Attacks on hospitals continued this week, with ransomware operations disrupting patient care as they force organizations to respond to cyberattacks.
While many, like LockBit, claim to have policies in place to avoid encrypting hospitals, we continue to see affiliates targeting healthcare with complete disregard for the disruption they are causing patients trying to receive care.
LockBit says that affiliates can only steal data and not encrypt hospitals, yet they purposely ignore the fact that attacking an organization will cause it to turn off IT systems to prevent the spread of the attack.
For hospitals, this means that they no longer have access to medical charts, can’t prescribe electronic prescriptions, respond to patients through online portals, or in some cases, access medical diagnostic reports.
It feels like we hear of new attacks on hospitals every week, learning this week about an attack on Lurie Children’s Hospital in Chicago and an attack on Saint Anthony Hospital in December, with the latter claimed by LockBit.
Ransomware gangs are fond of saying, “It’s not personal, it’s business. We just care about your money.”
However, having to postpone your child’s heart surgery sure feels personal.
Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @BleepinComputer, @billtoulas, @demonslay335, @serghei, @fwosar, @CyberArk, @coveware, @pcrisk, @USGAO, @Jon__DiMaggio, @ThierryBreton, @Truesec, @Analyst1, @AhnLab_SecuInfo, @RakeshKrish12, @Netenrich, @jgreigj, and @AJVicens.
January 27th 2024
An Ottawa man convicted on charges related to a ransomware attack affecting hundreds of victims was sentenced to two years behind bars on Friday.
January 29th 2024
The number of ransomware victims paying ransom demands has dropped to a record low of 29% in the final quarter of 2023, according to ransomware negotiation firm Coveware.
Energy management and automation giant Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data, according to people familiar with the matter.
In several recent incident response missions, the Truesec CSIRT team made forensic observations indicating that the old vulnerability CVE-2020-3259 is likely to be actively exploited by the Akira ransomware group.
Alpha ransomware, a distinct group not to be confused with ALPHV ransomware, has recently emerged with the launch of its Dedicated/Data Leak Site (DLS) on the Dark Web and an initial listing of six victims’ data. As a developing story, I will continue to provide updates.
PCrisk found a new Phobos ransomware variant that appends the .Ebaka extension.
PCrisk found a new Chaos ransomware variant that appends the .NOOSE extension and drops a ransom note named OPEN_ME.txt.
PCrisk found a new ransomware that appends the .secles extension and drops a ransom note named ReadMe.txt.
January 30th 2024
CyberArk has created an online version of ‘White Phoenix,’ an open-source ransomware decryptor targeting operations using intermittent encryption.
Critical Infrastructure Protection: Agencies Need to Enhance Oversight of Ransomware Practices and Assess Federal Support
Most federal agencies that lead and manage risk for 4 critical sectors—manufacturing, energy, healthcare and public health, and transportation systems—have assessed or plan to assess risks associated with ransomware. But agencies haven’t fully gauged the use of leading cybersecurity practices or whether federal support has mitigated risks effectively in the sectors.
RansomedVC stands out as one of the most unconventional ransomware operations I’ve investigated. Its leadership strategically employs propaganda, influence campaigns, and misinformation tactics to gain fame and notoriety within the criminal community. While I may have my assessment of RansomedVC, I cannot deny the effectiveness of its tactics. It also rubbed many people the wrong way, including other criminals.
AhnLab Security Intelligence Center (ASEC) has recently identified a new activity of the Trigona ransomware threat actor installing Mimic ransomware. Like past cases, the recently detected attack targets MS-SQL servers and is notable for exploiting the Bulk Copy Program (BCP) utility in MS-SQL servers during the malware installation process.
The Play ransomware group is one of the most successful ransomware syndicates today. All it takes is a quick peek with a disassembler to know why this group has become infamous. This is because reverse engineering the malware would be a Sisyphean task full of anti-analysis techniques. That said, it might come as a surprise that the malware crashes quite frequently when running. In this blog post, we will cover some of the anti-analysis techniques used by Play and look at the process the malware uses to encrypt network drives and how that can cause the malware to crash.
PCrisk found a new ransomware called Silent Anonymous that appends the .SILENTATTACK extension and drops a ransom note named Silent_Anon.txt.
PCrisk found a new Chaos ransomware variant that appends the .slime extension.
January 31st 2024
Johnson Controls International has confirmed that a September 2023 ransomware attack cost the company $27 million in expenses and led to a data breach after hackers stole corporate data.
Together with our American partners, we are acting with speed and ambition to counter the growing threat from malicious cyber actors on all fronts. Firstly, with the Joint Cyber Safe Product Action Plan in place, we will now work concretely together to foster a transatlantic market for trusted digital products and promote our high cybersecurity standards globally. Furthermore, we make a firm commitment that neither the EU institutions, bodies and agencies, nor our Member States’ national government authorities, will pay ransom to such cyber criminals.
The ransomware group ALPHV is threatening to leak data obtained from a Virginia IT services company that contracts with the U.S. military.
A recently announced cyberattack on a large community hospital in Chicago was claimed by the LockBit ransomware gang.
PCrisk found a new Phobos ransomware variant that appends the .dx31 extension.
February 2nd 2024
Aliaksandr Klimenka, a Belarusian and Cypriot national, has been indicted in the U.S. for his involvement in an international cybercrime money laundering operation.
An international law enforcement operation code-named ‘Synergia’ has taken down over 1,300 command and control servers used in ransomware, phishing, and malware campaigns.
PCrisk found a new Phobos ransomware variant that appends the .Mr extension and drops a ransom note named info-MIRROR.txt.
That’s it for this week! Hope everyone has a nice weekend!