Despite an apparent drop in ransomware activity last month, attacks hit several high-profile targets such as Dole Plc, Dish Network, A10 Networks and the U.S. Marshals Service.
TechTarget Editorial's ransomware database, which consists of publicly reported attacks disclosed through the Office of the Attorney General, media outlets and company-issued statements, revealed patterns similar to those of past months as enterprises across all sectors experienced disruptions due to ransomware. Schools, municipalities and hospitals continued to be heavily affected, but February attacks also claimed big brand names and one significant federal government entity.
While the number of disclosed ransomware attacks fell from 21 in January to 19 in February, the fallout in several cases was more substantial compared with previous months. After network outages persisted for one week, the city government of Oakland, Calif., declared a state of emergency; an attack against Tallahassee Memorial HealthCare in Florida required the hospital to redirect emergency patients; and one ransomware incident affected multiple police agencies in Wayne County, Mich.
In addition, ransomware gangs hit several major brands last month. In most cases, the enterprises were not the first to publicly report the incident, which is not uncommon.
After being added to the Play ransomware group's public leak site on Feb. 9, California-based A10 Networks confirmed to Bleeping Computer that it had suffered an attack on Jan. 23; the network security vendor published an 8-K filing that disclosed it had detected the attack on Jan. 23, though it's unclear if any data was encrypted. A10 provides application delivery controllers, DDoS detection and mitigation, and convergent firewall tools to Samsung, Twitter, Sony Pictures, Comcast and many other prominent enterprises.
A ransomware attack against food giant Dole was first reported on Feb. 17 through Facebook by one of its customers, Stewart's Food Store in Texas. To explain a salad shortage, Stewart's shared a screenshot of an email it received from Dole stating the food company was "in the midst of a Cyber Attack and have subsequently shut down our systems throughout North America." Dole provided a statement on Feb. 22, confirming that it was the result of ransomware. It also said an investigation into the scope of the incident was ongoing, but the "impact to Dole operations has been limited."
Encino Energy, a major U.S. oil and gas producer, was hit by Alphv ransomware in mid-February. Alphv, also known as BlackCat ransomware, grew increasingly dangerous in 2022 and is known for developing a website where employees and customers of a victim organization could check if their personal data had been compromised. Like public data leak sites, it was another evolution in extortion tactics. Encino Energy was added to Alphv's leak site and publicly confirmed to The Record that it recently suffered a cyber attack. However, Encino has not issued an official statement.
Dish Network, a satellite cable provider with millions of customers, confirmed that it suffered a ransomware attack and data exfiltration on Feb. 23 in an 8-K filing this week. According to the filing, it affected internal servers and IT telephony systems, including the corporation's internal communications, customer call centers and internet sites. Dish notified law enforcement and said the ongoing investigation might "reveal that the extracted data includes personal information."
Arguably the most significant attack occurred against the U.S. Marshals Service (USMS) on Feb. 17. While information on the government agency's witness protection program was not affected, ransomware actors did steal the personally identifiable information of fugitives and some USMS employees. Senior Justice Department officials, who were briefed five days following the attack, determined that the ransomware attack and data breach constituted "a major incident."
Ransomware groups continued to target the education and healthcare sectors last month as well. BlackCat hit the Lehigh Valley Health Network (LVHN), which consists of 13 hospital campuses, on Feb. 6. LVHN President and CEO Brian Nester issued a statement on its website on Feb. 22 and confirmed that while BlackCat demanded a ransom, LVHN refused to pay.
Similarly, Minneapolis Public Schools, which suffered an "encryption event" around Feb. 21, confirmed in a systems outage update on March 1 that it did not pay a ransom. Though disruptions are ongoing weeks later, the school system did say it was able to restore data from backups. In addition, it warned parents and teachers to be aware of phishing and other scams.
Arielle Waldman is a Boston-based reporter covering enterprise security news.