July another down month in ransomware attack disclosures

July saw a fairly small number of major ransomware attack disclosures -- a number comparable to June and far smaller than this year's peak in January. Still, attacks on the public and private sectors continue to cause significant damage.

SearchSecurity has tracked ransomware in 2022 via a database of public reports and disclosures, as well as an article series that covers the most notable attacks each month. According to SearchSecurity's data sets, there was approximately a 300% drop between attacks in January and June. July saw similar numbers, with just 13 confirmed disclosures last month; in addition, only three disclosures were for attacks in July.

NCC Group noted a 42% drop in worldwide ransomware attacks from May to June. NCC posited that two potential reasons for this decline were the apparent shuttering of prolific Russian gang Conti and the transition from LockBit 2.0 to successor LockBit Black.

The exact reason for this drop is unknown, and the true scope of ransomware's decline (if there truly is one) is unknown thanks to things like incomplete incident reporting. For example, there were a number of cyber attacks disclosed in July via data breach notification letters that appeared consistent with ransomware but were not confirmed to be.

At AWS re:Inforce 2022, SearchSecurity asked CrowdStrike's Param Singh, vice president of the company's managed threat hunting service Falcon OverWatch, whether he has seen a significant decline in ransomware attacks on his end. He answered in the negative.

"My team looks at about eight incidents on a daily basis, which are around ransomware and some other threats going on," Singh said. "We're not seeing any drop in ransomware, at least from a sheer quantity perspective. And I'll say we are seeing a constant increase in the number of attempts to conduct ransomware attacks. Because of our service, we are stopping them before the breach happens, but the attempts are definitely going up."

Regardless of the quantity of attacks, the targets of last month's ransomware disclosures were across the board, affecting the public sector, healthcare and other areas.

One of the most significant involved the city of Newport, R.I. The city government said in a July 22 press release that a June cyber attack resulted in an unauthorized party stealing files from city servers containing information "used for human resources and benefits purposes for certain current and former employees and their spouses and/or dependents, including names, addresses, dates of birth, Social Security numbers, financial account numbers used for direct deposit and information related to group health insurance."

A Rhode Island State Police spokesperson told The Newport Daily News that it had assisted with the city's "ransomware issue" but declined to provide more information.

One of the biggest attacks this month was on digital marketing platform vendor WordFly, which suffered an attack that disrupted its network on July 10. WordFly business development director Kirk Bentley wrote in a July 14 notice that the attack was "ransomware-related" and that some client data was potentially compromised.

"While this investigation remains ongoing, and we are still assessing the scope of the incident, on July 14, 2022, we learned that some data your organization utilizes in WordFly to communicate with your subscribers may have been impacted," Bentley wrote. "At this time, we understand the scope of this data to primarily include names and email addresses."

Several customers in the arts industry, including the Smithsonian Institution and the Toronto Symphony Orchestra, have since announced their data was accessed in the WordFly attack. However, Bentley wrote in a subsequent update that "It is our understanding that as of the evening of July 15, 2022, the data was deleted from the bad actor's possession." It's unclear if WordFly paid a ransom in exchange for the threat actor agreeing to delete all customer data.

Healthcare saw two significant cybersecurity disclosures last month. Professional Finance Company (PFC), an accounts receivable management company that works with healthcare organizations, said on July 1 that it had "detected and stopped" a ransomware attack in February.

"PFC immediately engaged third-party forensic specialists to assist with securing the network environment and investigating the extent of any unauthorized activity," a press release read. "Federal law enforcement was also notified. The ongoing investigation determined that an unauthorized third party accessed files containing certain individuals' personal information during this incident. PFC notified the respective healthcare providers on May 5, 2022. This incident only impacted data on PFC's systems."

Paired with the press release was a list of 657 affected healthcare organizations.

While PFC "found no evidence that personal information has been specifically misused," it conceded that personal information may have been accessed by an unauthorized third party, including name, address, accounts receivable balance and information regarding payments made to accounts. Plus, "in some cases," dates of birth, Social Security numbers, health insurance and medical treatment information may have also been accessed.

Also disclosed on July 1, managed behavioral healthcare provider Carolina Behavioral Health Alliance said it "detected and stopped a sophisticated ransomware attack" in late March. Its press release uses similar wording to PFC's, though it was not included on the aforementioned list.

Another disclosure came from tooling system manufacturer Wilson Tool, which on July 25 sent out a consumer notification letter to address a cyber attack it endured on March 13. While the word ransomware, was not used in the letter, Wilson Tool said an unauthorized party had encrypted and accessed information stored on company systems.

"Wilson Tool terminated the unauthorized access, and promptly commenced an internal investigation to determine the nature and scope of the Incident," the letter read. "While the Incident is still being investigated, it was determined that the unauthorized party accessed servers which contain some of your sensitive personal information.

"While Wilson Tool has no reason to believe that any individual information has been misused, upon this discovery, Wilson Tool has decided to make notification to you, and to provide identity monitoring services to help protect you from the potential misuse of personal data."

Several data breach notification letters last month described security incidents that suggested a ransomware attack had taken place. However, the notifications did not contain enough information to clearly indicate a ransomware attack. Similarly, several organizations in July publicly disclosed major cyber attacks with circumstances that were consistent with ransomware attacks. However, SearchSecurity was unable to confirm these malware attacks were in fact ransomware.

Alexander Culafi is a writer, journalist and podcaster based in Boston.