This Month in Ransomware: Hospitals and Patients Affected

Ransomware Attack Wrap-up for 1st Half of December 2022

In the first half of December 2022 we saw ransomware cyberattacks on many industries, including healthcare, finance, technology, government, energy, and retail. As usual, attacks came in many forms, including BlackCat, LockBit, Play and Fidel ransomware.

However, there’s a new ransomware named Royal, which is a rebranded version of Zeon ransomware. The U.S. Department of Health and Human Services Cybersecurity Coordination Center (HC3) warned that Royal ransomware attacks were getting more common.

The agency said that “While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal.”

FEATURED CYBER INCIDENT

French Hospital Forced to Move Patients due to Ransomware

Dec. 5, 2022
Hospital Centre of Versailles in the Paris suburb of Versailles was hit by a cyberattack that rendered its computers non-functional and forced it to cancel all operations. This has reportedly resulted in the transfer of six patients from the hospital’s intensive care unit to nearby hospitals, with the condition of the patients unknown at this time.

Health minister, Francois Braun, has stated that the cyberattack has resulted in the hospital’s total reorganization, with additional staff needed for intensive care due to the lack of networking capabilities for critical machines.

Debt Collector Data Breach

Dec. 1, 2022
Lawsuits have been initiated against debt collection company Receivables Performance Management (RPM) of Lynnwood, Washington, over a data breach/ransomware combo affecting 3.7 million people in April 2021.

Multiple lawsuits in Washington state claim that the company failed to notify the affected people of the breach for over 18 months. According to RPM’s attorney, Brian Middlebrook, “There is no verified evidence that any personal information was published, shared or misused as a result of this incident.” The plaintiffs tell a different story, saying that the data breach was followed by a ransomware attack in which files were made accessible to hackers.

Fidel Ransomware is Alive and Well

Dec. 2, 2022
The Cuba ransomware, also known as Fidel, became widespread in late 2019 and again in 2022, prompting over a hundred victims to pay the ransom, totaling over $60 million. That is almost half of the $145 million it had asked for. This prompted the U.S. Department of Justice and the Federal Bureau of Investigation to issue a flash alert to help prevent further attacks.

The FBI’s latest advisory follows a flash alert from December 2021 in which the FBI revealed that the gang’s ransom payments for attacks on 49 entities were $44 million.

Rackspace Email Service Affected by Attack

Dec. 2, 2022
San Antonio-based managed cloud hosting company, Rackspace, added support to transition thousands of businesses to Microsoft 365 after a ransomware attack disrupted its Hosted Exchange service. Two-thirds of customers have regained access, aided by extra staff and Microsoft FastTrack teams.

The FBI has previously encouraged victims to come forward, sharing information on threats and in some cases aiding in key recovery and ransom return.

New Zealand Government hit by Ransomware Attack

Dec. 6, 2022
The government of New Zealand has confirmed that it has been affected by a ransomware attack on its managed service provider (MSP), Mercury IT. Mercury IT provides a range of IT, telecom, and support services to multiple organizations in New Zealand, including the health ministry, Te Whatu Ora, and Middlemore Hospital.

The attack is preventing access to some patient data, including approximately 14,000 records. The ministry noted that the cyberattack also affected six other regulatory authorities, including the following governmental organizations: Psychologists Board, Chiropractic Board, Podiatrists Board, the Dietitians Board, the Optometrists and Dispensing Opticians Board, and the Physiotherapy Board of New Zealand.

623K Patient Records Stolen in Hospital Cyberattack

Dec. 8, 2022
CommonSpirit Health of Chicago, IL, the second largest health system in the U.S., reported that 623,774 patients’ personal data was accessed during an October ransomware attack.

On Dec. 1, it disclosed the results of the investigation, which was referenced on the U.S. Department of Health breach portal, confirming the data exfiltration-related attack. CommonSpirit operates 140 hospitals and 1,000 care sites across 21 states, creating the potential for major disruption.

German Hotel Chain H-Hotels Struck by Play Ransomware

Dec. 11, 2022
Staff at German hotel chain H-Hotels were hit by the Play ransomware gang and could no longer access email services. As usual, Play announced on its victim blog that it had carried out the ransomware and data exfiltration attack, exposing data that included guest passport information.

The hotel has confirmed that an attack took place, but says that no data was stolen and that, if any had been, it would notify customers about the breach. The hotel chain did not say whether a ransom was demanded or paid.

Antwerp Hit by Play Ransomware

Dec. 12, 2022
The Play ransomware operation, which emerged in mid-2022, claimed responsibility for a ransomware attack in Antwerp, Belgium. Specifically, the IT company, Digipolis, was hit by a ransomware attack, which disrupted the IT, email and phone services of the city. Local media reported that the city’s Windows applications and email were no longer available.

The city added that almost all services were unavailable or significantly delayed. Play’s website post claims that 557GB of data was stolen, including personal information, passports, IDs and financial documents.

LockBit Ransomware Attack on California Agency

Dec. 12, 2022
The California Department of Finance has been targeted by a ransomware cyberattack, according to state officials. No state funds were compromised in the attack according to the Governor’s Office of Emergency Services, but they have not been able to provide any more information about the investigation. However, some news outlets are reporting that up to 76GB of data was stolen from the agency, including confidential financial documents and other sensitive information.

The attack comes after a group of Russian-affiliated hackers called LockBit claimed that the state department was one of its latest victims. LockBit has been threatening to release data if unspecified demands are not met by December 24. That date has come and gone, but there’s been no update from the California Department of Finance.

BlackCat Ransomware Disrupts Energy Supplier

Dec. 16, 2022
The BlackCat ransomware group is claiming responsibility for the attack on Colombia’s largest public water, electricity, and gas provider, Empresas Públicas de Medellín (EPM).

The ransomware attack took EPM’s services offline and disrupted the company’s operations, leaving more than 4,000 employees at home with no access to their IT infrastructure. BleepingComputer is reporting that the BlackCat ransomware group was responsible for the hack, claiming to have accessed business data during the attack.

Canadian Supermarket Chain Loses up to $25 Million in Cyberattack

Dec. 16, 2022
Canadian supermarket retailer, Empire Company, stated in its quarterly results that it may lose up to C$25 million for costs not covered by cyber insurance from the cyberattack it suffered on November 4, 2022.

“On November 4, Empire experienced some IT system issues related to a cybersecurity event. Based on an initial assessment, management estimates the financial impact of the cybersecurity event on the fiscal 2023 annual net earnings will be approximately $25 million, net of insurance recoveries.”

This attack shows that even with cyber insurance, an organization can sustain substantial losses due to a malware attack. So, cybersecurity best practices like inspecting SSL traffic for malicious content, backups, hardening endpoints, keeping systems patched, and Zero Trust training are imperative.

*** This is a Security Bloggers Network syndicated blog from A10 Networks Blog: Cyber Security authored by A10 Networks. Read the original post at: https://www.a10networks.com/blog/this-month-in-ransomware-hospitals-and-patients-affected/