Ransomware 2020: The Year In Review – How It Infects Everything!

Ransomware

Ransomware is rapidly surfacing at pandemic rates.  Research shows that a business is attacked every 11 seconds and attacks are estimated to cost businesses approximately $20 Billion dollars this upcoming year!

There are fundamental ways to protect your organization and close the gaps.

Here is the 2020 year in review:

January

Starting with January, let’s look back at some of the attacks that occurred around the globe.

  1. Hackers celebrated the last New Year’s Eve of the decade with an attack on Travelex, taking down it’s websites across 30 countries and causing chaos for foreign exchange transactions worldwide during the month of January. The ransom was rumoured to be the sum of $6M.
  2. Next we head to the Middle East where Oman’s largest insurance company was hit by a ransomware attack causing data loss but no publicized monetary loss.
  3. To the United States next where Richmond Community Schools in Michigan had to postpone opening after the Christmas break when hackers demanded $10K in Bitcoin to restore access to the server.
  4. Another US city and another school, as this time students in the Pittsburgh Unified School District of Pennsylvania were left without internet access after a ransomware attack disabled the district’s network systems during the festive break.
  5. Next we move on to Florida where patients of a medical practice in Miramar reported that they received ransom demands from a cybercriminal threatening to release their private medical data unless a ransom was paid.
  6. Back to the education sector again as the Panama-Buena Vista School District in California experienced a  ransomware attack that caused a technology and phone outage at multiple schools. While the school was working with the FBI regarding the attack, they let parents and students know that they couldn’t access any grades so report cards would be delayed.
  7. Moving on to the small town of Colonie in New York where cybercriminals hacked into the computer system and demanded $400K in Bitcoin cryptocurrency to unlock it.
  8. Next up is a synagogue in New Jersey who fell victim to a cyberattack and a ransom demand of around $500K.
  9. Next we are back to Florida where 600 computers were taken offline after a cyberattack at Volusia County Public Library.
  10. Back to Europe now where the hackers responsible for the Travelex shut down target the German car parts company Gedia. The group used two Russian-speaking underground forums on the Dark Web to threaten to publish 50GB of sensitive data, including blueprints and employees’ and clients’ details, unless Gedia agreed to pay a ransom.
  11. France is next as the Bouygues construction company was paralysed by a major cyberattack affecting the entire computer network and shutting down all of the company’s servers. A ransom of €10M was requested by the cybercriminals.
  12. Back the United States now where Electronic Warfare Associates (EWA), a 40-year-old electronics company and a well-known US government contractor suffered a ransomware infection.
  13. Up next is Oregon, where all of the computer systems for Tillamook County went down. Despite early thoughts that the outages were a technical issue it was later confirmed they suffered a ransomware attack.
  14. Lastly we head to the City of Racine in Wisconsin where a ransomware attack caused the city’s website, email, voicemail, and payments systems to be knocked offline.

February

February saw the same amount of reported attacks with almost 60% of attacks occurring in the education and public sector verticals. Here’s a roundup of the ransomware attacks we have been tracking.

  1. The first attack of the new month was reported in Baton Rouge Louisiana on Feb 3rd when ITI Technical College became the victim of a cyberattack via a phishing email sent at the end of January.
  2. Next up, another school to report as Scotland’s Dundee and Angus College was hit with what they described as a cyber-bomb which took down their entire IT system.
  3. Deliveries across Australia were stranded in the next reported attack as logistics company Toll Group confirmed they had to shut down their systems because of ransomware.
  4. Over to the United States now, this time it’s the North Miami Beach Police Department who reported they had become a victim of ransomware.
  5. Back to the education sector where this time it’s two Texas schools in the same district who were affected. The city of Garrison managed to make a quick recovery but the Nacogdoches Independent School District faced more of a struggle to rebound from the attack.
  6. To England next where a ransomware attack on Redcar Council forced staff back to pen and paper and 35,000 UK residents were without online public services.
  7. Next up was a Valentine’s Day cyberattack on INA Group, Croatia’s biggest oil company and its largest petrol station chain. The suspected ransomware attack had a crippling effect on business operations.
  8. Staying in Europe, the next attack occurred in Denmark where facilities firm ISS World was crippled by a ransomware attack that left hundreds of thousands of employees without access to their systems or email.
  9. Another US school district is up next, this time it’s The South Adams Schools district in Indiana where an overnight ransomware attack affected all of the schools IT systems.
  10. The education sector is up again as the Gadsden Independent School District in Alabama suffered a ransomware attack that managed to take down all of their internet and communications systems across all of its 24 school sites.
  11. Back to Texas again where La Salle County confirmed a ransomware demand was responsible for its ongoing technology issues.
  12. Jordan Health in New York State, a non-profit organization that operates 9 health centres in Rochester and Canandaigua was the next to suffer at the hands of cybercriminals when they reported a ransomware attack had shut down all of their IT systems.
  13. Back to Australia for the next incident. This time ransomware affected the Australian wool industry when sales were stopped by a ransomware attack at wool industry software company Talman.
  14. Closing a month of reported cyberattacks we are back in Kansas where legal services giant Epiq Global reported they had suffered a ransomware attack on the last day of the month. The attack affected the organization’s entire fleet of computers across its 80 global offices.

March

March’s numbers were on par with the first two months of the year with attackers still focusing on the education and public sector verticals. Here’s a roundup of what we uncovered for the month.

  1. The first ransomware attack of the month took place on March 2nd in La Salle County in Illinois where a cyberattack affected around 200 computers and 40 servers in the county government.
  2. On the same day hackers targeted Visser, a parts manufacturer for Tesla based in Colorado. Security researchers say the attack was caused by the DoppelPaymer ransomware, a new kind of file-encrypting malware which first exfiltrates the company’s data.
  3. On the same day it was revealed that the provincial government in P.E.I. Canada suffered a data breach when internal government documents were posted online following a ransomware attack.
  4. Next up is Missouri where Three Rivers College were forced to cancel almost all of their classes following a ransomware attack.
  5. California based defense contractor CPI was the next company to reveal they had been knocked offline by a ransomware attack. Sources say the company who makes components for military devices and equipment paid a ransom of about $500,000 after an attack in January but they were not yet operational.
  6. Next, we learned that EVRAZ, owned by Roman Abramovich and one of the world’s largest steel manufacturers, suffered a Ryuk ransomware infection that managed to take down its North American branches.
  7. Durham city was the next target when a Ryuk ransomware attack affected everything from the police to fire services. The county government services were also taken offline when 80 servers were impacted by the attack.
  8. The Fort Worth Independent School District in Texas was the next to fall victim after a string of cyberattacks took place across several Texas school districts in 2019.
  9. Next to be hit was the Champaign-Urbana Public Health District in Illinois. Their website was taken down by the NetWalker ransomware attack, hampering the organization’s response efforts amid the Coronavirus pandemic.
  10. The next attack takes us to the UK where cybercriminals hit London based Hammersmith Medical Research firm who were on standby to carry out trials of a possible future vaccine for the Covid-19 coronavirus.
  11. Another London based company was the next victim of the month. Finastra, a fintech firm that provides technology solutions to banks were forced to shut down their key systems globally after detecting a cyberattack.
  12. Next up Connecticut based medical and military contractor Kimchuk who announced they were hit by DoppelPaymer, a newer strain of ransomware that exfiltrates data out of an infected network before encrypting user files.
  13. Over to Missouri next where TI Power Systems, a supplier of the energy company Ameren Missouri was hit by a ransomware attack that allowed the malicious actors behind the attack to steal information from the firm.
  14. Finally, we end a month of attacks in South Carolina where Bluffton Fire and Rescue was the next in a long line of government entities in the state to be compromised by cyberattacks in recent months.

April

April had a slow start and it initially seemed that cyberattacks were on a downward trend for the month. But things picked up mid-month starting with a major attack in Portugal. Here’s a roundup of what we uncovered.

  1. Portuguese Energy giant Energias de Portugal (EDP) were the first to report they had been a victim of a major attack when cybercriminals held them to ransom for a massive 9.9 million Euros!
  2. On the same day in Canada, the Law Society of Manitoba revealed that two un-named law firms in the province had been locked out of their computer systems after they were infected with ransomware.
  3. Up next is the small city of Olean in New York. Few details were released but we know that a ransomware attack shut down all of the computers at the Olean Municipal Building.
  4. Next up was a Maze ransomware attack on information technologies services giant Cognizant . The New Jersey headquartered organization is one of the largest IT managed services company in the world with close to 300,000 employees and over $15 billion in revenue.
  5. Over to Denmark now where Agribusiness group Danish Agro, were the target of a ransomware attack on Sunday, April 19.
  6. Colorado-based Parkview Medical Center reported that their technology infrastructure was hit with a ransomware attack on April 21, causing a number of IT network outages amid the battle with Covid-19.
  7. Next is the City of Torrance in the Los Angeles metropolitan area who was allegedly attacked by DoppelPaymer Ransomware. The attackers demanded a 100 bitcoin ($689,147) ransom for a decryptor, to take down files that have been publicly leaked, and to not release more stolen files.
  8. Back to Canada next where accounting firm MNP were hit by a cyberattack which forced a company-wide shutdown of its computer systems.
  9. Next it was reported by the Architects Journal that a hacker had accessed the servers of Zaha Hadid Architects in London and had stolen confidential information in an attempt to extort money from the firm.
  10. CivicSmart, a Milwaukee, USA based company known for its parking meter technology was the next victim of a ransomware attack that exposed internal files in an attempt to elicit a ransom payment.
  11. Next up, Pennsylvania headquartered pharmaceutical giant ExecuPharm revealed that ransomware attackers had recently encrypted its servers and had stolen corporate and employee data.
  12. The final reported attack of the month takes us back to Canada, where the website and email services of the Northwest Territories Power Corporation were shut down after they received a ransomware message from unknown hackers.

May

May was a busy month for cybercriminals with 20 ransomware incidents reported. This month’s ransomware attacks took us around the globe from Taiwan to Texas, here’s a look at what we found.

  1. On May 5 Toll Group revealed it had found itself at the mercy of cybercriminals for the second time this year. The incident was unrelated to their previous attack in February and was thought to be a relatively new form of ransomware known as Nefilim.
  2. Taiwan’s state-owned energy company CPC Corp was the next victim. Luckily the attack didn’t affect any energy production, but it did cause some disruption for customers attempting to purchase gas.
  3. Up next was Fresenius in Germany, Europe’s largest private hospital operator. The company who employ around 300,000 people across more than 100 countries confirmed that a cyberattack had affected every part of the company’s operations around the globe.
  4. Germany again for the next attack on May 7 Ruhr University Bochum were forced to shut down large parts of their central IT infrastructure, including their backup systems after a ransomware attack occurred overnight.
  5. Moving to the US now for what was likely the most publicized attack of the month. Grubman Shire Meiselas & Sacks, a NYC law firm with a host of celebrity clients including Elton John, Robert DeNiro and Madonna were a victim of REvil ransomware used to steal the personal information of celebrity clients. Hackers threatened to expose nearly 1TB of private celebrity data unless a ransom was paid in Bitcoin.
  6. Swiss Rail construction firm Stadler was the next victim. The company disclosed that hackers had threatened to publish sensitive data to harm the firm and its employees if the large ransom was unpaid.
  7. The seventh attack of the month goes to another repeat victim. Pitney Bowes disclosed that they had been hit by Maze ransomware less than a year after they were hit by a similar attack. The group behind Maze specializes in double extortion, an attack that increases pressure on its victims to pay by threatening to release important data in addition to encrypting systems.
  8. Elexon, the organization that helps balance and settle the UK’s electricity market was attacked by hackers using the REvil/Sodinokibi ransomware on May 11. Sensitive internal data was stolen in the attack with some posted on the Dark Web to pressure the organization into making the ransom payment.
  9. Back the US now where the Office of Court Administration in Texas revealed that a ransomware attack was launched against its court system. It’s thought that no sensitive data was stolen, and at the time of writing they insisted that no ransom would be paid.
  10. Staying in the US, the next attack takes us to Ohio where Diebold Nixdorf, a major provider ATMs and payment technology, disclosed that a ransomware attack had disrupted some of their operations. The company said the hackers didn’t affect the ATMs or customer networks and that the intrusion only affected its corporate network.
  11. Magellan Health, a major US healthcare provider based in Phoenix, Arizona found themselves a victim of ransomware after falling for a phishing email that appeared to be from a client. The hackers proceeded to exfiltrate records containing personal information before launching ransomware to encrypt files.
  12. Back to Australia, where this time it was BlueScope Steel who suffered IT disruption that impacted production across its global operations. The ransomware incident was thought to be caused by employees opening contaminated email attachments.
  13. The next attack takes us to the UK where Bam Construct, a firm that had recently delivered Nightingale Hospitals for the NHS during the Covid-19 crisis had fallen victim to a ransomware attack. The company said that the business “stood up well” after the incident despite being forced to take services offline to mitigate the attack.
  14. Up next was the Texas Department of Transportation who revealed they has been hit by ransomware just days after the state’s judiciary system suffered the same fate. It appears that Texas is becoming a popular destination for cybercriminals as 22 local governments were targeted by ransomware in a single attack in 2019.
  15. Anglo-Eastern, one of the largest ship managers based in Hong Kong was hit with a ransomware attack on May 18. The incident was quickly contained, and it was reported that no data was lost.
  16. Over to New South Wales next where retailer In Sport’s head office hit by ransomware. The firm was unable to confirm what data had been accessed but they revealed that the attackers used REvil/Sodinokibi ransomware.
  17. Staying in Australia, this time it was customer experience firm Stellar who appeared to have taken a hit from a group of attackers using NetWalker ransomware.  Images of data stolen from the company were posted on the Dark Web and according to a countdown timer on the site, the company had just over six days to respond to the hacker’s ransom demands.
  18. The next incident takes us to Halifax in Canada where the Northwest Atlantic Fisheries Organization (NAFO), an intergovernmental organization that manages fish stocks in international waters in the northwest Atlantic Ocean, was hit by a ransomware attack. The organization who counts a dozen countries as members, including Japan, Norway, Canada, the European Union, and Russia admitted the attack had locked them out of their data systems and knocked their website offline in a letter to stakeholders.
  19. Back to the US again where this time it’s Michigan State University . The operators of the NetWalker ransomware gang reportedly gave MSU officials seven days to pay the ransom before they planned to leak the stolen university files.
  20. IT Services Giant Conduent disclosed that a ransomware attack had affected it European operations and although customer data had hit the Dark Web, they had managed to restore their systems in 8 hours.
  21. We close out the month in Austria where a NetWalker ransomware attack was launched against the city of Weiz. The attack affected the public service system and leaked some of the stolen data from building applications and inspections.

June

Ransomware attacks surged again in the month of June with Covid-19 related phishing techniques still proving popular with cybercriminals. Notable attacks include Honda, who had their European operations significantly affected, and the University of California who reportedly paid $1.14 million to recover academic data related to its Covid-19 research. Here is a roundup of the incidents we uncovered.

  1. We start the month in South Africa with telecoms firm Telkom SA SOC Ltd. We found limited coverage of the incident, but it was reported that the attack led to outages across several systems with remote staff unable to connect to the servers or VPN.
  2. Up next is Columbia College in Chicago who were attacked just one week after Michigan State University. On the Netwalker blog the cybercriminals claimed to have exfiltrated very highly- sensitive data during the attack.
  3. Hackers continued their spree on US colleges when they hit the University of California on the same day. Important Covid-19 research was encrypted during the attack and it was later disclosed that the school paid out $1.14 million to recover the data.
  4. The City of Florence in Alabama became the next victim on June 5 when a cyberattack shut down the city’s email system. The city reportedly paid over $250K to recover the encrypted data.
  5. The next attack took place at VT San Antonio Aerospace, the US subsidiary of ST Engineering Aerospace in Singapore. The ransomware attack resulted in the exposure of confidential company data including government contracts.
  6. Automotive giant Honda suffered a Snake ransomware attack which targeted its offices in the United States, Europe and Japan. The attack forced many offices to shut down in what was likely the most publicized ransomware incident of the month.
  7. Earlier in the month Australian beverage giant Lion disclosed they had been the victim of a cyberattack, they later confirmed it was ransomware. The company’s data was said to be available on the Dark Web but at the time of writing the company said they did not have any evidence of data being exfiltrated.
  8. Over to New Mexico next where nuclear missile contractor Westech International was the victim of a Maze ransomware attack. Hackers were able to access sensitive employee information, but it is still unconfirmed whether any classified military information was accessed.
  9. Next up is Norwegian shipbuilder Vard, Europe’s first attack of the month. Local reports indicate that company servers were hit with an encryption attack which led to disruption and downtime. The overall extent of the damage has not yet been disclosed.
  10. Fisher and Paykel, a white-goods manufacturer based in New Zealand disclosed they had been targeted by Nefilim ransomware. Although the attack was quickly identified, the hackers did disclose an initial leak of the company’s corporate files on the Dark Web.
  11. Up next was New York company Threadstone Advisors, a mergers and acquisitions firm whose client list includes Victoria Beckham.   The Maze ransomware gang insisted that they had exfiltrated and encrypted sensitive company data.
  12. An overnight attack hit the City of Knoxville in Tennessee. Fortunately emergency services were not affected in the attack, but by the time it was noticed by the IT department the ransomware had already encrypted multiple systems. Knoxville joins a list of other targeted cities, including Atlanta, Baltimore, Denver and New Orleans.
  13. Back to Europe now where this time it was European energy giant Enel Group. The incident was the work of the Snake ransomware group who were also responsible for the attack at Honda earlier in the month.
  14. Rhode Island-based Care New England (CNE) was victim of a cyberattack that hit its servers on June 16. The suspected ransomware attack forced the shutdown of its website and other internal systems.
  15. Up next is Florida based ConnectWise who hit the headlines when it was revealed that their partners were hit by ransomware through a software flaw in their platform.
  16. Electronics giant LG is reportedly being threatened by the Maze ransomware gang, however at the time of writing no official statement had been issued by the company.
  17. Closing out the month is another suspected attack on car giant Mitsubishi. The Doppelpaymer gang are allegedly threatening to leak data from the organization, although at the time of writing there has been no official statement from the company.

July

July was quiet in comparison to other months this year with only 12 ransomware attacks making the list. Although the number of reported attacks was lower for the month, news of the incident at Blackbaud, the cloud computing provider that serves non-profits, foundations, corporations, educational, healthcare, and religious organizations, dominated the headlines as hundreds of their customers were affected by cyberattacks and breaches due to the major ransomware attack that occurred at Blackbaud in May.

  1. We’ll start the month with Blackbaud. The incident was reported late in July but it has been revealed that the actual ransomware attack occurred in May. At time of writing we don’t know the full extent of the organizations impacted, but reports say the list currently tops 120. Multiple universities, charities and the UK Labour Party on are on the list of those affected.
  2. Up next is Texas-based government institution, Trinity Metro, a transit agency that operates bus and commuter rail transportation services in Fort Worth. Phone lines and booking systems were down following the attack and a post on the NetWalker gang website showed more than 200 Trinity Metro folders containing information that was apparently exfiltrated from the agency before its systems were disrupted.
  3. Xchanging, a subsidiary of IT Services giant DXC was the next victim. DXC announced in a press release that certain systems of London based MSP Xchanging had been affected by a ransomware attack. Xchanging offers IT services and business process outsourcing to aerospace, banking, defence and insurance firms.
  4. Back to Texas again where Cooke County found themselves the next victim of REvil ransomware. The attackers threatened to start releasing data within 7 days of the attack after posting screenshots thought to be documents and data from the county’s police department on the Dark Web.
  5. Another government attack in the US is up next, this time it’s Chilton County in Alabama who implemented a shutdown after being targeted by an attack on the morning of July 7. The incident which caused a temporary disruption to the County’s computer records systems including the tag office and probate court records was announced via social media.
  6. New Jersey based IT Staffing firm Collabera  were the next firm to find themselves victim of a Maze ransomware attack. Hackers were able to exfiltrate employees’ names, addresses and other personal information and infect its systems during the cyberattack.
  7. French telecommunications company Orange was the next company to fall victim, this time to Netfilim ransomware. Luckily for Orange and its 266 million customers, the incident was only related to its business services division. Data exfiltrated from Orange customers was later added to the Nefilim Dark Web site that details corporate leaks.
  8. Next up is yet another telecoms giant, this time in Argentina. Telecom Argentina fell victim to what has been described as a massive ransomware attack with the cybercriminals demanding that $7.5 million be paid in the privacy coin Monero. Twitter posts suggested that the criminal gang demanded payment prior to July 21, if the payment wasn’t made the ransom would double while the systems would remained locked.
  9. Back to the US now for the attack on state owned New Hampshire Radio. The organization revealed that they had been hit by a ransomware attack but no personal information had been accessed. The organization also revealed that third party supplier Blackbaud had discovered and stopped an attack back in May and had contacted them in July with details.
  10. Over to Kansas next where a ransomware attack took place at the GPS and smartwatch business Garmin. The attack took the business entirely offline for more than three days and is believed to have been carried out by a Russian cybercriminal gang which calls itself “Evil Corp”.
  11. Next up was Atlanta based SiteOne, the largest national wholesale distributor of landscape supplies in the United States. The company reacted quickly to the attack and managed to recover its critical business data with little disruption.
  12. We finish the month in Germany with Dussman Group, a global facility management specialist providing cleaning, catering, security, technical, and commercial services worldwide.  The multinational company which employs over 66,000 staff worldwide and makes billions of euros in sales annually was reportedly struck by the Nefilim variant. After the attack the criminal group began posting 16,000 files to the Dark Web as proof of the attack.

August

August was 2020’s second busiest month for ransomware attacks with some well-known brands such as Jack Daniels, Carnival Cruises and Canon hitting the headlines. In the 20 incidents we uncovered manufacturing was the hardest hit sector followed closely by education.

  1. We start the month in Japan where Konica Minolta was hit by their second ransomware attack which took down company services for almost a week. The group behind the attack reportedly used RansomEXX ransomware, a relatively new malware that needs to be operated manually and does not have the ability to steal files. Meaning whoever was behind the attack needed to compromise the network and infiltrate all of the devices before running the malware.
  2. Next to make the headlines was Netherlands based travel management company CWT. A ransomware attack knocked 30,000 company computers offline and cost the company a $4.5 million ransom to get up and running again. Hackers allegedly obtained corporate data although this was denied by the company.
  3. Over to Australia next where aged care operator Regis was the victim of an international cyberattack that led to the loss of personal data. The company told investors that an “overseas third party” was responsible for the attack which resulted in data being copied from its servers and publicly released. Following the incident, the federal Australian government’s cybersecurity centre issued a critical warning that Maze ransomware was threatening aged care facilities across the country.
  4. Ohio based Muskingum Valley Health Center made the headlines next when they notified more than 7,000 patients that their personal information may have been exposed in a ransomware attack on its EHR system.
  5. Boyce Technologies, a manufacturer of transit communication systems that pivoted to build ventilators during the COVID-19 pandemic was the next victim of the DoppelPaymer ransomware gang. The gang posted examples of the stolen data on the Dark Web and threatened to release it unless the ransom was paid.
  6. North Carolina based Cornerstone Building Brands, a top manufacturer of windows in North America was the next reported victim. The company confirmed the attack and launched an investigation. At time of writing the publicly traded company had reportedly recovered many of its critical systems and did not expect the attack to have a material impact on its business.
  7. Back to Japan next where this time it’s the turn of camera maker Canon whose services division experienced an outage caused by a Maze ransomware attack. Internal applications, email servers, Microsoft Teams, and the US website were impacted.
  8. Carnival, the world’s largest cruise line operator were the next to disclose they had become a victim of ransomware. With over 150,000 employees and 13 million guests every year, Carnival Corporation is the largest cruise operator in the world. In an 8-K form filed with the Securities and Exchange Commission (SEC), the company disclosed that one of its brands had suffered a ransomware attack and that data was likely to have been stolen.
  9. Next up is Brown-Forman, the Louisville, Kentucky based manufacturer of Jack Daniels. The company was reportedly able to intervene before attackers could encrypt its systems and is working with law enforcement and third-party experts to mitigate the incident. While there is no confirmation on when the attack took place, a Forbes report indicates the intruders were in Brown-Forman’s environment for more than a month.
  10. The University of Utah was next to hit the headlines when it was reported that following an earlier ransomware attack they paid a $457K ransom. As data stolen during the attack contained student and employee information, the university decided to work with its cyber insurance provider to pay the ransom to prevent it from being leaked.
  11. Over to Chicago next where medical debt collection firm R1 RCM suffered a ransomware attack. The company with more than 19,000 employees and revenues of $1.18 billion in 2019 have contracts with at least 750 healthcare organizations nationwide. The company acknowledged they had been targeted in an attack but declined to discuss it further.
  12. Next up was an attack on South Korea based semiconductor manufacturer SK Hynix. Although the company has yet to comment on the incident the gang behind the attack released screenshots of some of the stolen company documents.
  13. TFI International, a Canadian transport and logistics company was next to disclose that four of their courier divisions were hit by ransomware just two days after they raised $219 million in a share offering. A company notice stated that they would continue to meet most customer shipping needs that they were not aware of any misuse of client information.
  14. Haywood County Schools in North Carolina were forced to close following an attack. In a statement released by the school, it was disclosed that school staff discovered the incident and that the third-party attacker has requested a ransom to stop the attack.
  15. Southeastern Pennsylvania Transportation Authority (SEPTA) were unable to provide real-time transportation information after an attack caused their systems to fail. SEPTA declined to provide further information about the attack but experts speculate that disruption to its systems has been significant.
  16. Brookfield Residential Properties , the home construction division of one of Canada’s largest publicly-traded companies, was next to fall victim to an attack. Although the organization did not confirm that the attack was ransomware, a threat group known as DarkSide claimed the attack and threatened to release stolen data unless a ransom was paid.
  17. Back to education where this time it’s the Gosnell School District in Arkansas. Little has been reported about the attack but it was disclosed that ransomware software infiltrated the school’s system and at the time of writing personal data had not been compromised.
  18. Up next is another attack on the education sector. This time its the Royal Military College in Kingston, Ontario. A cyberattack was reported in July but at the time it was unclear if it was ransomware. Ransomware was later confirmed when hackers posted documents that revealed sensitive personal information online.
  19. California based MA LABS, one of the leading computer component distributors in the United States was the next company to make the list. The REvil ransomware gang claim to have exfiltrated 949 gigabytes of confidential information from the central servers of the company. REvil said the attack affected more than 1,000 servers, and also claimed that the distributor didn’t tell the public about the attack.
  20. We finish the month in Fresno, California where back to school was disrupted when a ransomware attack took down the entire network at the Selma Unified School District forcing Fresno-area schools to cancel online classes.

To learn more about ransomware please download our newest eBook, Ransomware in a Pandemic: A Perfect Storm

September

Ransomware gangs seemingly worked overtime this month as we reported the most attacks of the year, a whopping 31 incidents. The most notable attack was on a German hospital which caused a woman to lose her life. The first cyberattack homicide investigation is currently underway and the EU Cybersecurity Agency is calling for countries to consider making company bosses liable for deaths in the future. Here’s a look at what we uncovered for the month.

  1. We start the month in Australia where workforce design and delivery firm Tandem Corp became a victim of NetWalker ransomware. Screenshots of data allegedly stolen during the attack were published on the Dark Web. The screenshots included files which appeared to contain financial data, personnel information and passport details.
  2. Next we head to Miami where staff at Key West City Hall were forced to go back to pen and paper when a ransomware attack took their systems offline.
  3. Boston headquartered cybersecurity and threat detection company Cygilant suffered a NetWalker ransomware attack. In a statement their CFO confirmed that the attack had impacted a portion of the company’s technology environment. At the time of writing it was unclear whether or not a ransom had been paid.
  4. Next up is another NetWalker attack. This time on Argentina’s official immigration agency, Dirección Nacional de Migraciones. The attack temporarily halted border crossing into and out of the country, and the attackers initially demanded $2 million but this was doubled to $4 million after a 7 day period.
  5. Staying in South America we next heard about a REvil attack on BancoEstado in Chile. The bank, which is one of Chile’s three largest, was forced to close all of its branches following the attack.
  6. Next was the first reported education attack of the month. The ransomware attack disrupted the first day back to school for students of Hartford Public Schools in Connecticut when hackers knocked their critical systems offline over Labor Day weekend.
  7. Newcastle University in the UK was the next reported attack on education. The disruption to the schools systems is ongoing and the DoppelPaymer group has been posting documents it claims to have stolen from its servers to its dedicated “Doppel Leaks” site.
  8. California based data center giant Equinix was the next firm to reveal they had been hit with a ransomware attack. The organization confirmed that its data centers and managed services remained intact as it was only internal systems affected.
  9. Saraburi Hospital in Thailand was the next victim. At the time of writing the hospital confirmed they had been hit with ransomware but that no demand for money had been made.
  10. Attack number 10 takes us to Ukraine where software developer and IT services provider SoftServe suffered a ransomware attack that may have led to the theft of customers source code.
  11. The Fourth District Court of Louisiana suffered a Conti attack , a relatively new ransomware strain. The administrative infrastructure of the courts was affected which led to the website being breached and internal documents being posted online.
  12. Students in Fairfax County Public Schools, Virginia’s largest school system were forced to begin the new school year with remote learning after a ransomware attack affected its systems. The hack reportedly didn’t impact distance learning or personal devices.
  13. Manitoulin Transport, one of Canada’s largest trucking companies was the next to disclose that they had become the latest victim of attacks targeting firms in Canada’s supply chain. The Conti gang posted stolen data but following discussions with the hackers the firm decided not to pay as the information stolen in the attack wasn’t important.
  14. Up next is Veiligheidsregio Noord- en Oost-Gelderland (VNOG) in the Netherlands. The attack damaged internal systems and it is still unclear who was behind it.
  15. The Development Bank of Seychelles (DBS) was next to find themselves a ransomware victim. DBS is a joint venture by the Seychelles government and several shareholders and at the time of writing they were reportedly unclear about how the attack occurred and the damage was still being assessed.
  16. K-Electric, the sole power distributor in Karachi, Pakistan experienced a ransomware attack by the Netwalker gang. The attack led to the disruption of the power utility’s billing and online services and the attackers requested a ransom of $3.8 million.
  17. Back to education again where this time it was Great Falls Public Schools in Montana. The school district shut down most of its systems to investigate and recover from the attack. At the time of writing they were working with the department of Justice, the National Guard, FBI and other private consultants to remedy the problem and were yet to disclose where the attack came from or what the attackers were requesting as a ransom.
  18. Newhall School District in California were next to find themselves victimized by ransomware. The attack locked up the systems and led to the cancellation of remote classes as students where told not to log on to the learning systems or use any district device.
  19. Artech Information Systems, one of the largest IT staffing companies in the US reported their second ransomware attack in nine months. The REvil gang were responsible for the attack which was picked up by the company following reports of suspicious activity on an employee device.
  20. Duesseldorf University Hospital in Germany suffered an attack which meant they were unable to accept emergency patients. Sadly this resulted in a loss of life after a patient was re-routed to another facility 20 miles away. A German news outlet reported that the cyberattack was not intended for the hospital and that the ransom note was addressed to a nearby university. The attackers stopped the attack after authorities told them it had actually shut down a hospital.
  21. Massachusetts based IPG Photonics, a leading developer of fiber lasers for cutting, welding, medical use, and laser weaponry was next to suffer a ransomware attack. It was reported that RansomExx was behind the attack that shut down the IT systems worldwide, affecting email, phones, and network connectivity in the offices.
  22. Over to Canada next where Ontario’s College of Nurses , the organization that oversees 188,000 members, was next to be hit by an attack. At the time of reporting it was disclosed that personal information may have been impacted but a ransom demand had not yet been received.
  23. Another hospital is up next, this time its University Hospital in New Jersey. It was reported that the institution suffered a massive 48,000 document data breach after the ransomware operation leaked their stolen data. The SunCrypt ransomware gang claimed to be responsible for the attack.
  24. Sixth Form College in Bolton, UK was the next reported incident in the education sector. Post attack the college engaged a specialist team to launch an investigation and mitigate the impact. At time of writing the forensic investigation was ongoing but it was confirmed that some data had been exfiltrated.
  25. Italy based Luxottica, the parent company of Ray Ban made the headlines next. The organization reported widespread service outages but claimed that no customer data had been stolen in the incident.
  26. Anglicare Sydney, a not-for-profit that provides social services such as aged care was next to report they had been hit by a ransomware attack that saw attackers exfiltrate 17GB of data. Once the cyberattack was detected they immediately embarked on remediation and investigation before strengthening their cybersecurity.
  27. Texas based Tyler Technologies, the largest provider of software to the United States public sector disclosed that they had become a victim of an attack that affected their internal systems. Tyler reported that there had been no impact on the software they host for their clients and at time of writing, the company, the FBI and the Department of Homeland Security all declined to answer questions on the extent of the hack, the risk of related breaches and the suspected identity of the perpetrators.
  28. French carrier CMA CGM became the latest big name in container shipping to reveal it had become a victim of ransomware, following other leading liners including Maersk, MSC and Cosco in recent years. The Ragnar Locker ransomware gang instructed them to make contact within two days via live chat to pay for the ransom key.
  29. Universal Health Services, one of the largest healthcare providers in the United States was next to be hit by a ransomware attack. Its speculated that the Ryuk gang was behind the attack and details of how widespread the issue is are still unknown. UHS has 400 hospitals and healthcare facilities in the US and the UK and serves millions of patients each year.
  30. Our final attack on education for the month goes to Clark County School District in Las Vegas. The attack which activated at the end of August triggered a data breach involving Social Security numbers, student information and other private information according to the Wall Street Journal. An investigation is ongoing and the district has pledged to keep parents, employees and the public informed as new information about the incident becomes available.
  31. Our final reported ransomware victim of the month is International insurance brokerage firm Arthur J. Gallagher & Co. The company confirmed that the attack had occurred on September 26th and that the incident impacted a “limited portion” of its internal systems. They also said they do not expect it to have a material impact on its operations or finances.

October

October set a new record with a massive 40 attacks recorded at the time of writing. We started the month in healthcare when an attack affected Covid-19 trials and ended the month with warnings that hospitals across the US were under serious attack from the Ryuk ransomware gang. Here’s a look at what we uncovered for the month.

  1. The first attack of the month was recorded on Oct 5th at Philadelphia based eResearchTechnology (ERT) where a ransomware attack disrupted clinical trials being run to develop tests, treatments, and a vaccine for COVID-19.
  2. Up next was the UK’s second largest privately owned insurance broker, Jersey headquartered Ardonagh Group. According to reports from The Register, the firm was forced to suspend 200 internal accounts with admin privileges as the incident progressed through its IT estate. The firm didn’t deny that the attack was ransomware but they did not confirm any specifics.
  3. Next was Texas based customs broker and freight forwarder Daniel B. Hastings. The company, who specialize in U.S.-Mexico cross-border shipments didn’t comment on the attack, but the exfiltrated company files were posted online from the Conti ransomware gang.
  4. Hall County Government in Georgia was the next victim. While officials didn’t release details of how the attack happened or what was being done to resolve it, government offices including the courthouse, community centers,  and the sheriff’s precincts were experiencing issues with phone and email services. It’s thought that no employee or resident data had been compromised.
  5. Next up is the first education attack of the month. With over 25,000 students, 4500 employees and 60 schools, the Springfield Public Schools district is the third largest school district in Massachusetts. Once the attack was identified the district shut down all systems and closed the schools to prevent spread of the attack.
  6. Software AG, one of the largest software companies in the world suffered an attack from the Clop ransomware gang who demanded more than $20 million. After negotiations failed the Clop gang published screenshots of the company’s data on the Dark Web, the screenshots showed employee passport and ID scans, employee emails, financial documents, and directories from the company’s internal network.
  7. US trucking company Daseke became a victim of the Conti ransomware gang next. Thousands of internal documents exposing the personal information of their drivers and other sensitive data was posted to the Dark Web. Texas-based Daseke declined to offer further information as the investigation into the attack continues.
  8. The City of Mount Pleasant in Michigan was next to fall victim. According to a press release, a remote ransomware attack was detected on the city’s computer and phone systems. Michigan State Police were conducting an investigation and it’s not thought that any personal data had been breached.
  9. Australian based facilities services provider Spotless Group was the next company to hit the headlines when a number of their servers were compromised in a ransomware attack. They join other large Australian companies including Toll Group, Lion, BlueScope and Regis Healthcare as 2020 victims of ransomware.
  10. The next attack was on the Yazoo County School District in Mississippi. Following the attack, the school took its IT systems offline and engaged a cybersecurity firm to help recover data encrypted by threat actors. The school board voted to pay $300,000 to recover the data that was encrypted by malware.
  11. The Lake George Land Conservancy in New York was the target of a ransomware attack on its internal computer server. The organization revealed that no sensitive donor data was compromised and all data had been backed so they did not intend to pay a ransom.
  12. Leading global legal firm Seyfarth Shaw disclosed that they had become a victim of a sophisticated and aggressive ransomware attack. At time of writing it’s unknown who was behind the attack and the extent of the incident.
  13. German based game developer Crytek suffered an attack at the hands of the Egregor ransomware gang. In addition to encrypting the devices, the gang claims they have stolen unencrypted files from Crytek and have leaked a 380MB archive on their data leak site.
  14. A ransomware attack caused outages at Sports data provider Stats Perform during the college football slate, causing issues at daily fantasy sports sites including FanDuel, DraftKings and others.
  15. Back to education, New York based Yorktown and Croton-Harmon schools both reported cybersecurity attacks. Croton-Harmon confirmed the incident was a ransomware attack, however Yorktown did not confirm the attack was indeed ransomware.
  16. Staying in education, Toledo Public Schools (TPS) was next report an incident. The district confirmed that a cyberattack had occurred in September but they were unaware that data had been compromised. It has since been confirmed that Maze ransomware was responsible for the attack and more than nine gigabytes of data were dumped which included social security numbers, addresses and more for employees as well as current and former students.
  17. India based snacks manufacturer Haldiram’s experienced a ransomware attack on its servers. Hackers left a message on all affected services confirming it was a ransomware attack and that all data, files, applications and systems had been encrypted and a ransom would have to be paid to release the data.
  18. Major US bookseller Barnes and Noble was the next company to hit the headlines when they experienced a number of outages. This led to some customers being unable to access their Nook libraries  while others were locked out of the platform completely.
  19. Next up is Australia based container logistics platform Containerchain. According to the firm they quickly identified the ransomware cyberattack and immediately implemented an emergency response procedure resulting in limited data loss and downtime.
  20. The City of Shafter in California announced that its IT system has been compromised by ransomware. In an Instagram post they revealed that the city’s IT system appeared to be frozen and locked. According to the city, it is not believed that any personal information has been obtained and in a follow up post they revealed that they had hired a privacy legal counsel and a forensic investigation firm to determine if any personal information had been compromised.
  21. Dickinson County Healthcare System were the victim of an attack that disrupted access to computer systems across its hospital and clinics. The hospital is working with third-party forensic experts to determine the full impact of the attack to restore its systems. At time of writing they claimed there was no indication that any data was accessed or taken as a result of this incident.
  22. Next came Montreal public transport agency The Société de transport de Montréal (STM). Hackers demanded a ransom of US $2.8m to restore normal network operations but according to the agency no data was exfiltrated and they were not intending to pay the ransom. Bleeping Computer reported that the RansomExx gang had been responsible for the attack that knocked the agency’s reservation system and caused an outage that affected around 1,000 of STM’s 1,600 servers.
  23. The Caribbean’s largest conglomerate, Ansa McAl became the victim of REvil ransomware. It’s understood that work at Tatil, the country’s biggest insurer was stalled for two weeks as the IT department works to find and expel the ransomware from the company’s servers. It is unclear exactly what data and systems were compromised, but Newsday was told whatever was attacked is “very important (mission-critical) data that is crucial to Ansa’s operations.” Clients’ personal data was not compromised, Newsday was told.
  24. On the same day hackers attacked Boston commuter operator Keolis Commuter Services. The company’s threat detection systems alerted the operator who managed to deactivate its network within a few hours. Passenger data isn’t stored by the company but it is possible that employee data may have been stolen in the attack.
  25. French-headquartered IT outsourcer Sopra Steria was next to be struck by a cyberattack. At time of reporting the business declined to say what had happened but French media reports indicated that Sopra Steria’s Active Directory infrastructure had been compromised by hackers linked to the Ryuk malware gang.
  26. In the next reported incident, hackers hijacked and published the mental health records of hundreds of patients from Finland based psychotherapy center Vastaamo. Hackers demanded 450,000 Euros in exchange for ceasing publication of the data which included that of minors. It has been speculated that the ransom was paid after the data leakage ceased.
  27. Indian news agency Press Trust of India (PTI) was hit by a massive ransomware attack which shut its servers down for hours. The attack disrupted operations and the delivery of news to subscribers but no ransom was paid.
  28. Staying in India, this time it’s the turn of restaurant chain Mithaas. The case comes within two weeks of the attack at snack company Haldiram’s.
  29. Michigan based golf and ski resort operator Boyne Resorts was hit by a WastedLocker attack that forced the company to shut down parts of its network. As a result of the attack customers were unable to make online reservations when the booking system was knocked offline.
  30. Steelcase Furniture, another Michigan based company was next to be hit. Steelcase is the largest office furniture manufacturer globally, with 13,000 employees and $3.7 billion in revenues. The Ryuk gang is thought to be behind the attack which forced the shutdown of their network.
  31. Sky Lakes Medical Center in Klamath Falls Oregon was victimized by the Ryuk ransomware gang. The attack took computer systems offline and forced clinicians to switch to pen and paper to record patient information. No evidence has been found to indicate patient information was compromised, although the Ryuk gang is known to exfiltrate patient data prior to file encryption.
  32. Multinational energy company Enel Group were hit by ransomware for the second time this year. The Netwalker gang demanded a $14 million ransom for the decryption key and to not release several terabytes of stolen data.
  33. Lawrence Health System in New York were forced to divert ambulances at three area hospitals after a ransomware attack. The three hospitals hit included Canton-Potsdam Hospital, Gouverneur Hospital and Massena Hospital.
  34. Next we head to Australia where media monitoring company Insentia became the next victim. Most government departments and large corporations in the country are clients of the firm. The firm told the Australian Stock Exchange that it was urgently investigating a cybersecurity incident that was disrupting services involving its media portal – a service customers use to see media reporting on them, or issues of interest to them, and find journalists.
  35. Chenango County in New York found themselves a victim of ransomware when around half of their 400 computers were found locked. The attack primarily targeted the county’s email system. It’s thought the attackers were Hong Kong based according to an investigation by the New York state Department of Homeland Security. The hackers demanded $450 for the release of each machine, making the total bill around $90,000. At time of writing the county claimed they did not intend to pay the ransom.
  36. The networks of the Hanover Chamber of Crafts experienced ransomware attacks at all four of its locations as well as the wholly owned subsidiary Projekt- und Servicegesellschaft. The Sodinokibi ransomware gang was responsible for the attack.
  37. Indian company Dr Reddy’s Laboratories admitted to a ransomware attack following a cyberattack earlier this month. The company refused to divulge details of the ransom and said they are working with a third party to recover and restore their data. They don’t believe the attack is connected with the Russian Covid-19 vaccine Sputnik V. that Dr Reddy’s plans to distribute in India.
  38. More bad news for healthcare as the Ryuk gang strikes again, this time claiming the University of Vermont Health Network as their next victim. An anonymous source who spoke to the press stated that as many as 20 medical facilities have been hit by the recent wave of ransomware. The figure includes multiple facilities within the same hospital chain.
  39. The city of Salem, New Hampshire announced that they had become the victim of a sophisticated cybersecurity attack involving ransomware.  The attack cut off access to internal systems and may have exposed data. Investigators probing the incident learned that data may have been exfiltrated from certain servers.
  40. The final attack of the month take us to Las Vegas where international casino equipment supplier Gaming Partners International became a victim of the REvil gang. According to a recent interview with a Russian tech blog, REvil hacked and encrypted all servers and working computers at the company. The hackers also exfiltrated more than 500 gigabytes of data during the breach including casino contracts, banking information and technical documents related to GPI products. REvil gave the company 72 hours to respond.

Please reach out to us to learn more about what you can do to prevent these from happening to your organization at https://www.sniperwatch.com/apply 

Leave a Comment

Scroll to Top