The Week in Ransomware – May 5th 2023 – Targeting the public sector
This week’s ransomware news has been dominated by a Royal ransomware attack on the City of Dallas that took down part of the IT infrastructure.
The attack occurred early Monday, affecting the Dallas Police dispatch system and the public library’s computer network. Additional systems, including the City’s website, were shut down as time passed.
On Wednesday, the City’s network printers began printing ransom notes from the attack. BleepingComputer obtained a screenshot of this note, allowing us to identify that the Royal ransomware operation was behind the attack.
While it may seem counterintuitive to target a local government, Bill Siegel of ransomware incident response firm Coveware told BleepingComputer that public sector victims paid a ransom in approximately 35% of the cases his firm handled.
That figure covers local governments, schools, police departments, and other publicly funded entities.
“Historically, public sector victims pay ransoms in 35% of cases we have handled. That is 10 percentage points less than the broad, all industry average as of Q1 2023 (45%),” Siegel told BleepingComputer.
“I would add that the actual rate is likely even lower as public sector victims are much less likely to engage external IR help, especially if they are very small, so there are likely a large volume of incidents where the public sector victim just deals with the impact and does not even bother considering engaging the cyber criminal responsible.”
Regarding other ransomware attacks this week, we learned about:
- ALPHV/BlackCat extortionists taunting Western Digital by leaking internal emails and documents about the company’s response to the attack.
- Pediatric mental health provider Brightline disclosing a data breach caused by Clop’s exploitation of its Fortra GoAnywhere MFT platform. Clop told BleepingComputer that they deleted the data after learning the victim was a healthcare provider.
- ALPHV/BlackCat claiming to have attacked Constellation Software.
- AvosLocker hijacking Bluefield University’s emergency campus alert system to send SMS texts and email alerts to staff and students saying their data had been stolen.
Law enforcement also had a victory this week when the FBI announced they seized nine crypto exchanges used to launder ransomware payments and stolen cryptocurrency.
Finally, WithSecure released an interesting report on threat actors targeting internet-exposed Veeam backup servers to gain initial access to corporate networks.
Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @serghei, @demonslay335, @billtoulas, @Ionut_Ilascu, @fwosar, @LawrenceAbrams, @BleepinComputer, @Seifreed, @AlvieriD, @WithSecure, @PogoWasRight, @pcrisk, @siri_urz, @Unit42_Intel, and @BrettCallow.
April 29th 2023
Hackers target vulnerable Veeam backup servers exposed online
Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs.
May 1st 2023
Hackers leak images to taunt Western Digital’s cyberattack response
The ALPHV ransomware operation, aka BlackCat, has published screenshots of internal emails and video conferences stolen from Western Digital, indicating they likely had continued access to the company’s systems even as the company responded to the breach.
May 2nd 2023
FBI seizes 9 crypto exchanges used to launder ransomware payments
The FBI and Ukrainian police have seized nine cryptocurrency exchange websites that facilitated money laundering for scammers and cybercriminals, including ransomware actors.
New STOP Ransomware variants
PCrisk found new STOP ransomware variants that append the .saba, .sato, and .fofd extensions.
New Dharma ransomware variant
PCrisk found a new Dharma ransomware variant that appends the .h3r extension.
New Phobos ransomware variant
PCrisk found a new Phobos ransomware variant that appends the .BOOM extension.
New Xorist ransomware variant
PCrisk found a new Xorist ransomware variant that appends the .CrypBits256PT2 extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
New MedusaLocker ransomware variant
PCrisk found a new MedusaLocker ransomware variant that appends the .attacksystem extension.
New Zhong Ransomware
PCrisk found a new ransomware that appends the .zhong extension and drops a ransom note named Restore.txt.
May 3rd 2023
Brightline data breach impacts 783K pediatric mental health patients
Pediatric mental health provider Brightline is warning patients that it suffered a data breach impacting 783,606 people after a ransomware gang stole data using a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform.
City of Dallas hit by Royal ransomware attack impacting IT services
The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack’s spread.
New Rec_rans ransomware variant
PCrisk found the new Rec_rans ransomware that appends the .rec_rans extension and drops a ransom note named HOW_TO_RECOVERY_FILES.txt.
New BlackSuit ransomware
S!Ri, MalwareHunterTeam, and Unit 42 found the new BlackSuit ransomware that targets Windows and VMware ESXi. It appends the .blacksuit extension and drops a ransom note named README.BlackSuit.txt.
May 4th 2023
Ransomware gang hijacks university alert system to issue threats
The Avos ransomware gang hijacked Bluefield University’s emergency broadcast system, “RamAlert,” to send students and staff SMS texts and email alerts that their data was stolen and would soon be released.
New Xorist ransomware variant
PCrisk found a new Xorist ransomware variant that appends the .btc-Apt2 extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
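The variant entries above (from the STOP extensions on May 2nd through this Xorist variant) each boil down to two file-system indicators: an appended extension and, for some families, a ransom note filename. As an added example that is not from this article, PCrisk, or any of the researchers credited here, the Python below turns those indicators into a triage matcher you can run over a file listing from a suspect share or hypervisor datastore to work out which family you are dealing with and how far the encryption spread. The indicator table is taken verbatim from the entries in this post; the file listing is constructed for the demonstration. Extension matching only tells you something after encryption has already run, so treat this as a scoping aid during response, not as prevention.

```python
"""Triage matcher for the ransomware variants listed in this week's post.

Constructed example: the indicator table below is copied from the page's
variant entries; SAMPLE_LISTING is made up to exercise the matcher.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# Appended extension -> family, exactly as reported in the entries above.
VARIANT_EXTENSIONS = {
    ".saba": "STOP", ".sato": "STOP", ".fofd": "STOP",
    ".h3r": "Dharma",
    ".BOOM": "Phobos",
    ".CrypBits256PT2": "Xorist", ".btc-Apt2": "Xorist",
    ".attacksystem": "MedusaLocker",
    ".zhong": "Zhong",
    ".rec_rans": "Rec_rans",
    ".blacksuit": "BlackSuit",
}
# Ransom note filename -> family, for the entries that reported one.
RANSOM_NOTES = {
    "HOW TO DECRYPT FILES.txt": "Xorist",
    "Restore.txt": "Zhong",
    "HOW_TO_RECOVERY_FILES.txt": "Rec_rans",
    "README.BlackSuit.txt": "BlackSuit",
}
# Extensions are matched case-insensitively; note names are matched exactly.
_EXT_LOOKUP = {ext.lower(): fam for ext, fam in VARIANT_EXTENSIONS.items()}


def classify(path):
    """Return (family, indicator_kind) for one path, or None if it is clean.

    Ransomware appends its marker after the original extension, so only the
    final suffix is checked: 'budget.docx.h3r' matches Dharma, while
    'archive.BOOM.bak' does not match Phobos.
    """
    name = PurePosixPath(path).name
    if name in RANSOM_NOTES:
        return RANSOM_NOTES[name], "ransom note"
    if "." in name:
        suffix = "." + name.rsplit(".", 1)[1]
        family = _EXT_LOOKUP.get(suffix.lower())
        if family:
            return family, "encrypted file"
    return None


def summarize(paths):
    """Count encrypted files and ransom notes per family across a listing."""
    hits = defaultdict(lambda: {"encrypted file": 0, "ransom note": 0})
    for path in paths:
        result = classify(path)
        if result:
            family, kind = result
            hits[family][kind] += 1
    return dict(hits)


# Constructed file listing: mixes clean files, encrypted files and notes.
SAMPLE_LISTING = [
    "/srv/share/finance/budget.docx.h3r",
    "/srv/share/finance/q1-report.xlsx.h3r",
    "/srv/share/hr/archive.BOOM.bak",          # .BOOM is not the final suffix
    "/home/alice/Pictures/holiday.jpg.saba",
    "/var/www/html/index.html",
    "/vmfs/volumes/ds1/vm01/vm01.vmdk.blacksuit",
    "/vmfs/volumes/ds1/README.BlackSuit.txt",
    "/tmp/README",                             # no extension at all
]

if __name__ == "__main__":
    for family, counts in sorted(summarize(SAMPLE_LISTING).items()):
        print(f"{family}: {counts}")
```

Running it against the constructed listing attributes the datastore hit to BlackSuit (one encrypted VMDK plus its note) and the file share hits to Dharma and STOP, and ignores the `.BOOM.bak` and extensionless entries. In a real engagement, feed it the output of `find` or a datastore listing and confirm the family with the note contents before drawing conclusions, since appended extensions are easy to spoof and the same extension can be reused across families.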
May 5th 2023
ALPHV gang claims ransomware attack on Constellation Software
Canadian diversified software company Constellation Software confirmed on Thursday that some of its systems were breached by threat actors who also stole personal information and business data.
That’s it for this week! Hope everyone has a nice weekend!