April ransomware attacks slam US universities

April's ransomware attacks were highlighted by several universities and colleges in the U.S. reporting attacks, plus a possible data breach at one of the world's largest beverage companies.

Ransomware attacks in April began with a burst from one of the most notorious cybercrime gangs and closed with a relative newcomer claiming an attack on one of the world's largest beverage companies.

While it appears the number of ransomware attacks against targets in the United States has declined since Russia's invasion of Ukraine, there were still several attacks reported and disclosed in April.

Last month, the FBI warned that U.S. agriculture could be more heavily targeted by ransomware attacks aiming to disrupt critical infrastructure. Agriculture was not the only industry that the U.S. government recently showed concern for. On April 20, a joint advisory warned of the "increased" threat of Russian hackers launching cyber attacks against the U.S.

While no ransomware attacks against critical infrastructure were publicly reported or disclosed in April, there were still examples of suspected Russian ransomware gangs hitting the U.S., including several high-profile attacks against universities and colleges.

Higher education targeted

Early in the month, the BlackCat or ALPHV group claimed two ransomware attacks, one on April 6 and the other on April 8. The claim made on April 6 stated that BlackCat was responsible for a March cyber attack that hit North Carolina A&T State University in Greensboro, N.C. The attack disrupted systems at the university, and the group also claimed to have stolen personal information from both employees and students.

The university acknowledged that it shut down "various systems to contain the incident." However, director of media relations Jackie Torok said that while the investigation into the incident is ongoing, "multiple investigating agencies have found no current faculty, staff or student data were affected."

BlackCat two days later claimed it had stolen more than a terabyte of data from Florida International University in Miami. When asked about the incident, an FIU spokesperson told SearchSecurity that the investigation into the attack is still ongoing but that "at this time, we do not believe that any financial information, Social Security numbers, or information on student performance was stored on the impacted server," and that "this incident has not impacted the education process."

Those were not the only schools that reported ransomware attacks in April. On April 27, Austin Peay State University in Clarksville, Tenn., posted on its Twitter account, "APSU ALERT: Ransom ware attack. THIS IS NOT A TEST. SHUT DOWN ALL COMPUTERS NOW!" According to Clarksville Now, a news outlet that covers the area, the school canceled final exams scheduled for April 28 but resumed them on Monday. The school also shut off access to its computer labs and told employees not to use their work computers.

In addition to state universities, other public entities were struck by ransomware last month. At the end of the month, Westchester County's library announced that it was the victim of a ransomware attack, but that personal information did not appear to be compromised.

In mid-April, the computer systems in Wyandotte County, Kansas, were hit by a cyber attack that was later believed to be ransomware. As of May 2, some of the county's systems were still down. Affected systems included the county's district attorney, district court, department of motor vehicles and the sheriff's office.

The attack on Wyandotte County followed a trend of threat actors hitting municipal governments in the U.S. with ransomware. The most notable of 2022 so far was the ransomware attack on Bernalillo County, N.M., in January.

Enterprise attacks

While fewer companies reported ransomware attacks in April, a ransomware gang claimed one major corporation as a victim.

On April 25, the ransomware group Stormous claimed to have stolen 161 gigabytes of data from Coca-Cola and offered to sell the data for a little over $64,000, or 1.65 bitcoin. Stormous reportedly offered to sell portions of the data to any interested parties and would change the cost depending on the amount of data. Coca-Cola has yet to officially confirm this data breach occurred but announced last week that it had begun an investigation into the alleged attack.

During the weekend of April 16, Puerto Rico's toll system was brought down in a ransomware attack. The entity attacked was a company called Professional Account Management, which provides services for the toll system. Following the attack, government databases, webpages and collection systems for toll plazas shut down. Since the attack, Interior Secretary Noelia García said that some services are back online and no personal data appears to have been breached, but the threat actors are still requesting a ransom to decrypt the rest of the system.

The ransomware attack in Puerto Rico was the first against an entity in the territory this year and the first cyber attack since its Senate was targeted in January.
