MoveIt Transfer attacks dominate July ransomware disclosures

Traditional ransomware attacks took a back seat last month, as Clop operators continued to claim victims from the zero-day attacks on MoveIt Transfer customers.

While the number of traditional ransomware attacks dropped last month, disclosures involving the zero-day flaw in Progress Software's MoveIt Transfer product continued to rise, as the Clop ransomware gang claimed more victims.

TechTarget Editorial tracks monthly ransomware attacks and trends based on public disclosures, media reports and data breach notifications filed to state attorney general offices. Ransomware gangs have evolved over the last year to forgo encryption and steal only sensitive data, while also employing more aggressive extortion tactics.

The attacks on vulnerable MoveIt Transfer instances are an example of that evolution, as the incidents have involved data theft and exposure but no ransomware to encrypt the data. However, TechTarget's database counts only attacks that involve encryption or attempted encryption of victims' data.

With the rapidly increasing data breach notifications related to those attacks, TechTarget Editorial separately tracked at least 29 additional victims two months after the attacks by a Clop ransomware threat actor first came to light. Organizations in the financial and education sectors accounted for many of the disclosures, including Johns Hopkins University, University of Rochester and 1st Source Bank. The bank confirmed the attack affected 450,000 customers.

Cybersecurity vendor Emsisoft, which is tracking the growing number of MoveIt Transfer attack victims, said Thursday that the total number has reached 566 organizations and more than 40 million people worldwide. That number includes purported victims named on Clop's data leak site, some of which have yet to confirm.

Estee Lauder confirmed a cybersecurity incident in a filing to the Securities and Exchange Commission on July 19. According to the Form 8-K, following the attack Estee Lauder was "focused on remediation, including efforts to restore impacted systems and services." Subsequently, it was listed on two ransomware groups' public data leak sites: first by Clop operators in connection with the MoveIt Transfer attacks, and then by the BlackCat ransomware group. Many questions remain, including whether encryption was involved and whether there were two separate attacks.

As for traditional ransomware attacks that did involve encryption, TechTarget Editorial tracked 20 confirmed incidents in July, compared with 29 in June. While the number decreased, disruptions did not.

George County in Mississippi suffered a ransomware attack on July 15 that began with a phishing email. WKRG reported that Ken Flanagan, George County's communications director, confirmed attackers left a note containing a bank account and demanded payment in Bitcoin to unlock encrypted files. The county had backed up its systems one day prior to the attack and was attempting to restore those backups. The Department of Justice, the FBI and the State of Mississippi initiated an investigation into the attack.

On July 14, the City of Hayward in California declared a state of emergency that was enacted July 18, after ransomware caused prolonged disruption to its network. Two weeks later, ABC 7 reported the city's network was coming back online and that a ransom had not been paid.

The Town of Cornelius, N.C., forced its systems offline to contain a ransomware incident that was detected July 11. In a press release, the town revealed it "immediately severed on-site technology from the network" and that some services, including phones, would be temporarily unavailable or delayed. As of July 24, North Carolina-based WBTV reported that Cornelius was in the process of restoring from backup servers and that the town had determined there was no data exfiltration.

The City of West Jordan, Utah, disclosed in June that a cyberattack had caused service disruptions, and on July 13 it confirmed the incident was the result of ransomware. A report by KSL TV 5 revealed attackers demanded hundreds of thousands of dollars, but the city did not pay the ransom and stated it had cyber insurance coverage to assist with recovery costs. As of July 13, West Jordan said it was working with a cybersecurity firm to restore systems but gave no time frame for when the work would be completed. Systems were initially shut down June 14.

Another hit to the public sector happened on July 11, when the Langlade County Sheriff's Office in Wisconsin reported it was "experiencing a catastrophic software failure" that also affected all phone lines, according to a message on its Facebook page. The LockBit ransomware gang later claimed responsibility.

The healthcare sector, a common target of ransomware groups, was also affected last month. Most notably, Tampa General Hospital in Florida disclosed that it suffered an attack in May but "effectively prevented encryption," which could have caused prolonged disruption to patient care. However, it appears some patient data was still exfiltrated, including names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, dates of service and treatment information. The Record reported that the data belonged to more than 1.2 million patients.

Arielle Waldman is a Boston-based reporter covering enterprise security news.
