Municipal governments and critical infrastructure continue to be targets for threat actors even as ransomware attacks appeared to slow down in May.
According to data collected by SearchSecurity, May had the fewest disclosures or confirmed reports of ransomware attacks of any month so far in 2022. While there might be some attacks that were not made public, just 11 were found to have occurred in the U.S. in May, and eight others were disclosed in the month but had occurred sometime prior.
The past month was not a complete outlier, however, as April too saw signs of ransomware slowing down, with just 20 total attacks disclosed. As for the other months, SearchSecurity found 41 disclosures of ransomware attacks in January, 27 in February and 31 in March.
Rob Joyce, cybersecurity director for the U.S. National Security Agency, said last week that the U.S. has seen a decline in ransomware activity since Russia's invasion of Ukraine. Speaking at the National Cyber Security Centre's CyberUK conference earlier this month, Joyce gave partial credit for the drop to sanctions against specific ransomware groups and cryptocurrency platforms that facilitate ransom payments and obscure them from law enforcement investigations.
Local governments have consistently been victimized by ransomware threat actors. Each month of 2022 has had at least one example of a town, county or state government in the U.S. being hit by a ransomware attack.
Officials originally announced the attack against Quincy on May 6, but did not confirm it as ransomware until May 24, when Mayor Mike Troup held a press conference. During the conference, Troup said that while some departments like police and fire had email and phone systems affected, almost everything was back up and running, and no personal information appeared to have been stolen. According to Troup, the city put in more than $600,000 to stem this ransomware attack; the mayor also said the ransom demand was less than half a million dollars.
On the same day as the Quincy press conference, officials in Somerset County said that their email system was affected by a ransomware attack, but that all other county services seemed to be functioning properly.
In April, the FBI's cyber division released a warning about threats against the agriculture sector in the U.S. The concern was that as the months get warmer and the planting season goes into full effect, threat actors attempting to hurt critical infrastructure would target agriculture companies. While there hasn't yet been a large volume of these attacks on the sector, there was at least one ransomware attack against an agriculture company in May.
AGCO, one of the world's largest agriculture machinery manufacturers, was struck by an attack on May 5 that took down some parts of its production systems. The initial press release from the company said that "its business operations will be adversely affected for several days and potentially longer to fully resume all services depending upon how quickly the Company is able to repair its systems."
On May 16, AGCO issued another statement, saying that most of the production issues had been solved, but that the company was still in the process of restoring all its business operations. When asked by SearchSecurity, AGCO said that there were no further updates beyond the second press release. AGCO sold more than $11 billion worth of products last year, ranging from combine harvesters and tilling machines to grain storage and care equipment for livestock.
AGCO was not the only company in the agriculture sector to confirm a ransomware attack in May. On May 6, the Central Livestock Association informed victims that the group was hit by an attack. The group, which manages auctions for livestock in different locations across the U.S., said that it had parts of its systems encrypted by the attack.
Other attacks on private companies ranged from the healthcare industry to IT services. Cloud hosting provider Opus Interactive announced that it suffered a ransomware attack on May 10 that affected the company's servers. A subsequent announcement on May 16 noted that there were still partial outages in each of its cloud infrastructure centers.
In addition, Fronteo, an international e-discovery vendor, had the data center of its American branch hit on May 16. The "Cuba" ransomware gang took responsibility for the attack. Another company targeted by ransomware last month was Omnicell. The healthcare technology company disclosed in a filing to the Securities and Exchange Commission that it discovered parts of its internal systems were affected by ransomware on May 4.