Ransomware gangs display ruthless extortion tactics in April

Ransomware groups are pressuring enterprises into paying with harsher extortion tactics, contacting individual victims directly and leaking stolen photos and video footage.

Ransomware attacks ramped up against the public sector in April, but private enterprises such as Western Digital Corporation, Point32Health and CommScope also suffered prolonged disruptions.

TechTarget Editorial tracks monthly ransomware activity based on public disclosures, media reports and data breach notifications filed to state Attorney General offices. While the number of victims is likely much higher due to a lack of transparency in ransomware reporting, TechTarget's database recorded 29 attacks disclosed in April, compared with 22 in March.

Prolonged network disruptions were confirmed by many of the victims, but downtime wasn't always the worst consequence. Attackers continued the trend of pressuring victims into paying with increasingly ruthless extortion tactics.

Two examples of these relentless threats occurred in April against Western Digital and Bluefield University.

Last week, the Alphv ransomware gang, also known as Blackcat, published sensitive data, including video conference footage, that it claimed was stolen from Western Digital during an attack on March 26. The technology company publicly confirmed the attack on April 3 and said it affected customer access to its SanDisk and MyCloud services. Although Western Digital said it had restored services only 11 days later, the disruption appears to continue as of Tuesday. A banner on its website displays, "We'll be back soon: We are unable to process orders at this time."

In a Twitter statement on Sunday, Virginia-based Bluefield University disclosed that an attack shut down its network amid final exams week. More notably, it warned teachers and students not to access any campus systems, including email. However, unlike many organizations that disclose when they became aware of an incident, Bluefield did not provide a timeline.

"Bluefield University systems have been shut down for an unknown period of time due to a recent cybersecurity attack," Bluefield University wrote on Twitter.

A report by WVVA on Monday revealed some extortion tactics used against the school. Operators claiming to be part of the AvosLocker ransomware group sent texts directly to students, faculty and staff through the university's emergency notification system, demanding payment directly in return for not leaking sensitive student data.

Bluefield University did not respond to TechTarget Editorial's request for more information.

The university was one of six education sector victims in April. AvosLocker also claimed responsibility for an attack against Boston-based Emmanuel College, which confirmed a "network disruption" on April 28.

The Akira ransomware group listed BridgeValley Community and Technical College on its public data leak site on Monday. The West Virginia-based college confirmed it suffered a ransomware attack that resulted in a network outage on April 4.

While it has not appeared on a data leak site yet, Alabama-based Jefferson County Schools did suffer prolonged disruptions from an attack during its spring break at the end of March. The district disclosed the attack on April 1 and said it disrupted phone and internet services.

"Our district uses multiple security protocols, including filtering, firewalls and antivirus systems. These systems were able to assist us in mitigating the attack early," the Jefferson County Schools statement read.

An update on April 18 revealed that while progress was made in getting the network back up and running and students were still able to attend school, some restrictions and disruptions continued.

The private sector experienced downtime due to ransomware as well. Point32Health, which provides healthcare services for more than 2 million customers, confirmed it suffered a ransomware attack on April 17. It appears disruption was limited but continued for its Harvard Pilgrim Health Care business until April 28.

Another significant attack occurred against CommScope, a network infrastructure and telecommunications provider based in Hickory, N.C. The company boasts more than 30,000 employees and reported $2 billion in first quarter revenue Thursday. According to a report by The Record on April 17, CommScope was investigating claims that Vice Society was behind the attack and had threatened to leak stolen data.

In addition to the individual disclosures and reports this month, April also saw significant ransomware activity that exploited previously disclosed flaws in the PaperCut Application Server. The attacks began earlier in the month when threat actors exploited two remote code execution vulnerabilities, tracked as CVE-2023-27350 and CVE-2023-27351, that Trend Micro had reported to PaperCut in January.

On April 26, Microsoft attributed recently reported attacks against PaperCut, a print management software, to the Clop ransomware group. Although a fix was released for the two vulnerabilities, attackers are still targeting unpatched servers. PaperCut issued a bulletin on the critical flaws, updated on Tuesday, urging users to upgrade to the latest versions. While monitoring the activity, Microsoft also observed LockBit ransomware deployment and warned "more threat actors could follow suit."

It is unclear how many organizations were affected. But these attacks could have a significant impact on monthly numbers going forward, similar to the ransomware attacks that exploited a zero-day vulnerability in Fortra's GoAnywhere managed file transfer software earlier this year.
