In 2020, 2021, 2022 and now 2023, BlackFog’s state of ransomware monthly report measures publicly disclosed attacks globally. This year we are also introducing some new statistics based upon unreported incidents, which is a growing trend as organizations try to avoid regulatory penalties, reputation damage and class action lawsuits. We are also proud to have received Gold place for Best Cybersecurity Newsletter of the Year in the 19th Annual 2023 Globee® Cybersecurity Awards for this report.
We have also produced an annual ransomware attack report for 2022. In addition, we have also identified some of the key lessons learned from 2022 and what trends and best practices can be used to mitigate these attacks in the future.
As in previous years where we’ve identified the major myths and moments in ransomware, we will continue to focus on important statistics such as data exfiltration. If you would like this report delivered to your inbox each month please feel free to register using the link below, or learn more about how BlackFog protects enterprises from the threats posed by ransomware here.
January
The first month of 2023 saw 33 publicly disclosed ransomware attacks, the highest number of attacks we have ever recorded for a January. The education sector topped the victim list with 11 attacks, over a third of all incidents recorded this month. Royal Mail, deemed as “critical national infrastructure” in the UK, was hit by a LockBit attack, causing severe disruption to all overseas deliveries. Clop targeted the New York City Bar, exfiltrating 1.8TB of data and posting some “unkind” words regarding their concern for data safety. Let’s take a look at what other attacks were uncovered this month:
- Personal data belonging to Xavier University students and employees was leaked by Vice Society after an attack late last year. The exfiltrated data is reported to include information on payroll, personal finances, social security numbers, disciplinary actions and misconduct allegations. The Louisiana based university refused to pay the ransom demanded by the ransomware group.
- Los Angeles Housing Authority (HACLA) confirmed that they were victims of a data breach, resulting in disruption to their systems. HACLA are unclear how systems were breached and exactly what information had been stolen. LockBit have claimed responsibility for the attack and have posted images of purported HACLA databases containing around 15TB of information.
- Swansea Public Schools was targeted by a ransomware attack which shut down their district network, causing classes to be canceled for a day during the first week of the semester. It is believed that an encrypted download, run by someone with no malice intent within the district, facilitated the attack. Early investigations suggest that no personal staff or student information was compromised during the incident.
- The Saint Gheorghe Recovery Hospital in north-eastern Romania reported a cyberattack which took place in December 2022, stating that medical activity is still impacted due to its encrypted database. The hackers demanded 3 Bitcoin for the decryption of the servers. An investigation involving the National Directorate of Cyber Security and DIICOT has been launched.
- Bristol Community College in Massachusetts is struggling to recover from a ransomware attack which crippled their digital systems. The incident was discovered late December when the college immediately launched an investigation. It remains unclear whether personal information was accessed or stolen during the attack. No group has yet claimed responsibility for the incident.
- Hive ransomware gang have added another healthcare-related victim to its leak site, Consulate Health Care (CHC). The group claim to have acquired information including contracts, NDAs and personal information belonging to employees and customers. CHC could unfortunately not afford the reduced, undisclosed ransom amount as their insurance would not cover any ransom payment – it’s now likely that Hive will leak the exfiltrated information.
- Computer systems belonging to the Controller of Communication Accounts (CCA) were breached during a ransomware attack at the beginning of the month. The office in Vijayawada had basic information accessed but the main server remained intact. Reports confirm that a ransom was demanded though the amount has not been disclosed.
- Pennsylvania- based non-profit health provider, Maternal and Family Health Services, was impacted by a sophisticated ransomware incident. It is reported that the incident initially occurred in April 2022 but could have started months earlier. Personal information belonging to current and former patients and employees was compromised along with vendors sensitive information. The MFHS has not detailed why it took nine months to disclose the attack, with details of the incident including the group behind the attack remaining unclear.
- San Francisco’s Bay Area Rapid Transit fell victim to a ransomware attack which exposed highly sensitive and personal data. Vice Society have claimed responsibility for the attack and have allegedly stolen information including employee data, police reports and crime lab reports among other highly sensitive information. It is not clear if a ransom was demanded by the group.
- Des Moines Public Schools was forced to extend their school year to make up for time lost due to a ransomware attack. The incident which affected the district’s servers, caused major disruption with consultants being brought in to determine the full impact of the cybersecurity attack. The Iowa Department of Education, the local offices of the FBI and the Department of Homeland security are involved in an investigation. No-one has yet claimed responsibility for the attack, and it is unclear if any information has been compromised.
- Hope Sentamu Learning Trust were hit with a ransomware attack which affected nine of their schools across York, Selby and Scarborough. IT systems were taken offline as a precautionary measure, with some remaining disabled while the investigation continues. It is unknown if any data was taken during the incident. The CEO stated that they have not received a ransom demand and if they did that they wouldn’t pay it out of principle.
- Vice Society claimed responsibility for the attack on the Fire Rescue Victoria which led to widespread outages in December last year. The Australian state fire department warned current and former employees and job applicants of the leak. The attack affected a number of FRV’s internal servers, including the email system with the overall IT infrastructure still not fully operational into the New Year. The data set leaked by the ransomware group contains budget documents, job applications and other sensitive information.
- Norwegian software supplier, DNV, reported a ransomware attack impacted around 1000 shipping vessels. The attack affected their ShipManager software that provides services for 12,000 ships and mobile offshore units across the globe. The incident has not affected the vessels’ ability to operate due to onboard, offline functionalities of the software. The organization claim that there are no indications that data or any other servers were affected.
- The City Council of Durango in Mexico suffered a cyberattack which reportedly paralyzed its systems. A news site quoted the city mayor confirming the ‘hacking had been serious’ and would paralyze the systems for a number of weeks. They reportedly received a ransom demand which they are not intending to pay. No gang has claimed the attack as yet.
- LockBit caused severe disruption to Royal Mail’s overseas deliveries during an incident in early January. This incident is highly significant, as Royal Mail is deemed “critical national infrastructure” for the UK. A ransom note sent to the organization read “Your data is stolen and encrypted.” A ransom demand has not yet been reported and it is unclear what information has been exfiltrated during the attack. An investigation involving the National Crime Agency and the National Cyber Security Centre is ongoing.
- Home Care Providers of Texas just disclosed a ransomware incident which occurred between June 25 and June 29 last year. Files were both encrypted and exfiltrated by threat actors. The information stolen included names, addresses, SSNs, treatment information and medication information of patients. The Texas Attorney General report has indicated that 124,363 Texas residents have been affected.
- 8TB of information belonging to the New York City Bar has been stolen by CL0P during an attack in mid-December. The ransomware group posted some “unkind” words on their leak site stating that the NYC Bar is “example of one more institution who do not take their obligation to secure client, employee and case data seriously.” A screenshot of a portion of a file directory has been posted as proof of claims, with the group stating that the data size is so large that it will be shared over some weeks.
- One of Germany’s largest universities, The University of Duisburg-Essen, has fallen victim to a Vice Society ransomware attack. The group listed the university as one of its victims, leaking some of the data stolen during the attack on their dark web site. The university has stated that they refused to comply with the attackers’ demands and did not pay the ransom. Local data protection experts are currently analyzing the published data to uncover which institutions and individuals were affected by the breach.
- Fast food operator of KFC, Pizza Hut, Taco Bell and The Habit Burger Grill chains, Yum! Brands, were forced to temporarily close 300 locations in the UK this month as the result of a ransomware attack. Upon discovering the incident, the company was deployed containment measures which included taking certain systems offline and implementing enhanced monitoring technology. Yum Brands! Have confirmed that data was stolen during the attack but does not believe that any customer information was exposed. An investigation is ongoing.
- Costa Rica’s Ministry of Public Works and Transport suffered a ransomware attack just months after several other ministries were crippled in a wide range attack. Twelve servers were encrypted during the attack. Cybersecurity experts and international organizations have been brought in to support the ongoing investigation into the attack. Conti claimed responsibility for the incident, making it the second major attack from this group on the country in less than a year.
- NextGen Healthcare, an Atlanta-based electronic health record vendor, fell victim to an attack orchestrated by BlackCat ransomware group. BlackCat posted an “alleged sample of NextGen information” on its extortion site but later took down the listing. The forensic review is ongoing, but the organization stated that they have not uncovered any evidence to suggest that threat actors gained access to any client or patient information.
- Wawasee Community School Corporation suffered an attack which impacted all of their windows-based computers, servers and other technology systems. Significant disruption was caused to daily operations as they shut down the network to investigate the breach, which both the Indiana Department of Education and the FBI are involved in. At this time, it is believed that student and employee data was not impacted during the incident.
- One of the UK’s largest car dealer networks, Arnold Clark, was targeted by an attack in the run up to Christmas last year, seeing staff resorting to pen and paper to record transactions and the company unable to complete new vehicle handovers. Play ransomware group have claimed responsibility for the incident and have posted a 15GB tranche of customer data online, with the threat to release more should the ransom not be paid. Although the actual ransom amount has not been disclosed, it is believed to be a multimillion pound demand.
- British Colombia community college, Okanagan College, have announced that an unauthorized entity gained access to some of their technology systems earlier this year. Vice Society took responsibility for the incident and claimed to have exfiltrated 850GB of data. External security experts have been brought in to assist in the response and investigation surrounding this attack.
- Lutheran Social Services of Illinois have recently notified the Maine Attorney General’s Office of a breach affecting 184,183 people this month. It is believed the attack occurred a year ago, in January 2022. It was discovered in December 2022 that certain personal information maintained on their systems was “potentially accessed by an unauthorized party.”
- The South East Regional Health Authority (SERHA) in Jamaica were victims of a cyberattack, affecting their information and communications technology as well as other public services. Details of the incident have not been made public but Junior Opposition Spokesperson on Science and Technology, Omar Newell, has called for more details of the breach to be disclosed including what servers were affected, could patient information have been accessed, was a ransom demanded, and if it was, are SERHA intending to pay it. No group has yet claimed responsibility for the attack.
- In India, the parent company of a private defence contractor, Solar Industries Limited, were victims of a BlackCat attack, leaving their website unavailable for a number of days. The ransomware group released a number of documents on to the dark web and claim to have exfiltrated 2TB of data from the organization. The stolen data is said to include full descriptions of engineering specifications, drawings, and audits for many weapons which they manufacture, alongside other company data and personal information belonging to customers and employees. It is not clear whether a ransom has been demanded by the group.
- In Maryland, Atlantic General Hospital experience network outages due to a ransomware attack. The attack caused some disruption but patient interruption was “limited.” Details on the attack remain vague and no-one has claimed responsibility yet.
- The Instituto Federal Do Pará (IFPA), a public education institution in Brazil, was added to BlackCat group’s leak site on January 30th. The group posted a proof pack consisting of screenshots from a directory of folders. A message from the ransomware group stated, “The guys decided to ignore our ransom demands, so the data of their employees and students will be published and put up for sale.” The ransom amount demanded has not been disclosed and the IFPA have not yet made any statement regarding the attack.
- Japanese electronic product manufacturer, Fujikura Global, have fallen victim to an attack by LockBit 3.0. The group claims to have breached corporate headquarters and infiltrated outposts around the world, exfiltrating 718GB of confidential and critical information. Data is said to include financial records, internal reports, certificates, employee personal information and much more.
- Tucson Unified School District, Southern Arizona’s largest school district, was the target of a ransomware attack at the end of January. The incident shut down the district’s internet and network services, forcing schools to do work offline. Staff discovered letters in their printers, stating that the attack was carried out by Royal ransomware. It also stated that the district’s data was encrypted and copied during the attack. A ransom amount has not been disclosed but according to reports, Royal offered the district a “unique deal” that would see their data decrypted, restored and kept confidential.
- Nantucket Public Schools were victims of a ransomware attack that overtook the entire island’s public school internet system. All student and staff devices were shut down, and security systems, including phones and security cameras were disabled. Students and staff were dismissed for the day and issued a warning not to use school issued devices at home.
- In France, the Association Appui Santé Nord Finistère suffered a crippling ransomware attack which saw the Association unable to access any archived data or their accounting management system. According to reports, data has been encrypted and some archive files deleted. Due to the nature of the organization, the integrity of personal health information belonging to its patients has been affected. There has been no indication relating to the attackers or any potential ransom.
February
A total of 40 ransomware attacks were publicly reported in February, a 21% increase on January. Government was the most heavily targeted sector, closely follow by healthcare. Several large organizations made headlines including, ION, Five Guys and Dole Foods , while we closed out the month with an attack on the US Marshals. Here’s a summary of who else made ransomware news in February.
- ION, the financial trading service group, was hit by a ransomware attack at the beginning of the month, disrupting customers including some of the world’s biggest banks, brokerages and hedge funds. LockBit claimed responsibility for the attack and were paid an undisclosed ransom. Both ION and LockBit declined to clarify who paid the money, with LockBit claiming it came from a “very rich unknown philanthropist.”
- American fast-food chain Five Guys fell victim to a ransomware attack at the hands of BlackCat. A preview shared by the ransomware group included bank statements, international payroll data, information about recruitment and audit information, among other types of data from 2021. No further information has been released regarding to attack, including the ransom amount and whether the organization intends to pay.
- The Hidalgo County Adult Probation Office was hit by a ransomware attack in early February. Only the probation office systems were affected as it runs under a different security system to other county offices. Hidalgo County Judge, Richard F. Cortez stated that the office was able to retrieve the information without having to pay the demanded ransom.
- A ransomware incident took down RSAWeb’s entire network, including its fibre, mobile, hosting VoIP and PBX services. RSAWeb CEO Rudy van Staden stated that ‘there was no reason to believe that any customer or employee data was accessed or misused during the incident’. He also claimed that the sophisticated attack was part of a campaign victimizing many other businesses both in South Africa and globally.
- Tallahassee Memorial HealthCare in Florida remained offline for almost a week after they were targeted by a ransomware attack. Surgeries and procedures were limited, with some emergency patient routed to other hospitals. The hospital had to revert to paper documentation and handwritten patient notes during the downtime. An investigation into the incident is ongoing, with information remaining limited due to security, privacy, and law enforcement considerations.
- Florida’s Supreme Court was one of the victims of the global ransomware attack targeting unpatched VMware ESXi servers. It is believed that there are around 3,800 victims of this fast-spreading digital extortion campaign. Spokesman for Florida Supreme Court, Paul Fleming, stated that ‘the affected infrastructure was segregated from the Supreme Court’s main network and was used to administer other elements of the court system’.
- Regal Medical Group announced that they had experienced a ransomware attack late last year, during which files were exfiltrated. These files contained information including PII, diagnosis and treatment information, SSNs and health plan member numbers, among other health data. HHS has indicated that 3,300,638 individuals were affected by the incident, making it the largest healthcare data breach so far this year. No information has been released regarding those behind the attack and if a ransom was demanded.
- Semiconductor equipment maker, MKS Instruments, saw its product-related systems impacted during an attack. The company elected to temporarily suspend operations at some of its facilities in order to contain the incident. An investigation was launched to assess the impact of the incident while engaging with law enforcement and incident response professionals. It is unclear whether any data was exfiltrated during the attack and it is not yet known who was behind it.
- Lorenz ransomware group added AmerisourceBergen/MWI Animal Health to their leak site, providing a sample list of data suggesting that files are personnel-related and internal files. The organization launched an internal investigation which quickly identified that a subsidiary’s IT system was compromised. The incident was isolated, and an investigation continues to determine whether any sensitive data was compromised. No ransom was posted on the group’s leak site, suggesting that those who want to negotiate must contact the group directly.
- Munster Technological University (MTU) in Ireland was forced to close its four campuses in Cork when they fell victim to a ransomware incident. The campuses were closed to ensure robust student and staff data protection, while core systems remained unaffected with most staff being able to work from home. BlackCat have since claimed responsibility for the attack and data belonging to the University has appeared on the Dark Web.
- Important diagnostic systems and access to medical files were disabled as a result of a suspected ransomware attack on Ross Memorial Hospital. The Canadian hospital declared a code grey as staff were unable to access the systems needed for treatment, with patients saying that even parking machines weren’t functioning correctly. Third-party cybersecurity resources were brought in to work with technical experts within the hospital to investigate the incident according to industry best practices.
- LockBit claimed responsibility for an attack on the global power product manufacturer, Phihong. The ransomware group claimed to have personally identifiable information belonging to Phihong’s employees and customers, along with contracts, financial documents, and a large number of databases. LockBit demanded a ransom of $500,000.
- California-based networking hardware manufacturer A10 Networks fell victim to a ransomware attack orchestrated by the Play ransomware gang. During the incident the gang briefly gained access to shared drives and compromised data relating to human resources, finance, and legal functions. The threat actors claimed to possess confidential files including technical documentation, employee and client documents, agreements, and personal data. It is unclear at this time if a ransom was demanded.
- Sensitive patient information was stolen during an attack on CentraState Medical Center. Stolen data was said to include names, addresses, birthdays, SSNs, health insurance information, medical records and patient account numbers. In a statement it was revealed that the attack not only paralyzed the freehold facility, but it also affected around 617,000 patients.
- An attack on the City of Oakland forced all systems offline until the network was secured and affected services were brought back online. The attack did not affect core services such as 911 dispatch and fire and emergency resources. The Information Technology Department is working with law enforcement to investigate the scope and severity of the attack. It is currently unknown which group was behind the attack. A reporter who broke the story, commented last year on the City’s IT department being understaffed and exposing it to ransomware attacks.
- The Modesto Police Department suffered a breach that disabled patrol vehicle laptops, forcing officers to resort to writing down details from dispatch. The city stated that it was investigating alongside leading cybersecurity experts after it “detected suspicious activity on its digital network.” It is not yet known who is behind the attack or if any data was exfiltrated.
- DarkBit, a new ransomware group that emerged this year claimed Technion – Israel Institute of Technology as one of its first victims. An investigation involving both internal and external experts was launched, and all communication networks were proactively blocked. A ransom note from the threat actors was left on the university’s systems, demanding 80 Bitcoin (roughly $1,745,200) to release the decryptor.
- B&G Foods, a food retailer with more than 50 brands including Green Giant, Cinnamon Crunch Toast and Vermont Maid Syrup, was a victim of a cyberattack orchestrated by Daixin Team. The ransomware group allegedly encrypted an estimated 1,000 hosts and exfiltrated files which were later leaked on their site. The files included internal company documents which did not seem to include any confidential files relating to the organization, its personnel, or its contractors. B&G did not respond to communications from Daixin Team, with the group stating, “maybe they don’t care about the leak, and like to restore systems the hard way.” To date, there has been no information released on what ransom was demanded.
- Atlantic General Hospital in Berlin, Maryland recently disclosed they had been impacted by a ransomware attack in January which affected hospital operations including outpatient walk-in lab, pulmonary function testing, outpatient imagining and RediScripts. As of Feb 13th, the facility was once again fully operational. An investigation is ongoing to determine whether any sensitive data was impacted as a result of the incident.
- The Vice Society ransomware group claimed responsibility for the attack on Mount Saint Mary College, a liberal arts college in New York, which happened at the end of last year. The group claimed they were able to gain access and disable some of the school’s systems during the incident, details which were later shared on their leak site. The college notified relevant law enforcement, including the FBI and did not pay the undisclosed ransom in line with the FBI’s guidance. The school has notified those whose personal information has been compromised.
- Tonga Communications Corporation (TCC) had part of their systems encrypted and locked during a cyber incident. The state-owned telecommunications company stated that the process of connecting new customers, delivering of bills, and managing customer enquiries were affected. Medusa ransomware group was responsible for the attack, and it is still unclear whether any information was exfiltrated during the incident.
- AvosLocker claimed California Northstate University as one of its victims, stating that they have exfiltrated both student and employee data from the university’s network. On their leak site the group claim to have student admissions data along with W-2 statements for all college employees. The proof pack included 393 of these W-2 forms including those belonging to the college’s President and CEO and the Vice-President and CFO. At time of writing no student data had been leaked. In the ransom note AvosLocker called out the college on their cybersecurity, writing “why purchase the cyber-insurance with ransomware coverage policy if you don’t protect your students and staff? Ignoring will not make a problem go away.”
- BlackCat claimed Wawasee Community School Corporation as one of their victims, with the attack causing significant disruption to daily operations. Wawasee did not pay the undisclosed ransom amount resulting in the ransomware group leaking 9.78GB of files on its leak site. It is still unclear what data was exfiltrated during the attack as, at time of writing the download link on the leak site was not working properly.
- Fannin County in Georgia was targeted by a ransomware attack which caused disruption to some computer systems and government business. The Board of Commissioners launched an investigation working alongside nationally recognized third-party cybersecurity consultants. The total impact of the attack is yet unknown, and no details have been released regarding impacted data or who was behind it.
- Reventics LLC, a provider of innovative physician focused technology recently revealed that they detected a cyber incident within their systems late last year. An investigation by external consultants has confirmed that PHI data had been exfiltrated. Royal ransomware claimed responsibility for the attack, later leaking more than 16GB of files. The group claims that this is only 10% of all data they have exfiltrated.
- Lehigh Valley Health Network was targeted by BlackCat ransomware group in mid-February. The attack did not disrupt the networks operations and it is believed the attack was on the network supporting only one physician practice. It is unclear what demands if any were made by the ransomware group and if any data was exfiltrated.
- A disruptive ransomware attack took down several systems and backups belonging to Porsche’s South African Headquarters. It is believed that attackers used a relatively new ransomware strain called Faust to encrypt files and lock the company out of their corporate systems. Porsche South Africa declined to comment on the situation and no further details are available at this time.
- One of Northern Ireland’s biggest construction companies, Lagan Specialist Contracting Group (SCG), fell victim to a LockBit ransomware attack, however the company did not experience downtime and continued to trade normally. The company was given until 28th February to meet the ransom demands before potentially sensitive data was set to be published on the Dark Web or sold onto third parties. Details of the ransom or exfiltrated data is currently unknown.
- BlackBasta claimed KFI Engineers as a victim, exfiltrating 1.1TB of data from servers during a ransomware attack. KFI negotiated with the ransomware group after a $600K ransom was demanded in exchange for their data. After several rejected offers, the organization settled with BlackBasta, agreeing to pay $300,000 in BTC for the decryptor and the guarantee that the threat actors would delete all data exfiltrated and information on how the network was accessed, in order for the organization to prevent another attack.
- Alvaria Inc recently reported a cyberattack which took place in November last year, during which they were targeted by Hive ransomware group. Hive leaked certain information on its Dark Web leak site. During an investigation it was revealed that an unauthorized party had gained access to confidential employee information, however information belonging to customers or employees was not posted on the leak site.
- The City of Lakewood in Pierce County, Washington experienced a ransomware attack during which over 250GB of data was stolen. BlackCat was responsible for the attack and due to the City Council’s “misunderstanding and inability to negotiate”, the group shared a link to download all exfiltrated documents. The ransomware group also issued a warning to those of work with the municipality, stating that their structure is not protected and the vulnerability has not been fixed.
- Indigo Books and Music in Canada restored their online book sales two weeks after a ransomware attack but other items are still unavailable. LockBit was behind the attack which is said to have compromised employee data. They are currently working alongside law enforcement and have notified all those who have been affected. Third-party experts have been brought in to strengthen their cybersecurity practices and enhance data security measures.
- One of the world’s largest distributor of fresh fruit and vegetables, Dole Food Company, suffered a ransomware attack with reports suggesting the company was forced to shut down production plants in North America. Although Dole has characterised the impact as limited, it also appears that they have had to halt shipments to grocery stores. An investigation is ongoing to evaluate the scope of the incident, but it is not yet clear what data, if any, was accessed or exfiltrated during the incident. No group has yet claimed responsibility for the attack.
- Dish Network was hit by a ransomware attack that took down the company’s websites, apps and customer service systems for a number of days. Teams continue to work hard to restore all affected systems as quickly as possible. An internal outage also affected internal servers and IT telephony. Managers were told that the incident ‘was caused by a known threat agent’. It is unclear who is behind the attack and what data, if any, was exfiltrated.
- Major U.S private natural gas and oil producer Encino Energy disclosed that its operations were not impacted by a cyberattack orchestrated by BlackCat. The ransomware group exposed 400GB of data belonging to the organization, but a company spokesperson has refused to confirm the nature of the attack and if a ransom was paid.
- The City of Oregon City experienced significant network disruption as a result of a “sophisticated ransomware attack.” IT staff and third-party specialists were able to restore the network and data recovery continues. The City’s investment in backup technology allowed them to recover from the incident without paying a ransom. It remains the City’s top priority to determine whether any sensitive or personal information was accessed during the attack.
- The US. Marshals Service (USMS) is investigating the theft of sensitive law enforcement information following a ransomware attack which impacted “a stand-alone USMS system.” Stolen data included employees’ personally identifiable information alongside returns from legal processes, administrative information and PII pertaining to subjects of USMS investigations and third parties. Further information regarding this attack is not yet available, including the threat actors responsible.
- LockBit added White Settlement Independent School District in Texas to their leak site, with a proof pack suggesting that threat actors were able to access and possibly exfiltrate a number of files. No recent files were included in the proof pack, with a number of them dating from 2015 or earlier. An investigation revealed that compromised documents belonged to some staff that was stored in a shared folder.
- Minneapolis Public Schools was disrupted by a ransomware attack in late February. Impacted systems including school internet, cameras and building alarms were taken down by a “encryption event” on Presidents Day. Many of the systems have already been restored and encrypted data was recovered from backups. It has also been disclosed that no personal data was compromised during the incident.
- Pierce Transit became the second Pierce County Government organization to be targeted by LockBit ransomware this month, following the attack on the City of Lakewood in mid-February. The group threatened to leak ‘a huge portion of confidential data’ which is said to include personal data on customers, contracts, postal correspondence, and NDAs. At this stage the ransom demand has not been disclosed nor has there been any indication as to whether the government officials will pay the requested amount.
March
March saw the lowest number so far this year with 28 publicly disclosed attacks, representing a 12% increase over 2021 and 2022. As usual, education was heavily targeted during the month and it continues to be the number one vertical, ahead of both government and healthcare. High profile incidents included Maximum Industries, the company responsible for making parts for SpaceX. The LockBit gang claimed the attack and disclosed that they had managed to exfiltrate blueprints. The Clop gang also made news when they launched attacks using a vulnerability in Fortra’s GoAnywhere software to steal data from around 130 organizations, with new victim names continuing to make the news. Let’s take a look at other attacks that made headlines in March.
- Tennessee State University received ransomware threats against its WIFI network with an attack rendering the university’s IT system temporarily inaccessible. The Medusa gang was behind the incident which compromised several computers on campus.
- Vice Society claimed an attack on molten metal flow engineering company Vesuvius, publishing files on the dark web one month after the attack. Vice Society included a confidentiality notice alongside the stolen files, stating that the ‘confidential files may also be privileged or otherwise protected by work product immunity or other legal rules.’ The statement went on to acknowledge that the company accepted no liability for the content or consequences associated with the leak. The ransom amount demanded was not made public but given the actions of Vice Society it is unlikely that a ransom will be paid.
- According to a tweet from a threat analyst, Waynesboro local government network was infiltrated by BianLian ransomware earlier this month. During the attack the ransomware group managed to exfiltrate 350GB of files which were said to include fileserver data, files from the internal police station fileserver, public relations, and various business files, notes and manuals. The attacker specifically mentioned the Mayor, Vice Mayor, and another council member in their statement.
- Kuwait’s Ministry of Commerce and Industry detected and successfully thwarted a ransomware attack carried out by LockBit. The ransomware attack entered the network through two computers which were quickly disconnected. No important data relating to operations of companies, institutions, transactions, or citizens and residents were encrypted during the attack. The data impacted was from the personal computers, not the ministry’s network.
- Barcelona’s Hospital Clinic fell victim to a ‘complex and transversal’ ransomware attack at the hands of RansomHouse. Information suggests that at this stage there has been no contact between the ransomware group and the hospital and no ransom demanded. The attack caused major disruption, crippling the emergency room, laboratories, and clinics due to the inability to access patient records. Elective surgeries and care appointments were also impacted with emergency patients being diverted to other local hospitals.
- A Facebook post revealed that Southeastern Louisiana University experienced ‘Temporary Network and System Disruption’ as a result of a cyberattack. Many of the university’s computer-based systems were inaccessible. It is not clear at this time who was behind the attack and what, if any, data was impacted during the incident.
- Hamburg University of Applied Sciences recently reported they were affected by a cyberattack late last year. Vice Society claimed responsibility and were able to infiltrate decentralized IT systems, as well as compromise central IT systems. This access allowed threat actors to acquire administrative rights to central storage systems. ‘Significant amounts of data’ including, usernames, email addresses, mobile numbers and “cryptographically secured” passwords was exfiltrated during the attack.
- Indiana based insurance holdings group Group 1001, saw operations of several member companies disrupted as a result of a ransomware attack. System interruptions were caused by the existence of a sophisticated ransomware on their IT infrastructure. The organization worked with outside forensic teams to investigate the incident and plan to make enhancements to their security posture. It is not clear how many customers were impacted and if data was exfiltrated.
- Black & McDonald, a Canadian engineering company with ties to critical military, power, and transportation infrastructure was hit by a ransomware attack in early March. The company has yet to make a comment on the attack with clients continuing to downplay any damage or impact. There are few details available at time of writing and no group has yet taken responsibility.
- Attent Zorg en Behandeling an elderly care facility in the Netherlands, suffered a ransomware attack which caused technical difficulties. The incident rendered internal IT, e-mail, and telephone systems inaccessible. The Qilin ransomware group gained access to the facility’s network and exfiltrated data which included passport information of former and current doctors, nurses, psychologists, and physiotherapists. A total of 74 documents including salary slips, NDAs and confidential internal communications was leaked on the dark web.
- A notice was issued stating that Berkeley County Schools fell victim to a ransomware attack in February and investigations have now determined that data was accessed during the incident. Vice Society added the school district to their leak site and exfiltrated files included personal and sensitive information on students. This information is said to include behavioural assessments, accommodation plans for 504 students with disabilities, and pupils’ emergency contact information from the past decade. At this time, a ransom demand has not been disclosed.
- LockBit boasted that they broke into Maximum Industries, a parts manufacturer for SpaceX. The gang disclosed that they had stolen around 3,000 proprietary schematics developed by the SpaceX engineers. The ransomware gang taunted the organization claiming that a buyer for these confidential documents and drawings would be easy to find. SpaceX and Maximum Industries refused to comment on the claims and no ransom demand has been publicly disclosed.
- Marshall, a British amplifier and speaker-cabinet maker was added to BlackBasta’s leak site. At this time very few details about the incident have been made public and the company has yet to make a comment.
- Bishop Luffa School in Sussex fell victim to a ransomware attack which shut down their computer systems. Medusa claimed responsibility for the attack and threatened to release files from the school’s server. Stolen data is said to contain personal details of staff, students, and parents. There is no indication that their other cloud-based systems were affected. The school’s headteacher stated that they do not have the financial means to pay a ransom and even if they did, they would not pay it as it would be a poor lesson for their students.
- Medusa also launched a ransomware attack on another school based in Chichester on the same day as the Bishop Luffa School attack. Rumboldswhyke Primary School had more data stored on their cloud-based systems and were less affected by the attack. Medusa posted a ransom of $100,000 for the deletion of hundreds of sensitive documents belonging to both schools. An investigation led by Surrey and Sussex’s specialist Cyber Crime Team is ongoing.
- Amazon owned security camera company Ring was added to BlackCats’s list of victims in March. The group posted the company’s name on their leak site alongside the statement, “there’s always an option to let us leak your data.” It is not clear what specific data BlackCat has accessed, and no evidence of data exfiltration has yet been released. A spokesperson from Ring has reported that the company has “no indictors” that they have experienced a ransomware attack.
- Wymondham College in Norfolk England faced disruption this month when its IT systems were targeted by a ransomware attack. The incident left staff unable to use computer resources and students without access to files. The school is working with the Department of Education and the National Cyber Security Centre. Royal ransomware group responsibility for the attack, but it is not yet clear what data was exfiltrated nor if any ransom demands were made.
- Dutch Maritime logistics company Royal Dirkzwager fell victim to a cyberattack which foreced them to take their systems offline and suspend several services. It took the company a week to clean and fully restore their systems. Play ransomware group claimed responsibility for the attack and posted 5GB of data belonging to the company, representing only a portion of the data claimed to be exfiltrated from their systems. The stolen data allegedly contained private and personal data, contracts, employee IDs, passports and more. The threat actors stated that they will publish all data if their demands are not met. At this time the ransom demand is unknown.
- The City of Allen Park was a victim of a ransomware attack at the hands of LockBit this month. The hackers demanded that officials pay up before the city’s data is released. Our research indicates that LockBit was behind the attack while officials are yet to comment on the attack.
- After an attack by Play ransomware group in February the city of Oakland was reported to have been hit by another attack. This time LockBit added the city to its dark web site, giving them until the beginning of April to pay the ransom. The embattled city is still attempting to recover from an earlier attack with a number of non-emergency systems still offline.
- Lumen Technologies suffered two separate cyber incidents in March, one of which was a ransomware attack. The communication and network services organization had to downgrade operations for a small number of its enterprise customers as a result of the incident. There is an ongoing investigation to evaluate whether any PII or sensitive data was exfiltrated. No one has yet claimed responsibility for the attack.
- Vumacam, a security system provider based in South Africa confirmed that it was the victim of a ransomware attack during which a low-priority internal system was breached. The organization claimed that no critical, personal, or sensitive data was impacted and that the breach was remediated immediately. The organization made it clear that they do not negotiate with cybercriminals and that cybersecurity is a priority for them which allowed them to contain the incident quickly. LockBit were responsible but no information regarding ransom demands are publicly known at this time.
- Mumbai based drug company Sun Pharma fell victim to a cyberattack at the beginning of the month with BlackCat claiming responsibility 25 days later. The incident saw certain file systems breached, impacting both company and personal data. The business operations were impacted due to required network isolation and recovery. At this time the organization is unable to determine all of the ‘potential adverse impacts’ of the attack.
- Crown Resorts, Australia’s largest gambling and entertainment company announced that it was a victim of Clop’s ongoing attack on the GoAnywhere vulnerability. The ransomware group claim to have stolen data from the network, but the organization is investigating the validity of the claim. According to reports there is no evidence of a data breach impacting customer data and business operations have not been impacted.
- Tanbridge House School in West Sussex England experienced a ransomware attack at the hands of RansomHouse, locking employees out of their computers. According to the school’s headmaster, the attack had a big impact on the normal every day running of the school. RansomHouse, who have demanded an undisclosed ransom, taunted the school on its leak site stating, ‘we were waiting for you for quite some time, but it seems that your IT department decided to conceal the incident that took place in your company.’ The school previously told parents that there was no evidence of sensitive data having been stolen. However, an evidence pack was later released containing personally identifying information belonging to staff and students.
- Play ransomware group claimed BMW France as one of their latest victims, naming them on their dark web blog. The group threatened to leak data within the next two weeks if the company refused to pay the undisclosed ransom. Data stolen is said to include private and personal confidential data, contracts, financial information, and client documents. BMW Group experts are investigating the case and have not yet identified any system intrusions.
- An attack on the Washington County Sheriff’s Office in northeastern Florida resulted in stolen data which included warrants and employee info being leaked on the dark web by the LockBit criminal gang. The Sheriff’s Office claim to have ‘recovered’ from the incident and stated that they didn’t lose communication lines during the incident. The attack appears to have impacted department apps and took down finance and jail networks. Florida law prohibits government organizations from paying ransoms linked to ransomware attacks so it’s unlikely the criminal gang will profit from this attack. The Sheriff’s Office confirmed that it currently spends less than $20,000 on IT and database recovery systems.
- Lewis & Clark College announced they had been a victim of a ransomware attack orchestrated by Vice Society. The incident which caused widespread outages saw the ransomware group post exfiltrated files including samples of passports and documents including SSNs, insurance files, W-9 forms and contracts on the dark web. A statement released by the school confirmed that after consulting with experts and law enforcement it was not going to pay the undisclosed ransom.
April
April was the quietest month for reported ransomware attacks this year with 27 incidents making the news, up from 25 in the previous year. Data giant Western Digital was held to ransom by the BlackCat criminal gang who extorted them for an 8 figure sum. While luxury German shipbuilder Lüerssen suffered an attack over the Easter break which reportedly caused much of the firm’s operations to come to a standstill as a result. Here’s a look at who else made ransomware headlines during the month.
- Montgomery General Hospital in Virginia was targeted by D#nut Leaks ransomware. The threat actors claimed to have gained access to the hospital’s network via a “Microsoft Exchange exploit.” D#nut’s negotiator stated that due to the nature of the business they did not encrypt or damage the network during the attack. The ransom was set at $750,000 but after failed negotiations, the exfiltrated data was dumped on the leak site.
- During spring break Jefferson County Schools was a victim of a ransomware attack. Upon discovering the incident the district’s technology team took immediate steps to stop the attack while state and local authorities were notified.
- The Californian city of Modesto was a victim of the Snatch ransomware group. The attack which happened earlier in the year made news this month following a data breach notification. An investigation revealed that accessed files contained sensitive personal information including names, addresses, social insurance numbers and driver licence numbers.
- Early in the month, data storage giant Western Digital disclosed that a third party had gained access and breached its systems, alluding that it may be due to a ransomware attack. In a later media report, the hackers behind the attack claimed to have stolen 10 terabytes of data for which they demanded an 8 figure ransom payment in exchange for not disclosing it. The BlackCat gang allegedly exfiltrated ‘reams of customer information’ which they threatened to leak if the organization refused to pay.
- The UK Criminal Records Office (ACRO) experienced a cyber incident which resulted in the shutdown of its customer portal, disrupting several operations for a prolonged period. In an email to users ACRO confirmed it has “recently been made aware of a cyber security incident affecting the website between 17th January 2023 and 21 March 2023.” They also stated they had no conclusive evidence that personal data had been affected.
- Money Message ransomware group claimed responsibility for an attack on MSI during which files were stolen from the PC maker. The group claimed that it breached the organization in order to steal source code, including the framework for the BIOS used in MSI products. The organization received communications demanding a $4 million ransom to stop the group from leaking their files. MSI have not disclosed whether customer data was affected but have stated that the breach is having “no significant impact” on its financials or operations.
- Neue Zürcher Zeitung was forced to shut down central systems for newspaper production while they struggled to restart systems and services two weeks after a cyberattack. Reports suggested that a ransom was demanded but a publisher from CM Media, who obtained IT services from NZZ, stated that, to his knowledge, no such request had been made.
- The Police Department of Camden County in New Jersey is investigating a ransomware attack which targeted their agency in March. It was reported that the agency remained operational and no disruption or outages to public safety response services were experienced as a result of the incident. According to sources the attack had been “locking many criminal investigative files and day-to-day internal administration abilities.” An investigation is ongoing.
- Australian consumer lender Latitude Financial suffered a ransomware attack which “lifted” 14 million customer records, including drivers licences, passports, and financial statements. The company has only begun to restore services after initially shutting down their systems to contain the attack. The firm disclosed that they would not pay an undisclosed ransom, in line with Australian government policies.
- German shipbuilder Lüerssen, known for making luxury yachts for the super-rich, suffered a ransomware attack over Easter, with local reports suggesting that the much of the firm’s operations came to a standstill as a result of the incident. In coordination with experts the organization initiated necessary protective measures and informed the responsible authorities. It is not clear at this time who was responsible for the attack and if any sensitive customer information was stolen.
- Retina & Vitreous have issued a press release regarding unusual activity within its networks back in February. It stated that an investigation determined that some personal and protected health information may have been acquired without authorization. BianLian ransomware group have since claimed responsibility, publishing 170GB of files on their leak site. The stolen information included protected health information of patients, financial data of the practice, and human resources files. The incident was reported to the HHS as affecting 35,766 patients.
- A ransomware attack on a data center caused NCR’s Aloha POS platform to suffer an outage which left hospitality services unable to utilize the system. It was reported that some restaurants are still being impacted. Upon discovering the incident, the organization began contacting customers, engaged third party cybersecurity experts and launched an investigation. BlackCat claimed responsibility but it is unclear at this time what information, if any was exfiltrated by the threat actors.
- The Medusa ransomware group claimed Uniondale Union Free School District as a victim, adding them to their leak site with some sample files and a ransom deadline. Three ransom demand options were given by the group: $1,000 to add one day to the deadline or $1 million to either delete or download all of the data. Files published on the site included students’ personal information as well as personnel information. No other information about this incident has been released, with no notice available on their website.
- LockBit added Pineland Schools in New Jersey to their leak site adding a sample of the 65GB of data they claimed to have exfiltrated. The listing on the leak site also did not indicate the ransom amount.
- S. network infrastructure giant CommScope suffered a ransomware attack at the hands of Vice Society, with the hackers publishing a trove of stolen data on their leak site. The stolen data included internal documents, invoices and technical drawings, alongside personal data relating to thousands of CommScope employees. The attackers appeared to gain deep access to networks, exfiltrating backups of data from its customer portal and internal intranet. It is unclear how many employees have been affected by the incident.
- Evide, a company responsible for managing data for around 140 charities and non-profit organizations across the UK and Ireland was targeted by cybercriminals. At least nine organizations, including four who deal with victims and survivors of rape and sexual abuse, were impacted. When made aware of the incident the organization contacted police and engaged cybersecurity specialists to contain the issue and support recovery efforts. At this time no-one has claimed responsibility for the attack and no “highly sensitive or personal information” stolen has appeared on the Dark Web.
- In mid-April, Twitter users began discussing that Banco de Venezuela had been affected by a LockBit ransomware attack. The bank itself issued a statement regarding the spread of information on social media without denying or confirming the news. The attack did not impact the bank’s platform equipment and electronic services continued to function normally. Aside from evidence photos on the leak site, no further information about the nature of the stolen data has been provided. 10th May was given as a deadline to pay the undisclosed ransom amount.
- Point32Health, a leading health insurer and parent company of Harvard Pilgrim Health Care and Tufts Health Plan, suffered a large technical outage due to a ransomware attack. Law enforcement and regulators were notified about the incident and the organization collaborated with third party cybersecurity experts to investigate and resolve it. It is not yet clear whether the incident involved sensitive information from members and at this time no-one has claimed responsibility for the attack.
- Tank storage company Vopack was targeted by a ransomware attack which affected their Pengerang Independent Terminals (PTSB) site in Malaysia. A tweet from the company confirmed that an IT incident resulted in the unauthorized access of some data but that the terminal remained fully operational. Reports point to BlackCat at the culprit for this attack, although the group themselves have yet to confirm this.
- Yellow Pages Group, a Canadian directory publisher confirmed that it had been hit by a ransomware attack. The Black Basta ransomware gang claimed responsibility, later posting sensitive documents and other data exfiltrated during the incident on their leak site. Leaked information included ID documents and tax documents relating to employees, sales and purchase agreements, and company financial information.
- Kenya’s Naivas supermarket chain became a victim of the BlackCat criminal gang with the group claiming to have stolen more than 1TB of data. The organization managed to contain the attack and continue operating as normal. The chain assured customers that certain customer data, such as credit/payment card information was not at risk. Alongside proof claims BlackCat posted a statement on their leak site detailing how data will be sold for money laundering and other criminal activities. It is not yet clear exactly what data was exfiltrated and what ransom was demanded.
- Gateway Casinos was forced to close 14 casinos across Ontario due to a cyberattack that left the organization scrambling to restore its IT systems. Gateway officials were not able to confirm a reopening date for their casinos at this time but confirm that they are working with relevant parties to restore systems, open casinos and get employees back to work. They have also stated that there is no evidence that personal information of their customers was impacted.
- US commercial and defense shipbuilder Fincantieri Marine Group was hit by a ransomware attack in mid-April. The incident caused temporary disruption to certain computer systems on its network, rendering data on network servers unusable which impacted critical CNC manufacturing machines. Upon discovery, systems were immediately isolated, and the incident was reported to relevant agencies and partners, with additional resources brought in to investigate the incident and restore the affected systems. The organization clarified that there was no evidence that employees’ personal information was impacted. No ransomware group has yet claimed responsibility for the attack.
- Spartanburg County in South Carolina issued a statement confirming that it had detected and responded to a ransomware attack. Upon discovering the attack county officials began working to investigate, restore operations and determine the effects of the incident. Third party cybersecurity consultants and law enforcement were aiding in the investigation.
- NYSARC Columbia County recently confirmed that it fell victim to a ransomware attack in July 2022. The latest press notice stated that they would issue notices to those who impacted by the attack. Although the COARC is unaware of the misuse of any personal information, it has been disclosed that data including PII may have been impacted. Details around what data was exfiltrated and any ransom demands or payments have not been made public.
- Hardenhuish School, a large secondary school and sixth form in the UK has confirmed it was the victim of a ransomware attack which disrupted the operations of its IT network, website, local servers, WiFi, printers, and internal phone systems. Hackers took control of IT systems and demanded a ransom to restore access. The school reassured parents that disruption was minimal and returned to paper registers as a result of the incident. Upon discovering the incident, a third-party IT specialist was appointed to investigate and restore the systems. No ransomware group has yet claimed responsibility.
- Boston’s Emmanuel College was added to the AvosLocker data leak site in a note that read “Oh no! 140GB student and staff confidential data exfiltrated. If you value protecting students, pay us instead of shutting down domains.” Although there was no notice of the attack on the college’s website, they did tweet information concerning an IT outage at the end of the month.
May
The month of May was a record-breaker as we recorded a massive 66 publicly disclosed ransomware attacks, the highest we have ever recorded since we started this blog back in January 2020. Royal, LockBit and BlackCat were the most active during the month, while education remained the most heavily targeted sector, with a few attacks on religious organizations also noted which is an uncommon occurrence. Cybersecurity firm Dragos made headlines when they were targeted by a failed extortion attempt, while an attack on health services organization Harvard Pilgrim caused havoc for patient care, and dental insurance provider MCNA informed nearly 9 million patients that their data had been impacted by a cyber incident. Let’s see who else made ransomware headlines in May:
- Penncrest School District in Pennsylvania announced that it had fallen victim to a ransomware attack at the beginning of May. The incident disrupted certain aspects of operations, forcing the district to shut down and disconnect its entire network and technology infrastructure. Network access was limited for up to three weeks. In an update the Superintendent claimed that there was no evident of any data loss, data access or data theft.
- Royal Ransomware Group targeted Montana State University (MSU), claiming to have stolen over 100GB of data. The cyberattack also caused disruption across MSU’s online services. Royal are yet to post any proof of exfiltrated student or faculty data and no further information on the incident is currently available.
- Australian commercial law firm HWL Ebsworth were victims of a BlackCat ransomware attack during which 4TB of data was exfiltrated. Information stolen included IDs, finance reports, accounting data, client documents and credit card details. Reports suggest that the ransom demanded was around $5million and the law firm refused to pay. Sources also revealed that several high-profile clients removed their files from HWLE as they grew concerned about their data.
- Catholic publishing firm Our Sunday Visitor was compromised by the Karakurt ransomware gang and the incident resulted in 130GB of data being exfiltrated from the organization. Stolen data is said to include employee information, accounting files, HR documents, invoices, marketing details and financial contracts. Immediate action was taken to secure its systems after suspicious activity was identified.
- AvidXchange suffered its second ransomware attack of 2023. RansomHouse claimed responsibility for the attack and encouraged the software provider to contact them to prevent confidential data being leaked. A sample of stolen data included non-disclosure agreements, employee payroll information and corporate bank account numbers alongside login details for a variety of the company’s systems. It remains unclear how AvidXchange was compromised, how many individuals were impacted and how much information was exfiltrated.
- Royal ransomware group added the City of Dallas to its victims list this month, forcing them to shut down some IT systems to prevent the spread of the attack. Several functional areas including the police department were impacted, forcing 911 dispatchers to write down reports for officers rather than using computer-assisted dispatch systems. Printers printed ransom notes which seemed to taunt the city stating, “most likely what happened was that you decided to save some money on your security.” Reports included council members agreeing with the cybercriminals messaging, highlighting that they believe there was a significant underinvestment in cybersecurity in recent years. The investigation is still ongoing.
- EdisonLearning, a provider of school management systems for public schools, was infiltrated by the Royal ransomware group who claimed to have stolen 20GB of data. The exfiltrated data is said to include personal information of employees and students. However, the organization’s Director of Communications has stated otherwise, claiming that impacted systems contained no student data. As with other Royal attacks, the group taunted the organization, writing “looks like knowledge providers missed some lessons of cybersecurity. Recently we gave one to EdisonLearning and they have failed.” Reports suggest that a ransom was demanded and that the two parties have entered into negotiations, but no further information is currently available.
- Bluefield University saw its systems crippled by a cybersecurity attack orchestrated by AvosLocker. The ransomware group were able to directly communicate with everyone on the university’s RamAlert system. Communications gave details of the attack, with the cybercriminals claiming that they exfiltrated 1.2TB of files including admissions data from thousands of students and stated that they would continue to attack if BU’s presidents doesn’t pay. The ransom amount has not yet been disclosed. BU released a statement saying that they are currently investigating the incident and “have no evidence that any information involved has been used for financial fraud or identity theft.”
- Play ransomware group targeted the Valais municipality of Saxon at the end of April this year. The ransomware group threatened to publish stolen data which includes “confidential, private and personal data, finance, human resources, contracts and employee documents.” It is not known how long the threat actors had access to the foreign network or how they exfiltrated the data. An investigation into the incident continues.
- Italian water supplier Alto Calore Servizi spA suffered a ransomware attack which rendered all of its IT systems unstable. The company was unable to carry out any operations or provide information that required querying the database. The Medusa ransomware group took credit for the attack, giving the company seven days to pay the ransom of $100,000 in exchange for deleting the data. The threat actors provided samples of stolen data, which is said to include customer data, contracts, reports, expansion documents and more. The organization declined to comment on when systems would be restored or if they intended to pay the ransom.
- Lake Dallas Independent School District was added to the Royal ransomware gang’s leak site after an attack in late April. The threat actors claimed that they had gigabytes of data belonging to students and staff, including hundreds of SSN’s and passport information. They also said that their attack was a “result of being non-progressive in cybersecurity.” The district provided notification to the Texas Attorney General’s Office that 21,982 Texas residents had been affected by the incident.
- Trigona ransomware group listed Unique Imaging on their dark web leak site this month after claiming to have been living in the organization’s network for months. The group listed prices for auction of the data alongside a countdown clock and a data sample. The data included hundreds of scanned PDF files containing protected health information, health insurance cards, driver’s licenses, and purchase orders. Trigona were also able to access the Radiology Information System (RIS), electronic health records specific to radiology. It is not clear how much data was exfiltrated or what the ransom demand was.
- South Carolina-based Relentless Church had employee data stolen by the LockBit ransomware group, the second reported attack on religious organizations during the month. Upon discovering the incident the church’s IT team took immediate action and subsequently hired a top security firm to examine the source of the breach and safeguard the data of both the church and its congregation. No further information about this attack has been made public.
- Crown Princess Mary Cancer Centre in Sydney was breached by the Medusa ransomware gang who threatened to release data after seven days unless the ransom was paid. The proof pack provided by the threat actors included a file tree listing more than 10,000 files on the system, and archive images of specific files revealing medical information. The ransom demanded to delete all of the data was $100,000.
- Canadian diversified software company Constellation Software confirmed that it had fallen victim to a cybersecurity incident during which systems were breached and personal information and business data stolen. BlackCat claimed responsibility saying it had stolen more than 1TB worth of files. The organization stated that a limited amount of both personal and business data has been impacted. At this time, it is not clear what the ransom demand was nor whether Constellation were intending to pay the threat actors.
- A ransomware attack targeting Rochester Public Schools resulted in theft of some employee and student information. The district was forced to shut down its network causing a significant impact on the district’s operations. It has also been confirmed that Minnesota Comprehensive Assessment tests would not be administered to students this year as a result of the incident. The district refused to pay the undisclosed ransom to threat actors and an investigation involving the FBI continues.
- San Bernadino County Sheriff’s Department confirmed that it suffered a ransomware attack which forced it to temporarily shut down computer systems including email, in-car computers, and some law enforcement databases. Officials confirmed that the hackers demanded a ransom of $1.1 million but after negotiations, the county paid $511,852 with its insurance carrier left to cover the rest. The extent of the attack, including whether sensitive information was compromised is still unknown. The name of the ransomware group behind the attack has not been made public but is believed to be based in Eastern Europe with ties to a larger network of Russian hacking operations.
- Bl00dy Gang claimed responsibility for an attack on the Socrates Academy in North Carolina. It’s still unclear what data was stolen but from evidence on the group’s dark web site it seems that Socrates Academy’s entire network could have been impacted. Information said to have been exfiltrated from both victims includes student and employee information and financial documentation. It is even said to include QuickBooks data, giving access to tax info and much more.
- Bl00dy Gang struck again, this time hitting the Movement School in North Carolina. Details of the attack or what data may have been compromised are still known and the school has yet to comment on the attack.
- Murfreesboro Medical Clinic suffered a ransomware attack which caused the clinic to shut down all operations for three days to limit the spread of the attack. It was reported that BianLian was responsible for the attack, with its leak site claiming to have exfiltrated 250GB of files from the victim. Data stolen included HR documentation, financial data, business data, legal cases, and SQL databases.
- Nashua School District in New Hampshire continues to work with experts to determine what records or personal information was stolen during a “sophisticated cyberattack”. Despite the attack schools remained open across the district in PK and K-12 and business carried on as usual. Royal ransomware group claimed responsibility, stating on it’s leak site that the school district “doesn’t need it’s 728GB of data” which contains SSNs, passports and personal information relating to both students and employees.
- Akira ransomware group claimed responsibility for an attack on Mercer University in Georgia. The University detected unauthorized access to its network and immediately launched an investigation with the assistance of law enforcement and outside legal and technical consultants. It was reported that some data, including SSNs and driver’s licence numbers, was stolen during the incident but there has been no evidence that personal financial information was impacted. Mercer are in the process of notifying all of those individuals affected.
- Basel’s Department of Education experienced a ransomware attack during which their main servers were impacted. BianLian gained access to the networks via a malicious email and exfiltrated around 1.2TB of data. The data was published on the dark web when ransom demands were not met. The sensitivity of the data is currently being analyzed.
- Play ransomware claimed the City of Lowell in MA as a victim in May, causing chaos across the City’s computer systems. Phone lines, emails and other systems were brought down by the attack, taking days for these to become fully operational again. The ransomware group exfiltrated 5GB of data, which is said to include sensitive documents such as personal data, financial documents, budgets, and government IDs. The ransom demand has not been made public, but reports suggest that the data has been published, meaning that it is unlikely that the city negotiated with the group.
- Cybercriminals attempted to breach defenses and infiltrate internal networks in Dragos as part of an extortion attempt, but were not successful. They did however gain access to the company’s Sharepoint and other contract management systems. The threat actors gained access through a compromised personal email of a new sales employee prior to their start date, enabling them to complete initial onboarding steps. During the 16 hours that they had access to the systems they downloaded “general use data” and 25 intel reports which are usually only available to customers.
- The National Gallery of Canada spent two weeks recovering after a ransomware attack forced the art museum to shut down its IT systems. Upon discovering the incident the institution attempted to isolate the affected networks whilst hiring a cybersecurity company to conduct a forensic investigation alongside the Canada Centre of Cybersecurity. It has been reported that no customer data was stole but some operational data was lost.
- Essen Medical Association was added to the BlackCat ransomware group’s leak site on April 6th, with a recent update stating “we gave you time and went into a meeting. Our patience has run out!” The group claim to have stolen a total of 2.6TB of data during the attack.
- Mercy Home in New York fell victim to an attack orchestrated by BianLian in May. No notice has been posted on the organization’s website, but the ransomware group claim to have exfiltrated 533GB of data. No further information on this incident is currently available.
- Another healthcare organization breached by BianLian, during the same week as Mercy Home, was Synergy Hematology Oncology Medical Associates. The threat actors claim to have stolen around 200GB of data from the Californian organization, but no proof or further information of the attack has been made public at this time.
- Swiss multinational tech firm ABB was impacted by a ransomware attack, affecting business systems, delaying projects, and impacting factories. Upon discovery of the incident ABB terminated VPN connections with its customers to prevent the spread of the attack. Reports from employees suggest that the organization’s Windows Active Directory was affected, in turn affecting hundreds of devices. An investigation is ongoing, attempting to identify and analyze the nature and scope of the affected data.
- It was revealed that a ransomware attack impacted the data of around 16,000 members of the Law Society of Singapore. A vulnerability in the organization’s VPN is said to be linked to the attack. Threat actors, who have yet to be named, used an easily guessed password for a compromised administrator account to create a new account with full access to servers. The servers were then accessed, and its contents encrypted. Data including names, addresses, DOBs, and NRIC numbers were stolen during the incident. It was also discovered, during the investigation of the attack, that the Law Society had not conducted periodic security reviews for three years.
- Richmond University Medical Center suffered a ransomware attack forcing it to implement network downtime procedures. Although the impact was reportedly limited, clinicians were forced to monitor patients and enter data with manual processes. The organization is investigating the scope of the attack and the impact on patient data with the support of an external cybersecurity firm. No-one has yet claimed responsibility for the attack and no further details are available.
- MoneyMessage exfiltrated 4.7TB of data containing information on 5.8 million patients during an attack on PharMerica. The pharmacy service providers were breached earlier in the year, discovering the incident soon after. The threat actors published the data which included names, addresses, DOBs, SSNs, medication lists and health insurance information. The data was not only leaked on the group’s dark web leak site but was also made available on the Clearnet hacking forum. It is unclear if a ransom was demanded and if the organization entered into negotiations with the cybercriminals.
- Methodist Family Health is in the process of notifying patients in Arkansas of a ransomware incident which occurred earlier in the year. The threat actors spent two days within the systems before they were discovered, and their access terminated. Investigations involving external cybersecurity and privacy specialists found that a variety of documents used to provide pharmacy services, which contain health information, were copied without authorization. No group has yet claimed responsibility for this attack, and it is not yet known how many patients were impacted.
- Non-financial banking company Fullerton India suffered a major ransomware attack and is now notifying stakeholders about the incident that forced the company to take its systems offline. LockBit claimed responsibility for the attack, exfiltrating 600GB of data. Leaked data included loan agreements, data on international transfers, financial documents and sensitive personal information belonging to customers. LockBit demanded a ransom of $2.9million to recover stolen data.
- Utah-headquartered Academy Mortgage saw its systems infiltrated by BlackCat mere months after settling an underwriting fraud case. The threat actors claimed to have been in the network for a long time and are said to have stolen confidential data. It is also claimed that the firm refused to pay the undisclosed ransom. The organization is yet to comment on the incident.
- MásMovil Group suffered a ransomware attack on three of their brands, Euskaltel, R and Telecable, causing issues with its customer service channels and system access. Clients of these three brands were also unable to access the self-management apps. LockBit claims to have exfiltrated 3TB of data from R and another 100GB of data from Euskaltel, which includes sensitive personal information. MásMovil have been given until June 5th to settle the undisclosed ransom demands before their data is published.
- French electronics manufacturer Lacroix Group was forced to shut down three plants over two continents to contain a ransomware attack. The security team managed to intercept the “targeted cyberattack”, however the attackers managed to encrypt local infrastructure in the French, German and Tunisian facilities. It is currently unknown what data was impacted during the incident and no group has claimed responsibility.
- Curry County in South Oregon was left struggling to function after a ransomware attack left it unable to access any of its digital information. The county was the targeted by Royal ransomware group, who demanded an undisclosed ransom in exchange for access to the inaccessible information. The county is collaborating with state police, the FBI, and the Department of Homeland Security in an ongoing investigation.
- The foreign trade agency for the Federal Republic of Germany, GTAI, fell victim to a ransomware attack that impacted its website, email and phone services. The website stated that due to a hacker attack, the agency was only able to be reached to a limited extent. Play ransomware group claimed responsibility for the incident, claiming to have stolen a lot of sensitive information. There is no further information available about the attack.
- Technology provider ScanSource announced that it had suffered a ransomware attack impacting some of its systems, business operations, and customer portals. In mid-May, ScanSource reported that they no longer had access to the company’s customer portal and websites, fearing a cyberattack. The company is working closely with forensic and cybersecurity experts to investigate the extent of the incident, minimize disruption and mitigate the situation.
- KD Hospital in India fell prey to a ransomware attack which blocked the hospital from accessing all its online systems including patient data and hospital files. All server data belonging to the hospital on its online server was encrypted. The attackers, who are still unknown, sent a ransom demand via email, asking for $70,000 in bitcoin for the decryption of the files. Upon discovery of the attack, all linked servers were disconnected to limit the spread and an investigation began to check if the data could be recovered.
- Dunghill ransomware gang claimed responsibility for an attack on Gentex Corporation in April, but Gentex only confirmed the incident this month. The attackers have allegedly exfiltrated 5TB of sensitive corporate information from the Michigan-based technology and manufacturing company. Data is said to include emails, client documents and personal data of 10,000 Gentex employees. As the organization ignored the leak, Dunghill claims to have shared stolen data with competitors in China, India and the U.S. Gentex have acknowledged the attack but has made no further comment.
- Franklin County Public Schools was forced to shut down certain school systems and cancel classes in the wake of a ransomware attack. The authorities initiated an internal investigation, with the third-party experts brought in to resolve the situation. Investigations continue in collaboration with the FBI and law enforcement, but it is yet unknown if any private information was impacted by the incident.
- Harvard Pilgrim Health Care is still feeling the effects of a ransomware attack which took place mid-April. The cyber incident led the company to take nearly all of its systems offline in order to contain the damage. This downtime meant that the health insurance company were unable to confirm patient eligibility, causing disruption for its members. An investigation confirmed that files containing personal data and protected health information was impacted during the attack. No-one has yet claimed responsibility for this attack.
- LockBit orchestrated an attack against Farmalink prescription drug sales system, giving them 28 days to negotiate and make a ransom payment before exfiltrated data is published. Reports suggest that there has been no dialogue between the two parties. During the incident, networked computers stopped working and the software that manages the virtual machines was disconnected. It is not clear at this time what data was exfiltrated by the threat actors.
- 5TB of personal and financial information stolen from Bank Syariah Indonesia was published by LockBit in May. The cyberattack forced the bank to switch off several channels to ensure system security, some of which remained inaccessible for a number of days. LockBit claimed that the bank “brazenly lied to their customers and partners, reporting some kind of ‘technical work’ was being carried out at the bank.” Data exfiltrated during the attack included personal and financial information relating to around 15 million customers and employees. The bank entered into negotiations with the ransomware group offering them $10 million to recover the stolen data. LockBit counter offered with $20 million before going silent.
- Buckley King LPA law firm was reportedly attacked by Black Basta, who managed to enter the firm’s IT systems via a social engineering attack. The data stolen contained over 230,000 directories and more than 76,000 files. Black Basta contacted the law firm stating that they had 110GB of files, demanding $400,000 to delete data, provide a decryptor and provide a “security report.” The negotiations ended, with the group agreeing to accept a ransom payment of $150,000.
- Black Basta supposedly breached Viking Coca-Cola, one of the largest Coca-Cola bottlers in the US. The ransomware group has not disclosed what type of data they exfiltrated and at this time, no data has been leaked. This likely indicates that negotiations are still taking place between the organization and cybercriminals. Viking have yet to comment on the incident.
- Madhya Pradesh Power Management Company in India suffered a ransomware attack which crippled its internal IT system used for communication among different functionaries of the state-run entity. In the aftermath of the attack the organization put an alternative method in place to ensure urgent work was not affected. Reports suggest that those behind the incident did not make a ransom demand at the time but did provide the company with email IDs to contact them. It is not clear exactly what data was stolen during the incident.
- Clarke County Hospital admitted to an attack and data breach following the Royal ransomware gang sharing details of the incident on the dark web. Security researchers noticed that data from the attack was actively being leaked towards the end of April, but the hospital only acknowledged the attack on May 17th. A notification letter suggests that personal information including PII, and some health information may have been acquired by an unauthorized third party, but emphasizes that EMR, SSNs and financial information were not involved in the breach.
- International audit, accounting and consulting firm Mazars Group appeared on BlackCat’s leak page this month. The gang claimed to have stolen over 700GB of data including agreements, financial records, and other sensitive information. The organization are yet to make any comment on the incident.
- Rheinmetall, the German automotive and arms manufacturer was allegedly breached by Black Basta, appearing on the group’s leak site in mid-May. The post on the site included several data samples including NDAs, agreements, technical schematics, passport scans, and purchase orders. The organization confirmed the attack, clarifying that it only affected the civilian department of the business. Details on ransom demands and if negotiations took place have not been made public.
- The Insurance Information Bureau of India fell victim to a ransomware attack at the beginning of April, leaving nearly 30 server systems encrypted and data inaccessible. An internal investigation revealed that hackers stole certain confidential information from the company’s database, with firewall logs indicating the exfiltration of 16GB of data. Police have reported that the threat actors, who are believed to be pro-Russian, have demanded $250,000 in BTC for a decryption key. IBBB refused to pay the ransom as it believed that paying a ransom doesn’t guarantee the deletion of stolen data.
- The notorious Cuba ransomware gang is believed to be behind the cybersecurity incident that severely impacted The Philadelphia Inquirer After discovering the breach, the company took down its IT systems and was able to find a workaround allowing them to continue to post news stories online. According to a post on the gang’s dark web blog, sensitive data including financial documents, account movements, tax documents and source code was stolen during the attack. After reviewing the leaked data, The Inquirer reported that the files did not belong to its company. The entry on Cuba’s site was later removed. An investigation is still ongoing.
- Monti has claimed responsibility for a ransomware attack on Italian Health Authority, ASL 1 Abruzzo. Several services were blocked, making it “impossible” to book an appointment with the health service. Although ASL 1 Abruzzo claims otherwise, the ransomware group claim to have sensitive health information, including that of HIV patients. An investigation involving IT technicians and experts from a cybersecurity task force continues.
- Thomas Hardye School in Dorchester had its screens and systems locked by a cyberattack, leaving the school unable to receive emails or accept payments. The attack was accompanied by a ransom demand but the threat actors behind the attack have not yet been named. The school said it would not be paying the ransom and was working with the National Cyber Security Centre and law enforcement to resolve the issue. The school remained open with teaching and learning adapted accordingly.
- Morris Hospital was added to Royal ransomware group’s leak site in late May, with a small sample of files as proof of claims available to view. An investigation was launched when the hospital detected unusual activity on its network, indicating that an unauthorized third party had gained access. The hospital’s electronic medical records were not compromised during the attack. The incident did not impact patient care or hospital operations. The statement given by the hospital did not indicate whether files were encrypted or whether they received a ransom demand.
- Norton Healthcare in Kentucky and Indiana disclosed a cybersecurity incident in early May but did not label it as a ransomware attack even though they received threats and demands. BlackCat claimed responsibility for the attack a few weeks later, claiming to have exfiltrated 4.7TB of data. The ransomware group released a “public announcement” taunting the healthcare organization, stating that Board Members have failed to protect privacy of their clients and employees. The sample of stolen data includes personal and sensitive information of patients alongside financial information and employee personnel information. An update on this incident, including if the parties entered into negotiations, is not currently available.
- Managed Care of North America (MCNA) Dental informed almost 9 million patients that their personal data was compromised via a data breach notification on its website. The organization became aware of unauthorized access to its computer systems in March, with an investigation revealing that access was first gained as early as February. Hackers stole patient data including PII, health insurance information, bills and insurance claims and care programs. LockBit claimed responsibility and threatened to publish 700GB of sensitive, confidential information unless they received $10 million. Since then, the ransomware group has published all of the data on its website.
- BlackByte has claimed responsibility for the ransomware attack on the City of Augusta, GA. A sample of 10GB of data was released on the dark web, containing PII, contacts and city budget allocation data, with the group claiming to have exfiltrated “much more” during the incident. The group taunted the city with the words “The clock is ticking.” The ransom demanded in exchange for deleting the data was set at $400,000. BlackByte offered to sell the data to interested third parties for $300,000. An investigation continues, with the city stating that they have not yet confirmed that any sensitive data has in fact been compromised.
- Two different ransomware groups claimed successful attacks on Albany ENT & Allergy Services. AENT determined that an unauthorized actor may have gained access to certain systems that stored personnel and protected health information. It is now believed that the breach may have impacted more than 200,000 individuals. BianLian was first to claim responsibility, adding the practice to its leak site and claiming to have exfiltrated 630GB of files. It went on to leak personal, business, and financial data in multiple parts. RansomHouse later claimed to have infiltrated internal systems and siphoned 2TB of data from the attack, which was allegedly leaked a few weeks later. AENT has not commented on the validity of threat actors’ claims.
- Onix Group recently confirmed in a “Notice of Data security Incident” that they were targeted by ransomware in March this year. The press release revealed that an unauthorized party was able to access confidential consumer data held by the healthcare services provider. Information breached includes names, SSNs, DOB, as well as scheduling, billing, and clinical information of those consumers using Addiction Recovery Systems, Cadia Healthcare, Physician’s Mobile X-Ray and Onix Hospitality Group. The organization is in the process of notifying individuals affected. No ransomware group has yet to claim responsibility for this incident.
- Legal technology platform Casepoint is one of BlackCat’s most recent victims, with the well known gang claiming to have over 2TB of the company’s data. Casepoint appeared on the group’s dark web site with the blog post showing sample data which included visa details, a report, and a certificate. From the information we have it is unclear what ransom has been demanded and when the deadline for payment is.
- New York based biosciences and diagnostics company, Enzo Biochem, confirmed that it experienced a ransomware attack. Threat actors gained “unauthorized access to or acquisition of clinical test information of approximately 2,470,000 individuals. The information accessed, and in some cases exfiltrated, included names, test information and approx. 600,000 SSNs. The company is still investigating the incident but has noted that it has and will continue to incur expenses related to the remediation of the attack. No ransomware group has taken credit for the attack to date.
- Mission Community Hospital in California allegedly experienced a ransomware attack which RansomHouse have now claimed responsibility for. The criminal group claimed to have downloaded 2.5TB of data during the incident. From the proof pack provided on the group’s dark web site, it seems they have accessed the imaging system and image files as well as employee related data and some financial reports. The hospital is yet to comment on the incident.
June
June was the second busiest month of 2023 with 46 publicly disclosed ransomware attacks recorded, not including the victims of the MOVEit attack. Education and healthcare continue to remain two of the most targeted sectors, with eleven and nine attacks respectively. Data exfiltration remains the tactic of choice as cybercriminals continue to focus on extortion. Beverley Hills Plastic Surgery, University of Manchester and Reddit all made headlines when threat actors threatened to publish troves of personal information exfiltrated during the attacks.
Clop made the majority of ransomware headlines this month following a vulnerability in MOVEit file transfer software. Many prominent organizations fell victim to this attack including British multinational gas & oil company Shell, global accounting firm PwC and a number of US state governments. Those impacted had until June 21st to negotiate with the ransomware group before data was published. The current victim list is massive and growing, and Clop continues to share new entries every day, you can read the victim list in our dedicated MOVEit blog, which is updated with new information as the story unfolds.
Let’s find out who else made the ransomware headlines in June:
- Some electronic services at Akron-Summit County Public Libraries were offline as a result of a ransomware attack which affected its network. Upon learning of the incident, internal teams and cybersecurity experts acted quickly to investigate and secure the systems. An investigation is still ongoing.
- The University of Waterloo in Ontario, Canada suffered a cybersecurity incident which compromised the on-premises email server. Although the server was compromised, 99.9% of email users were not affected. The attack was interrupted thanks to prompt actions from law enforcement, internal teams and external cybersecurity partners. No group has yet claimed responsibility for this attack.
- The FBI and Department of Homeland Security prompted a joint investigation after a ransomware attack targeted Middlesex County Public Schools in Virginia. Daily operations were minimally impacted but the primary concern was to ascertain whether personal information was compromised. Akira ransomware group later claimed responsibility for the attack stating they exfiltrated 543GB of data.
- Swiss IT company Xplain fell victim to a cyberattack at the start of June, putting the data of many government departments at risk. Play ransomware group quickly took responsibility while publishing data on their leak site. The organization stated that they did not make contact with the threat actors and would not be paying any ransom. Xplain analyzed the data and is taking next steps after consulting with clients directly affected. The extent of the data theft has not yet been disclosed.
- Rhysida, a ransomware group which first emerged in May, was claimed the Government of Martinique as a victim, adding it to its leak site. As soon as the incident was discovered, measures were taken to isolate the affected system, but major disruption was still caused to communities, users, and partners. Teams accompanied by cybersecurity experts were mobilized to identify the cause of the attack and gradually restore activities with priority themes being finance, solidarity, and education. Rhysida released a sample of government related files but have not yet indicated how much data was actually exfiltrated during the attack.
- Major Spanish lender Globalcaja experienced a ransomware attack which impacted computers at several offices but claimed it did not affect transactions of entities. Security protocols were activated, leading the organization to disable some office posts and temporarily limit the performance of some operations. Play ransomware claimed the attack on the bank and are said to have stolen an undisclosed amount of private and personal confidential data including client and employee documents, passports, and contracts. It is unknown whether Globalcaja has met the ransom demands.
- EliTech Group, based in Paris, fell victim to a ransomware attack at the hands of Snatch. The organization sells diagnostic instruments and software to its global partners meaning there could be danger of a supply chain attack if the ransomware gang were able to garner access to the software provided by the company. There are very few details about this attack available at this time.
- London-based consultancy firm The Briars Group were also listed as victims of Snatch ransomware group’s site this month. Details on the attack are vague at the moment, with the organization yet to comment on the incident.
- South Jersey Behavioral Health Resources disclosed that they were hit with a ransomware attack at the beginning of April. The notification states that the investigation is still ongoing and at this time it is not yet known if any data related to individuals was accessed or stolen by an unauthorized user. Personal information held by SJBHR includes PII and medical data. They did not indicate what group attacked them, or what ransom may have been demanded.
- A new group of threat actors known as Nokoyawa added Canopy Children’s Solutions to its leak site in early May, claiming that 150GB of files were exfiltrated. A statement was released admitting that they had experienced an attack which encrypted some of their files. The non-profit behavioral health, educational and social service solutions provider is conducting a comprehensive review to identify any personal information accessed and to whom the information relates. No individuals have yet been contacted.
- A hacker, who goes by the username Bassterlord, breached the luxury watch retailer Cortina which is based in Singapore. The hacker claims to have stolen 2GB of data from the company and states in his Tweet that they don’t believe that “very rich clients will want their addresses to be public.” Sample of the stolen data appears to include contact details such as names and email addresses.
- Self-styled hacktivist group Anonymous Sudan targeted Scandinavian airline SAS in May, knocking the airline’s website and applications offline. The group posted fresh posts on its Telegram channel seemingly mocking and taunting the airline. The amount demanded as ransom was $3,500 in exchange for either telling the organization how to repel the attack or to stop the attack entirely. The group then increased the amount to $175,000 when the airline did not meet the demands, stating it would continue to increase the payment and keep the affected services down until the airline paid up. The amount has since been increased two more times, with the most recent demand totalling $10 million. The organization’s website is now up and running again but customers are still reporting issues. There has been no indication that SAS have any intention of negotiating with the threat actors.
- YKK Group, the world’s largest manufacturer of zippers, was listed on LockBit’s dark web blog with a warning that all available data will be published. The post does not reveal the type of data exfiltrated in the attack. YKK USA contained the threat before any significant damage could be done or sensitive information stolen. The organization stated that there was no evidence that personal or financial information or intellectual property was compromised as a result of the incident.
- Japanese pharmaceutical giant Eisai Co. was hit by a ransomware attack which encrypted a number of its servers. To limit the attack from progressing further, it cut off links with part of its domestic and overseas internal systems. The organization claims to have no knowledge of leaks involving confidential information. Eisai is working with experts and police to investigate the attack and restore the systems. The company is remaining tight lipped regarding ransom demands and it is not known, at this time, who is responsible for the incident.
- It has been known for some time that Pacific Union College were victims of a cyberattack, but it has since emerged that it was targeted by Trigona ransomware group. In April a statement was released on the college’s website notifying students of an ongoing cyber issue affecting internal networks, phone systems and web services. It has now been confirmed as a ransomware attack, with federal authorities and cybersecurity teams involved in the recovery and investigation process. The college have remained silent about Trigona’s claims regarding 120GB of data, stating that they “do not have evidence that personal information has been compromised.” Trigona claims they have exfiltrated data including employees’ and students’ personal information, commercial contracts, NDAs and confidential high-cost information. The ransom demanded was $200,000 for the deletion of data and a security report, if the ransom is unpaid the data will be sold or auctioned off.
- Vaud Promotion immediately set up a crisis team in co-operation with cybersecurity experts when they discovered a third party had gained unauthorized access to its systems. The organization informed authorities and have filed a criminal complaint. A group named Darktrace claimed to have stolen 161GB of files, posting screenshots as proof on the dark web. Documents exfiltrated are said to include association and financial documents along with employee data and copies of ID cards.
- Peachtree Orthopedics based in Atlanta, GA, announced that it fell victim to a cyberattack in April, with forensics evidence confirming that an unauthorized party had gained access to part of its networks. The organization said it has changed account passwords and implemented additional security measures to limit the risk of this situation occurring in future. Karakurt ransomware group have added Peachtree Orthopedics to their leak site, claiming to have exfiltrated 194GB of data including personal information and medical records and is threatening to leak the data is a ransom is not paid. An investigation is ongoing to establish how many patients have been impacted by the attack.
- Columbus Regional Health System in North Carolina was attacked by Daixin Team when the group encrypted the not for profit’s systems after exfiltrating data and deleting backups. According to their leak site, the group exfiltrated 70GB of data including 250,000 files. The ransomware group initially demanded $3 million but the organization entered into negotiations to try and reduce the amount. CRHS stated that it was unable to get their cyber insurance provider to pay out the amount in time and that the organization itself simply could not fund the ransom demand itself. Daixin Team agreed to drop the ransom down to $1million but negotiations soon stopped after that with no money exchanged. It seemed that the organization was never going to pay. The ransomware group stated that CRHS knew that its systems were critically vulnerable at the time of the attack.
- FIIG Securities, an Australian bond broker fell victim to an attack by BlackCat this month, during which 385BG of data was stolen. Upon discovering unauthorized third-party access, the company took IT systems offline to prevent further access. The ransomware group has posted evidence of the breach online including drivers’ licenses, passports, and other commercially confidential data. Impacted clients are being contacted by the organization via email, highlighting what personal data believed to have been accessed.
- Akira ransomware gang is believed to be behind an attack on the Development Bank of Southern Africa (DBSA) during which employees’ personal information was accessed. According to reports various servers, log files and documents were encrypted by the threat actors who have threatened to publish the stolen data on the dark web if ransom demands are not met. An investigation is still ongoing to determine the full extent of to which personal information of employees was compromised.
- Kaiserslautern University of Applied Sciences (HS Kaiserslautern) took its entire IT infrastructure offline when it discovered it had been hit by a ransomware attack. Almost all services were affected, with staff and students warned not to switch on any of their work computers in case they have been impacted by the “encryption attack.” At this time, it is not clear who the perpetrators are, or whether information was stolen from the university’s systems.
- The National Securities Commission (CNV) in Buenos Aires suffered disruption as internal systems remained offline for a number of days following a ransomware attack. The organization managed to contain the attack immediately, but 1.5TB of files were still exfiltrated during the incident. Medusa has claimed responsibility, demanding $500,000 to prevent the leak of the data and another $500,000 to delete the files off the group’s computers.
- Rhysida ransomware group was auctioning off data belonging to Paris High School in Illinois on their leak site. At this time there has been no confirmation from the school itself confirming details of the incident. Rhysida did offer proof of claims as a collage of files and images was made available. No further information on this attack has been made public.
- OSG Hengelo, a school community in the Netherlands are unclear what data was exfiltrated during a ransomware attack. The investigation continues, with parents and students looking for answers on whether their personal data has been impacted by the incident. There are very few details about the attack, but the board is reported to have “closed a deal” with hackers.
- BlackCat/APLHV claimed an attack on Automatic Systems, a subsidiary of French conglomerate Bolloré. The organization acknowledged the attack stating that an intrusion happened on June 3rd, with threat actors targeting “part of its servers.” Upon discovering the incident, specific protection measures were immediately implemented to stop the advance of the attack. The notorious ransomware group posted hundreds of samples of stolen data on their leak site, ranging from NDAs to copies of passports, while also claiming to have “a lot of critical data.” Confidential documents relating to NATO, Chinese retailer Alibaba and French defense contractors Thales are present in the samples.
- TAG Aviation based in Geneva Airport saw some of its system encrypted after its Intrusion Detection System detected an unauthorized attempt to access its network. The company stated that it believed the cyber incident was limited to “Asia.” An external taskforce forensically investigated the incident and data concerned. Although the organization claims it is not sure what data has been impacted as of yet, an unknown ransomware gang has posted several screenshots of passports and other internal or confidential data on the dark web. The group also claims to have exfiltrated “several terabytes” of data.
- Rhysida have leaked online, what they claim to be, documents stolen from the network of the Chilean Army (Ejército de Chile). The Chilean Army confirmed in late May that its systems had been impacted by a security incident. The impacted network was isolated following the breach, with military security experts working to recover the affected systems. Rhysida ransomware group published around 360,000 Chilean Army documents, 30% of all the data they claim to have exfiltrated from the network.
- Walsall Healthcare NHS Trust posted an update on their website this month, disclosing that it had been subject to a cyberattack earlier this year, when a malicious actor attempted to infiltrate the Trust network and execute a ransomware attack. Although the trust was able to “prevent the attack” before it was executed, there is evidence that some data was exfiltrated. Clinical systems were not affected and no financial data belonging to patients or staff is believed to have been compromised. A number of audits were carried out by specialist bodies, but it is still unclear exactly what data may have been transferred. The Trust has issued advice to staff and patients to remain vigilant and observe good cyber practice in wake of the incident.
- LockBit claimed responsibility for a cyberattack on the Indian pharmaceutical giants Granules India. The ransomware group listed Granules India as one of its victims on its leak site and have published portions of data allegedly stolen. The organization is yet to confirm the incident, however the company did disclose a cybersecurity incident to Indian stock exchanges last month. In a statement made by the company, they state that it is “investigating the matter with utmost priority.”
- New Zealand based payments solutions provider Smartpay Holdings faced a ransomware attack this month, becoming one of the latest victims to in a slew of cyberattacks against organizations in the NZ and Australia in the past year. Payment platforms and terminals were not affected by the incident. The company conducted an investigation which revealed that information from customers in Australia and New Zealand had been stolen from its systems.
- Reddit disclosed that its system had been hacked in February this year, but in June BlackCat ransomware gang have claimed responsibility for the incident. Threat actors were able to gain access to Reddit’s systems after an employee fell victim to a phishing attack. The threat actors claim to have exfiltrated 80GB of data including internal documents, source code, employee data and limited data about the company’s advertisers. No user passwords, accounts or credit card information were impacted.
- Iowa’s largest school district Des Moines Public Schools fell victim to a ransomware attack earlier in the year which forced all networked systems offline and caused classes to be cancelled for several days. The school district received a ransom demand from an unnamed ransomware group but have no intention of meeting the groups demands. Around 6,700 individuals were impacted and will be contacted regarding what personal information was exposed.
- Mondelez International announced that 51,000 of past and present employees’ information is at risk after a Bryan Cave Leighton Paisner LLP (BCLP), a law firm hired by them, was hacked. The law firm had copies of and access to sensitive personal information belonging to employees of the Oreo and Ritz Cracker giant.
- The University of Hawai’i confirmed that Hawai’i Community College was targeted by a ransomware attack. The college was made aware of the incident on June 13th, with IT services responding immediately by taking the network offline. There has been no further comment from the educational institution at this time, but the investigation continues. Those responsible for the attack have not been named and it is not clear if any data was exfiltrated during the attack.
- Vincera Institute in Philadelphia is notifying patients who were impacted by a ransomware attack in April. Vincera reported the incident to HHS on June 20th with four entries: Vincera Core Physicians reported 10,000 patients impacted, Vincera Surgery Center reported 5,000 patients impacted, Vincera Rehab reported 5,000 patients impacted and Vincera Imaging reported 5,000 patients impacted. It is believed that some individuals may have been seen by multiple services so numbers may be considerably less than the 25,000 reported. Information stolen during the attack is said to include names, contact details, SSNs, DOBs, medical history and treatment records and insurance information among other information provided to the institute. The ransomware group responsible has not been made public and it is unknown whether any patient records were corrupted during the incident.
- Threat actors emailed students at the University of Manchester warning them that their data will soon be leaked if an extortion demand is not met. The unnamed ransomware operation claimed to have stolen 7TB of data during an attack in early June. The exfiltrated data reportedly includes confidential personal information from staff and students, research data, medical data, police reports, drug test results, databases, HR documents, finance documents and more. The group went on to list professors and university personnel that they hold accountable for the situation. It was later reported that over 1 million NHS users have been impacted by this incident.
- An attack on the French Rugby Federation saw some of their systems affected, with mail servers taking the biggest hit. The organization quickly secured its entire system and restored operations. Play ransomware group claimed the attack, threatening to publish data if the ransom demands are not met. To date, the FFR claim that it has not received a ransom demand from the group. Investigations continue and according to reports the scale of the attack is yet to be determined.
- National Institutional Facilitation Technologies (NIFT) in Pakistan was forced to resort to a manual banking system as a result of a cyberattack. It was forced to shut down its two data centers in Islamabad and Karachi and digital payments remain halted. According to reports the “well organized” incident was detected, isolated and halter swiftly after discovery. A comprehensive assessment and investigation is underway, but it seems too early to say if any data has in fact been lost of exfiltrated during the attack. Some experts have expressed concerns that the data belonging to 67.5 million customers could be impacted.
- BlackCat has claimed that it stole “lots” of highly sensitive medical records from Beverly Hills Plastic Surgery and has threatened to leak patients’ photos if the clinic doesn’t fulfil the ransom demand. The group have bragged about exfiltrating personal information and healthcare records, along with “a lot of pictures of patients that they would not want out there.” Details on this attack remain vague at this time.
- Atlanta Postal Credit Union (APCU) confirmed that a recent ransomware attack compromised the confidential information of some bank customers. In response to disruption to its network, APCU secured its system and launched an investigation into the incident. The investigation revealed that threat actors had orchestrated a ransomware attack which allowed them to access certain customers’ confidential information, though it is believed that the access was limited to March 23, 2023. APCU cannot rule out the possibility that highly sensitive information belonging to bank customers was obtained during the attack. No group has yet claimed responsibility.
- The personal information of 1,244 people has been compromised following a ransomware attack on Chattanooga State Community College. It is believed that the majority of those impacted had taken their GED test at the college’s testing center in 2012 and 2013. Names, phone numbers and email addresses belonging to administrators at the institution were also impacted. Upon discovering the incident, the college took computer systems offline and cancelled classes for two weeks. Snatch claimed the attack, however the college did not engage with the ransomware group on advice from the FBI, Tennessee Board of Regents and cybersecurity experts.
- Major Philadelphia consulting firm Econsult has reportedly suffered a breach that has exposed employees’ financial information. The organization, whose clients include City of Philadelphia, Pew Charitable Trust and other major regional institutions, has revealed internally that the incident was in fact a ransomware attack. An investigation has been launched and the organization continues to work diligently to identify the nature and scope of the information that may have been involved. The spokesperson for the organization stated that specifics could not be provided at this time.
- Lebanon School District in Pennsylvania was hit by a ransomware attack in early June, forcing the district to shut down systems as a precautionary measure. Outside cybersecurity experts were hired to secure the systems and to investigate the nature and scope of the attack. The investigation is ongoing, but at this time the district has not found any evidence to suggest that unauthorized acquisition or misuse of personal information has occurred. It is reported that the letter from the unnamed threat actors did not demand a ransom.
- Peter Mark, a chain of hairdressers based in Ireland, has disclosed that it believes internal HR data was compromised during a cybersecurity incident. The organization is liaising with Gardai from the National Cyber Security Centre to assess what information has been accessed. At this time there is no evidence of personal data belonging to the organization on the dark web, but they are continuing to monitor the situation.
- The world’s largest semiconductor manufacturer TSMC has been listed on LockBit’s dark web site, demanding a whopping $70million for data stolen during the incident. The group has not specified what type of data they have stolen but they have also threatened to publish network entry points as well as login and password details if the ransom is not paid. TSMC has stated that it is aware that one of its IT hardware suppliers was faced with a cyberattack which led to the attack on them. But upon review TSMC commented that the incident did not affect business operations, nor did it compromise TSMC’s customer information.
- The Barts Health NHS Trust in the UK has appeared on BlackCat’s dark web victim blog, with the group claiming to have stolen over 7TB of sensitive data. The exfiltrated data is said to include “citizens confidential information” including personal and financial information alongside internal company data. The gang are threatening to release the data should the trust not engage, with the deadline of 3rd July set. Details of the ransom demanded were not published on the dark web blog.
July
We tracked 38 publicly disclosed ransomware attacks in July, representing an 81% increase on 2022, the busiest July we’ve recorded over the past 4 years. Healthcare was heavily targeted with 14 attacks targeting that sector alone. Many large organizations made news headlines during the month including the Japanese Port of Nagoya who were forced to deal with massive disruption due to a ransomware attack, while 11 million patients were impacted by the incident on HCA healthcare, and cosmetics giant Estee Lauder fell victim to an attack from not one, but two ransomware groups. Here’s a summary of who else made ransomware news during the month.
- Mount Desert Island Hospital reported unauthorized access to its systems in April and May which resulted in a data breach impacting 24,180 patients. Stolen data included personally identifiable information, patient medical information, and financial data. Snatch claimed responsibility for the attack, but no proof of claims or files have been posted on its leak site.
- 8Base listed ClearMedi Health on its leak site in early July, with the post indicating that the information had been exfiltrated from the organization on June 26th. The upload was a 9-part archive with most parts containing 10GB each. The ransomware group stated that stolen files included personal documents, patient data, employee information, financial documents and much more. ClearMedi are yet to comment on the incident.
- The Port of Nagoya, the largest and busiest port in Japan was targeted by a ransomware attack which impacted the operation of its container terminals. The port’s central system controlling all container terminals was down for approximately 24 hours while the port authority worked to restore it. This caused the cancellation of all loading and unloading operations resulting in massive financial losses to the port and severe disruption to the circulation of goods to and from Japan. This is still a developing story with more details emerging.
- A relatively new ransomware group named Cyclops claimed to have attacked Atherfield Medical and Skin Cancer Clinic in Australia. In the listing on the group’s leak site, there is a link to download files and screencaps as proof of claims. The data contains personal and health information of patients as well as banking details of doctors. The clinic has stated that it is aware of the incident and is notifying individuals who may have been impacted.
- Townsquare Media suffered a ransomware attack for the second time in five years. BlackCat took credit for the attack which took place in late June. The group claim to have exfiltrated 215GB of data including files sourced from the company’s servers and workstations. Only files created within the last year have been impacted. The organization were given one week to “resolve the misunderstanding” before their data would be leaked to the public.
- UK independent retail chain, Roys of Wroxham, faced a ransomware cyberattack which impacted IT systems, causing problems in its stores and prevented the dispatch of online orders. The company are undertaking an extensive forensic investigation to assess the full scope of the incident. The retailer has assured customers that it does not store financial information so it will not have been impacted.
- Threat actors brought down four of nine local radio stations owned and operated by Amaturo Sonoma Media Group for at least six hours during an attack. The five other stations remained unaffected as they operate on a different server. The group has chosen not to negotiate with the unknown ransomware group and instead embarked on a two-week rebuilding process of the four hacked stations. The hackers demanded the company’s financial records stating that they would present their “reasonable demand” once these documents had been reviewed.
- The Law Foundation of Silicon Valley disclosed that it was hit by a “sophisticated ransomware attack” which disrupted their systems. One of the foundation’s servers was impacted which compromised the data of 42,525 individuals including clients, staff, and others. Compromised information includes SSNs, medical records, immigration numbers and financial data with the chance that other forms of additional data may have also been accessed.
- The Election Commission of Pakistan issued an alert to all of its employees after emails were received relating to a ransomware attack. They asked staff to kindly ignore the emails and report it as spam/junk. At this time, it has not been confirmed whether threat actors gained access to crucial data. The country is currently preparing for general elections.
- Luigi Vanvitelli hospital in Italy posted a notice on its website on 4th July announcing that it had fallen victim to a ransomware attack. According to reports, cybercriminals have stolen email passwords of university professors, doctors, managers, and employees. During the attack a “computer blackout” occurred which impacted a number of services. The hospital is working to evaluate the extent of the incident and the nature of the data breach but believe that the hackers could be part of a Chinese cybercrime group, with the claim based on the type of email address provided to them for negotiation purposes.
- BM Group Polytec issued a statement on its website to update customers on developments of the ransomware attack which impacted its business. During the incident, there was damage caused to the IT infrastructure and some personal data was exfiltrated. Information on exactly what information was stolen is vague at this time. Rhysida has claimed responsibility for the attack but there is not information on what ransom demands have been made.
- Denver-based manufacturer Gates Corporation has announced that it was a victim of a ransomware attack in February, with details of the incident only coming to light now. The organization assured authorities and the public that it did not pay the ransom demanded and was able to restore systems on its own. Although threat actors were able to access information relating to over 11,000 people, Gates Corporation believe that hacker did not steal information but are notifying the affected parties of the incident “in an abundance of caution.” However, it is believed that threat actors may have exfiltrated HR files that include personally identifiable information. The hackers responsible for this incident have not been named and the company have not released any details on the ransom demanded.
- 8Base claim to have attacked Kansas Medical Center in mid-June, downloading data containing sensitive patient information. This data is said to include personal documents, ID cards, health insurance information, patient PII, employee information, internal documents, accounts information and other financial documents. 8Base has not posted proof of claims on its leak site, but this is not uncommon for this particular ransomware group.
- 11 million patients have been impacted by a cyberattack on HCA Healthcare. The healthcare provider owns and operates 182 hospitals and 2,200 care centres across the US and UK. Threat actors began selling the data belonging to the organization on a forum, claiming in the post that the stolen database contains 17 files and 27.7million database records. HCA has confirmed that the data on the leak site is indeed authentic. Stolen data is said to contain personal patient information, but HCA has stated that it does not believe the data contains clinical or financial information.
- The City of Hayward was forced to temporarily shut down its official website and online municipal portals following a ransomware attack. Although some services were impacted, city officials confirmed that essential services such as 911 and emergency assistance were unaffected. After discovering the incident, city officials took immediate action to mitigate potential risks to its network and data. There is no further information about the attack currently available.
- ZooTampa was hit with a cyberattack which impacted its network environment and involved the theft of employee and vendor data. Upon detecting the incident, swift action was taken, and third-party forensics specialists acquired to secure the network and investigate the extent of the attack. The zoo has notified those whose information may have been accessed but are confident that no personal or financial information of visitors has been affected. BlackSuit, who has links to Royal ransomware group, has claimed responsibility for the attack.
- The Town of Cornelius in North Carolina disconnected all on-site technology from the town’s network in the wake of a ransomware attack. Various services were disrupted including those dependent on phone communications, but a spokesperson emphasized that emergency services remained operational and accessible. Cornelius officials were working closely with law enforcement to mitigate the impact of the attack. It is not yet known who is behind the attack, what their motivations were and if any ransom has been demanded.
- 300 clients were impacted when a ransomware attack shut down Internet Thailand’s hypervisor management system. Those impacted, such as The Bangkok Post, saw their websites inaccessible for a day. According to Inet’s deputy managing director, a hacker obtained credentials from an employee who was working remotely. The organization claimed to have backups which eliminated the need to pay a ransom. It is unclear if any data was exfiltrated during the incident and who might be responsible for the attack.
- The City of West Jordan in Utah announced it was a victim of a ransomware attack at the beginning of June. The city has stated that no personal or financial information was exposed during the attack. An investigation into this incident is still ongoing, with details remaining vague at this time.
- Panorama Eyecare in Colorado fell victim to a LockBit ransomware attack, with the ransomware group claiming to have exfiltrated 798GB of data from four of the organization’s clients. The four clients impacted were Eye Center of Northern Colorado, Denver Eye Surgeons, Cheyenne Eye & Surgery Center and 2020 Vision Center. Screencaps posted as proof of claims contained patient information. It is unclear what impact the attack has had on business operations and ransom demands have not yet been disclosed.
- ALPHV (aka BlackCat) claimed responsibility for an attack on Highland Health Systems in Alabama. The ransomware group posted proof of claims including employee and patient data and information. Data relating to patients in treatment for substance abuse was also posted on the leak site. The group claim to have patient logs, mental health records, SSNs, drivers’ licenses and employee passwords and have also stated that they will be contacting patients and employees to give them the opportunity to pay to have their data removed from public leaks or darknet sales.
- 355GB of data belonging to Belize Electricity Limited (BEL) was released when the company did not meet ransom demands made by Ragnar Locker. The organization stated that the data exfiltrated was “confidential transactional information pertaining to employees and customers and other network configuration information” that was stored on file servers and employee computers. Teams are currently monitoring and investigating the full extent of the incident and are reporting to the appropriate authorities. The ransom demanded has not been disclosed.
- 3,461 individuals have been affected by a cyberattack on Gary Motykie M.D. during which data was exfiltrated. The incident which took place in May saw data including PII, financial account information, SSNs, health insurance information and medical information stolen as a result of a threat actor gaining unauthorized access to IT systems. The attack also involved the theft of nude images which were used in connection with the services provided by the plastic surgeon. A ransom demand of $2.5million was demanded from unknown threat actors. Patients were contacted by threat actors, pointing them to the leak site and offering them the opportunity to have their images and files removed from the leak site if they paid $800,000.
- Langdale County in Wisconsin suffered a “catastrophic software failure” as a result of a ransomware attack orchestrated by LockBit. On July 11, the county shared news that it was experiencing severe technology failures, causing all phone lines to be non-functioning. This included 911 calls for assistance which were rerouted. The county did not attribute the issues to a cyberattack, but LockBit added the county to their leak site, giving them until August 1st to fulfil undisclosed ransom demands or the data stolen would be leaked. At this time, it is not clear what type of information was exfiltrated during the attack.
- Russian medical lab fell victim to a “serious” cyberattack which left customers unable to receive their test results for several days. According to a statement, hackers attempted to infect the company’s systems with ransomware which led to the service disruptions. The company also stated that no personal customer data was leaked during the incident and that tech teams were able to partially restore functionality of its website, mobile app, and other e-health services without paying a ransom. It is unclear which group was responsible for the attack and what their motivation might be.
- Not one, but two ransomware groups listed Estee Lauder on their leak sites as a victim of separate attacks. One of the groups was Clop who used a vulnerability in the MOVEit Transfer platform to gain access to the company, claiming to have exfiltrated more than 131GB of data. BlackCat was the second group to claim the cosmetics giant as a victim, opting not to encrypt any of the company’s system, but instead threatening to reveal stolen data if the parties did not enter into negotiations. BlackCat hinted that exfiltrated data could impact customers, company employees and suppliers. It is not clear if either of these attacks caused disruption to the organization or what ransom demands were made.
- George County in Mississippi saw its local government thrown into chaos when a discreet phishing email allowed threat actors to gain deep access into the county’s systems. Hackers made their way through the county’s systems over a weekend, encrypting everything they could. All three servers were encrypted, and all employees were locked out of their personal office computers. While IT workers began their work to restore the servers they came across a file containing a ransom note, providing a Bitcoin wallet address to send the ransom to with a five-day deadline date. The county chose not to pay the ransom due to budgetary constraints and the lack of guarantee that the issues would be resolved.
- Snatch ransomware group reportedly stole sensitive data of more than 1.2 million patients from Tampa General Hospital during a ‘failed’ ransomware attack in May. A statement from the hospital confirmed that it detected unusual activity and quickly contained it preventing encryption which would have significantly disrupted patient care. It was later discovered that the hackers had been in the hospital’s network for more than two weeks and had exfiltrated a significant amount of patient data which is said to include PII, health insurance information and treatment information. The hospital declined to pay the undisclosed ransom amount.
- A ransomware attack orchestrated by DonutLeaks targeted Jackson Township in Ohio, impacting services offered by the Jackson Police Department. Other primary township services including emergency services were not impacted. The incident affected the function of multiple systems with external cybersecurity experts being brought in to work through the problem. An investigation revealed that there was no known access to unauthorized personal or employee data by the hackers.
- Californian authorities were made aware of a cyberattack involving U.S law firm Quinn Emanuel Urquhart & Sullivan which may have resulted in client information being exposed. The law firm stated that a third-party data center used for document management had fallen victim to a ransomware attack last year. The attack did not impact the firm’s network infrastructure, however around 2,000 individuals were affected by the incident. It is not known who the third-party vendor was, what group launched the attack or if a ransom demand was made.
- Yamaha’s Canadian music division encountered a cyberattack which led to unauthorized access to its systems and data theft. According to a statement, the organization swiftly implemented measures to contain the attack and worked alongside external specialists to prevent significant damage or malware infiltration into its network. Two ransomware groups claimed responsibility for the attack on Yamaha – BlackByte posted the company on its leak site in early June, with Akira adding Yamaha to its leak site in mid-July. The nature of the data exfiltrated has not been disclosed and as of yet information on ransom demands from either ransomware group has not been released.
- Italian asset management company Azimut Group became a victim of the BlackCat ransomware group in June, with the threat actors claiming to have stolen over 500GB of potential data. The ransom letter from the gang allegedly included sensitive photographs of customer data and asserted having access to other customers’ complete financial information. Azimut has declined to pay the undisclosed ransom demand stating that attackers did not access personal or financial information of clients.
- Desorden Group, who has been quiet for the past number of months, re-emerged by launching an attack on Ranhill Utilities Berhad, who provide power and water supply in Malaysia. The attack, which stemmed from an initial breach 18 months ago, disrupted billing operations and water supply to over 1 million customers. In July this year the ransomware group stole all of the organization’s databases in its billing system, deleted backups and removed databases entirely. Hundreds of gigabytes of data including sensitive customer and corporate information was stolen. Ranhill does not appear to have made a statement about the incident.
- Rhysida ransomware group put data supposedly stolen from The University of West Scotland (UWS) up for auction on its dark web victim blog. The gang is demanding £452,640 (20 bitcoin) for the data, stating that it will be sold to the highest bidder. UWS announced that it had suffered an attack on July 7th and enlisted the help of NCSC and the Scottish government to deal with the incident which affected a number of digital systems. The university is yet to comment on further on the ransomware attack.
- Family Vision, an optometry center based in South Carolina, was compromised by a ransomware attack. The clinic immediately disabled external access to its systems and launched an investigation into the nature and the scope of the incident. Unknown threat actors were able to install ransomware on the server and as a result the server was encrypted. Sensitive data of around 62,000 patients was compromised during the incident, however Family Vision clarified that no financial information was exfiltrated.
- Karakurt claimed responsibility for an attack on The Chattanooga Heart Institute during which they claim to have stolen 158GB of data. Although no proof of the claim was provided, the gang gave details on their website of the data stolen, which is said to include patient and employee private data, medical records, and treatment information. The incident is said to have taken place between March 8th and March 16th this year, with CHI detecting the attack in April. CHI notified the Main Attorney General’s Office that 170,450 people had been impacted by the incident. At this time no data has been leaked by Karakurt.
- BankCard USA (BUSA) recently paid the Black Basta ransomware group $50,000 ransom in the hopes that the no publication of any kind relating to the incident would be made in exchange for the money. The organization and threat actors negotiated for over a month, with BUSA demanding guarantees and offering the threat actors less than 10% of what was being demanded in exchange for the deletion of the 200GB exfiltrated. Although Black Basta claimed there would be no publication, SuspectFile has reported on the incident. It is not yet clear how many individuals have been impacted by the ransomware attack.
- MHMR Authority of Brazos Valley has issued a press release detailing the outcome of a ransomware attack which reportedly took place in December 2022. The statement revealed that personal and protected health information of some employees and current and former patients may have been compromised during the incident. Hive claimed responsibility for the attack on the Texas mental health and substance abuse treatment provider at the end of last year. Data from the attack was never released by the ransomware group before its demise. It is still unclear how many individuals were impacted as a result of the incident or if they will ever be notified by MHMR.
August
We recorded 59 publicly disclosed ransomware attacks in August, a 51% increase over the same period last year and the second busiest month for disclosed attacks in 2023. LockBit and Medusa were the most active ransomware groups, while education and healthcare were the highest targeted sectors, closely followed by government. A number of organizations made headlines with attacks and breaches causing huge consequences, including Prospect Medical Holdings who were forced to revert back to pen and paper after a system-wide outage, while almost 1.5 million patients were impacted by a data breach on Alberta Dental Service Corporation. Check out who else made ransomware headlines this month:
- Karakurt ransomware gang allegedly stole genetic DNA patient records from McAlester Regional Health Center, threatening to auction them off to the highest bidder. The Oklahoma based hospital has not made a statement about the breach but the threat actors claim to have exfiltrated 126GB of organizational data, with an additional 40GB of DNA test information.
- The Township of Montclair in Essex County, New Jersey suffered a cyberattack in June which led to data loss including information on outside vendors, individuals, and data which affected the township’s ability to respond to some requests. The name of the attackers has not been made public, but it has been reported that the township’s insurer negotiated a settlement of $450,000 to end the attack.
- At the beginning of August St Landry Parish Schools in Louisiana announced that they had been subject to a ransomware attack, first identified on July 25th. Medusa claimed responsibility for the attack and posted various evidence of claims including a $57 cheque, a 2021 training course certificate, an education disability claim form, communications with an insurance department and teacher’s salaries. The ransomware group demanded a $1million ransom to erase the compromised data.
- National Institute of Social Services for Retirees and Pensioners (PAMI) in Argentina was added to Rhysida ransomware group’s victim list on August 12th. The attack claim which was posted on the group’s dark web portal gave PAMI just six days to meet its demands. The ransom demanded by Rhysida was 25BTC. Samples of data including identity cards bearing photos of people was posted as proof of the attack. The full scope of the attack is not yet clear.
- LockBit added West Oaks School in England to its darknet victim site, giving the school two weeks to make the ransom payment or data stolen during the attack would be published. The school which specializes in education for children “with a wide range of needs” is yet to make a statement regarding the incident.
- Prominent component and product manufacturer MW Components filed a notice of a data breach with the Attorney General of Texas after discovering that an unauthorized party had gained access to its computer network. The ransomware attack occurred between March 1st and March 26th this year. Upon discovering the incident, the company took swift action to secure its systems and notified law enforcement. Exposed information included consumer data including names, SSNs, driver’s license numbers, financial account information, health insurance information, and medical records. The company has notified all individuals whose information had been compromised.
- The next attack made several headlines throughout August as the story continued to progress. Prospect Medical Holdings, one of the largest hospital networks in the US, fell victim to a ransomware attack at the start of the month, causing chaos across several of its hospitals. The cyberattack forced hospitals to divert patients to other facilities and put a temporary halt on operations, with some other facilities having to completely revert back to paper records to treat patients. The Rhysida ransomware gang claimed responsibility for the attack in which they said they had exfiltrated a total of 1TB of unique files, as well as a 1.3TB SQL database. The files were said to contain the personal data of more than half a million PMH patients and employees including SSNs, passports, driver’s licenses, patient medical files, and legal and financial documents. The ransom demanded by the group was 50 Bitcoins, payable by September 1st or the data goes up for auction.
- Tempur Sealy, one of the world’s biggest mattress sellers, was forced to shut down parts of its IT systems and activate incident response and business continuity plans due to a cyberattack. BlackCat ransomware group took credit for the attack and claimed to have sensitive documents from senior officials in the company. It is unclear whether customer information was involved but the company said it plans to notify regulators of data leaked.
- Ebert Group, a car dealership based in Weinheim, Germany, announced that it was the target of a “hacker attack” which caused disruption on the company’s servers. There is limited information available relating to the incident, but it has been reported that data belonging to approximately 30,000 customers is now visible on the dark web. A group called Metaencryptor claimed responsibility for the attack.
- On August 1st, Akira added Parathon by JDA eHealth Systems to its leak site with a note stating that 560GB has been taken from their network. The information is said to contain contracts, employee information, and confidential documents, however no proof of claims were posted alongside the note. At this time the company is yet to make a comment on the incident.
- A data breach was announced this month after a June ransomware attack on the Colorado Department of Higher Education. An investigation determined that threat actors had access to CDHE systems between June 11 and June 19 and copied data from company systems during this time. Current and past students, along with teachers were impacted by the incident, with attackers gaining access to names and SSNs or student identification numbers, as well as other education records. The number of individuals impacted has still not been released by the CDHE.
- England based recruitment agency Delaney Brown Recruitment was involved in an attack by 8Base ransomware group. The threat actors claim to have exfiltrated information including invoices, receipts, accounting documents, personal data, employees’ contracts and personal files of employees and clients among other corporate documents. The organization is yet to publicly address the claims made by 8Base.
- Jefferson County Health Center was added to the Karakurt threat actors leak site in July but it was not clear whether it was the facility in Iowa or Jefferson County Hospital in Oklahoma. But in August, Jefferson County Health Centre in Iowa submitted a breach notification to the Vermont Attorney General’s Office, confirming that an investigation determined an unknown actor has accessed their systems earlier this year. The investigation also highlighted that patient files may have been accessed during the incident. The notification did not name Karakurt as the threat actors and did not mention a ransom demand. The ransomware group have yet to leak any of the 1TB of files it claimed to have exfiltrated from JCHC.
- Varian Medical Systems, a company providing software for oncology applications was hit by a ransomware attack at the hands of LockBit. Details on how LockBit breached Varian’s systems or how much data was exfiltrated is yet to be revealed, but the ransomware group has warned its readers to expect private databases and patient medical data belonging to the company if negotiations did not take place within two weeks of the attack. Parent company Siemens Healthineers confirmed an internal investigation is taking place but did not comment further on the incident.
- Thornburi Energy Storage Systems, a prominent battery manufacturer based in Thailand, was added to Qilin ransomware group’s victim list following a cyberattack. The threat actors claimed that the company had chosen not to communicate with them, after which they started publishing various documents. Five screenshots were posted as proof of claims by the group. TESM has not yet made a public comment responding to these claims.
- 8Base added Oregon Sports Medicine to its leak site at the beginning of August. While no files or filetree was posted as proof of claims, the ransomware group claim to have acquired invoices, receipts, accounting documents, personal data along with a “huge amount of confidential information”. The organization has neither confirmed nor denied the claims, remaining tight lipped about the incident. It is not clear how much data was impacted by the attack or if a ransom was demanded.
- Mayanei Hayeshua Medical Center in Bnei Brak saw its administrative computer system damaged and shut down by a ransomware attack. Following the attack, some treatments were stopped, and the emergency room was forced to refer patients to other hospitals. An investigation was launched into the incident and resulted in further services within the hospital being disrupted. Teams from the Cyber Directorate and the Ministry of Health helped the hospital staff to deal with the incident and its consequences. At this time the cyberattack has not been linked to or claimed by any ransomware groups.
- On the same day as leaders met in the Whitehouse to discuss cyberattacks on schools, Emerson Schools in New Jersey was added to Medusa’s “hostage list.” The group claimed to have exfiltrated data from the IT infrastructures of the school district, demanding $100,000 in bitcoin in exchange for the deletion of the stolen information. Information on the nature of the data stolen is yet to be released and other information regarding the attack remains limited.
- The California city of El Cerrito is investigating the potential theft of data after LockBit added it to a list of victims. Assistant to the City Manager stated that the city’s systems were fully operational, and they were not locked out of any devices or data. However, on LockBit’s leak site, multiple screenshots of information belonging to the city’s government were posted as proof of claims alongside a deadline of 19th The city have made no further comment on the incident.
- Akira ransomware gang added The Belt Railway Company of Chicago to its leak site on 10th August, claiming to have stolen 85GB of data. General Counsel for the largest switching and terminal railway in the US acknowledged the claims made by Akira but stated that the event did not impact its operations. The organization has engaged a leading cybersecurity firm to investigate the incident and is working with federal law enforcement.
- A ransomware attack on Alberta Dental Service Corporation has compromised the personal information of around 1.47million individuals. ADSC revealed that individuals enrolled in the Alberta Government’s Dental Assistance for Seniors Plan, the Alberta Government’s Low-Income Health Benefits Plans and Quikcard were impacted as a result of the incident. Threat actors had access to ADSC’s network for more than two months before deploying file-encrypting malware. Among the 1.47 million whose data was accessed, around 7,300 of those records contained personal banking information. ADSC president Lyle Best reportedly told IT World Canada that a ransom payment was made to 8Base ransomware gang, who later provided proof that the stolen data was deleted. The ransom amount was not disclosed but he did reveal that the initial intrusion vector was a phishing email.
- Cummins Behavioral Health Systems (CBHS) announced that they became a victim of a cyberattack sometime between February 2 and March 9 this year. CBHS discovered the incident when they found a ransom note in their environment in early March. There was no encryption of any data and CBHS did not name attackers or mention whether they paid a ransom. Data that may have been accessed or stolen during the incident included personally identifiable information, financial information, and medical information. A notification made by the organization to Maine Attorney General’s Office stated that 157,688 people were affected by the attack.
- The real estate industry suffered widespread disruption to property listings across the United States as a result of a ransomware attack targeting Rapattoni. The California-based data services company hosts multiple listing services (MLS) databases. On August 8 Rapattoni triggered a system outage which was quickly communicated on the organization’s social media channels. Details on this attack continue to be released, no ransomware gang has taken responsibility yet.
- The Municipality of Ferrara in Italy was “brutally” hit by Rhysida ransomware gang this month with investigations still underway to determine the overall extent of the damage caused by the attack. The attack has been strongly condemned and the administration has expressed its refusal to give into the threats made by the perpetrators. The demands made have not been made public and information on what data, if any, was exfiltrated during the incident is still unknown.
- Levare International, headquartered in Dubai, was attacked by Medusa with the group claiming to have exfiltrated data that could harm both the privacy of employees and trade secrets. After negotiations broke down between threat actors and Levare’s negotiators, Medusa knocked Levare offline with DDoS attacks. A ransom of $500,000 was demanded on the group’s dark web leak site alongside screencaps of files as proof of claims. No further information on this incident has been released.
- Freeport-McMoRan reported a cybersecurity incident on 11th August but stated that it did not cause any major impact on production. The American copper miner worked with third-party experts and law enforcement agencies to assess and address the situation. Although impact on production was limited, the company noted that prolonged disruption could impact future operations. BlackCat took responsibility for this incident on its leak site, claiming to have presented the organization with proof of data stolen but the organization “made no attempt to find out what was taken.” The group noted that private information from banks and payroll providers is among the data exfiltrated from FCX.
- Sydney based engineering firm Algorry Zappia & Associates allegedly became a victim of a attack orchestrated by the Play ransomware group. Play’s darknet leak site listed the engineering firm alongside claims that it had exfiltrated “private and personal confidential data, clients and employees’ documents” as well as financial details.
- ToyotaLift Northeast was recently listed on the 8Base ransomware group’s victim list, with the hacker collective claiming to have data belonging to the forklift dealer. The group publicly announced the alleged failed negotiations and the deadline for an unknown ransom payment. Data exfiltrated was reported to include personal correspondence of company clients, financial statements, and other documents with confidential information. The company has not commented on the attack.
- Less than 5% of faculty and staff devices were impacted during a ransomware attack on Cleveland City Schools this month. The school district reassured parents that their student’s sensitive information was secure and stored offsite, also stating that there was “no indication” of student, faculty or parent data being compromised. Homeland Security and local law enforcement are investigating the incident. No ransomware group has yet been linked with the attack and it not known what, if any data, was stolen.
- Australian civil infrastructure firm CB Group was struck by a Medusa ransomware attack, with the data breach announced on the group’s darknet leak site. The group demanded a ransom of $100,000 to delete the data entirely, giving the CB Group a deadline of August 24 to meet the demand. Medusa offered to extend the deadline for 24 hours at the cost of $10,000. The information can be downloaded for the same price as the ransom, allowing anyone online to purchase the data before the deadline has even been reached. Twenty-seven sample files were also posted on the darknet site alongside a directory structure of the stolen data. Proof of claims included images of staff driver’s licenses, invoices, detailed organization structures, and confidential deeds and contracts.
- Postel, a subsidiary of Poste Italiane was another Medusa victim this month. A press release from the organization stated that it “detected anomalous activity on its systems” which caused disruption of some servers and knocked the site offline. An investigation was launched into the incident, with Postel making it known that “currently only data within the company has been affected.” The ransomware group claimed to be in possession of huge amounts of data including the personal documents of employees, tax and administrative files, and payslips. A ransom of $500,000 was posted with the information being made public if the demands are not met.
- 186GB of data, comprised of over 108,000 files were stolen from Optimum Health Solutions during a ransomware attack. Employee data including passport details, and patient files alongside emails and other employee and patient credentials were exfiltrated from the Australian preventative healthcare provider by the Rhysida ransomware group. The group posted the data online, claiming that the information shared was only 85% of the total data stolen, with the rest allegedly sold. There is no information on what ransom was demanded, if any, or if the two parties entered into negotiations before the data was published.
- The Foundation de Verdeil which provides special educational services in the canton of Vaud in Switzerland confirmed that it had been targeted by threat actors. During the incident a server was encrypted, and operations, especially those within the office and communication areas were impacted. The CEO of the organization stated that upon discovering the attack IT service providers were immediately contacted, as well as security specialists and the IT and security department of the canton of Vaud. NoEscape took responsibility, claiming to have exfiltrated 40GB of records. These records were said to include medical certificates, insurance documents, hundreds of photos of children and documents relating to children alongside other sensitive information.
- Sartrouville town hall was “paralyzed” by attacks that shut down all municipal activity for twenty-four hours. The French commune saw all of its data encrypted and all services affected and inoperative, with the exception of the police department and identity cards and passport services. Computers contained financial information about all public contracts, payments to companies, budgets, and payrolls. In addition, medical records from the health center, and data from nurseries and elementary schools were held. The provisional damage is estimated at €200,000. City hall filed a complaint and did not intend to meet the demands of the threat actors. Medusa has taken credit for this attack.
- Rhysida added Prince George’s County School System (PGCPS) to its leak site just three days before the start of the new academic year. The district claimed that only about 4,500 user accounts out of 180,000 were impacted by the attack, but Rhysida has since put sensitive data from those user accounts up for sale. The ransomware group appeared to be auctioning off a sizeable amount of sensitive information which included passports, driver’s licenses and other data, but has not posted a specific amount. The ransom demanded for all the data is 15 Bitcoin which is roughly $390,000.
- Following a ransomware attack in May, threat actors have started releasing sensitive personal information belonging to Raleigh Housing Authority (RHA). The attack crashed the organization’s entire system and stopped its ability to function for several days. State and federal authorities were notified, bringing in National Guard cybersecurity teams to investigate the incident. BlackBasta recently added troves of sensitive information which was stolen during the incident, including government IDs, financial documents, and social security cards. Information on ransom demands or how much data was exfiltrated has not been made available to the public.
- The German Federal Bar (BRAK) Association is investigating an attack which took place at the start of August. The ransomware attack targeted its Brussels office, leading to a failure of IT systems. Once discovered, all network connections were immediately severed, and IT security teams were brought in to clarify the incident and repair the damage. NoEscape ransomware group has claimed the attack, encrypting BRAK’s mail servers and exfiltrating 160GB of data.
- A press release from Bunker Hill Community College revealed that irregular activity, consistent with a ransomware attack, was detected in certain BHCC systems in May. BHCC immediately responded to the situation and was able to contain the incident to a number of systems. Due to existing safeguards, the college was able to continue with its academic calendar with no disruption. An investigation is still ongoing but due to the data collected by the college it is feared that personal and sensitive information may have been impacted as a result of the attack. At this time specific details as to what categories of information were involved is not yet available. BHCC has not disclosed the threat actors responsible or details of any ransom demand.
- The au Domain Administration (auDA) confirmed that it had been a victim of a ransomware attack, after initially suggesting it had found no evidence of a breach. NoEscape claimed the attack on its leak site, noting that it had exfiltrated more than 15GB of data. The ransomware group posted a number of threats to the auDA, including a reduction in deadline due to “bad behaviour” and a note stating, “if you do not contact us, the first step will be to sell access to bank accounts with balances over $4K.” Documents stolen during the incident included powers of attorney and legal documents, passports, personal data, medical reports, access to customer bank accounts and much more. auDA stated that it was taking the claims very seriously and had notified the Australian Cyber Security Center alongside other government organizations and was working with experts to investigate the claim further.
- LockBit took credit for an attack on United Medical Centers based in Southwest Texas. The facility announced issues with its network two weeks prior to the posting on LockBit’s leak site. The ransomware group added twenty-one screenshots to its site as proof of claims, giving the organization a deadline of August 27th.
- India’s largest paint manufacturer Kansai Nerolac Ltd announced that it fell victim to a cyberattack which impacted a few systems within its IT infrastructure. In response to the incident, the organization was working alongside a team to cybersecurity experts to respond and mitigate the impact. The financial impact of the ransomware attack is yet unknown and at this time no ransomware group has been linked to the attack on Kansai Nerolac.
- Respublikinė Vilniaus Psichiatrijos Ligoninė in Lithuania fell victim to a NoEscape ransomware attack this month. As proof of the incident, the ransomware group leaked a filetree but claimed that this information is only part of the total exfiltrated during the attack. NoEscape also noted that “management wants to hide the fact that their services were encrypted and compromised.” Data stolen during the attack included finances, personal and medical information of patients, employee documents and “other confidential information” linked to both clients and the company. It is not clear what, if any, ransom was demanded by the cybercriminals.
- Japanese watch maker SEIKO announced that it was a victim of a cyberattack which resulted in data exfiltration. The organization retained external cybersecurity professionals to investigate the breach but believe that at least one server was impacted during the incident. While SEIKO was working to verify the information involved in the attack, BlackCat claimed responsibility and mocked the well-known brand for bad cybersecurity practices. The criminal group claimed to have exfiltrated at least 2TB of data including lab tests, production plans and product design, which could threaten the integrity of some intellectual property. Other information exfiltrated included corporate data such as invoices, sales reports, and employee personal data. BlackCat threatened to publish or sell the stolen data after SEIKO refused to negotiate.
- The Department of Defence South Africa denied claims that a hacker infiltrated its systems and exfiltrated data. The statement comes after the Snatch ransomware gang published the military organization on its leak site, claiming to have stolen 1.6TB of data. The data is said to include military contracts, internal call signs and personal info which could put employees of the organization at risk.
- St Helens Council in the UK identified a cyberattack this month and immediately reached out to third party specialists to help mitigate and investigate the attack. A statement revealed that internal systems had been affected due to actions put in place to prevent further impact while investigations continue. It has been referred to as a “complex and evolving” situation. The council is telling residents to be mindful of their own online safety and to be wary of suspicious communications from the council. This suggests that personal data may have been exfiltrated, but this has not yet been confirmed. The name of the threat actors responsible have not yet been disclosed.
- CloudNordic notified its customers that they should consider their data as lost following a ransomware attack on the company’s servers, which paralyzed CloudNordic completely. Threat actors shut down the organization’s systems, wiping both company and customers’ websites and email systems. Backups were also impacted as well as production data. The unnamed threat actors posted a ransom demand which CloudNordic stated it “cannot and did not want to meet.” It is unclear if information was exfiltrated for publishing or sale at this time.
- Stockwell Harris Law was added to LockBit’s victim list this month, with the legal firm being given a deadline of August 20th to meet demands. According to a post on the threat actors’ site, the breach was attributed to the firm’s alleged negligence in safeguarding clients’ sensitive data. A sizeable amount of the company’s legal data has been exposed. The law firm is yet to comment on the incident.
- Another Danish cloud hosting company became a ransomware victim this month. AzeroCloud who has the same parent company as CloudNordic, was also forced to shut down all email and customer sites as a result of the combined ransomware attack on the two companies. Unnamed hackers set a ransom of 6BTC, or $157,000 for the data to be restored. The Director of both hosting companies said that consequences are unimaginable and “there is no company left.”
- Almost 7,600 individuals have had their sensitive data exposed as a result of a ransomware attack on the Ohio History Connection. The nonprofit organization had its internal servers targeted and encrypted in early July, with unnamed threat actors demanding millions of dollars in exchange for the encrypted data. The ransomware group exposed the stolen data belonging to employees of the organization between 2009 and 2023, after the OHC refused to pay the ransom demanded. Other compromised files include documents relating to vendors and donor checks since 2020.
- A press release from Île-de-France Nature confirmed that the regional agency had been subject to a ransomware attack in August. As soon as the intrusion was discovered, measures to restore services were implemented. Unfortunately, these measures did not prevent data from being encrypted and stolen. LockBit claimed responsibility for the attack but has not yet released the stolen data even though the deadline has passed. It is not clear what data was allegedly exfiltrated from the organization nor what ransom demands were made.
- Belgian IT service provider Econom fell victim to a cyberattack this month but at the time thought that no sensitive information was stolen during the incident. An ongoing investigation however has already revealed that information has been leaked but that the majority of the data has not been deemed as “sensitive.” Stormous took credit for this attack.
- Dutch electromagnet manufacturer Kendrion reported that it had fallen victim to a LockBit attack. According to a statement on its website, the company reported a “cybersecurity incident” during which an unauthorized third-party gained access to its business systems. The organization has not yet disclosed details surrounding the attack but has not ruled out the possibility that sensitive data may have been exfiltrated as a result. LockBit took responsibility giving Kendrion three days to meet their undisclosed ransom demand. Failure to do so would result in the publication of compromised data. At this time the nature and volume of data exfiltrated is unknown.
- PurFoods warned customers of a ransomware attack which resulted in the exposure of the personal information of 1.2 million customers and employees. Suspicious activity was identified in February when files on its systems were encrypted. Signs of network problems were still evident in early March with employees stating they had missed work and pay for a week due to “internet issues.” An investigation concluded that hackers had accessed data including dates of birth, driver’s licenses, financial account information, payment card information, medical and health information along with other sensitive data. The breach impacted individuals who have received Mom’s Meals packages, current and former employees, and independent contractors.
- Akira ransomware group claimed Jasper High School as one of its latest victims. Although the exact nature of the data has not been revealed, the group claimed to have gained access to 60GB of sensitive information. A message on Akira’s dark web site aired its grievances, stating “Another school that appears to disregard the security of its students’ documents.” Information on this incident is still vague and the school is yet to make a public statement addressing the claims.
- The BlackCat gang took credit for a June attack on Forsyth County in Georgia. According to breach notification letters sent out to 250,000 residents, files had been removed from servers during the attack and it was believed that SSNs and driver’s license numbers were accessed. BlackCat, also known as AlphV claimed to have accessed and exfiltrated more than 350GB of data which including SSNs, financial reports, insurance information, loan applications and business agreements.
- Chambersburg Area School District recently confirmed that their computer systems were impacted by a ransomware attack. The disclosure indicated that they had experienced a network disruption which compromised certain computer systems functionality. The district engaged forensic specialists to understand the scope and ramifications of the attack.
- Highly sensitive personal information was exposed as a result of a ransomware attack on Gaston College. The attack which took place in February, saw an individual gain access to and expose information from the college’s network. Stolen information varied by individual but is thought to include personally identifiable information, financial account information, medical information, and employment information. The unnamed hacker made files from the attack available online on both the dark web and the internet.
- Critical infrastructure belonging to Commission des services électriques de Montréal (CSEM) was targeted by a ransomware attack. LockBit claimed responsibility and initially made a portion of the stolen data public. While condemning this illegal act CSEM emphasized that the exposed data posed minimal risk to public safety or operations. The organization refused to pay the ransom, instead choosing to engage with authorities for assistance. LockBit later provided a link on its dark web site to download 44GB of exfiltrated data.
- Network monitoring company LogicMonitor confirmed that some of the users of its SaaS platform had recently experienced cyberattacks. The organization is in contact with impacted clients and is working with them to mitigate the situation. Sources have revealed that attackers were able to infiltrate customers’ accounts through weak passwords provided by LogicMonitor. Others reported that LogicMonitor was reaching out to other customers proactively explaining that some other accounts monitored by the organization had been compromised which had led to a ransomware attack. Information on this attack remains vague and further details are expected to become available in the coming days.
September
With seventy publicly disclosed attacks, September set a new record since starting our State of Ransomware blog back in January 2020. Healthcare and government were the highest targeted sectors, with twelve attacks each, closely followed by education with eleven. A large number of ransomware groups launched attacks this month, with BlackCat leading the charge claiming fifteen attacks, we also notes a number of new variants emerging. BlackCat’s attacks on Caesars Entertainment and MGM Resorts dominated the headlines for most of this month, alongside incidents with other big organizations such as SONY, Johnson Controls and PhilHealth.
Let’s see who else made ransomware news headlines in September:
- San Francisco based law firm Orrick, Herrington & Sutcliffe is facing a class action lawsuit following a ransomware attack earlier this year. The law firm determined that part of its network had been compromised by an unauthorized third party, which had gained access to a file share containing client information. 152,818 individuals had their personal information compromised as a result of this attack. The breached information included names, addresses, Dates of birth and social security numbers. The lawsuit alleges the firm did not implement adequate cybersecurity measures, detect the breach in a timely manner or provide timely notifications to those impacted.
- Carlisle Area School District in Pennsylvania temporarily shut down their internet- based applications after finding a “possible security breach”. The district released a statement explaining that while the incident did not post a direct threat to students or staff, certain restrictions had to be put in place to ensure safety. It was later reported that the school was notified by federal government officials that its internet system had been infiltrated with ransomware. No ransomware group has claimed the attack and any impact on data is yet to be determined.
- INC Ransom, a relatively new ransomware group, claimed Arkopharma, a well-known pharmaceutical platform as a victim in early September. The ransomware group announced the attack on its blog and while details on this incident are very vague, some evidence suggests that the organization either paid the ransom or managed to deal with the ransomware.
- IT professionals at the US National Science Foundation’s NOIRLab discovered suspicious behaviour in August, leading to the decision to temporarily halt activities at the at telescopes located in Hawaii for the sake of safety. It is unclear what kind of threat, if any, the telescopes themselves would have been exposed to, but the concern lies with the scientific research that may have been accessed during the incident. A ransomware group is yet to claim responsibility for the attack, and it is not clear what information was impacted.
- LockBit leaked data belonging to the UK’s Ministry of Defence, which was stolen during an attack on Zaun, one of the MOD’s third party suppliers. The supplier of metal fencing products appeared on LockBit’s leak site in mid-August, with data from the attack appearing online at the beginning of September. Data is said to include sales orders and details of equipment used across different MOD locations, but Zaun do not believe that any classified documents were accessed. LockBit was able to successfully exfiltrate approximately 10GB of data during the “sophisticated cyberattack”.
- Melbourne-based pathology firm, TissuPath, fell victim to a BlackCat ransomware attack in which the threat actors managed to gain access to detailed patient records by exploiting third-party supplier log in credentials. BlackCat, who claimed to have exfiltrated 446GB and 735,414 files gave the organization a chilling ultimatum; pay the ransom or they would publicly release sensitive patient information within 48 hours. Patient data compromised in the breach includes a range of sensitive information alongside some other medical data.
- Hillsborough County School District took a number of systems offline to prevent widespread disruption as a result of a ransomware attack. During the initial investigation it appeared that the incident did not affect the system that stored student data, unfortunately, later reviews confirmed that an administrative file from the 2021-22 school year had been accessed. Information may include PII and some academic information belonging to 254 students. LockBit has taken credit for this attack but information on whether a ransom demand was made has not been made public.
- Maiden Erlegh Trust in the UK saw systems accessed by an unauthorized third party resulting in its network being temporarily unavailable and inaccessible. The CEO of the Trust stated that business continuity plans were initiated upon discovery of the “sophisticated” attack. A forensic analysis is currently being conducted to fully investigate the circumstances and impact of the incident to determine the degree to which personal data has been put at risk.
- Australian owners corporation service provider Strata Plan fell victim to a BlackCat ransomware attack during which 1.43TB of data was exfiltrated. Although the group has posted the organization on their leak site, the Director of Strata Plan has disputed the claims of data theft, stating it is aware of the cyberattack but the company’s data “remains safe”. No further comment has been made.
- The City of Betton in France issued a press release indicating that it had been the victim of a “major attack by what is called ransomware.” The attack was discovered at the end of August and impacted the town hall’s servers. Medusa took credit for the attack, posting a ransom demand of $100,000 on its leak site, alongside a 10-day deadline. It is not clear what data was exfiltrated during the incident.
- The Financial Services Commission in Jamaica confirmed a ransomware attack which allowed cybercriminals to gain unauthorized access to its networks. As soon as the breach was detected, the FSC initiated a response plan and collaborated with law enforcement and cybersecurity experts to access and contain the incident. This is deemed a serious breach and is subject to an intensive investigation involving the Jamaica Cyber Incident Response Team and the Major Organized Crime & Anti-Corruption Agency. The investigation is still ongoing to ascertain the extent of the breach, implement a data recovery plan and strengthen the Commission’s IT security infrastructure.
- Dunghill Leak group has claimed responsibility for an attack on travel booking giant Sabre, alleging it took around 1.3TB of data from the organization. The data is said to include databases on ticket sales and passenger turnover, employees’ personal data and corporate financial information. Screenshots showing several databases containing tens of millions of records was posted as proof of claims, though it is not clear if the threat actors gained access to those databases. A spokesperson from Sabre commented that it is aware of the claims of data exfiltration and is investigating the validity of the claims.
- Digital ID, the company responsible for printing the Metropolitan Police Service of London’s warrant cards, suffered an IT breach which may have exposed 47,000 officers’ details. The Managing Director of Digital ID was contacted by extortionists demanding a ransom from the company. The organization has identified the incident and engaged the assistance of specialist external cyber and forensics consultants to conduct an investigation to assess the potential impact of attack. According to the Met Commissioner, although the breach is not believed to contain personal or financial information, it does cause wider concern. Later in September, it was revealed that the attack on Digital ID also impacted the Greater Manchester Police, putting more than 20,000 police officers’ details at risk.
- Real estate agency Barry Plant was one of the many Australian victims claimed by BlackCat this month. The amount of data allegedly stolen totalled 3.2TB with the group leaking the “entire dataset” as a consequence for the company refusing to engage in negotiations. The leak contains email content, NDAs, property applications, criminal records, passports, and client and employee IDs. Barry Plant’s Chief Executive has commented on the attack stressing that it was isolated to one office and did not breach the rest of the company’s systems.
- The city council of Seville is refusing to pay a $1.5million ransom demanded by LockBit following an attack on its networks. The incident affected a broad range of city services including, police, firefighters, and tax collection, with the city trying to restore all services as soon as possible. The attack was initially identified as an internal system failure but further analysis quickly revealed that it was in fact a cyberattack. It is unclear if LockBit stole any data and at the time the story was reported there were no reports of LockBit leaking any data from Seville’s government.
- Cyberport, a Hong Kong based technology park, revealed that sensitive information including employee details and credit card records were leaked online following a “malicious intrusion” in mid-August. The hack was not made public until September 5th, nearly three weeks after Cyberport notified Hong Kong’s privacy watchdog, claiming that it wanted to “avoid unnecessary concern.” Trigona has been linked to the incident after posting 438GB of Cyberport files on its leak site.
- A threat actor known as “TheSnake” leaked some data from Coca-Cola FEMSA on a popular hacking site claiming they had acquired a full database from the organization. The threat actor claimed to have access to databases containing “complete company information”, confidential photos and files, passwords, financial documents, supplier data and employee information. The attack involved both the encryption and exfiltration of files, though “TheSnake” claims the encryption did not hamper the organization’s productivity. A ransom demand of $12 million was made in exchange for the deletion of the files exfiltrated by Coca-Cola who paid $1.5 million to ensure only certain files were not leaked. The remainder of the files remain locked and are for sale on the dark web for $65,000.
- Ragnar Locker added Do IT Consultants in Canada to its “Wall of Shame” in early September, adding that the although the organization is responsible for network safety of others, it was not interested in building a safety perimeter nor resolving detected issues. A number of clients were involved in the leak which is reported to have a total data volume of 613GB. No further information about this incident is currently available.
- The Sri Lankan government’s email network, Lanka Government Cloud was hit by a ransomware attack that wiped months of data from almost 5,000 email accounts, including those belonging to top government officials. Although officials were able to restore LGC within 12 hours of the attack, the targeted system was encrypted along with its backups. Backups from May 17 to August 26 were lost as a result of the attack. An investigation has been launched and the country’s CERT are working to recover the lost data. The government has stated that it will not negotiate with the unknown threat actors or pay the undisclosed ransom. The government has faced criticism in the past for its lack of attention on cybersecurity and according to officials, a planned system upgrade in 2021 was postponed due to budget constraints and board decisions.
- Hinds County in Mississippi is still struggling to recover from a ransomware attack that disrupted essential services for its residents. The breach impacted internal servers countrywide and left employees unable to connect to the internet from their workstations causing several crucial services to be inaccessible to residents. An investigation was launched to establish the scope of the incident but it is still unclear who is behind the attack and whether any data was compromised. Some services are still impacted a number of weeks after the initial incident, with the county approving $600,000 in costs to restore its computer systems.
- The Church of England St Augustine Academy based in the English town of Kent, suffered a cyberattack which took down its phone lines and email systems. The headteacher of the school warned parents about the attack via a Facebook post where he revealed that data had been encrypted by an outside criminal organization. External payment systems remained secured, but parents were urged to be extra vigilant in case they received unusual emails or phone calls. It is unclear who launched the attack or if any data was stolen.
- LockBit added Hanwha Group, based in South Korea, to its victim list at the beginning of September, claiming to have stolen 800GB of data. The Fortune 500 company made it an attractive target for the hacking group. LockBit threatened to release the exfiltrated data if the undisclosed ransom wasn’t paid. It is not currently known if Hanwha responded to the threats or whether the situation is still ongoing.
- Electromechanical components manufacturer Alps Alpine confirmed that illegal access to its servers had been detected and the type of attack was ransomware. Upon discovering the intrusion, targeted servers were isolated from the network and an investigation was launched to determine the impact. Some systems continued to experience issues but where possible production activity continued.
- NoEscape ransomware gang claimed to have struck the International Joint Commission, a US-Canadian body that oversees the shared lake and river system along their borders. The gang claimed to have stolen 80GB of data including confidential and legal documents, as well as personal information of commission employees, threatening to release the 500,000 files unless the undisclosed ransom was paid.
- The personal information of 50 doctors linked to the Academy of Medicine in Singapore has been leaked on the dark web by LockBit. A 13.69GB database was published with personal information such as NRIC numbers and home addresses as well as credentials for AMS’s social media accounts, and a list of its staff and their mobile numbers.
- Save the Children International confirmed that it was hit with a cyberattack during which hackers gained unauthorized access to parts of the network. There was no operational disruption, and the charity continues to work with external specialists to understand how the attack happened and what data was impacted. The attack was made public when BianLian boasted that it had stolen 6.8TB of data from the organization, including personal information, 800GB of financial data, healthcare files and emails. It is presumed that the ransomware gang plans to leak or sell the data if an undisclosed ransom is not met.
- One of the biggest news stories in September was the cyberattack on MGM Resorts that wreaked havoc on operations. For several days after the initial attack, reports said everything from hotel room keys to slot machines, ATMs and paid parking systems weren’t working. Ten days after the incident MGM announced that hotels and casinos were “operating normally” again. BlackCat claimed that one of its affiliates, being tracked as Scattered Spider, was responsible for executing this attack by using social engineering to identify an IT employee on LinkedIn and then within 10 minutes of calling the help desk, the attack was launched. Reports suggest that 6TB of data was exfiltrated and servers encrypted but the threat actors stated that the lack of communication indicates that the company has no intention of negotiating a ransom payment.
- The website of the Tamil Nadu Police was hacked by cybercriminals who demanded a $20,000 ransom to restore the site. The hackers gained access to the Face Recognition System database during the breach, which contains images and other details of individuals with criminal records and repeat offenders. The incident also impacted a variety of e-services offered by the police. The attack was launched when threat actors used two logins with weak passwords to gain access to the site. An investigation is due to be launched, with enhancements to the website’s security also being proposed. It is not clear is any information was exfiltrated during the incident, or who was behind the attack.
- Derrimon Trading Co, who operate supermarket chains in Jamaica, publicly noted that its systems were breached by threat actors at the end of August but was able to restore the impacted systems within 48 hours. According to the organization’s CEO only some business within its local operations were impacted. BlackCat took credit for the incident, but it is not known if any data was stolen during the attack. The organization has stated that no ransom was paid and it is confident that no staff or customer data was compromised. According to reports, the ransomware gang tried to gain access to back up data from point of sales but were quickly intercepted.
- An attack on Singing River Health System in Mississippi crippled its systems and impacted three hospitals and 10 clinics. The organization said that it detected unusual activity in its network and immediately took several systems offline to mitigate the impact of the attack. Downtime procedures were in place allowing the healthcare facilities to continue to see patients. SRHS launched an internal investigation to understand the nature and scope of the incident and has notified law enforcements. Rhysida has claimed this attack posting a small sample of data apparently belonging to SRHS. The ransomware group stated that it is willing to sell the data for 30BTC which is around $780,000.
- Claxton-Hepburn Medical Center, which serves more than 200,000 people in New York counties is struggling to recover from a cyberattack. All appointments were rescheduled, and emergency cases diverted to other hospitals, with appointment cancellations continuing for up to seven days after the initial incident. LockBit took credit for the attack, threatening to publish the data unless an undisclosed ransom was paid before 19th.
- LockBit also claimed another New York hospital in September, creating similar consequences to the attack on Claxton-Hepburn. Carthage Area Hospital, a 25-bed facility serving both civilian and military personnel contended with the fallout of the cybersecurity breach which affected thousands of residents. The ransom demand has not been made public and it is not clear if the data from the attacks on both of these hospitals has been leaked.
- In September it was revealed that the Royal Dutch Football Association paid hackers to secure the safety of stolen data after a ransomware attack in April this year. LockBit successfully accessed the national football governing body’s systems and stole personal data belonging to a broad range of audiences, from youth players’ families to professionals. The KNVB stated that the prevention of a spread was more important than the principle of not allowing themselves to be extorted. Therefore, under expert guidance on the subject the organization opted to pay the undisclosed amount.
- A few days after the attack on MGM resorts hit the headlines, it was revealed that Caesars Entertainment also fell victim to a BlackCat ransomware attack. The same affiliate, Scattered Spider, who was responsible for carrying out the attack on MGM orchestrated the attack on the Nevada-based hotel and casino company. The disclosure made by Caesars indicated that the attackers specifically accessed the “Caesar’s Rewards” loyalty database. Reports indicate that attackers initially demanded $30million ransom payment, but Caesars was able to negotiate the eventual amount down to $15million. It appears the attack took place several weeks before the MGM breach, with the ransom payment being made mere days before the attackers moved on to the other casino giant.
- Multiple prominent government ministries in Colombia were forced to respond to a ransomware attack that forced officials to make significant operational changes. The cyberattack which targeted third-party technology provider, IFX Networks Colombia, caused a range of problems which limited the functionality of the Ministry of Health and Social Protection, the country’s Judiciary Branch and the Superintendency of Industry and Commerce. No ransomware group has publicly taken credit for the incident, but experts believe that RansomHouse hacking group may be behind the attack.
- ORBCOMM, a US based trucking and fleet management solutions provider, confirmed that a ransomware attack was responsible for service outages that prevented trucking companies from managing their fleets. ORBCOMM customers reported that they could not track transported inventory or use Blue Tree ELD devices, forcing truckers to switch to paper logs. The US Federal Motor Carrier Safety Administration issued a waiver allowing the use of paper logs until the service is restored, no later than 29th.
- The Auckland Transport (AT) transportation authority in New Zealand experienced widespread outages caused by a cyber incident which impacted a wide range of customer services. The HOP system, its integrated ticketing and fares systems was heavily impacted, preventing passengers from using their HOP cards to avail public transport services. Investigations continue but AT ensured that customers were still able to use public transport during the disruption. Medusa ransomware gang is demanding $1million for data it claims to have stolen from the transportation authority.
- Skidmore College in New York filed a notice in September stating that an unauthorized party was able to gain access to and encrypt the school’s IT network through a ransomware attack earlier this year. Upon discovering the incident, Skidmore secured its systems, notified law enforcement, and enlisted outside security experts to assist with an investigation. It was later revealed that certain files containing confidential information of around 121,000 individuals had been accessed by the hackers. Breached information varied depending on the individual, but it was believed to include names and SSNs.
- A relatively new ransomware group named ThreeAM posted Visiting Physician’s Network as one of its victims earlier this month. The listing indicated that the threat actors had leaked 85% of the files acquired during the incident and that 272 people had viewed the listing. The listing shows that they acquired patient chart scans, divided into three folders by patients’ last name. It is not clear how many files in total were exfiltrated during the attack, but ThreeAM claim to have “unloaded” all of the data they stole. VPN is yet to comment on or address queries about the attack.
- European multinational aerospace corporation Airbus is investigating a possible cyber security incident after a threat actor published data allegedly stolen from its networks on a leak site. Ransomed, a relatively new ransomware group, exposed the personal information of 3,200 sensitive Airbus vendors including names, addresses, phone numbers and email addresses. Screenshots of the compromised data contains details on vendors including Rockwell Collins and Thales Group. Hackers claim to have infiltrated Airbus’ systems by compromising an account belonging to an employee at a Turkish airline.
- Azerbaijani news outlet Mikroskop had its website taken down in an apparent ransomware attack, with a message from attackers demanding 0.5 bitcoin ($13,000) to unlock the site. The co-founder of Mikroskop suspected that the Azerbaijani government might be behind the attack due to the backlash it has been receiving about some of its news coverage.
- Medusa launched an attacked on Steripharma, a Moroccan pharmaceutical laboratory, in mid-September. The group posted twenty-five screenshots of stolen files as proof of its access to the victim’s systems. The sample included sensitive information, patents, industry secrets and more. A ransom of $100,000 was set, with the possibility of paying $10,000 per day to extend the deadline beyond the original eleven-day ultimatum that was given. It is not known if the organization is negotiating with the threat actors.
- Lakeland Community College in Ohio notified 290,000 people of a data breach which may have compromised personal, financial and health information. In the breach notification the college did not provide details on the attack which took place in March this year, but the Vice Society ransomware group had listed the college on its data leak site. Information impacted is said to include individuals’ names, SSNs, driver’s license numbers, financial account information, credit or debit card information, passport numbers, medical information, and health insurance policy information.
- Progressive Leasing experienced a cybersecurity incident that affected some of its systems. Promptly after detecting the incident, leading third-party experts were engaged and steps were taken to respond to, remediate, and investigate the incident. Preliminary findings from the investigation have revealed that data involved in the attack contained a substantial amount of personally identifiable information such as SSNs of customers and other individuals. BlackCat took credit for this attack.
- Victoria-headquartered firm Peacock Bros was struck by Cactus ransomware group in mid-September. The ransomware group posted limited details of the hack, alongside a tranche of other victims with data including an NDA, a land sale contract, an income statement, and a drivers’ licence, to backup claims of the access to Peacock Bros’ internal networks. Cactus has not disclosed how much data it possesses, how much ransom it demanded or when it plans to publish data if payment is not received.
- Al Ashram Contracting, one of the UAE’s leading construction companies, became a victim of the BlackCat ransomware group this month. The data breach allegedly resulted in the loss of 257GB of sensitive corporate information which was later uploaded to the threat group’s leak website. Stolen information included a trove of information such as ISO audit records, procurement records, suppliers’ library, legal files, and IT asset inventory & exchange account. A deadline for negotiations was not given to the organization who did not issue a statement regarding this alleged breach.
- RansomHouse gang added luxury handbag maker Radley London to its victim blog, claiming to have stolen 600GB of data from the company, however, the criminal gang have made no ransom demand and no negotiation deadline. A note posted on the leak site addresses Radley and advises the organization to contact the threat actors to avoid confidential data being leaked or sold. A Radley spokesperson acknowledged the IT security incident and stated that an investigation is ongoing.
- Almost one year from when the initial incident occurred, Crown Point Community Schools in Indiana confirmed that it was a victim of a ransomware attack. The attack occurred when a staff member fell for a phishing email which resulted in the encryption of files on the school district’s servers. Superintendent Todd Terrill said that the ransom was paid, and student and staff information was turned over to the school district instead of being posted online. According to the findings of the investigation, no financial information was accessed but it is still unclear what personal information may have been impacted. In total, the ransom payment, technology updates and payments to specialists and legal teams cost the school district $1million. Cyber insurance would pay out on all costs excluding the ransom amount paid.
- The Florida Department of Veterans Affairs became a victim of Snatch ransomware gang, with the group posting about the cyberattack on its dark web site. Hackers published a proof pack of sample data allegedly exfiltrated from the FDVA during the incident. Some reports indicate that a conversation had occurred between the two parties regarding a ransom payment, with the dark web post suggesting that negotiations had broken down. No other information about this attack has been made available, however the CISA have since released a joint cybersecurity advisory alerting organizations about Snatch ransomware.
- Donut ransomware gang have claimed to be in possession of source code and SQL databases belonging to UK-based IT services company Agilitas. The gang claimed to have been in contact with Agilitas following the attack, but a blog post suggested that the company has not responded to the threat actors. A threat has been made stipulating that if the organization remains silent, source code and SQL databases will be posted on the dark web, with the “first pack of data” containing 30GB of source code. No ransom demand or deadline for payment has been published on the site.
- Smartfren Telecom, an Asian telecom giant, was a victim of a BianLian cyberattack in August this year. Smartfren opted not to meet the undisclosed ransom demands made by the ransomware group, resulting in the public disclosure of the company name and 1.2TB of data being leaked. The vast trove of data encompassed a wide range of sensitive information including personal data, accounting records, budgetary details, financial data, technical data and much more.
- Pelmorex Corporation, the parent company of two Canadian weather websites, recently re-established most of its operations following an attack on an unnamed third-party software provider. LockBit took credit for the attack, claiming it has downloaded “a lot of databases.” Pelmorex issued a statement acknowledging the claims made by LockBit and highlighting that, at this time, investigations suggest that attackers gained limited access to publicly available information. Representatives did not say whether hackers have asked for a ransom.
- Pain Care Specialists in Oregon became a victim of an attack by BlackCat, with threat actors adding the medical entity to its leak site with some files containing personal information of employees and patients. BlackCat noted that as a result of the hack, the network was encrypted and 150GB of sensitive information was exfiltrated. Data included patient and employee medical records, SSNs, employees’ IDs, contracts, drug screens and payment information. The group also claimed to have accessed portals of federal medical regulation web-resources. Pain Care Specialists was given until September 26 to pay an undisclosed fee in return for the data.
- The Philippine Health Insurance Corporation (PhilHealth) has been “paralyzed” by a Medusa ransomware attack which forced some of its services offline. According to the Department of Information and Communications Technology, the PhilHealth member databases are secure and leaked information only pertains to the PhilHealth employees. A ransom demand of $300,000 was made by the threat actors.
- Auckland University of Technology (AUT) confirmed that it recently experienced a cyber incident involving “unauthorized access to its IT environment,” but that disruption to AUT services remained minimal. AUT took immediate action to contain and isolate potentially affected servers. It was later revealed that Monti ransomware group claimed to have stolen 60GB of data from the university, with a deadline of October 9 to pay an undisclosed ransom. AUT has stated that further investigation is required to determine the extent of the breach.
- Hong Kong’s consumer watchdog revealed certain types of its employees and client data may have been compromised following a ransomware attack. According to a media briefing, the seven-hour attack resulted in almost 80% damage to its computer systems, causing disruption to its hotline services and update of price comparison tools. A data transfer volume of 65GB higher than usual was also observed. It has not yet been confirmed what data was impacted but the chairman of the Consumer Council has said that data of current and former employees, job applicants and other internal documents may be at risk of unauthorized exposure. Furthermore, credit card information provided by 8,000 subscribers of its monthly magazine CHOICE may have been compromised. The council will not pay the ransom which is valued between $500,000 and $700,000. Those behind the attack have not been publicly named.
- BlackCat, added Clarion, the global manufacturer of audio and video equipment for cars and other vehicles, to the list of victims on its Tor leak site. The group announced that Clarion was hacked and confidential data about their business and their partners was to be leaked. Screenshots were added to the leak site as proof of claims. BlackCat also claims to have stolen customers’ data and threatened to sell it to interested parties. Clarion has yet to comment on the incident.
- MNGI Digestive Health in Minnesota were seemingly hit by BlackCat. The listing on the group’s site on September 24 stated that the company should contact the group within 48 hours. Failure to do so would result in 2TB of data being automatically published and patients notified about the breach. As proof of claims, BlackCat uploaded some images from diagnostic tests, but without legible corresponding patient IDs or details. MNGI has yet to respond to these claims with further information on the attack still unavailable.
- KNP Logistics, one of the UK’s largest privately owned logistics groups, declared itself insolvent, blaming a ransomware attack in June. The “major” ransomware attack affected key systems, processes, and financial information, which adversely impacted on the financial position of the Group and its ability to secure additional investment and funding. The attack is believed to have been orchestrated by Akira. As a result of the administration process, approximately 730 employees will be made redundant.
- NoEscape ransomware group claimed to have struck Leekes, a chain of furniture stores based in Wales and the West of England. The company was posted on the gang’s victim blog, alongside the claim that 130GB of data was stolen from Leekes. It is unknown whether a ransom demand was made, or if the company is cooperating with hackers. Screenshots of the post show the acronym DDoS in the bottom of the post, hinting that one of tactics for this particular attack could have been a distributed denial of service (DDoS) attack. Leekes is yet to make a public comment addressing the incident.
- Sony is still investigating allegations of a cyberattack, with ransomware groups claiming to have compromised all of Sony’s systems. Threat actor Ransomed claimed the attack and put its “data and access” up for sale rather than offering the organization the chance to pay a ransom demand. Sample data posted by the group only contained 2MB of data comprising of a PowerPoint presentation, some Java source code files, and other assets. The extortion group claims to have stolen 260GB of data during the attack which they are attempting to sell for $2.5million. Other threat actors are also claiming responsibility for the attack, refuting Ransomed claims. A Sony Corporation representative has stated that the organization is currently investigating the situation and has no further comment at this time.
- Phil-Data Business Systems was the second organization in the Philippines targeted by ransomware gangs in September, with BlackCat claiming responsibility. Members of the group claimed that they gained access to the company’s network and stole critical data, including client information, sensitive data, and business-critical information. Based on the company’s investigation, it was confident that no customer information had been impacted. It is unclear how the criminal gang gained access to Phil-Data’s systems, but the group gave the organization 48 hours to negotiate a ransom amount.
- The government of Kuwait is recovering from a ransomware attack which impacted its Ministry of Finance. Government officials immediately tried to separate and shut off affected systems upon discovery of the incident. A technical team consisting of several entities, including the National Cyber Center, was formed to address the issue. The Ministry of Finance confirmed that all data on worker’ salaries in government bodies is stored within the Ministry’s systems and financial transactions are recorded. Rhysida claimed responsibility for the attack, giving the government seven days to pay an undisclosed ransom amount.
- Johnson Controls International suffered a massive ransomware attack which encrypted many of the company devices, impacting the company’s and its subsidiaries’ operations. The organization was initially breached at its Asia offices, but the attack caused the company to shut down part of its IT systems, with its subsidiaries displaying technical outage messages on website login pages and customer portals. New entry, Dark Angels was credited for the attack, with the group claiming to have exfiltrated over 27TB of corporate data and encrypted the company’s VMWare ESXi virtual machines. The ransom note provided by the gang linked to a negotiation chat where a ransom demand of $51million was posted in exchange for providing a decryptor and the deletion of stolen data. Recent reports suggest that the stolen data may contain sensitive Department of Homeland Security (DHS) data.
- Edinburgh Trams suffered a cyberattack making the company’s website “inaccessible” to its user base for some time. The transport company confirmed that it was investigating the cyberattack but has given no further information regarding the incident. NoName ransomware gang claimed responsibility for the incident.
- McLaren HealthCare, one of Michigan’s largest healthcare systems confirmed that it fell victim to a ransomware attack orchestrated by BlackCat. The organization detected suspicious activity and immediately began an investigation which determined what it experienced was in fact a ransomware incident. However, the investigation into claims made by BlackCat is still ongoing. The gang claimed to have stolen 6TB of data including the personal data of millions as well as videos of the hospital’s work.
- Hong Kong Laureate Forum suffered a ransomware attack that encrypted its computer server in late September. The forum’s secretariat has stated that around 550 people were “most affected” by the incident which involved work documents and personal data. The unnamed hackers did not specify a ransom amount but instead requested the forum to contact them within 24 hours of the attack and follow further instruction to purchase Bitcoin.
- In Arizona, Pinal County School Office Data Processing Service Consortium was involved in a cyberattack which put the pay checks of employees from 21 districts in jeopardy. A statement revealed that employee data is not believed to have been comprised. Pinal County Schools had to work around the clock to recover the data needed to complete the payroll process however it has still not been confirmed, at time of writing, if the employees received their pay checks. An investigation has been launched, working alongside Homeland Security and the FBI, to determine how the attack happened and what, if any information has been stolen.
- Although reports are still vague, Furtwangen University in Germany issued a statement to its students confirming that its IT infrastructure was affected by a hacker attack. The university’s entire IT infrastructure became unavailable as a result of the incident, impacting all online services available to students. An FAQ section provided to students indicated that according to initial findings, data was encrypted or deleted. BlackCat took credit for the attack and claimed to be in possession of data including personal information, marketing strategy, intellectual property and “other hot stuff”. It is not clear if a ransom was demanded or if the university has entered into negotiations with the ransomware group.
- German hotel chain Motel One has been added to BlackCat’s victim list, with the group claiming to have stolen 24,449,137 files, approximately 6TB of data. This stolen information is said to include 5.5TB of booking confirmations from the past three years, containing names, addresses, payment methods and contact information, as well as customers’ credit card information and internal company documents. The hotel chain was given 5 days to pay the undisclosed ransom before “a catastrophe occurs”. It is not known if Motel One intend on communicating with the group at this time.
October
We recorded sixty-four publicly disclosed ransomware attacks this month, the busiest October we have seen since we started this blog in 2020 and a 45% increase on last year’s figures. Government and healthcare were the most impacted sectors, with sixteen and fourteen attacks, respectively. Notorious gangs BlackCat and LockBit topped the lists of variants in a month where we also seen a number of new gangs emerge, including a possible rebrand of the disbanded Hive ransomware group. Check out which companies made ransomware headlines in October:
- The Federal University of Mato Grosso do Sul (UFMS) in Brazil suffered a cyberattack which forced the university to take all computer systems and digital services offline for security reasons. Technology systems allowed the recovery of data and other systems from backups. At this time, it is not clear whether any student or server data was accessed or stolen during the incident. Federal Police, the Legal Attorney’s Office and the National Data Protection Authority are investigating the case. Rhysida has since taken responsibility for the attack.
- BlackCat added Brooklyn Premier Orthopedics to their leak site, providing proof of claims showing protected health data and other personally identifiable information. In September, the group leaked 126GB of data claiming that BPO representative refused to engage in negotiations. The statement made by the company, released at the beginning of October, acknowledged the incident but did not mention the leaked data. On Oct 6th, BPO notified HHS that 48,459 patients had been impacted by the attack.
- Prestige Care and Prestige Senior Living were also victims of a ransomware attack orchestrated by BlackCat. The group claimed to have stolen 260GB of files, some of which were leaked earlier than others. It is not clear what data was taken but files names such as personal data, finance, HR, SharePoint, and Marketing are seen in the proof of claims. At the time of writing, there is nothing on Prestige Care’s website acknowledging the breach of public data leak.
- Garn Mason Orthodontics in Arizona was added to Knight’s leak site, with the post declaring that the organization was “the most collaborative and dangerous dentistry in the USA”. The ransomware group claimed to have stolen critical data including client’s personal data, insurance information, financial and banking information, client medical histories and more. They were given 72 hours to contact Knight, but it is not known if these negotiations occurred.
- At the beginning of October, Monti added Cascade Family Dental to their leak site. According to the post around 130GB of data including SSNs, DOBs, addresses and more personal information belonging to around 2,500 clients was stolen during the incident. Cascade are yet to publicly acknowledge the incident.
- Fauquier County Public Schools released a statement announcing that a ransomware attack aimed at its systems in September had compromised the sensitive personal information of close to 14,000 students and staff. Upon identifying the cyber incident an internal investigation was launched with the assistance of third party experts, to understand the nature and scope of the incident. LockBit took credit for the attack, demanding an undisclosed ransom to stop the public release of stolen data.
- Canadian cymbal and drumming accessories manufacturer Sabian was forced to deal with a widespread IT service outage which impacted all of its internal systems, as a result of a ransomware attack. 8Base ransomware group took responsibility for the attack in which they claimed to have breached the company’s network, exfiltrating invoices, receipts, accounting documents, personal data, certificates, employment documents and other documents.
- An attack targeted Rock County Public Health Department, affecting several of their computer systems. Systems were taken offline to prevent further impact, causing a temporary disruption to certain County operations. Third party specialists were sourced to secure systems and bring them online, while an investigation into the nature and score of the event continues. Cuba ransomware gang claimed the attack, stating that stolen information included financial documents, tax information and more, without revealing how much data in total was exfiltrated.
- Rhysida was responsible for an attack on the database of the Dominican Republic’s General Directorate of Migration (DGM). The DGM announced that the institution’s database was a victim of a “cybersecurity incident” which resulted in the “unauthorized exposure of data”. Operations of the government body was not compromised. It was later confirmed that the data breach would possibly include names, addresses, and date of births. The National Cybersecurity Centre was notified of the incident. It is not known if a ransom was demanded in exchange for the data.
- Suncoast Community Health Centers (CHC) Inc. was added to LockBit’s victim list, with the ransomware group claiming to have exfiltrated SSNs, passports, financial records, insurance data and other patient information during the incident. The Suncoast CHC was given 48 hours to pay the undisclosed ransom. One day after posting the initial threat on its dark web site, LockBit updated the threat suggesting that the healthcare organization did not respond to ransom demands.
- Lorenz ransomware group orchestrated a major cyber assault on Arkansas-based AllCare Pharmacy, resulting in the threat of a significant breach of data. The data exfiltrated is said to include large amounts of personal and confidential information. AllCare Pharmacy has not publicly acknowledged the attack or the potentially compromised data. Information on this attack remains limited at this time.
- The District of Columbia Board of Elections (DCBOE) believes that threat actors behind a ransomware attack in early October may have obtained access to the personal information of all registered voters. The agency took down its website upon discovering the attack. Investigations revealed that attackers gained access to the information through a web server. RansomedVC claims to have stolen 600,000 lines of U.S. voter data, including D.C. voter records. Information stolen includes names, registration IDs, voter IDs, partial SSNs, driver’s license numbers, DOBs, phone numbers and emails among other data. The ransom demand remains undisclosed.
- The city of Gondomar in Portugal reported that some municipal services were disrupted after a cyberattack forced officials to take systems offline. Email systems remained down for multiple days making it difficult for residents to contact government officials. Rhysida claimed to be behind the attack, sharing samples of passports and other financial documents allegedly stolen during the incident.
- Information technology products and services company CDW announced in an email statement that there was an “isolated IT security matter” which was associated with non-customer facing servers. LockBit made a ransom demand of $80 million in exchange for not leaking data stolen during the incident. Reports suggest that negotiations broke down between CDW and threat actors when the organization offered $1.1 million in response to the original demand. LockBit later published two posts on its leak site containing CDW data which included information associated with employee badges, audits, commissions payout data and other account-related information.
- In Colorado, Boulder’s Office of Disaster Management’s X page (formerly known as Twitter) was hacked, forcing the agency to deactivate the account and re-direct residents to the ODM website for updates. The ODM reassured residents that the attack did not impact its ability to send out emergency alerts. Reports did not name the group behind the attack but did confirm that screenshots provided by the threat actors demanded an undisclosed ransom in cryptocurrency in exchange for returning access of the account back to ODM.
- Global construction consultancy firm WT Partnership fell victim to a Qilin ransomware attack in October. WT Partnership Asia was posted on the ransomware group’s leak site, with a note threatening to publish stolen information. This information is said to include confidential agreements, projects, customers’ information and more. The ransom amount was unspecified. It is not clear if the organization entered into negotiations with Qilin, with WT Partnerships yet to make a public comment on the incident and data theft claims.
- One of the biggest global manufacturing technology providers, Volex, was hit by a cyberattack which affected its IT systems across several international sites. According to a statement from the company, hackers gained access to some of its IT systems and data. Upon discovering the incident, the Group took immediate steps to stop the unauthorized access to systems and data. Investigations have begun to establish the nature and extent of the incident. Black Basta took credit for the attack, but it is not yet known what data, if any, was exfiltrated during the incident.
- Confidential agreements, contracts, banking services, legal documents, customer data and thousands of other important documents were stolen from the Order of Psychologists of Lombardy in early October. NoEscape ransomware group declared that it was able to steal 7GB of data from the organization’s IT infrastructure, threatening to publish it 6 days after the original claim was made. The group did not disclose a ransom but instead told the OPL to assign a negotiation to contact them for and explanation and “help”.
- St Louis Metro Transit was a victim of a cyberattack which impacted some phone and computer services for a number of days, forcing the agency to take computer systems offline temporarily. At the start of the investigation, officials said that no customer data had been compromised. Play took credit for the attack and have posted screenshots on the dark web showing the publication of 10 files, each 500MB and a tracker noting that the download link had been viewed more than 700 times. A ransom was demanded but the amount has not been made public.
- Florida First Judicial Circuit disclosed that it has initiated an investigation into a cyberattack which disrupted operations on October 2nd, cancelling and rescheduling non-essential court proceedings. BlackCat claimed responsibility for targeting the courts, claiming to have obtained sensitive personal information including SSNs and CV of employees, including judges. The Florida court circuit was added to the ransomware group’s data leak page, indicating that the court either had not engaged in negotiations or have simply rejected the gang’s demands.
- California-headquartered Simpson Manufacturing Company took some systems offline to contain a cyberattack after becoming aware of the malicious activity. The incident caused disruption to parts of the company’s business operations. An investigation was launched to determine the nature of the attack as well as the scope of its effect. BlackBasta posted Simpson Strong Tie Company, a subsidiary of Simpson Manufacturing, on their leak site in late October.
- French professional basketball team AVSEL acknowledged a data breach following a claim from NoEscape ransomware gang. A press statement disclosed that the team was alerted by the press and immediately contacted companies specializing in cybersecurity but could confirm that it was a “victim of a violation of its computer system, with data exfiltration.” Threat actors claim to have stolen 32GB of data encompassing personal data of players, passports, ID cards and other documents relating to finance, legal matters, NDAs, contracts, and confidential information. AVSEL also confirmed, that to date, there is no evidence to suggest that attackers were able to gain access to financial information of their fans. NoEscape removed ASVEL from its leak site, raising speculation that negotiations between the two parties may be underway.
- NoEscape claimed another attack, this time Seattle Housing Authority was the victim. In a post on the leak site, the ransomware group claimed to have encrypted the SHA’s main servers, exfiltrating 158 GB of data. The data included 400,000 confidential files containing agreements, NDAs, personally identifiable information, audit, and client data along with tens of thousands of scanned documents. Although these claims were made, no proof pack was posted to support the claim.
- 60GB of confidential and personal data, including the protected health information of around 30,000 patients was exfiltrated during an attack on Mulkay Cardiology Consultants. The New Jersey medical practice appeared on NoEscape’s leak site with the listing including sample images and 2.43GB of downloadable data. The information stolen is said to include PII, health insurance details, medical records among other confidential documents. Mulkay has not yet publicly disclosed any information regarding the attack.
- Air Canada announced its internal systems had been breached in September but refused to comment on claims made by BianLian, stating only that the group “threatened to resort to exploiting the media in their unsuccessful extortion efforts”. BianLian claimed that it was able to exfiltrate at least 210GB of data from the airline and the data included technical and operational data, SQL backups, employee personal data, information on vendors and suppliers, and confidential documents. A proof pack was included in the post, alongside the personal emails and phone numbers of the airline president and CIO.
- BlackBasta took credit for a recent cyberattack against UK hotel chain, Edwardian Hotels London. The ransomware group added the hotel chain to its leak site, including data samples of passport information and bank details as proof that data was exfiltrated during the incident. Specific details about the ransom amount demanded and the volume of data exfiltrated has not been disclosed. At this time, Edwardian Hotels are yet to make a public statement addressing the attack.
- National Health Mission in India has been added to Knight ransomware groups dark web channel, with the update including screenshots. The screenshots appear to display a system dashboard belonging to a test employee. Details on this attack remain vague and the National Health Mission are yet to comment on the incident.
- Local news publications are reporting on the impacts that an attack on Norwegian IT provider Inventum Øst has had on its clients. A manager from the IT provider confirmed that a cybersecurity incident forced them to shut down parts of their data services to ensure the attack did not spread. Threat actors gained access to the network through a hole in one of the company’s firewalls. It is believed that 20 to 30 customers across Norway could be impacted by the incident. One of the company’s clients, Knut Malmberg AS, has told reporters that they lost a 6.5million crown deal due to IT services being unavailable. Akira took responsibility for this incident, claiming to have exfiltrated 20GB of data.
- BlackCat claims to have hacked Morrison Community Hospital in Illinois, stealing 5TB of data during the attack. Data allegedly exfiltrated contained backups, personally identifiable information and more, with the claim being validated by samples of proof of stolen data posted on the group’s dark web site. BlackCat has stated that hospital officials have not provided a clear response to the group’s posting and are not threatening to initiate patients call shortly.
- Taylored Services learned that it was the target of a cyberattack in September, but after containing the incident, an ongoing investigation suggested that an unauthorized party did not access or remove any data from the IT network. However, it was later shared that a threat actor was able to access files containing confidential information belonging to current and former employees. The multinational logistics provider has since revealed that information including names, SSNs, addresses, DOBs and financial account information was among the data breached.
- Comtek Advanced Structures, based in Burlington, Ontario, faced a ransomware threat in early October, forcing the facility to temporarily close until forensic investigations and recovery efforts were completed. Parent company, Latecoere, released a statement ensuring stakeholders that Comtek’s IT systems are separated and isolated from other Latecoere Group entities, which remain unaffected. 8Base added Comtek to its victim list, adding that files such as invoices, accounting documents, personal data, employment contracts, as well as a huge amount of confidential information, was stolen during the incident.
- The Texas Department of Public Safety’s Cyber Security unit launched an investigation into a breach of the Harlingen Police Department’s data technology system. Upon discovering the incident, officials shut down the city’s data system and disabled telephone and internet services. It is believed that hackers encrypted the department’s data but failed to steal any information. LockBit added the City of Harlingen to its leak site, suggesting that the ransomware gang did in fact manage to exfiltrate data during the incident. No further information on the attack has been made public.
- Taiwanese networking equipment manufacturer D-Link confirmed a data breach involving information stolen from its network. The attacker claims to have breached the organization, stealing 3 million lines of customer information, as well as source code to D-View. The incident occurred due to an employee falling victim to a phishing attack. The company immediately shut down potentially impacted servers and disabled all but two user accounts in response to the breach. D-Link has stated that it was a “test lab environment” that the hacker had accessed and that, contrary to the hackers’ claims, only 700 outdated and fragmented records were impacted.
- Akumin proactively shut down computer systems upon noticing suspicious activity on its network. The radiology and oncology services provider revealed they had temporarily postponed most clinical and diagnostic operations and would be turning patients away due to a ransomware incident. An estimated timeline for restoration of services remains unavailable at this time. To date, no ransomware group has claimed responsibility for the attack or leaked any data from it.
- The Servicio Nacional de Aduanas de Chile was able to prevent a cyberattack from progressing in mid-October. The government’s customs department stated that upon detecting the security incident, IT teams took preventative measures ensuring that the operational continuity of the Service was not impacted. Chile’s Computer Security Incident Response Team confirmed that it was a ransomware attack involving Black Basta ransomware gang and has alerted all of the country’s government bodies of the incident.
- Cybersecurity researchers reported that information belonging to Quality Service Installation (QSI) has been made available on the dark web. The recognized ITM and ATM solutions provider has not confirmed the assertation of the cyberattack, but BlackCat has made claims relating to the organization. The ransomware group declared that it was successful in exfiltrating a wide range of data including financial records, client information, and work-related data. Personal data and development information was also reportedly compromised alongside 5TB of SQL-based data from QSI.
- Hong Kong Ballet reported a data breach caused by a ransomware attack on its computer systems in October. An official statement revealed that its network systems had been infected by ransomware, allowing intruders to access and encrypt files. An investigation is ongoing to determine the full scope of the attack, but it is believed that personal user details and organizational internal information was impacted. The institution has not received any ransom demands or threats of a data leak from any ransomware groups to date.
- Kansas court system suffered at least 2 weeks of downtime following an alleged ransomware attack. The disruption has left attorneys unable to search online records and forced them to file motions on paper. The Kansas Supreme Court decided to suspend electronic filings to “give the judicial branch time to examine a security incident that has disrupted access to court systems”. No ransomware group has claimed responsibility for the incident and no further details have been released regarding the attack.
- Ampersand, a television advertising sales and technology company, fell victim to a ransomware attack that temporarily disrupted its operations. The company are addressing the issue alongside third-party advisors and law enforcement. Black Basta claimed the attack but did not reveal the extent of data stolen and have not yet published any samples of information.
- Boise Recuse Mission Ministries became a victim to BlackCat in October, with the group exfiltrating a wide range of data during the incident. The post on BlackCat’s dark web site detailed exfiltrated data which included information on employees, information on all guests of the shelter, incident reports, partner contact information, budget sheets and other working documents. There has been no official statement made by the not-for-profit organization.
- Brazil’s Presidency of the Republic denied claims that it been victimized by a ransomware attack orchestrated by an operative of Royal ransomware gang. Black Suit cybercriminal group claimed to have successfully infected the government division, collecting administrative data as a result of the attack. No further information relating to this case has been made public.
- Henwood Family Dentistry in Texas announced that the protected health information of 7,300 patients was potentially accessed by unauthorized individuals in August this year. Access to a desktop computer was gained via remote access, with threat actors then using the credentials for a user account to access the network. Data exposed varied from individual to individual but may include PII, health insurance information and information regarding ongoing care. The dental center has been made aware of one patient that has been contacted directly by the attacker and is urging other patients not to engage with the threat actor should they be contacted. Those behind the attack have not been publicly named.
- Protected health information belonging to up to 235,931 individuals may have been impacted during a ransomware attack on Fairfax Oral and Maxillofacial Surgery. The incident, detected in May, saw files encrypted on the surgery’s systems. Although investigations did not find evidence of data theft, the possibility that files were stolen could not be ruled out. Affected parts of the network contained information such as names, driver’s license numbers, health insurance information and medical history information. To date, no ransomware group has taken credit for this incident.
- Wisconsin-based employment and staffing services provider Cadre Services was added to the BlackCat site with threat actors claiming to have acquired 100GB of files. These files are said to include job seekers data, employee data, financial data, top management data and a collection of pornography found on the CFO’s PC. The ransomware group initially demanded a ransom of $300,000, which the organization insisted it could not afford. The firm’s negotiator then stated bosses were offering $25,000 which was rejected by the threat actors who could see a bank account with $190,000 in it. The final offer posed to and rejected by the threat actors was $35,000. Since then, BlackCat has uploaded the “first part” of the leak including one folder containing 4,400 files with detailed personal and identity information of job seekers.
- Knight ransomware group claimed responsibility for an attack on BMW Munique Motors in Brazil. Threat actors left a notice stating that they would display the download links for stolen files after a countdown expired. The BMW dealership is yet to release an official statement to address the attack. With no proof of claims and no data yet leaked, the validity of the group’s claims remain unverified.
- The Cumberland County Register of Deed’s online records were temporarily impacted by a ransomware attack on one of its servers. Fortunately, only one server was impacted, and no data was lost or compromised during the attack. The attack also disabled Hoke County’s Register of Deeds website, but again, no data was compromised. Local, state, and federal agencies are working to support the entities in investigating the incident. It is not yet known who was behind the attack or how the ransomware infected the server.
- Play ransomware group claimed an attack on Associated Wholesale Grocers (AWG) and threatened to release sensitive data acquired during the breach. The data allegedly contained sensitive information including private and confidential data, client documents, contracts, SSNs, passports, payroll details, tax records and financial information. The cooperative food wholesaler was given three days to contact the ransomware group. No updated information on this incident has been publicly disclosed.
- It is believed that a rebranded Hive, Hunters International, was behind an attack on Stratton Primary School in the UK. The new Tor website listed the school as its only victim so far, posting two blocks of stolen data. The first block contained 47.3GB of data, named “Pupils Details” concerns documents on students at the school, with the second block, containing 78.5GB, subtitled “Pupils & Teachers info Network & web credentials Finance”. No other information relating to the attack is available at this time.
- Hunters International is also behind an attack on the clinic of plastic surgeon Jaime Schwartz, sharing four images of nude or partially clothed individuals as proof. The group claim to have acquired 1.1TB of data consisting of 248,245 files. A follow up post from the group revealed names, address, photos and in some cases videos of alleged patients, calling this the first of three total disclosures. The leak site also stated that bulk emails will be sent to clinic patients if negotiations are not started. It is not clear if a ransom has been demanded, or if the clinic has since been in communication with the cybercriminals.
- Massachusetts based energy industrial services provider BHI Energy has stated that Akira ransomware group infiltrated its network and stole around 700GB of data during an attack in June this year. The company’s IT team identified unauthorized access to certain systems and immediately launched an investigation into the nature and scope of the incident while trying to remove the unauthorized access. The threat actor gained access through a VPN connection linked to a previously compromised user account of a third-party contractor. 767,035 files were encrypted and exfiltrated, totally 690GB of compressed data. The organization was able to resolve the security incident, remove malware and decrypt files without a decryption tool from Akira.
- Hopewell Area School District claims it was a victim of a “sophisticated” ransomware attack which caused network disruption throughout the district. The district in Pennsylvania is working with state and federal law enforcement to investigate the incident and determine whether any data on the network was accessed without permission. It is not yet known which ransomware group was behind the attack and there has been no comment made on whether a ransom has been demanded.
- Chile’s Grupo GTD revealed that a cyberattack impacted its Infrastructure as a Service (IaaS) platform, causing disruption to online services. Numerous services including data centers, internet access and VoIP were impacted when the IaaS was disconnected in attempts to limit the attack. The CSIRT has not disclosed the name of the ransomware gang behind the attack, but reports suggest that relatively new encryptor Rorschach ransomware was involved.
- Rock County in Wisconsin is investigating a cyberattack on its administrative offices which took place in early October. The hacker, who remains unnamed, infiltrated the county’s network database, encrypted some files, and demanded $1.9 million in exchange for access to the locked files. Officials said that the county’s technology team was able to restore access without paying the ransom fee. An investigation is ongoing, and it is not yet known if any private or confidential information was exfiltrated.
- BlackCat has claimed the US hotel management LBA Hospitality as one of its latest victims, just one month after the group attacked MGM and Caesars Las Vegas resorts. LBA includes nearly 100 hotels under four major hotel chains appeared on BlackCat’s data leak site with a small sample of files allegedly exfiltrated during the attack. The ransomware gang claimed to have stolen about 200GB of “highly confidential” internal company data from the company’s main servers, including both client and employee personnel data. A deadline of 72 hours was given to initiate negotiations before data would be leaked to the dark web. More information on this attack is expected to surface in the coming weeks.
- The Italian data protection authority (Garante) announced its decision to impose a €30,000 fine on the Napoli 3 Sud Local Health Authority following a ransomware attack. The attack limited access to the Health Authority’s database, with a ransom requested to restore the full functionality of the system. Garante deemed that the Local Health Authority had failed to adequately protect the personal data and health data of 842,000 patients and employees. It is not clear if the data had belonging to these individuals were merely accessed or if the data has been exfiltrated.
- Sanford University confirmed that an internal investigation had been launched following a security incident that affected the Stanford University Department of Public Safety (SUDPS). It has been confirmed that the attack was limited to SUDPS and did not impact any other part of the university, nor the police response to emergencies. Akira has claimed the attack and listed the University on its leak site. The group claimed to have stolen up to 430GB of internal data from the University’s systems but are yet to share any samples of the allegedly stolen data. Data that may have been compromised contains sensitive personal information submitted by students applying for the Ph.D. programme between December 5, 2022, and January 24, 2023.
- Clark County School District (CCSD) in Nevada was targeted by a “cybersecurity incident” at the beginning of October, and after three weeks, has still not fully recovered from the attack. CCSD informed parents and employees of the incident but reports suggest that there was a lack of transparency about what data was stolen during the breach. At the end of October, hackers leaked 200,000 student’s information and numerous other files containing personal information, with the threat that there may still be more to come. It has also been suggested that hackers still have access to the district’s email server.
- Six Rivers Media, the largest media company in Northeast Tennessee, experienced a cyberattack that took down all of its servers. The incident impacted the Times News, the Press, the Erwin Record, and the Jonesborough Herald & Tribute but two of the company’s other publications were still able to publish their newspapers. Six Rivers Media COO stated that he did not think it was a ransomware attack as they were not contacted by any threat actors. However, 8Base has added Kingsport Times News, one of the company’s publications, to its leak site, claiming to have exfiltrated data. Additional information relating to this attack remains unavailable.
- Play ransomware group posted Dallas County to its leak site, claiming to have stolen an undisclosed amount of data which it threatened to leak by November 3rd. The county has not validated the threat actors claims but has stated that it is aware of a cybersecurity incident affecting a portion of its environment and has launched an official investigation. The county has stated that it will provide updates once more information is available.
- LockBit has claimed The Boeing Company as a victim, adding the aerospace company to its leak site in late October. The ransomware group has stated that it has a “tremendous amount of sensitive data” that will be published if the company does not get in contact with the group. No proof claims or samples have been posted on the dark web site as of yet, but LockBit has stated that these will be published before the deadline. It has not been revealed how much data has been exfiltrated nor what the nature of that data is. Boeing is currently assessing the claims made by LockBit and have yet to make any further statement on the incident.
- Online reports revealed that Telecommunication Services of Trinidad and Tobago (TSTT) was breached by Ransom Exx, with the group claiming to have exfiltrated 6GB of data from the organization. A 300MB files containing personal identifiable information of 800,000 TST customers was posted as proof of claims on the dark web. Public Utilities Minister Martin Gonzales has stated that these claims of a ransomware attack are “not true”, adding that an official statement from TSTT will be issued soon.
- The Intercontinental Airport of Querétaro (AIQ) announced that it had experienced a cyberattack caused by “malicious software” that did not put its operation at risk. The attack was generated when someone accidently opened a malicious file that infected the system. Upon discovering the attack, the cybersecurity team applied containment and isolation measures but at no time was the operational safety of the airport compromised. LockBit has since claimed responsibility for the incident, setting a deadline of Nov 27th for the organization and posting three screenshots of data as a proof of claims.
- Five southwestern Ontario hospitals had their IT systems compromised due to a ransomware attack on IT system provider, TransForm. Outages persisted for eight days, postponing surgeries and appointments and impacting cancer care treatments. The hospitals affected were Windsor Regional Hospital, Eerie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Bluewater Health and Chatham-Kent Health Alliance. The company has stated that patient and staff data was taken during the incident and the information could be exposed. No ransomware group has yet taken credit for the attack.
- The City of Victorville in California identified suspicious activities in its internal network and launched an investigation to understand the nature and scope of the incident. Some services were unavailable to residents due to technical difficulties as a result of the attack. A threat actor gained access to certain files within the network which contained some personal information said to include names, SSNs, state identification cards, medical information, and health insurance policy numbers. NoEscape ransomware group has reportedly claimed responsibility for the attack, listing the city on its leak site. The group claims to be in possession of 200GB of confidential data and will publish it if undisclosed demands are not met.
November
We recorded eighty-nine publicly disclosed ransomware attacks in November, the highest number we’ve recorded since starting our State of Ransomware blog in 2020. This figure represents a massive 112% increase on 2022’s recorded attacks. LockBit and BlackCat continue to be the two top variants, with 20 and 15 attacks respectively. Healthcare was the hardest hit industry with 21 incidents recorded, including the attack on Ardent Health Services which caused chaos across various states over Thanksgiving. Other notable attacks this month include ICBC, SIRVA and Fidelity National Financial.
Discover who else made ransomware headlines in November:
- DePauw University in Greencastle, Indiana fell victim to a cyberattack which had a widespread impact on student life. Classes were still in session but there was no internet, no online class program, no access to the university’s local network and printers were down. The university launched a comprehensive investigation and recognized the significance of the event. Later in the month, BlackSuit ransomware gang posted the university on its leak site, claiming to have exfiltrated 214GB of personal data. No further information was posted by the group, so it is not known if a ransom was demanded.
- The Bank of Ceylon’s online systems were forced offline, causing online banking to be down for an entire day with customer service being unresponsive. Reports suggested that the bank had been hit by a malware attack, however BOC’s infosec team denied the claim, stating that it was a “glitch in the month-end process” causing the issues. A ransomware gang known as Cloak claimed responsibility for the attack on its leak site, writing that BOC “decided to cover up the leak and close their eyes and ears as if nothing happened.” The group also noted that compromised sensitive and personal data was available for download, posting an image of a staff payment request as proof of claims.
- At the end of October, Río Hondo College in Southern California dealt with a cybersecurity incident that limited campus functions for a number of days before normal services were resumed. The school did not identify the disruptions as ransomware but in early November LockBit added the school to its list of victims, giving officials until November 20th to pay an undisclosed ransom. The school has since acknowledged the attack, letting students know that an investigation was launched, and additional updates would be provided when it was complete. The school did not mention if a ransom had been paid or if law enforcement was involved.
- Medical researcher Advarra fell victim to a ransomware attack at the hands of BlackCat this month, using SIM swap to facilitate the attack. One or more affiliates of BlackCat managed to get into a work account of an exec at Advarra to copy business information. According to claims on its dark web site, more than 120GB of confidential information concerning customers, patients, and employees, both past and present, was stolen during the incident. BlackCat also published a file containing the name, DOB and SSN of a US citizen alongside a passport scan of a Advarra executive as proof of claims. The organization denied the claims and an investigation remains ongoing.
- ALPHV claimed the Town of Iowa in the state of Louisiana as a victim at the start of November, publishing the first part of data exfiltrated from the town. Approximately 250 scanned documents were released containing SSNs of employees, employee salaries, balance sheets, DOBs, addresses and other PII. Documents also included administrative records from the Police and Fire department alongside a 2020 insurance policy regarding the “Terrorism Risk Insurance Act”. It is not clear what the ransom demand was or when the ransomware group will publish additional documents exfiltrated during the attack.
- Northeast healthcare network Summit Health was breached in an attack by LockBit ransomware gang. The Russian-linked criminal gang threatened to publish all available data if Summit Health did not make contact and begin negotiations. LockBit did not disclose they data type or amount they had managed to exfiltrate and there has been no other information regarding this attack made public at this time.
- Toronto Public Library has stated that its systems will remain down until the new year following a ransomware attack late last month. The restoration of library services has been deemed “complex” and due to the interconnectivity of systems it is taking longer than originally anticipated to resolve the issue. Black Basta claimed responsibility for the ongoing technical outages, stealing personal information of employees, customers, volunteers, and donors. Cardholder and donor databases were not affected, with the data stolen coming from a compromised file server. TPL has not paid the undisclosed ransom amount and is working alongside external cybersecurity experts to investigate the incident.
- A ransomware attack paralyzed local government services in cities and districts in western Germany in late October. An unknown hacker group encrypted servers of Südwestfalen IT, forcing them to restrict access to its infrastructure for over 70 municipalities, leaving local government services “severely limited.” German police and cybersecurity agencies are involved in a “complex and lengthy” investigation of the hack whilst working to restore services. No further details have been released due to the ongoing investigation.
- Deer Oaks, a Texas-based mental healthcare provider, reported a data breach which exposed the personal information of thousands of its patients. The company became aware of “potential unauthorized activity” and was able to detect and isolate the event to one segment of the network. A specialized incident response vendor was hired to secure the network and conduct forensic investigations. It has been revealed that 171,871 individuals were impacted by the incident, with personal information such as SSNs, diagnosis codes and treatment service types acquired by the hackers. LockBit claimed responsibility.
- When Jefferson County School District staff members received alarming email messages from an external cybersecurity threat actor indicating a cyberattack, the organization immediately began working with cybersecurity experts and law enforcement to determine the scope of the incident. The message from “SingularityMD” claimed to have illegally accessed the school district’s network and downloaded confidential information belonging to staff and students. A ransom demand of $15,000 was made by the group as well as proof of claims and consequences for failure to pay.
- American healthcare company Henry Schein reported not one, but two cyberattacks in November, both orchestrated by BlackCat. At the beginning of the month, the organization announced that it was forced to take some systems offline to contain a cyberattack that occurred in October. The ransomware group claimed the attack stating that the network had been breached and 35TB of data stolen. The breached data included sensitive customer and supplier information. In November, the cybercrime group claimed that negotiations had stalled and that it had decided to re-encrypt files just as the company had finished restoring systems. The second attack rendered some of its applications, including the e-commerce platform, unavailable. At the time of writing, Henry Schein is no longer posted on BlackCat’s dark web site, suggesting negotiations might have resumed or possibly that the undisclosed ransom demand was met.
- Allied Pilots Association, the pilot union of American Airlines, had some of its systems encrypted following a ransomware attack. The union became aware of the attack when its servers were taken offline, blocking access to both the union’s public website and secure member-only pages, as well as specific tools built for pilots. The APA is working with third-party experts to investigate the extent of the incident. No ransomware group has taken responsibility for this incident.
- LockBit took credit for an attack on Japanese manufacturer Shimano, claiming to have stolen 4.5TB of confidential data. Data included confidential employee details, financial documents, client databases, confidential diagrams and drawings, lab tests, NDAs, contracts, and development materials. The group gave Shimano three days to pay an unspecified ransom before publishing all of the data. The ransom note received by the company carried a threat from LockBit stating “if you do not pay the ransom, we will attack your company again in the future.” Some of the data has now been published by LockBit.
- In South Africa, the Mangaung Metropolitan Municipality confirmed in a public notice that a security breach on its network was in fact caused by ransomware. The municipality’s IT systems had been offline since 24th October, with the attack rendering all applications used by the municipality inoperable. This included access to critical application systems, causing an overwhelming number of complaints from residents who were unable to get assistance from officials. The city manager communicated with both state-owned agencies and private companies such as the Council of Scientific and Industrial Research (CSIR) to further analyze the severity of the attack. No group has yet claimed the attack and it is not clear if any data was exfiltrated during the incident.
- A cyberattack paralyzed the services of the Loiret departmental council in early November, interrupting access to servers and certain business software. The case was escalated to “the cybercrime section of Paris prosecutor’s office, “with an investigation taking place to determine the origin and consequences of the attack. LockBit claimed responsibility but did not post a ransom on its dark web site. The group stated that all data would be published if demands were not met, but it is not clear what data was exfiltrated.
- Shipping company Corisca Ferries fell victim to a cyberattack which resulted in the theft of 101GB of confidential data. The “serious incident” interrupted the organization’s servers, making the website and applications unavailable for a day. BlackCat was behind the attack, stealing troves of data including banking services information, personal information, and internal documents. The group made the stolen information available, explaining that Corisca Ferries had “decided not to cooperate.”
- McCamish Systems, a US-based unit of Infosys, was hit by a ransomware attack in early November, resulting in certain applications becoming unavailable. Infosys has not disclosed the impact and nature of the attack, however, LockBit claimed responsibility by posting Infosys on its dark web site. The group claimed to have encrypted more than 2000 systems and exfiltrated files created or edited in the last 365 days. McCamish offered a payment of $50,000 which the group deemed unacceptable, posting that the data would be sold with a starting bid of $500,000 for 50GB of data. It is not clear at this time if McCamish continued to negotiate with the cybercriminals.
- Qilin added Cardiovascular Consultants LTD (CVC Heart) in Arizona to its dark web site, stating that you can download “all personal data of clients and employees” of the company, however the link to the file allegedly containing 205.93GB of data did not work. CVC Heart has not acknowledged the attack and it is not clear whether the information “stolen” is actually legitimate. Further information on this attack is not available.
- Medusa ransomware group claimed an attack on the Canadian Psychological Association during which the group attempted to encrypt one of CPA’s servers. The ransomware group shared details of the CPA data breach on their dark web channel and included a countdown timer. The post also included ultimatums, demanding $10,000 to delay the publication of compromised data for another day, and $200,000 for the complete deletion of data, which can then be downloaded and restored. It is not clear if the organization paid the ransom nor what data was exfiltrated during the attack.
- Major Japanese tech manufacturer, Japan Aviation Electronics (JAE) confirmed that it was hit by a cyberattack, impacting its workflow and rendering its website unavailable. JAE confirmed the attack stating that an external party had accessed some of the group’s servers without authorization and that an investigation was launched to establish the status of the damage. JAE noted that there’s no indication that any information was leaked. BlackCat claimed the attack but details about the breach were vague and did they not indicate what type of data they accessed.
- Personal information of employees and clinicians was stolen during a ransomware attack on Michael Garron Hospital in Canada. In late October the hospital first announced that it was investigating a cybersecurity incident, declaring a Code Grey, a term used by hospitals for IT system emergencies. In early November, the hospital announced that patient and donor information was also exposed but it was not yet clear how many people would be impacted. Akira claimed responsibility for the incident but a hospital spokesperson stated that “while a ransom was demanded, this was not a ransomware attack.” Akira claimed to have stolen 882,000 files (775GB) from the hospital’s network.
- In Scotland, Western Isles local authority Comhairle nan Eilean Siar faced significant disruption when its systems and website went down as a result of a ransomware attack. Police Scotland, the National Cyber Security Centre and the Scottish government are working alongside the local authority in a criminal investigation. The attack has not yet been claimed by a ransomware group and it is not clear at this time if any data was stolen during the incident.
- Pulaski County Public Schools in Virginia issued a statement confirming that it had been impacted by a cybercriminal attack, after irregularities were detected in the system servers. PCPS immediately retained outside experts to launch a forensic investigation, which determined that the incident involved ransomware. Further information on this attack has not been made public.
- Egypt’s leading electronic payment network Fawry confirmed claims that its network was breached by LockBit but stated that no financial information was stolen during the incident. The attack caused the network to crash and led to widespread advisories warning users to immediately delete bank account details from the app. Personal details of some customers were exfiltrated, including contact information such as addresses and phone numbers.
- Tri-City Healthcare in California reportedly experienced an “internal disaster” as a result of a sophisticated cyberattack. The incident impacted the facility’s ability to handle emergency cases and ambulances were diverted to other hospitals. Pending operations and appointments were also rescheduled. Internal and external internet technicians, along with law enforcement experts investigated the breach. This attack has not been claimed by any cybercriminal group and details remain vague.
- Kyocera AVX Components Corporation (KAVX) sent out notices this month of a data breach which exposed the personal information of 39,111 individuals following a ransomware attack. The American manufacturer stated that it discovered the attack on October 10th and that hackers had accessed its systems between February 16 and March 30th this year. The attack resulted in the encryption of a limited number of servers and the temporary disruption of certain services. KAVX confirmed that information including full names, SSNs and other personal data was exposed during the incident.
- London-based law firm Allen & Overy were removed from LockBit’s dark web site in late November, suggesting that parties may be negotiating a ransom payment following an attack earlier this month. The cybersecurity incident impacted a small number of storage servers but did not impact data in core systems. The technical team, alongside an independent security adviser, took immediate action to isolate and contain the incident. It is not known what data LockBit claimed to have stolen from the law firm.
- The Integrated University Hospital of Verona in Italy was published on Rhysida’s victim list along with a ransom demand of 10BTC. The attack led to days of disruption for the hospital. The data stolen during the attack was described by the ransomware group as “exclusive data” with proof of claims containing laboratory test results, electronic invoices, and a number of excel files. The hospital stood firm on the stance that it would not consider paying ransom demands from cybercriminals.
- A ransomware attack on the Harris Center for Mental Health and IDD in Texas encrypted some employee files, making them inaccessible which caused delay to patient care. Center administrators worked with their teams and third-party security response specialists to restore full functionality and an investigation involving law enforcement is ongoing. Due to the ongoing nature of the investigation, no further details on the incident have been shared at this time.
- Major Chinese Bank Industrial & Commercial Bank of China (ICBC) failed to convince some of its market partners to resume trading following a LockBit ransomware attack earlier this month. The attack which targeted the U.S. subsidiary ICBC Financial Services caused major disruption to US Treasury Markets, with the ICBC FS disconnecting and isolating impacted systems to contain the threat. It was reported that the bank paid LockBit a ransom, but the sum paid has not been made public nor has the claim been verified.
- PriceSmart became a target of BlackCat this month, with the group allegedly stealing and exposing more than 500GB of sensitive data belonging to employees and clients of the organization. No further information on this incident is available at this time.
- Cogdell Memorial Hospital experienced a computer network incident that prevented the hospital from accessing some of its systems and severely limited the operability of its phone systems. Lorenz ransomware group claimed responsibility for the incident, adding the hospital to its leak site. The group claimed to have stolen more than 400GB of data including internal files, patient medical images, and also employee email communications. Lorenz has since leaked around 95% of the data exfiltrated during the attack.
- Toronto-based technology company Moneris stated that it prevented a recent ransomware attack orchestrated by Medusa. The ransomware gang added Moneris to its leak site but a spokesperson from the organization said its cybersecurity team “prevented access to critical data and no ransom request was made.” Medusa gave a nine-day deadline to pay $6 million ransom to either download or delete the data.
- Pacific Union College (PUC) fell victim to a ransomware attack which resulted in the exposure of a significant amount of highly sensitive personal and financial information. The breach at PUC has affected 56,041 individuals, with Trigona claiming responsibility for the attack and threatening to sell stolen data if ransom demands are not met. The compromised data included a wide range of confidential information such as financial account details, employee information, student records and financial aid documents. The college has been scrutinized due to the delay on acknowledging and reporting the issue which was first discovered on April 7th, 2023.
- com, an on-demand moving and delivery platform, reportedly paid hackers not to publish customer data stolen during an attack, but unfortunately that was not enough to satisfy the attackers. The attack by unknown cybercriminals took place in late August or early September, but emails showed that on Sept 7th Dolly.com agreed to pay a ransom. Information stolen during the attack included sensitive company and customer data. The ransom paid by the organization was deemed insufficient but instead of returning the money, the hackers kept the money and published the stolen data. The attempt to retrieve files and mute the attack was unfortunately unsuccessful.
- In Ohio, the city of Huber Heights saw various city divisions impacted by a ransomware attack in mid-November. The disruption lasted at least one week but some services remain unavailable. Upon discovering the incident, the IT Department began working with local, state, and federal law enforcement to investigate the scope and severity of the attack. Forensic teams are still reviewing what data if any was breached during the incident.
- Carespring, an organization providing nursing care throughout Cincinnati, Dayton and Northern Kentucky was added to NoEscape’s leak site on November 10th. The ransomware group locked Carespring’s files and exfiltrated 364GB of files that allegedly contain personal data of employees and patients, medical records, internal and financial documents. The organization did not respond to NoEscape’s posting, leading the group to post a threat advising “not to bring the situation to a critical level” and to get in contact as soon as possible.
- NoEscape also added Southern Orthopaedic Specialists in North Carolina to its leak site. According to the ransomware group, the organizations systems were locked on October 25 and 3GB of data was exfiltrated. When Southern Orthopaedic Specialists did not respond to the group’s demands, it was hit with a DDoS attack. It is not clear what the nature of the data exfiltrated during the attack was.
- Global search and consultancy firm Execuzen Ltd was announced as a victim on ALPHV’s (BlackCat) Telegram account. The ransomware group claimed to have stolen personal data, photos, and sensitive corporate information from the organization. There is also a threat that the stolen information would be made public if Execuzen does not negotiate with the group. There was no proof of claims posted and at this time no further information on this attack has been made public.
- Kentucky based Homeland Inc was added to Hunters International’s leak site, with the group claiming to have acquired over 200GB of data. The 183,793 files are said to contain tenants and management information, financial data, business data, employee data and other sensitive Homeland business information. A sample of the files posted as proof of claims contains tenant’s personal information, with sensitive information omitted. Hunters said that Homeland representatives have been contacted and given all of the information they need, but the lack of response prompted the ransomware group to make a public announcement about the attack.
- INC ransomware targeted Decatur Independent School District causing DISD’s main server to go down and disrupting internet and phone services. The ransomware group did not share details of the attack or any ransom demand. A proof pack, however, was posted and included a small number of files with student names and info on them. At the time of the attack, the district had not received any ransom demands and no further information is available at this time.
- The world’s second-largest chicken, beef and pork processor, Tyson Foods, allegedly fell victim to a ransomware attack, claimed by Snatch. The cybercriminal group posted the organization on its blog implying that it had information on the organization’s future plans. The lack of samples or proof pack could imply that the breach was not substantial or involved a separate plant of Tyson Foods. The company is yet to make a public comment acknowledging the attack.
- The British Library confirmed that user data was exfiltrated and leaked by Rhysida following a ransomware attack. Systems still remain offline weeks after the attack, forcing the library to operate only minimal services. A forensic investigation was undertaken with the support of the National Cyber Security Centre, the Metropolitan Police and other cybersecurity specialists. Rhysida posted evidence that they had stolen internal documents, mostly HR files. The gang started a seven-day auction which ended on 27th November, when data was leaked.
- LockBit ensnared Finland-based KWH Freeze in its malicious activities in November. A warning of intent to publish compromised data was made, with the deadline of 27th November given. It is not yet known what the nature of the stolen data was. The CEO of KWH Freeze stated that the matter has been reported to the Data Protection Ombudsman but would not comment on a ransom demand or any other details regarding the attack.
- Yamaha Motor Philippines Inc, a subsidiary of the Yamaha Motor Co. issued a statement confirming that servers were accessed without authorization by a third-party, and that a ransomware attack was responsible for a partial leakage of employees’ personal information. An internal investigation was immediately launched to understand the scope of the attack. INC ransomware claimed the attack on YMPH and listed the company as a victim on its dark web site. The group claimed to be in possession of 37.5GB of data which includes financial data, backups and passports, and published samples of stolen data on the dark web as proof of claims.
- Toyota Financial Services (TFS) confirmed that unauthorized access to some of its systems in Europe and Africa had been detected, following an attack claim made by Medusa. TFS was added to the group’s leak site, listing a demand of $8,000,000 to delete the data allegedly stolen from the Toyota Motor Co. subsidiary. Threat actors gave the organization ten days to respond, with the option to extend the deadline for $10,000 per day. The hackers published sample data as proof of the attack which contained financial documents, purchase invoices, passport scans, staff email addresses and more.
- BlackCat not only targeted MeridianLink with a ransomware attack, the ransomware group also reported the organization to the Securities and Exchange Commission for failure to inform the regulator of the incident. MeridianLink confirmed that it had recently identified a cyberattack and acted immediately to contain the threat and investigate the incident. BlackCat shared a photo of the form sent to the SEC and gave the organization 24 hours to pay an undisclosed ransom before data exfiltrated during the attack was leaked. Once new reporting rules come into effect in mid-December, this could become a commonly used tactic to pressure organizations into paying ransoms.
- Port Adelaide Football Club has begun an investigation into claims made by the Cuba ransomware gang. The threat actors claimed to have exfiltrated financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation and source code belonging to the football club. The club was made aware of claims and immediately engaged external cybersecurity experts to facilitate an ongoing investigation. The post on the group’s leak site was later deleted but no information has been released on whether or not a ransom was paid, or the claims were in fact true.
- LockBit added Alphadyne Asset Management to its list of victims on its dark web page. A representative from the New York based investment firm declined to comment on the incident. The post on the dark web site suggested that data had been exfiltrated during the attack, but it is not clear what the nature of the allegedly stolen data is. There has been no further information made available.
- Chicago Trading Company was also added to LockBit’s victim list this month alongside Alphadyne. The attack on CTC was carried out in late October and upon discovering the incident an investigation involving law enforcement was started. Operations were not impacted, and a spokesperson said, “there was never any ransomware.” LockBit gave the organization a deadline to make unspecified payments, with the threat of stolen data being published if demands are not met.
- Healthcare organization WellLife Network posted a notice at the beginning of November informing patients and employees that their IT team had discovered a cyberattack in early September. An unauthorized actor gained access to certain WellLife systems and exfiltrated certain information including PII, demographic information and other personal and health information. Documents filed with the HHS stated that 501 people were impacted but the organization has not made that information publicly available.
- Play ransomware gang claimed to have successfully hit a maximum-security detention center in Rhode Island. The Donald W. Wyatt Detention Facility was listed on the group’s dark web site alongside claims that private and personal confidential information, client documents, agreements, budgets, HR and finance information was exfiltrated. The amount of data exfiltrated was not disclosed with the gang giving a deadline of November 19th for payment of undisclosed ransom demands. The prison has not released any statement regarding the attack.
- Disruption of a computer system impacting the St Lucie County tax collector is being blamed on a ransomware attack. Despite the hack in October, the agency reassured taxpayers that their personal information had not been stolen. BlackCat was behind the incident and posted a proof pack on its dark web site alongside the first part of the listing.
- BlackCat disclosed NAFTOR, a company in the PERN SA Capital Group, as a victim this month, claiming that the business could be hacked by dozens of vulnerabilities in its network. Critical and sensitive data was stolen including databases, NDA documents, financial data, customer data, internal company and partner correspondence, legal documents and more. The group threatened to publish call sensitive data and also use critical data for criminal purposes. Allegedly some documents from the incident have already been published.
- A data breach impacting Canadian government, military and police employees may involve 24 years’ worth of personal and financial information. The BGRS/SIRVA breach was made public in late October, with little information about the scope of the attack, when relocation services from the organizations’ were interrupted and BGRS’s website went offline. Preliminary information indicated that breached information could belong to anyone who has used the relocation services as early as 1999 and may include financial information belonging to employees. LockBit took credit for the incident and claimed to have stolen 1.5TB of documents and “3 full backups of CRM” from SIRVAs Europe, North America and Australian branches. The data has since been leaked after the SIRVA declined to pay $15million ransom, offering instead $1m.
- LockBit listed HSKS Greenhalgh Chartered Accountants on its leak site claiming to have exfiltrated 168GB of files including employee personal information, client databases, contracts, various corporate documents, and other databases. Another file stated was “USA patient database” which has called into question where that data has come from. No further information, including the source of that data, has been made available.
- British logistics company Owens Group reportedly suffered a significant data security incident that compromised confidential data and the sensitive personal information of its drivers, employees and clients. LockBit took credit for the attack, claiming to have exfiltrated 710GB from the company’s internal network. The compromised data included company financial information as well as sensitive personal data of employees and drivers and the Owen’s Group customer database. LockBit published the stolen data on its leak site after the organization failed to pay the undisclosed ransom amount within the deadline. Owens Group is yet to make an official announcement addressing the claims made by the ransomware group.
- Autonomous Flight Technologies (AFT) was targeted by a cyberattack orchestrated by BlackCat. Allegations suggested that the attackers breached AFT’s systems and sold sensitive data to an undisclosed foreign entity. AFT has not issued an official statement concerning the data breach leaves claims unverified.
- LockBit claimed responsibility for an attack on US-based logistics company Brown Integrated Logistics. The ransomware group claimed to have exfiltrated critical data including invoices, balance sheets, and customer details. The organization was given until December 2nd to negotiate ransom payments before all data will be leaked. The threat actors have not disclosed how much data they have in their possession.
- French organization DS Granit was targeted by 3AM ransomware in late November. The threat actors initially used LockBit against the victim but switched to 3AM when LockBit failed. It is believed that 3AM used an outdated tool to operate, with modern firewalls not set up to recognize old scripts. Further information on the attack has not yet been disclosed.
- Data from the Agency for French Education Abroad was impacted by a cyberattack on French software firm, Elap. The hackers gained access to personal information including banking details of parents and students who attended international schools operated by the AEFE. The AEFE has declined to comment further on the incident. Ransomware gang RansomEXX claimed the attack and published 1.1TB of documents on its dark web site.
- Sabre Insurance, a UK-based motor insurance company, was a victim of a ransomware attack which resulted in data breach. The company has stated that the information accessed during the incident was “non-critical” and related to archived data. Initial findings in the ongoing investigation suggest that the compromise originated at an IT management company providing technical services to Sabre. LockBit has claimed the attack and added the organization to its leak site. Six images were posted as proof of claims and a ransom demand of $900,000 made in exchange for destroying and downloading the information. A deadline of 30th November was given before all data will be published.
- Global aircraft maintenance and technical services company Feam Aero was claimed by BlackCat ransomware gang this month, with the organization being posted on the dark leak site alongside claims of stolen troves of sensitive information. The post stated “FEAM has been hacked. All critical company and customer data was stolen,” a 48-hour deadline was attached. BlackCat did not post the amount of data it had stolen but did provide a sample of 67 files including passports, social security cards, third-party disclosures, company credit card statements and insurance records. The group also warned that “numerous customers of the company have been accessed they will be attacked soon.”
- Tri Counties Bank, had its systems breached and data including personal customer and employee data stolen by unnamed cybercriminals. Information submitted to the Maine Attorney General stated a total of 74,385 individuals were impacted by the attack. The breach notification also says that “the network had been infected with malware which prevented access to certain files on its network.” No ransomware group has yet claimed the attack.
- McHale Landscape Design based in Maryland fell victim to a cyberattack, allegedly at the hands of the Play ransomware gang. The gang reportedly gained unauthorized access to a significant amount of sensitive data during the incident. The extent of the compromised data and full scope of the attack remain uncertain, but hackers claimed to have obtained confidential information including private and personal information, client documents, budget details, HR records and financial data.
- Popular payment provider Ingo Money suffered a ransomware attack, with the company being added to the leak site belonging to Inc Ransom. The attackers did not specify what type of data they may have exfiltrated and Ingo Money has yet to make a public statement responding to the claims. Information on this attack remains vague.
- An attack on London & Zurich has resulted in major outages which has forced at least one customer to take out a short-term loan as backlogs cause cash flow chaos. The company confirmed that ransomware was involved in the attack as customers were unable to process the vast majority of direct debit payments. Upon learning of the incident the organization immediately initiated an investigation with the assistance of third-party cybersecurity experts and took steps to contain the incident. A spokesperson stated that only one environment was impacted, and a new, clean environment has now been built and is in final testing.
- In early November, Meredosia-Chambersburg school district experienced issues with staff computers after receiving an email demanding money for the computers to be made operational. Network servers were unplugged and removed as a security measure while administrators worked with experienced cybersecurity professionals to resolve the incident. The school district managed to get most of its computer systems back online. No ransomware group has claimed the attack.
- In Texas, Nassau Bay admitted to having suffered a ransomware attack which impacted more than 8,000 individuals. The incident was reported as a “data security incident that caused the encryption of certain systems and files.” An investigation was immediately launched to eradicate the threat, determine the nature and scope of the incident and confirm whether any personal information was accessed or acquired by a third-party. A thorough and detailed forensic investigation revealed that files removed from the network contained personal information. Compromised data included sensitive personal information of city residents, financial account numbers, credit and debit card numbers, passwords, and PIN number for accounts. Akira recently took credit for the attack claiming to be in possession of 45GB of data.
- Vanderbilt University Medical Center confirmed that it was investigating a cybersecurity incident that led to the compromise of a database this month. VUMC identified and contained the incident and launched an investigation, with preliminary results indicating that compromised data did not include personal or protected information about patients or employees. Relatively new group Meow claimed the attack, stating that they infiltrated the network and stole the data but did not provide a sample as proof of claims. Meow made the data available on its leak site with a warning that the “company will be hacked again.” VUMC has not disclosed any further information regarding the attack.
- Fidelity National Financial became aware of a cybersecurity incident that impacted certain FNF systems before starting an investigation to access and contain the incident. The ongoing investigation has revealed that hackers accessed certain company systems and “acquired certain credentials.” The attack caused major disruption to the business, especially services related to real estate, with many scheduled home-sale closings being delayed as a result of the disruption. BlackCat took credit for the intrusion, publishing a lengthy screed against the company for hiring incident responders from Mandiant. The ransomware group did not disclose the amount or nature of the data exfiltrated during the attack.
- Hampton-Newport News CSB, a mental health service provider in Virginia, was added to BlackCat’s leak site in late November. The message on the site claims that the group has stolen over 800GB of sensitive data and that the organization should appoint a person responsible for negotiation. The organization was not intimidated, prompting BlackCat to post a “last chance” message giving then 48 hours to get in touch or all confidential data would be published. The threat was accompanied by screenshots of various files with confidential assessment records on clients and confidential information on employees.
- Crystal Lake Health Centers (CLHC) have been compromised by Hunters International, who have added the medical care provider to their leak site. According to the leak site notice the group managed to acquire patient data, employee data, financial information, real estate data, insurance documents, legal data, and other sensitive information. As proof, they leaked 47.5MB of data which was only a small portion of the 120GB that Hunters claimed to have exfiltrated.
- Rhysida ransomware group claim to have infiltrated the Chinese state-owned energy conglomerate China Energy Engineering Corporation. The ransomware group claimed to have stolen a substantial amount of “impressive data” which it is auctioning off for 50BTC. The gang plans to release the data to the public seven days after the breach announcement. Proof of claims was posted on the group’s TOR site. At this time there is no further information regarding this attack available.
- Granger Medical Clinic in Utah was added to NoEscape ransomware group’s leak site. The threat actors provided a filetree and screenshots as proof of claims, which contained files relating to facilities and other internal documents, as well as employee files. On NoEscape’s listing, they claimed to have exfiltrated more than 35GB of sensitive data from the clinic, giving them 24 hours to pay $700,000 or data will be leaked. It is assumed that negotiations were not established between the two parties as NoEscape leaked more than 31GB of files in a multi-part leak.
- BlackCat claimed to have stolen 1TB of data from UK law firm Sills & Betteridge, posting the organization on its victim blog. Compromised data is said to include confidential client documentation and personal data belonging to staff, among other sensitive files. The law firm was given three days to initiate negotiations for the ransom before “most of” the files would be published. Sills & Betteridge has stated that it wished to make no comment at this time.
- A ransomware attack on the “Ethyrial: Echoes of Yore” MMORPG, published by Gellyberry Studios, destroyed 17,000 player accounts, deleting their in-game items and progress in the game. Threat actors attacked the main server and encrypted all data, including local backup drives, and demanded an undisclosed ransom payment in exchange for the decryption key. Due to the lack of trust in the hackers, the studio was forced to rebuild the server and create new account and character databases in an attempt to manually restore everything that was lost “to the fullest extent possible.”
- Slovenia’s largest power provider Holding Slovenske Elektrane (HSE) suffered a ransomware attack which compromised its systems and encrypted files. Although IT systems and files were locked, all power generation operations remained unaffected. It was reported that threat actors breached HSE by stealing passwords for its internal systems from an unprotected cloud storage instance. HSE immediately information the National Office for Cyber Incidents and the Ljubljana Police Administration and engaged with external experts to mitigate the attack. Although the organization has not yet received a ransom demand, reports suggest that Rhysida was behind the attack.
- An attack on Tennessee-based Ardent Health Services caused chaos as several hospitals across the US suffered crippling operational disruptions. The “information technology cybersecurity incident” was acknowledged by the organization after multiple hospitals managed by the company started reporting network outages forcing them to divert ER patients and ambulances and postpone appointments and surgeries. Ardent stated that the ransomware attack did cause disruptions to both its clinical and financial operations but that IT teams are working alongside law enforcement and third-party cybersecurity experts to recover systems as soon as possible. At this time, no ransomware group has claimed the attack, and it is not clear if any information was stolen during the incident.
- BianLian claimed an attack on Growers Express, a defunct produce grower, shipper, and manufacturer in the US. During the “sophisticated computer attack,” threat actors accessed the Growers Express IT environment, exfiltrating employee data of at least 1,700 individuals. The organization stated that the actors were not interested in the data, but more invested in the extortion plots they might have profited from. In BianLian’s leak site post, the gang does not reference the amount of data stolen but instead names the President, Chief Executive & Financial Officer, and the COO of the organization.
- LockBit took credit for a cyberattack which targeted India’s state-owned aerospace research lab, National Aerospace Laboratories (NAL). Although NAL has not made a public comment about the incident, its websites were down across the world. The ransomware group posted NAL as a victim on its dark web site, giving the organization until Dec 18th to negotiate a ransom payment before “all available data will be published.” The notice does not reference how much data LockBit has in its possession, but eight stolen documents including confidential letters, an employee’s passport and other internal documents were included as proof of claim.
- The North Texas Municipal Water District detected a cybersecurity incident but were able to quickly restore access to most of its network, with the exception of the phone system. Services were not impacted by the incident. The district hired forensic specialists to investigate the attack’s extent and review the potential of any data being impacted. Daixin Team claimed responsibility for the attack stating that it had obtained 33844 files including PII and PHI and warning of the consequences of this information bring breached. Information on a ransom demanded or if the parties entered into negotiations is yet to be disclosed to the public.
- In Poland, ALAB Laboratories, a key player in the medial laboratory industry, fell victim to a “significant hacker attack” this month. The RA Team, a relatively unknown cybercriminal gang claimed the attack, publishing snippers of the stolen data on its blog. Among the information shared was results of more than 50,000 medical studies. The group claims to have exfiltrated 246GB of data including lab reports, customer information, legal documents, financial data, and business contracts. ALAB has been given until December 31st to meet undisclosed demands.
- Qilin ransomware group claimed credit for a cyberattack on Chinese automotive parts manufacturer Yanfeng. The organization reported that the cyberattack directly affected Stellantis, a multinational automotive manufacturing organization, causing disruption at several of its U.S. factories. Qilin added Yanfeng to their TOR data leak site, publishing multiple samples of data, including financial documents, NDAs, quotation files, technical data sheets and internal reports, as proof of claims. The ransomware group threatened to release all data in their possession in the coming days but did not specify a deadline or how much data was exfiltrated. Yanfeng is yet to make any further public comment on the incident.
- LockBit claimed Queensland-based Q Automotive Group as a victim, adding the automotive franchise to its victim site. The ransomware group leaked nearly 50GB of compressed archive, as well as a file tree of every document included in the breach, after the ransom deadline passed with no agreement reached. Data is said to include payroll information, lease agreements, redundancy payouts and motor sales licenses for many of the company’s employees. CRM information along with service quotes, invoices and crash assistance forms were also included. Documents appear to range from 2012 to September 2023. Q Automotive is yet to comment on the incident.
- A former employee and patient are suing UI Community HomeCare and UI Community Medical Services over a ransomware attack which resulted in a data breach in earlier this year. During the security breach, files on Iowa Community HomeCare’s networks were encrypted, with an investigating confirming that there had been unauthorized access to sensitive data. Personal and protected health information was exposed, and potentially stolen, such as names, birthdates, addresses, phone numbers, medical record numbers, referring physician names, dates of service, health insurance information, billing and claims information, medical history information, and diagnosis/treatment information. The data breach was reported to the HHS as affecting up to 67,897 individuals.
- King Edward VII’s Hospital in London has been added to the victim list of Rhysida ransomware group, who claim to have hacked the hospital. The group claims to have stolen data belonging to a large number of patients and employees, including the Royal Family. Images were published on Rhysida’s Tor site as a proof of claims including medical reports, registration forms, x-rays, medical prescriptions and more. The gang has stolen a substantial amount of “sensitive information” and is auctioning it off for 10BTC.
- NoEscape ransomware group claimed an attack on the Science History Institute in Philadelphia in late November. The group posted the organization on its leak site stating that 22GB of data had been successfully stolen during the incident. The notice also claimed that management of the Science History Institute “chose to hush up this situation” and had not contacted NoEscape. A threat closed the note, stating that if contact was not made that the group would start launching new attacks on the IT infrastructure.
- Proliance Surgeons notified HHS that 437,392 patients were impacted by a ransomware attack discovered in May this year. The attack seen files and systems encrypted along with some data exfiltrated. Data stolen includes personally identifiable information, health insurance information, financial account numbers and “other identification information.” It is not clear what ransomware group was behind the attack and if a ransom was demanded at the time of the incident.
December
December is historically one of the quieter months of the year for ransomware, but this was not the case in 2023, with seventy publicly disclosed ransomware attacks recorded. This figure sees a massive 97% increase on December last year. LockBit and BlackCat remained the two most active variants, while we also saw new variants such as DragonForce make its mark on the ransomware landscape. Healthcare was the most impacted industry with high profile attacks on Integris Health and Fred Hutchinson Cancer Center making headlines during the month.
Discover who else made ransomware headlines in December.
- Great Valley School District in Pennsylvania was targeted by a Medusa ransomware attack which caused disruption to their technology. An investigation was launched to determine the nature and scope of the event. It was revealed that an unauthorized actor had gained access to some systems and exfiltrated data. The ransomware group posted the School District on its leak site alongside a filetree and 20+ screencaps of student info and employee files. Stolen information included SSNs, driver’s licenses, and medical information. A ransom of $600,000 wad demanded, but after contacting Medusa’s negotiator, the School District refused to pay the ransom.
- Around 60 credit unions in the United States were forced to deal with outages when their cloud services provider Ongoing Operations fell victim to a ransomware attack. Upon discovering the incident, immediate action was taken to address and investigate its nature and scope. Ongoing Operations explained that the incident may have resulted in an unauthorized party being able to access customers’ sensitive information. The attack had larger downstream effects on other credit union technology providers.
- BlackCat claimed to have accessed the systems of payment technology vendor Tipalti while threatening to carry out follow up attacks on its customer Roblox. The ransomware group also claimed to have exfiltrated 265GB of confidential business data belonging to the company, as well as its employees and clients. However, no proof was posted on the leak site and Tipalti has claimed that it had not seen any evidence of a breach.
- UK premium independent retailer, Jules B had to enlist a specialist to help navigate current financial difficulties after trade was impacted for two weeks following a cyberattack. The unnamed threat actors disrupted the retailer’s internal systems and demanded a ransom of $100,000, however, owners of Jules B refused to pay.
- HTC Global Services announced via X (formerly known as Twitter) that it experienced a cyberattack which teams were addressing and investigating. The IT services and consultancy firm made no other statement about the incident. BlackCat claimed the attack, listing the company on its leak site while claiming to have over one million files with screenshots of stolen data as proof of claims. The screenshots included passports, contact lists and other confidential data.
- It came to light in December that Hangzhou Great Star Industrial Company paid $1 million to Akira to stop the publication of administrative and company data belonging to the American division of the Chinese company. The attack happened in August 2023 and initial access was gained through credentials that threat actors found on the dark web. There were three databases stolen during the attack which are said to belong to three major subsidiaries of the company. Akira initially demanded $2 million which was then increased to $2.4million due to the nature of the information stolen, but after negotiations between the two parties, the demand was dropped to $1 million.
- Reports of a November ransomware attack which impacted Hermon School Department made news in December. The school department was unsure what data was accessed during the incident but refused to pay the undisclosed ransom. Apparently, Maine Department of Public Safety’s Information Analysis Center informed administrators that they were running “outdated Windows 2012” and a “vulnerable instance” of Apache ActiveMQ. A ransomware group is yet to claim the incident.
- Hunters International claimed Austal USA, a shipbuilder for the US Navy, as a victim, adding them to its leak site in early December. Austal was able to mitigate the incident resulting in no impact to operations. Federal agencies remain involved in investigations to discover the cause of the situation and the extent of information accessed. The organization has stated that it is believed that no personal or classified information was accessed or exfiltrated during the incident. Hunters International hinted on the leak site that a sample of forty-three files containing 87.2MB of data was to be made available soon.
- Ho Chi Minh City Energy Corporation (EVNHCMC), a subsidiary of Vietnam Energy was claimed as a victim by BlackCat. On its victim site BlackCat stated that its staff were preparing a detailed report on the attack which would be shared with journalists. They also threatened to inform the Vietnam Department of Energy of the incident. Eighty-four samples of Vietnam Electricity data was posted as proof of claims.
- Hunters International launched an attack on St Johns River Management District, a regulatory agency in Florida. A spokesperson confirmed that suspicious activity was identified in its technology environment and that containment measures were successfully implemented. The ransomware group provided samples of data as proof of claims but did not confirm the total amount of data exfiltrated during the incident.
- Dameron Hospital reported a cyberattack in early December which affected some of its network systems. The incident did not impact patient care operations or emergency care, but some procedures had to be rescheduled. RansomHouse claimed the incident, posting on its leak site that it had encrypted files and exfiltrated around 480GB of data. The hospital has not yet responded to the ransomware group’s claims.
- La Prensa, a newspaper in Nicaragua was claimed by LockBit as a victim. On its leak site, LockBit posted seven screenshots as proof and gave the newspaper a deadline of Christmas Day to pay the undisclosed ransom. No further details on this attack have been made available at this time.
- Taylor University warned students, alumni, and employees that it had been impacted by a “sophisticated cyberattack” which resulted in data theft. The investigation was completed in mid-November and confirmed that data including personal information, financial account information and card numbers, including PINs, was stolen during the incident. At this time, no ransomware group has taken responsibility.
- In Atlanta, Henry County Schools disclosed that it had discovered suspicious activity impacting its network operations during the first week of November. The unauthorized user was able to gain access to a certain environment on the network which was a “storage area containing mostly historical procedural documents.” The Superintendent confirmed that hackers did not breach important student and employee information. BlackSuit claimed the attack but did not include much detail on the leak site posting.
- LockBit listed Canadian multinational retailer Aldo Shoes on its leak site in early December, giving the company until December 25th to pay an undisclosed ransom. The ransomware group claimed to be in possession of confidential data but has not disclosed the amount or exact nature of the data stolen. An Aldo spokesperson confirmed that data was stolen from a franchise partner and that the incident was contained without impacting any daily operations. Customer financial or payment card information was not impacted by the attack.
- The Deutsche Energie-Agentur (Dena) announced that it has been a victim of a cyberattack in late November which forced the company to take systems offline in an effort to contain the damage. Although forensic experts are still working to determine “exactly which data was leaked,” the company announced that there was a risk to the data processed by the business including sensitive data. BlackCat took credit for the incident, posting a short blog claiming to have stolen sensitive data from the energy company, but did not specify an amount.
- An incident in February 2023 impacting Sweetwater High School District was confirmed as a ransomware attack in December. During the incident twenty servers were encrypted and ransom notes were found on eighty-one servers and numerous printers. It was revealed that an unauthorized user gained access to the network and exfiltrated data. A ransom demand of $1.5million was given to the school district, but after negotiations, only $175,000 was paid to the unknown threat actors. This month it was revealed that the breach impacted 22,000 people.
- Stanley Steemer announced that a March cybersecurity incident affected data belonging to almost 68,000 individuals. It was reported that hackers broke into systems in February before the organization discovered the incident in early March. A comprehensive review of the impacted content was completed to assess if sensitive information was affected and to whom the information might relate. It was determined that data such as names and SSNs was involved. Play claimed responsibility for the attack stating that they were in possession of accounting data, budgets, tax documents and images of passports.
- Glendale Unified School District in California warned all students and employees not to use district issued devices following a cyberattack on its systems. The school district acknowledged the attack in a brief statement, simply stating that the incident had impacted some systems. Medusa was responsible for the attack, giving the school district 10 days to pay the $1 million ransom, or add an additional day to the deadline for $10,000. It is not clear what information was stolen during the incident.
- Patients are being extorted by Hunters International following a ransomware attack on Fred Hutchinson Cancer Center in Seattle. The healthcare facility stated that federal law enforcement agencies became involved after unauthorized activity was discovered on its clinical network. In an effort to contain the incident the organization was forced to “quarantine” servers and take the clinical network offline. Recent reports suggest that the threat actors were emailing individual patients, offering to remove personal information for $50. The email also revealed that around 800,000 individuals were impacted, and the information stolen included medical history, lab results, SSNs and other personal information. Hunters claim to have stolen a total of 533GB of data.
- In central Virigina, Greater Richmond Transit Company (GRTC) revealed that network disruption around Thanksgiving temporarily impacted certain applications and parts of the GRTC network. An investigation was launched to establish the full scope of the attack. Play ransomware took credit for the incident posting on its leak site and demanding an undisclosed ransom. The group also claimed to have exfiltrated private and personal confidential information including client documents, budgets, IDs, scans, payroll, and finance information.
- Munich-based games developer Travian Games, fell victim to a ransomware attack orchestrated by Rhysida. The organization was added to the group’s dark web blog, with the threat actors claiming to have stolen close to 800,000 files comprising of 560GB of data. Travian Games are yet to comment on the incident.
- Hinsdale School District confirmed it was impacted by a cyberattack early in the month, working alongside a cyber insurance provider and professional cybersecurity professionals to assess the situation. A few days after the initial attack Medusa added the school district to its dark web leak site. The dark web posting included a file tree and numerous screenshots of internal documents and personal information. The ransomware gang gave a 10-day deadline to pay a $200,000 ransom in exchange for the information.
- Foursquare Healthcare discovered unauthorized activity on its network in September this year, with a forensic investigation confirming that hackers had infiltrated the network and accessed files containing patient and employee information. It has since been revealed that 10,890 individuals were impacted by the resulting data breach. Information stolen varied depending on the individuals but could include addresses, billing information, SSNs, banking information and clinical data. Ransom House claimed the attack back in October this year.
- An attack on Washington-based drug store chain Hi-School Pharmacy caused network disruption in late November. During the incident, unauthorized individuals accessed parts of the chain’s network containing personal health information. LockBit claimed the attack and demanded $700,000 for an undisclosed amount of information.
- Blue Waters Products Ltd in Trincity was attacked by LockBit ransomware group impacting automated ordering and delivery capabilities. The company announced that officials were assessing the cyberattack and taking the necessary actions to ensure the networks are secured. The ransomware group gave the organization 48 hours to pay an undisclosed ransom before files would be made available. It is not clear the nature or amount of data involved in the incident.
- GOLFZON, a world-renowned golf simulator manufacturer, was added to BlackSuit’s victim list following a ransomware attack in early December. The incident caused issues for users and franchisees for days due to a server outage. Customers only had limited access to the website and mobile applications, meaning they were unable to make online reservations. GOLFZON claimed that it did not detect any signs of private information being leaked. BlackSuit encrypted the organization’s server and leaked the exfiltrated data.
- Hotel chain Red Roof recently confirmed that a cybersecurity incident in September caused temporary system outages but did not involve guest data. The organization detected suspicious activity and found that a limited subset of data had been encrypted. The breach was confined to a “small number of systems.” Personal data including names, DOBs, SSNs, medical information and health insurance information was copied from Red Roof’s network.
- BianLian claimed AMCO Proteins, adding the organization to its victim list with data exfiltration claims. The group stated that it had exfiltrated 4TB of data including personal data, accounting information, personnel data belonging to employees, contracts, and operational files among other information. The post on the dark web site also contained the names of AMCO’s CEO and Vice President. AMCO are yet to publicly acknowledge the incident.
- DragonForce claimed an attack on the Heart of Texas Behavioral Health Network, reportedly stealing 55.78GB during the incident. The organization stated that an unauthorized party had gained access to its networks which contained information including PII, medical information and health insurance information. According to the ransomware group’s leak site some files have already been published. The non-profit organization is yet to make a further comment on DragonForce’s claims.
- Over 129,000 employees and their dependents had personal information stolen during an attack on Americold in April this year. The organization was forced to shut down its IT network to contain the breach and “rebuild impacted systems,” affecting operations. Investigations concluded that personal data including PII, financial account information and medical information may have been involved in the breach. In December Cactus ransomware group claimed responsibility for the attack, leaking 6GB of archived accounting and financial documents. The group reportedly has plans to release more information at a later date.
- UK travel company Hotelplan UK announced in early December that it had fallen victim to a cyberattack which led to temporarily isolating and shutting down key systems. Although there was IT disruption, there was no impact on holidays and trips already booked. BlackBasta claimed responsibility for the incident and reportedly exfiltrated 704GB of data including HR information, user personnel files and finance documents.
- DragonForce added Decina, an Australian bathroom product manufacturer, to its victim list on its dark web site. The listing contains claims that the group exfiltrated 108.98GB of files from the organization, with a link available to download all of the stolen information. It appears the leak contained six hundred lines of folders and documents belonging to Decina. Information including detailed lists of debtors and creditors, wage details and log in information was impacted. Decina is yet to respond to DragonForce’s claims.
- Sony-owned game developer Insomniac Games was impacted by a ransomware attack launched by Rhysida. Stolen data is said to include internal emails, employee passport scans, confidential documents, and details of the upcoming Wolverine game. The ransomware group has set a price of $2million for the data, claiming it will be sold to the highest bidder. Sony is aware of the claims made and is investigating the situation.
- In northern Kentucky, Campbell County Schools was victimized by a ransomware attack in early December. The incident involved some of its computer servers, with a spokesperson confirming that some files had been removed from servers without authorization. Medusa claimed responsibility for the incident, setting the ransom at $600,000. It is not clear what data was stolen by the group and an investigation is still ongoing.
- Memorial Sloan Kettering Cancer Center (MSKCC) in New York City was listed on Meow’s data leak site this month. The fairly new ransomware group provided very little information on the posting, with no indication of a ransom demanded or data exfiltrated. MSKCC has not made a public comment addressing these claims.
- Online education platform Wondrium was targeted by Akira ransomware group, who claim to have exfiltrated 60GB of data during a recent cyberattack. Data reportedly included client information, accounting and finance data, and course information. No further details regarding this attack have been made public.
- Petersen Health Care was added to the data leak site of the Cactus ransomware group in November, with the cybercriminals updating it in early December with several screenshots of identity documents such as passports as proof. It is not clear if these documents belonged to employees or patients. No files were marked as patient or medical records and Cactus did not reveal whether files or systems had been encrypted during the incident.
- Hunters International began leaking data belonging to Covenant Care in December following a cyberattack in November. A trove of information has been published by the group including patients’ protected health information and employees’ personal information. Hunters also claimed to have encrypted files during the incident, but Covenant Care has given no indication of service disruption.
- One of the world’s largest law firms, CMS, has been claimed as a victim by LockBit, with the threat actors claiming to have exfiltrated data during the attack. Around 500GB of data has been allegedly stolen from the law firm, including files relating to “financial and corporate crimes of clients,” as well as information on CMS employees, the company’s tax, and financial reports. CMS has not publicly acknowledged these claims.
- The notorious Knight ransomware group has claimed the City of Defiance in Ohio as one of their latest victims. On the post on its leak site, the group claimed to have obtained more than 390GB of files from the city’s internal network. Information exfiltrated during the incident contains employee files, law enforcement video, mail, and various other confidential documents.
- The Snatch ransomware group claimed to have infiltrated KraftHeinz food corporation, but the food giant stated that there is “no evidence” that the attack ever took place. The organization reviewed a cyberattack on a decommissioned marketing website but were unable to verify claims, and with all other systems operating normally, they could see no evidence of an attack. Threat actors created the KraftHeinz entry on its leak site in August but updated the post earlier this month. The post did not include any proof of claims or any information on what data the group claim to have exfiltrated.
- Newfound Area School District was hit by a cyberattack in November, which locked users out of systems and caused disruption. The ransomware entered the system through a laptop and infected the computers in five schools and the central office. The school district is still working to restore all of its systems and data following the incident. The unknown hacker did not make a financial demand and it is not known if any information was stolen during the attack.
- BlackCat claimed an attack on Viking Therapeutics but instead of posting proof of claims, the group got an employee to file an SEC report on his own company, after a “productive talk with his family.” The complaint alleges that the firm violated the four-day reporting deadline. The group also claims to have reported the incident to the HHS as it was deemed unlikely that the organization would do so itself. The post on BlackCat’s dark web site also stated that the organization did not have access to the negotiation link and that data was set to be published. A stark warning to other organizations was also included in the post.
- VF Corporation, owners of brands like Supreme, Vans, Timberland, and The North Face, suffered a security incident that caused operational disruption. Unauthorized access to the organization’s network was detected, forcing the company to shut down some of its systems. Threat actors managed to disrupt company business operations by encrypting some IT systems and stole data from the company, including personal information. VF Corp is still assessing the full extent of the security breach and it is not yet known if the data exfiltrated impacts employees, suppliers, resellers, partners, or customers.
- Medusa has allegedly targeted and breached data from speciality pharmacy chain BioMatrix. A notice was posted on the group’s dark web portal in mid-December, claiming to be in possession of data including CVS Health’s contract and patient complaints. The ransomware gang demanded $1 million to prevent exposure of the data. BioMatrix has not publicly addressed these claims.
- An attack on the New York School of Interior Design has been claimed by INC RANSOM, with the relatively new hacking group claiming to have exfiltrated data from the school. The post on the group’s victim list does not give many details on the alleged attack but does provide a proof pack of six screenshots. It is not yet known if a ransom has been demanded, when the group is threatening to post data, or the nature of the data stolen.
- TheUniversity of Buenos Aires suffered a ransomware attack which caused “technical problems affecting the university’s computer systems.” The university was forced to suspend registration for courses, the publication of final exam marks and the requests for revision of grades. The intrusion began in UBA’s data center and was quickly isolated, though some servers were compromised. At this time, it is not clear who is behind the attack and what, if any, data was exfiltrated during the incident.
- In Vermont, Milton Town School District faced a ransomware attack that affected several files on its MTSD, with compromised files encrypted and locked. Upon discovery of the incident, the school district quickly notified authorities and is collaborating with those responsible for its cybersecurity insurance. LockBit has claimed the attack, posting MSTD on its leak site alongside nine screenshots of exfiltrated data as proof of claims.
- Indian IT company HCL Technologies reported a ransomware attack this month which occurred in an “isolated cloud environment for one of its projects”. It was reported that there was no impact to the overall HCLTech network and that an investigation to assess the root cause of the incident was underway. At this time there is no further information available relating to this attack and no ransomware group has yet taken credit.
- Nearly three million people have had their information exposed following a ransomware attack on ESO Solutions. The company, who provides software to hospitals and EMS, detected and stopped a sophisticated ransomware attack in September but later discovered that hackers had still been able to access personal information located in an impacted system. The incident involved patient data including personal information and medical treatment information. It is not yet clear who is responsible for the attack.
- Qilin ransomware group added the Neurology Center of Nevada to its leak site, claiming to have exfiltrated at least 198GB of sensitive data, a proof of claims including nine photos was also posted on the group’s leak site. Neurology Center of Nevada are yet to publicly address these claims but if they are true this will be the second attack the healthcare provider faced within a year.
- Liberty Hospital in Missouri faced disruptions to its computer system forcing the facility to temporarily transfer some patients to other hospitals for care, and reschedule some appointments. While systems were down hospital staff struggled to document patient care. The hospital itself has not commented on the incident, local news outlets reported that officials at the hospital received a ransom note from unknown threat actors. The note stated that all confidential data within the company was downloaded and issued a 72-hour deadline for initial contact to be made. No ransomware group has yet claimed the incident.
- LockBit claimed responsibility for hacking UK accountancy firm Xeinadin, threatening to disclose stolen information if demands are not met. The group claimed to have stolen 1.5TB of customer data including internal databases, customer financials, passports, account balances, client legal information and personal accounts of Companies House customers. A 72-hour deadline, ending on Christmas Day, was set for management to contact the threat actors with failure to do so resulting in “legal, tax, financial and other private data of hundreds of companies” would be leaked.
- In late December, Clay County in Minnesota published a notice on its website relating to a ransomware attack back in October. The attack impacted Caseworks, the county’s electronic document management system, hosted by Clay County and used by other Minnesota County social services entities. An investigation determined that compromised data included names, SSNs, addresses and other information provided by Clay County Social Services. It is not clear who is responsible for the attack nor how much data was exfiltrated during the incident.
- Patients of Integris Health in Oklahoma have been reportedly receiving blackmail emails stating that their data was stolen during a cyberattack on the healthcare network and asking them to pay an extortion demand to keep their data safe. The healthcare network has confirmed that it suffered a cyberattack in November that led to the theft of patient data. In extortion emails sent on December 24th, the hackers claim to have stolen personal data of over two million patients, with compromised information said to include SSNs, dates of birth, addresses, phone numbers, insurance information and employer information. Emails apparently contained accurate personal information, confirming that patient data was stolen during the attack. The emails also state that Integris has refused to resolve the issue and gives a deadline of January 5th for patients to pay before the database is sold to data brokers. A link to a website was included, allowing visitors to pay $50 to delete a data record or $3 to view it, with approximately 4,674,000 data records available. It is not known who is behind the attack.
- In Alabama, Cullman County Revenue Commissioner confirmed that it was hit by a ransomware attack over the Christmas weekend. The attack compromised some systems on the server which made it impossible to process property tax payments for a few days. The commissioner’s office stated that the server affected does include public records regarding historic property records, but personal information was redacted from these documents before they were uploaded. Backup servers underwent scans to verify whether or not they had been impacted by the ransomware. It is not clear at this time who is responsible for the attack or if data was exfiltrated.
- Rhysida ransomware group has taken credit for an attack on Abdali Hospital in Jordan, adding the healthcare provider to its Tor leak site. The group published images of stolen documents as proof of claims including ID cards, contracts and more. The posting on the Tor site auctioned off a substantial trove of sensitive information for 10BTC, with plans to sell the data to a single buyer before publicly releasing after the seven-day deadline.
- Richmont Graduate University allegedly fell victim to a LockBit ransomware attack in December, with the group claiming to have exfiltrated data during the incident. The university are yet to address these claims publicly and there is no evidence that an attack has taken place as the official website is operational. LockBit however claims to have stolen around 37GB of sensitive information, adding screenshots to its leak site as a proof of claims. A deadline of Jan 2nd was set before information is made publicly available.
- National Amusements announced a data breach which impacted more than 82,000 following a cyberattack in December 2022. Suspicious activity was detected on the organization’s network with an investigation concluding that hackers had accessed files over a two-day period. Information leaked included names, financial account numbers, credit card and debit card numbers along with the PINs. The justification given by the organization when asked why it took a year to report this was that they only finished investigations in August this year. 82,128 were impacted by the incident.
- The Ohio Lottery was forced to shut down some key systems following a Christmas Eve cyberattack which impacted an undisclosed number of internal applications. A number of services were unavailable for a time including cash outs of over $600. DragonForce took credit for the attack claiming to have encrypted devices and exfiltrated 600+GB of data. According to the leak site, stolen files contain information belonging to Ohio Lottery customers and employees, with the group claiming to have stolen over three million entries.
- German hospital network, Katholische Hospitalvereinigung Ostwestfalen (KHO), confirmed that recent service disruptions at three hospitals were caused by a ransomware attack. The incident which took place on Christmas Eve severely impacted systems that support the operations of three hospitals and forced the shutdown of the systems for security reasons. Emergency care was unavailable at all three hospitals resulting in critical delays. Threat actors were able to gain access to the IT infrastructure and encrypt data. Although the group has not officially claimed the attack, it is believed that LockBit are responsible for this incident.
- A hacker group named CyberAv3ngers are claiming to be in possession of 1TB of data belonging to Israel Electric Corporation. The group posted on “daily dark web” declaring the sale of Israel’s electricity infrastructure data. The price for the entire 1TB is set at 5BTC, with the first part of 100GB available also set at 5BTC. The group took to X, formerly known as Twitter, to address rumours of the validity of the attack, stating that it would “unveil some documents that show who is lying and who is telling the truth.” IEC is yet to publicly address the claims.
- The National Insurance Board of Trinidad and Tobago (NIBTT), was closed for two days following a ransomware attack on December 26th. The NIBTT stated that all steps are being taken to protect the integrity of data and technology hardware. The incident was reported to the country’s Cyber Security Incident Response Team who are working toward a resolution. It is not known who was behind the attack or if threat actors exfiltrated any data.
- In early December, Japanese car manufacturer Nissan reported a cybersecurity incident involving its systems in Australia and New Zealand which was later confirmed as a ransomware attack. Upon discovery of the unauthorized access, the company started investigating the extent of the incident and whether any personal data was accessed. Akira ransomware group took credit for the attack claiming to have stolen 100GB of data including company files and personal information belonging to employees.
- Ultra Intelligence and Communications was added to BlackCat’s victim list, with the group claiming to have breached the organization’s network while exfiltrating 30GB of sensitive data. Although details on how the breach occurred remain unknown, BlackCat suggested that it was in Ultra’s systems for a period of time, apparently “enough time to put hands on some interesting papers”. Multiple screen shots were added to the leak post as proof of claims. Stolen data is said to include audit data, financial data, and subcontractor related documents among many other data types. Ultra I&C has not yet publicly addressed these claims.
- Yakult Australia confirmed that its Australian and New Zealand IT systems were impacted by a cyber incident which did not impact operations of offices in the regions. The organization noted that it was a victim of a ransomware attack. DragonForce claimed the attack, providing a sample of the 95GB of data stolen during the incident. The cache included sensitive employee information such as passports, salaries, performance reviewed among other information. A separate database contained 9,000 names and addresses but it is not clear if these belong to customers or employees.
- BlackBasta claimed responsibility for targeting American Alarm and Communications (AAC). Although the company has not addressed these claims, news outlets reported that the company’s website was inaccessible, giving a “access is forbidden” message. The ransomware group breached the AAC’s network and allegedly exfiltrated 504GB of data including HR records, accounting, and financial information and 401Ks.
- The Serbian government are yet to comment on claims that public energy company Elektroprivreda Srbije (EPS) was targeted by a ransomware attack. EPS stated that the company had come under a “crypto type” hacker attack on December 19th which impacted EPS payment portal and delayed the distributed of November bills. Qilin claims to have blocked servers and seized a significant amount of confidential information from EPS including private agreements, contracts, financial documents and more. Twenty-four screenshots were posted as proof of claims and a 10-day countdown established to reach an agreement before the data is leaked. The National Centre of Prevention of Security Risks of Serbia (CERT) has stated that it cannot disclose information about security incidents to the public due to protocols and rules.
- The US division of Xerox Business Solutions (XBS) was the victim to a ransomware attack according to a statement by parent company Xerox Corporation. INC ransomware gang added the corporation to its extortion site on December 29th, claiming to have stolen sensitive information from its systems. The group published images of eight documents, including emails and an invoice, as proof of claims. There is limited information available relating to this attack at this time.
Related Posts
Everything That You Need to Know About the Dark Web and Cybercrime
Learn about the dark web, including who uses it, how it operates, and what tools cybercriminals obtain on it. Find out how BlackFog monitors networks, forums, and ransomware leak sites in order to stay ahead of new threats.
BlackFog unveils AI based anti data exfiltration (ADX) platform for ransomware and data loss prevention
BlackFog unveils the latest version of its AI based anti data exfiltration (ADX) platform for even more powerful ransomware and data loss prevention. Version 5 introduces new features including air gap protection, real-time geofencing, and baseline activity monitoring to ensure the highest level of cybersecurity protection.
EDR Kill Shifter: Why a Layered Cybersecurity Approach is Required
Learn how ransomware-as-a-service is simplifying ransomware tool creation and increasing ransomware attack accessibility in cybercrime. Find out how modern ransomware syndications use RaaS.
The Rise of Ransomware-as-a-Service and Decline of Custom Tool Development
Learn how ransomware-as-a-service is simplifying ransomware tool creation and increasing ransomware attack accessibility in cybercrime. Find out how modern ransomware syndications use RaaS.
The State of Ransomware 2024
BlackFog's state of ransomware report measures publicly disclosed and non-disclosed attacks globally.
Data Exfiltration Detection: Best Practices and Tools
Data exfiltration, a tactic used in 93% of ransomware attacks, can lead to severe consequences including financial losses, reputational damage, and loss of customer trust. To mitigate these risks, organizations must implement effective detection strategies and technologies.