its systems. Very little information has been released about the attack but county police are working with the FBI.
- The last reported attack of the month hit Endemol Shine, the global production company behind television shows such as “Big Brother,” “MasterChef” and “The Voice”. The company has disclosed that they have reason to believe personal employee data and commercially sensitive information may have been compromised. The attack was claimed by the DopplePaymer who have shared several documents allegedly stolen from the company.
December
We finish 2020 with 27 reported ransomware attacks in December. Several prominent organizations made headlines during the month including electronics giant Foxconn who were hit with a $34 million ransom. Here’s a summary of what we uncovered.
- We start the month with online education vendor K12. Threat actors accessed back office systems during the attack and a press release stated that student and staff information was on the systems. A spokesperson confirmed that a ransom had been paid.
- Translink, Vancouver’s transportation network were next to disclose they had been a victim of ransomware at the hands of the Egregor gang. Payment systems were affected but customers were assured that credit card and payment information had not been accessed.
- Up next is another Egregor attack, this time on US retailer Kmart. The attack resulted in a number of servers on its network becoming encrypted. A ransom note showed that an HR website used by the store had also been brought offline by the hackers. Kmart’s e-commerce site was unaffected.
- Brazilian aerospace giant Embraer reported that they had been a victim of ransomware. The company chose to restore its affected systems and refused to negotiate with the attackers which promoted the RansomExx gang to leak some company data.
- Randstad, the world’s largest staffing agency was the next reported victim of the Egregor gang. Unencrypted files were stolen during the attack and a subset of the data was later published.
- Swiss helicopter manufacturer Kopter fell victim to the LockBit gang who encrypted the company’s files and published a subset of them after they refused to engage. The hackers claimed that they broke into the company’s network by taking advantage of weak password used by a VPN appliance.
- Greater Baltimore Medical Center (GBMC HealthCare) was hit by a ransomware attack that impacted its computer systems and operations. The hospital initially stated they had robust systems in place to deal with the attack. However, a GBMC nurse who spoke to the press anonymously said that the attack had set the facility back decades.
- Electronics giant Foxconn suffered a ransomware attack at a Mexican facility during the Thanksgiving break. Following the attack the DoppelPaymer ransomware gang published files belonging to Foxconn NA on their ransomware data leak site. The attackers demanded a ransom of $34 million.
- Minnesota based Managed IT Services provider NetGain Technologies were forced to take its data centers offline following a ransomware attack. While the company declined to speak to the press about the attack, its clients were informed and were told they were running tools and scans to detect, isolate, and clean-up any affected environments whilst working alongside security specialists.
- Haberdashers’ Monmouth Schools , an independent schools group in Wales was hit by the Sodinokibi ransomware gang. The hackers deleted files belonging to staff and pupils and encrypted onsite backups. The group demanded £500,000 which rose to £1m after six days.
- The town of Independence Missouri revealed that they had been a victim of a ransomware attack that resulted in technical difficulties and disruption to multiple services but it had been halted before the full city network had been infected. The City Council had previously approved over $4 million worth of IT and cybersecurity upgrades designed to prevent these types of attacks, however it was unclear how many upgrades were in place at the time.
- Next, the Conti gang claimed responsibility for the attack on Georgia based payment processing company TSYS. The attackers claimed to have published over 10 gigabytes of TSYS data but the company said the attack only impacted it’s administrative wing and not any payment data. TSYS did not confirm if any ransom had been paid.
- Intel-owned AI processor developer Habana Labs suffered an attack at the hands of the Pay2Key ransomware operation. The hackers leaked company data and in a threat posted to their leaked data site they stated that Habana Labs had 72hrs to stop the data leaking process. It is not known what ransom demands were made.
- Australian automotive services provider Inchcape became the next victim of RansomEXX. The gang leaked data on the Dark Web following the attack.
- Weslaco ISD in Texas reported that the school district’s computer network was attacked by ransomware and that the FBI were investigating the incident. A statement from the organization said they did not know if personal information relating to staff and students had been compromised.
- Norwegian cruise company Hurtigruten disclosed that its systems had been hit by a significant ransomware attack in which the cruise lines global IT infrastructure had been affected. At time of writing it’s not known who was behind the attack.
- Germany based flavor and fragrance developer Symrise were forced to halt production following an attack claimed by the Clop ransomware gang. The attackers allegedly stole 500 GB of unencrypted files and encrypted close to 1000 devices. Images of the stolen files were posted on the attackers data leak site .
- Trucking and logistics firm Forward Air revealed they had been targeted by a ransomware attack and warned that it may defer or lose revenue as a result. This attack is the first we have recorded for the Hades ransomware group.
- The City of Ellensburg in Washington were next to announce they had been the victim of a ransomware attack. Not much is known about the attack but the city is now working with both local and federal law enforcement to investigate.
- Canadian voice over IP hardware and software maker Sangoma Technologies were struck by a ransomware attack involving the Conti gang. Private and confidential data stolen during the attack was later posted online and the company said that it has launched a comprehensive investigation to fully ascertain the extent of the data breach and it’s working closely with outside cybersecurity experts.
- Home appliance giant Whirlpool suffered a ransomware attack by the Netfilim gang who stole data before encrypting their devices. The hackers later published stolen data which included documents relating to employee benefits, medical information requests, and background checks.
- Up next is the City of Cornelia in Georgia. In a press release to local media officials confirmed the attack and disabled the network while they work with law enforcement to investigate.
- General Medical Laboratory (AML) in Antwerp, a laboratory working closely on the management of the Covid-19 pandemic suffered an attack by the Clop ransomware gang. Hackers installed ransomware on the lab’s website which brought it to a standstill. They demanded a ransom before they would release the site from captivity. It remains unclear if the attack was also aimed at data theft.
- Arizona-based healthcare organization GenRx Pharmacy issued a warning to patients over a potential data breach following a ransomware attack earlier in the year. Malicious hackers successfully removed some files that included patient information including first and last name, address, phone number, date of birth, gender, allergies, medication list, health plan information, and prescription information. An entry on the US Department of Health and Human Services’ HIPAA breach portal indicated that more than 137,000 GenRx patients were being informed about the incident.
- New Zealand based financial services firm Staircase Financial Management were the next company to be hit. A post on the NetWalker blog had a countdown clock indicating how much time was left before the data was made public. That clock has since run out and the data was made public across multiple third party file sharing sites.
- Richter Advisory Group Inc., the court-appointed receiver of Canadian company Nygard’s assets confirmed that Nygard was a victim of a ransomware attack in a Dec 30th court document. IT staff identified the ransomware responsible as Netwalker. The initial ransom demand was approximately 99 bitcoins — equivalent to more than $3.6 million but this rose to 198 bitcoins — equivalent to more than $7.2 million when the company failed to respond.
- The last reported attack in 2020 took place in Fergus Falls Minnesota where computer systems at Lake Region Healthcare were affected by a ransomware attack. In a statement released on Dec 30, the CEO of Lake Region Healthcare said federal and local law enforcement, as well as a team of third-party experts were investigating the attack and at that time there was not enough evidence to indicate any data was stolen, or that patients and staff are in danger at this time.
Keep up to date with what’s happening in 2021 in our State of Ransomware 2021 blog!
Related Posts
BlackFog unveils AI based anti data exfiltration (ADX) platform for ransomware and data loss prevention
BlackFog unveils the latest version of its AI based anti data exfiltration (ADX) platform for even more powerful ransomware and data loss prevention. Version 5 introduces new features including air gap protection, real-time geofencing, and baseline activity monitoring to ensure the highest level of cybersecurity protection.
EDR Kill Shifter: Why a Layered Cybersecurity Approach is Required
Learn how ransomware-as-a-service is simplifying ransomware tool creation and increasing ransomware attack accessibility in cybercrime. Find out how modern ransomware syndications use RaaS.
The Rise of Ransomware-as-a-Service and Decline of Custom Tool Development
Learn how ransomware-as-a-service is simplifying ransomware tool creation and increasing ransomware attack accessibility in cybercrime. Find out how modern ransomware syndications use RaaS.
The State of Ransomware 2024
BlackFog's state of ransomware report measures publicly disclosed and non-disclosed attacks globally.
Data Exfiltration Detection: Best Practices and Tools
Data exfiltration, a tactic used in 93% of ransomware attacks, can lead to severe consequences including financial losses, reputational damage, and loss of customer trust. To mitigate these risks, organizations must implement effective detection strategies and technologies.
What Causes Victims to Pay in a Ransomware Attack? The Psychology
Learn the main reasons why victims of a ransomware attack are forced to pay, such as the need to avoid operational disruption or the deceptive methods used by attackers to establish confidence.