Ransomware Attacks in May 2023
In May, we witnessed a significant surge in ransomware attacks, reaching a record-breaking count of 66 publicly disclosed incidents. This is the highest number we have recorded since our blog's inception in January 2020. Notable actors such as Royal, LockBit, and BlackCat were particularly active during this period.
Education emerged as the most heavily targeted sector, experiencing a disproportionate number of attacks. However, we also observed a few instances of ransomware targeting religious organizations, which is an uncommon occurrence in this context.
Several noteworthy incidents garnered attention during this month. Cybersecurity firm Dragos faced a failed extortion attempt, while an attack on health services organization Harvard Pilgrim caused significant disruptions to patient care. Additionally, dental insurance provider MCNA notified nearly 9 million patients of a cyber incident impacting their data.
Let's take a closer look at some of the headline-making ransomware incidents from May:
Penncrest School District: The district fell victim to a ransomware attack early in May, resulting in disruptions to its operations. As a precautionary measure, the district shut down and disconnected its entire network and technology infrastructure. Network access was limited for up to three weeks. Fortunately, there was no evidence of data loss, data access, or data theft.
Montana State University (MSU): Royal Ransomware Group targeted MSU, claiming to have stolen over 100GB of data. The cyberattack caused disruptions to the university's online services. As of now, Royal has not provided any proof of exfiltrated student or faculty data, and further information about the incident is currently unavailable.
HWL Ebsworth (Australian commercial law firm): The firm fell victim to a BlackCat ransomware attack, which resulted in the exfiltration of 4TB of data. The stolen information included IDs, finance reports, accounting data, client documents, and credit card details. Reports indicate that the ransom demanded was approximately $5 million, but the law firm refused to pay. Several high-profile clients also withdrew their files from HWL Ebsworth due to concerns about the security of their data.
Our Sunday Visitor (Catholic publishing firm): Our Sunday Visitor experienced a compromise by the Karakurt ransomware gang, leading to the exfiltration of 130GB of data. The stolen data encompassed employee information, accounting files, HR documents, invoices, marketing details, and financial contracts. Immediate action was taken to secure the systems after suspicious activity was detected.
AvidXchange: AvidXchange encountered its second ransomware attack in 2023, this time by RansomHouse. The software provider was urged to contact the attackers to prevent the leakage of confidential data. Stolen data samples included non-disclosure agreements, employee payroll information, corporate bank account numbers, and login details for various company systems. The method of compromise, the extent of impact on individuals, and the amount of exfiltrated information remain unclear.
City of Dallas: The City of Dallas became a victim of the Royal ransomware group, resulting in the shutdown of certain IT systems to mitigate the attack's spread. Multiple functional areas, including the police department, were impacted. This forced 911 dispatchers to resort to writing down reports for officers instead of using computer-assisted dispatch systems. Ransom notes printed by the attackers taunted the city, indicating a lack of investment in cybersecurity. The investigation is ongoing.
EdisonLearning (provider of school management systems): EdisonLearning experienced an infiltration by the Royal ransomware group, who claimed to have stolen 20GB of data. The exfiltrated data was reported to include personal information of employees and students. However, the organization's Director of Communications contradicted this claim