Ransomware is a type of malware that is designed to take your system, or the files on it, hostage. The basic concept behind ransomware is pretty simple. An attacker prepares a payload that infiltrates a computer’s hard drive and encrypts the files on it.
The next step is to find a way in – outdated software, an input field that lacks validation, or a legitimate user’s credentials that were available on the dark web – and deliver the payload.
Once the infection takes effect and you lose access to your files, a ransom note appears demanding money or cryptocurrencies. Sometimes the attackers are politically motivated and they just want to watch the victims suffer.
Ransomware attacks go way back to 1989 but 2021 and 2022 have been two of the most notorious years as far as ransomware attacks go. We saw a 93% increase in ransomware attacks year-over-year in 2021 and the trend continued in 2022.
8 Major Ransomware Attacks & News in February 2023
- Medusa botnet returns as a Mirai-based variant with ransomware sting
- The new ESXiArgs ransomware version prevents VMware ESXi recovery
- UK cracks down on ransomware actors
- City of Oakland systems offline after ransomware attack
- Ransomware crooks steal 3m+ patients’ medical records, personal info
- Play Ransomware lists A10 Networks on its leak site
- Cyberattack on food giant Dole, temporarily shuts down North American production
- Major cyberattack compromised sensitive U.S. Marshals Service data
Medusa botnet returns as a Mirai-based variant with ransomware sting
Medusa DDoS botnet is an evolved form of Medusa malware that had been around since 2015. News of a new variant of Medusa surfaced on February 7, 2023. The new variant is based on the source code of the Mirai botnet. The malware now has a ransomware feature – it is designed to find and encrypt sensitive files.
The new ESXiArgs ransomware version prevents VMware ESXi recovery
ESXiArgs is a ransomware strain that targets VMware ESXi hypervisors. The ransomware has been active since January. As of February 8, 2023, the ransomware has been updated to disable the ESXi recovery methods prescribed by CISA.
Impact: More than 3000 virtual machines are affected.
UK cracks down on ransomware actors
On February 9, 2023, seven Russian nationals had their assets frozen and were banned from travel by the government of the UK. These individuals are tied to the 149 ransomware attacks perpetrated by groups like Conti and Ryuk.
City of Oakland systems offline after ransomware attack
On February 8, 2023, the city of Oakland came under ransomware attack and had to shut down all digital operations. As of February 10, the systems were being brought back online without any significant losses, and 911 dispatch and firefighting services were all unaffected.
Ransomware crooks steal 3m+ patients’ medical records, personal info
On February 10, 2023, a number of medical groups from California sent out notifications to around 3 million patients informing them that ransomware attackers may have stolen their medical and personal information in an attack that took place in December 2022.
Impact: Data of 3 million patients stolen
Play Ransomware lists A10 Networks on its leak site
According to news published on February 11, 2023, the ransomware group Play has added networking firm A10 Networks to its leak site. The group claims that it has a host of personal and confidential information, as well as technical documentation and agreements. The gang had gained access to the IT systems of A10 Networks for a brief period of time prior to adding the victim to its leak site.
Cyberattack on food giant Dole, temporarily shuts down North American production
Dole is a major player in the US produce industry. In a recent security event, which is reportedly a ransomware attack, Dole had to stop production in its North American units. In a declaration made on February 10, 2023, the vice president of the company informed retailers of the attack. This is reminiscent of the attack on JBS, the biggest meat supplier in the USA, which had to pay an $11 million ransom to get its systems back online.
Major cyberattack compromised sensitive U.S. Marshals Service data
The US Marshals Service, or USMS, is a high-profile government unit responsible for the protection of federal judges, among other things. Following a ransomware attack, the USMS had to shut down some of its services temporarily. The organization has reportedly lost a host of information related to federal investigations.
17 Major Ransomware Attacks in January 2023
We’re 2 months deep into 2023 and businesses, governments, and educational institutes alike are nervous. We’ve already had a depressing number of attacks in 2023. We’ll talk about all of that in this post.
- Los Angeles Housing Authority hit by ransomware
- Swansea Public Schools cancel classes after a ransomware attack
- Romanian hospital held for ransom by hackers
- Ransomware gang claims attack on Mexico-based Grupo Estrategas EMM
- 15 schools across the UK crippled by ransomware (unknown)
- Consulate Health Care chain hit by Hive
- San Francisco’s Bay Area Rapid Transit hit by ransomware (unknown)
- Spain’s City Council of Durango “completely paralyzed” by ransomware
- New York City Bar Association hit by ransomware
- Royal Mail cyber attack carried out by Russian-linked ransomware gang
- DNV confirms the ransomware attack
- The ransomware attack targeted Costa Rica’s Ministry of Public Works and Transportation
- Source code for League of Legends stolen by hackers
- Livingston Memorial VNA reports a data breach following the apparent ransomware attack
- Stratford University reports data breach following a ransomware attack
- Jamaica’s South East Regional Health Authority victim of a ransomware attack
- Audifarma, a Colombian pharmacy chain, suffers a ransomware attack
1. Los Angeles Housing Authority Hit by Ransomware
The Housing Authority of the City of Los Angeles (HACLA) was hit by ransomware around New Year’s weekend. The ransomware was probably LockBit 3.0. There was no confirmation of the event by HACLA, but the hacker group posted some fairly convincing screen captures to attest to the issue.
Impact: The actual impact of the attack is yet unknown but the potential impact is quite frightening. HACLA is a platform that landowners and buyers use to pay rent, list properties, and connect with relevant people.
Their website stores personally identifiable information of every member of the community. The hackers have announced that they will be publishing 15GB of personal data which poses a serious threat to the people and the organization.
2. Swansea Public Schools Attacked with Ransomware
This happened on January 3, 2023. The Swansea Public Schools network was shut down after a ransomware attack and the schools were closed for the following day.
3. The Saint Gheorghe Recovery Hospital in Northeastern Romania Faced a Ransomware Attack
The attackers encrypted the hospital’s database and demanded a payment of 3 Bitcoin. At that point in time, 3 Bitcoin were worth approximately EUR 46,400.
Impact: The hospital’s database holds all data regarding insurance, healthcare services, and other forms of patient and equipment data. Not having access to the database means that the hospital wouldn’t be able to claim any money for the services provided in the last month of 2022.
4. Mexico-Based Company Grupo Estrategas EMM got Hit by Ransomware
Ransomware gang BlackCat also known as ALPHV claimed to have encrypted and stolen personal data, client data, and financial information of Mexico-based company Grupo Estrategas EMM.
Impact: BlackCat has established itself as a notorious gang, and its claim has not been definitively refuted. If they have client information and financial documents, the victim company may lose clients, lose reputation, and be penalized.
5. 15 Schools Across the UK Faced Ransomware Attacks
The intrusion was initiated in September 2022, but it wasn’t until January 9, 2023, that any breach was reported. The ransomware attack on 15 UK-based schools was perpetrated by the gang called Vice Society. The gang is infamous for having conducted attacks on the Los Angeles School District that affected 1000 schools and compromised 500 GB of data.
Impact: “The compromised information includes children’s special education needs, passport scans, staff pay scales, and contract details.”
6. Consulate Health Care (CHC) Chain Hit by Hive Gang
Consulate Health Care is a chain of healthcare service providers who specialize in care for senior citizens. They were attacked by the ransomware gang Hive on December 3, 2022. The victim stopped negotiations with Hive after a few weeks, which led to the addition of CHC to Hive’s leak site on January 6, 2023.
Interestingly, Hive’s site was seized by the US government on January 26.
Impact: The files encrypted by Hive included personal information, confidential business information, non-disclosure agreements, and financial data.
7. Bay Area Rapid Transit got Hit
The Bay Area Rapid Transit is the fifth largest transit system in the USA. The transit system’s network was infected by ransomware in the second week of January. This attack, too, was carried out by the ransomware gang Vice Society.
Impact: The stolen data includes master employee files and other personally identifiable data, crime lab reports, and more.
8. The City Council of the Mexican city Durango was Paralyzed by Ransomware
The mayor of Durango announced the city council’s website would remain shut for a few weeks owing to a ransomware attack. The ransom amount remains unknown, however, the council declared that they were not intent on paying the ransom. No gang has claimed the attack as yet.
Impact: Encrypting a city council’s database and gaining access to it means the hackers have sensitive data regarding citizens, commercial tenders, payscales, and personal information of the employees.
9. New York City Bar Association got Hit by Ransomware Gang, CL0P
CL0P announced that they were about to release 1.8 GB of data stolen from the New York City Bar Association. According to their declaration, the breach is an act of punishment against the NYC Bar Association for not protecting its data properly.
CL0P mentioned that they had encrypted the files in December 2022, and the bar association did not try to mitigate the situation by informing anyone.
Impact: The stolen data includes the personal data of lawyers, clients, and case data. The gang revealed screen captures of the passports of a number of people.
10. Printers at Royal Mail got Hacked
Royal Mail deals in international postal deliveries. They got hacked in a weird way. The Russian gang LockBit infected the printers used at Royal Mail. These printers, used for printing custom stamps, started spewing out ransom notes demanding payment in cryptocurrency worth $80 million.
Impact: The attack resulted in half a million parcels being stuck.
11. Fleet management Software got Hacked
DNV, or Det Norske Veritas, is a society of ship owners based in Norway. 300 customers and over 7000 ships use their fleet management software. On January 7, DNV’s fleet management software faced a ransomware attack.
Impact: The attack affected 1000 ships that use the software.
12. The Attack on Costa Rica Continues
Costa Rica has been dealing with severe ransomware attacks since June 2022. First the attacks were by Conti, and then by Hive. The ransomware gangs targeted Costa Rican ministries. In a recent event, ransomware attacks crippled the nation’s Ministry of Public Works and Transportation.
Impact: The ransomware attacks have thrown Costa Rica into a continued economic and political emergency. The nation has been losing millions of dollars worth of resources every day owing to the attacks.
13. Hackers Stole Source Code for Popular Game
Riot Games, the League of Legends maker, announced that the game’s source code was stolen in a hacking event. The developers received a ransom mail but they’re not willing to pay the ransom amount.
Impact: The developer confirmed that no user data or personal information was stolen in the attack, although the theft of the source code may result in new cheats.
14. Attack on Livingston Memorial VNA Healthcare Corporation
The multi-faceted healthcare company noticed encryption on some of its files back in 2022. In January they finally reported data theft and sent out a declaration to all impacted parties.
Impact: The hackers stole a bunch of personally identifiable information. Some of the customer data was published.
15. Ransomware Attack on Stratford University
Educational institutes have been subject to an unprecedented number of ransomware attacks in the last couple of years. Stratford University was added to the list in January 2023. The university filed a report with the Attorney General of Maine about unauthorized access to data by hackers.
Impact: Among the stolen data are first and last names, phone numbers, addresses, e-mail addresses, dates of birth, student identification numbers, passport numbers, and Social Security numbers. The attack affected 78,000 students and employees.
16. Jamaican Healthcare Authority Suffered a Ransomware Attack
On January 26, the South East Regional Health Authority, or SERHA, disclosed that the organization had been hit by a ransomware attack. The attack affected some of the information and telecommunication services provided by SERHA.
Impact: While some services were impacted, SERHA has been progressively regaining access to all of its systems.
17. Attacks on Colombian Companies
The South American continent has been targeted with ransomware attacks by BlackCat. Countries like Colombia and Brazil have been marked as vulnerable to cyber-attacks. The Colombian company Audifarma is one of the recent victims.
Impact: The specific amount of money lost to ransomware attacks is unknown, however, the never-ending streak of attacks must have been sucking the nation dry.
Ransomware and RaaS Gangs to Beware of in 2023
Ransomware-as-a-Service (RaaS) gangs are a relatively new nuisance. These hacker groups prepare ransomware payloads, deliver attacks, and maintain exploits for money or other motivations. These gangs can be politically motivated and participate in cyber warfare. We’ll learn briefly about a few of these notorious gangs.
We have already mentioned LockBit quite a few times while talking about the major attacks in January 2023. LockBit is a name shared by the malware and the gang behind it. They sell payloads to different entities or conduct attacks by themselves.
As a RaaS gang, LockBit has made more than $100 million in ransom since 2019.
Vice Society is a notorious Russian-speaking ransomware gang that is infamous for double extortion. They steal data and then encrypt it. The victim has to pay twice, once to get the decryption key and once again so that the hackers do not publish the stolen data.
Vice Society specifically targeted educational institutes.
Since 2021, Hive victimized 1500 entities and extorted more than $100 million before being taken down by the FBI in January 2023. This gang, much like LockBit, operated as a RaaS provider. It will be remembered as one of the most prolific attackers.
Nevada is a new, mysterious player with frightening potential. An attack by Nevada is underway right now. They are holding the computer networks of 5000 victims in the USA and Europe captive as I write. The group has demanded a ransom of 2 bitcoin, currently $50,000, which is a surprisingly small amount.
Ransomware Defense Trends in 2023
It’s important to have a “mitigation mindset”.
Double extortion through ransomware attacks is the trend. The hackers want to make you pay twice, and they will steal data on top of encrypting it. Prepare for attacks no matter your level of protection. Having an efficient incident response plan is important.
Security testing is key
Testing your security posture regularly and making vulnerability scans a part of your business functions can help you stay a step ahead of attackers.
Equip your sites and networks with solid website protection and surveillance mechanisms to track anomalies as early as possible.
Burgeoning ransomware gangs, reinvented malware, and a growing dependency on all-digital work setups put every company, regardless of size and industry, at risk of ransomware attacks. The best approach to avoid this nuisance is running a very tight ship security-wise. Keep every piece of software, extension, and application up to date, and perform regular security tests. 2023 will be a year of many more ransomware attacks. What is your defense strategy going to be?