Getty Images
Ransomware continues to rise in October across all sectors
Ransomware disclosures and reports surged last month, leading in some cases to bankruptcy filing, prolonged business disruptions and ambulance diversions for hospitals.
Ransomware continued to skyrocket last month with attacks against schools and hospitals following September reports that activity reached historic highs.
TechTarget Editorial's 2023 ransomware database tracks publicly disclosed and reported ransomware attacks against U.S. organizations and found 35 attacks for October compared with 21 in September. Ransomware-related disruptions affected the public and private sectors with victim organizations ranging from schools and hospitals to an energy supplier, one law office and an insurance company.
In September, NCC Group observed a record-setting number of attacks that amounted to a 153% increase year over year. Analysts estimated that the increasing activity would continue and even persist into the new year. Not only did attacks increase last month, but fallout for some victims was substantial.
On Oct. 24, Florida-based healthcare organization Akumin Inc. reported a "recent" ransomware attack that caused service disruptions. As a result, Akumin postponed clinic and diagnostic operations. Akumin had filed for Chapter 11 bankruptcy on Oct. 23, although the 8-K form did not reference ransomware or a cyber attack. As of Thursday, Akumin confirmed that services were restored for a majority of its systems and patients could resume scheduling appointments.
Morrison Community Hospital in Illinois issued a data breach notification on Oct. 19 detailing a security incident it experienced on Sept. 24. The notice said the only data attackers potentially accessed was explanation of benefits information. However, the incident did cause service disruptions.
According to Morrison's Facebook page, the hospital's phone system and internet were down on Sept. 25, which affected patient portal capabilities. Phones were restored as of Sept. 27 along with the patient portal. The BlackCat/Alphv ransomware gang claimed responsibility for the attack through its data leak site on Oct. 13.
Westchester Medical Center Health Network (WMCHealth) reported that a cyber attack affected New York-based HealthAlliance Hospital, Margaretville Hospital and Mountainside Residential Care Center on Oct. 16. While the initial statement said patient care was unaffected, an update three days later revealed that HealthAlliance Hospital had diverted ambulances and patients to nearby medical facilities or other hospitals within the network.
On Oct. 19, WMCHealth confirmed that it had "quickly notified the New York State Department of Health and Ulster and Delaware County officials" after discovering the attack. The hospital network is also working with law enforcement and a third-party cybersecurity firm to determine the attack scope in an ongoing investigation.
The temporary ambulance diversion was lifted on Oct. 21, one day after the hospitals forced systems offline to "address the threat." As of Oct. 21, hospital services were fully resumed, but the system restoration process was ongoing.
Another New York-based healthcare organization, Henry Schein Inc., disclosed a cyber attack on Oct. 15 that caused business disruptions. The healthcare supplier, which serves 1 million customers globally, detected the attack on Oct. 14 and determined that it only affected the organization's manufacturing and distribution business. Henry Schein forced systems offline as a result. In addition, Henry Schein notified law enforcement and initiated an investigation with outside cybersecurity and forensic IT experts. The BlackCat/Alphv ransomware gang later claimed responsibility for the attack through its data leak site.
Schools still targeted
In addition to hospitals, schools also suffered prolonged disruptions and remain a consistent target for ransomware groups. While it's unclear when the attack began, the Hopewell Area School District in Pennsylvania confirmed that network disruptions were caused by a ransomware attack. Hopewell Superintendent Jeff Beltz provided a statement to ABC 4 WTAE on Oct. 23 revealing that the district notified law enforcement and began working with outside specialists to investigate the attack.
Beltz said the school district had made "substantial progress" to restore the network. The investigation has yet to reveal if student data was affected, but Beltz did confirm that the attack did not disrupt student devices.
On Oct. 23, California-based Rio Hondo College announced on its Facebook page that its website, e-learning software Canvas and AccessRio platform had been "fully restored and made accessible." The following day, Rio confirmed that its IT department had also restored financial aid disbursement services and apologized for the "temporary disruption." It remains unclear when the network security incident began, but the LockBit ransomware gang added Rio to its public data leak site on Oct. 31.
In a statement to The Record on Oct. 2, Fauquier County Public Schools located in Virginia confirmed that it suffered a ransomware attack on Sept. 12. While the attack did not disrupt the school schedule, LockBit again claimed responsibility with a ransom deadline of Oct. 19. LockBit is known as a prolific ransomware group and has held the No. 1 spot in NCC Group's top active threat actor list for some time.
Two government court systems were also affected by ransomware last month. On Oct. 12, the Kansas Judicial Branch disclosed that it was experiencing network issues that disrupted "a number of systems used daily by courts statewide" including payment and e-filing systems. That same day, the Kansas Supreme Court issued an administrative order that declared court clerk offices inaccessible for electronic filings through Oct. 15.
The following day, an update revealed that the court system would stay open but rely on paper filings. The online court system remained down as of Friday, three weeks after the incident was initially disclosed. While the court has not confirmed that it was related to ransomware, Sedgwick County, Kan., Judge Phillip Journey told media outlets that the disruptions were caused by a ransomware attack.
On Oct. 2, the First Judicial Circuit Court of Florida disclosed that it suffered a cyber attack, though it remains unclear when the attack occurred. The court system did reveal that it forced systems offline and engaged Google Cloud subsidiary Mandiant to assist in an investigation. Threat actors potentially accessed Social Security numbers, taxpayer identification numbers, dates of birth, driver's license information and state ID numbers. In some cases, stolen data also included health and insurance information. The BlackCat/Alphv ransomware gang claimed responsibility for the attack on Oct. 9.
Boeing confirms security investigation
Other notable victims of recent attacks included aviation and aerospace giant Boeing. The ransomware attack came to light after Boeing confirmed that it was investigating a cybersecurity incident following a LockBit claim that a threat actor stole a significant amount of data. The nefarious ransomware group posted Boeing to its public data leak site on Oct. 27 with a ransom deadline of Nov. 2.
On Friday, Bitdefender revealed that Boeing was taken off the leak site, which suggests that a ransom was potentially paid. The Boeing services website also remained down as of Friday, with a message citing "technical issues."
On Oct. 23, BHI Energy in Weymouth, Mass., revealed that its network was encrypted on June 29. The data breach notification revealed that BHI notified law enforcement and initiated incident response protocols directly following the attack. The Westinghouse Electric Co. subsidiary warned that an unauthorized user had potentially accessed personally identifiable information and protected health information. The Akira ransomware gang later took responsibility for the attack.
Lastly, network software vendor LiveAction disclosed that it suffered a ransomware attack in a data breach notification filed to the Office of the Maine Attorney General. While the notification was submitted on Oct. 30, LiveAction confirmed that the attack occurred in April and was detected in May. Based in Campbell, Calif., LiveAction offers analytics, network monitoring and application performance management tools.
Arielle Waldman is a Boston-based reporter covering enterprise security news.
