Last Week in Ransomware: 04.08.2024

Last week in ransomware news we saw backups hit in 94% of attacks, MSP sued after ransomware attack, and US Fertility settle lawsuit for $5.75M following attack...

Jackson County Declares State of Emergency following Ransomware Attack

Jackson County, Missouri, declared a state of emergency and indefinitely closed agency offices following a ransomware attack, disrupting vital services such as tax payments, marriage licenses, property tax assessments, and inmate searches.  

Although officials are investigating the cause, ransomware is considered a potential culprit. The county is working with cybersecurity partners to identify the root cause and mitigate the impact.

Ransomware attacks, often financially motivated, aim to maximize profits through higher ransom demands. However, when targeting government or critical infrastructure, attacks may serve larger geopolitical agendas.  

Some attacks, purportedly from cybercriminals, align with the strategic interests of adversarial nations like Russia. Evidence suggests ransomware operators may participate in nation-state-sponsored attacks, blurring the line between cybercrime and geopolitical strategy.

Calling ransomware attacks what they are—terrorist acts—provides avenues for stronger responses, including offensive cyber and military actions. Executive Order 13224 defines terrorism as acts intended to intimidate civilians, influence government policy, or affect government conduct.  

By recognizing ransomware attacks as terrorism, nations can leverage broader countermeasures against threat actors and their sponsors.

Ransomware attacks on critical infrastructure constitute a form of terrorism, closely tied to adversarial geopolitical interests. Treating them as such enables a more robust and proactive response, safeguarding national security and deterring future attacks.

READ MORE HERE

Ransomware Operators Targeting Backups

A recent study has revealed that in 94% of ransomware attacks, data backups are the primary target, significantly amplifying the ransom demands imposed on the victims.  

The survey, conducted among security professionals, indicates that attackers either attempt or successfully compromise data backups, compelling victims to pay more than twice the average ransom demand, amounting to $2.3 million compared to $1 million.  

Moreover, organizations with compromised backups were nearly twice as likely to acquiesce to ransom demands, with a median payment of $2 million, doubling the likelihood of payment compared to those with secure backups.

This trend reflects a shift in ransomware tactics, where attackers not only encrypt files but also exfiltrate sensitive data, rendering traditional backup restoration methods ineffective.

Even if backups remain intact, attackers increasingly employ tactics to delete shadow copy backup files, diminishing the utility of backup systems in mitigating attacks.

The dire consequences of ransomware attacks are illustrated by a case study involving a manufacturing company, which suffered from the Akira ransomware group's assault.  

The attack resulted in the encryption of all Windows workstations and servers, rendering backups irrecoverable and necessitating a lengthy and costly rebuilding process.

While data backups remain essential for disaster recovery, organizations must recognize their limitations in combating ransomware attacks.  

Dependence solely on backups for recovery is no longer viable, emphasizing the urgent need for comprehensive cybersecurity measures to thwart such threats effectively.

READ MORE HERE

Managed Services Provider Sued Following Ransomware Attack

A lawsuit filed by law firm Mastagni Holstedt against managed service provider (MSP) LanTech LLC and data backup provider Acronis seeks over $1 million in damages, alleging failure to safeguard against a ransomware attack.  

The suit claims an oral agreement with LanTech to provide monitoring, advice, and backup services, but Mastagni experienced a significant outage resulting in data loss.  

A ransom demand by the group Black Basta prompted efforts to recover data through Acronis, only to find backups deleted. Potential data exfiltration raises further legal concerns for Mastagni.

This case underscores the broader impact of ransomware attacks, extending beyond immediate financial costs. Average remediation expenses exceed $4 million, with lawsuits adding to liabilities, including brand damage, lost revenue, and regulatory penalties.

Double extortion tactics, involving both encryption and data exposure threats, heighten risks and legal ramifications.

As attackers evolve tactics, organizations handling sensitive data must prioritize robust security measures and clear service agreements with providers.  

The lawsuit highlights the importance of defining service levels and responsibilities in cybersecurity partnerships. However, assigning blame solely to service providers overlooks the complex and evolving nature of cyber threats.

Amidst escalating attacks, efforts to assign liability may intensify, but addressing ransomware requires collaborative efforts to enhance defenses and response strategies.  

Clear communication, proactive security measures, and ongoing risk mitigation are essential in navigating the evolving landscape of cyber threats and legal challenges.

READ MORE HERE

Fertility Clinic Settles Lawsuit Following Ransomware Attack

US Fertility (USF) settled a class action lawsuit for $5.75 million after a ransomware attack in 2020 compromised data for nearly 900,000 individuals.  

While USF did not admit culpability, the lawsuit alleged a failure to implement adequate security measures, allowing hackers to infiltrate systems for over a month undetected. The attackers executed a ransomware scheme that blocked USF's access to its own system, leading to the data breach.  

This incident highlights the pervasive impact of ransomware attacks, with recovery costs averaging over $4 million, not accounting for additional losses such as brand damage and regulatory penalties.

Ransomware attacks increasingly involve data exfiltration before encryption, leveraging stolen data to compel victims to pay ransom demands under the threat of exposure.

Double extortion tactics, including demands for additional payments to prevent data leaks, have led to class-action lawsuits and heightened liability risks for organizations. Even with prepared incident response plans, the exposure of sensitive data exposes victims to further legal and financial consequences.

Despite growing regulatory efforts, such as the SEC's reporting rule requiring disclosure of material security events within four days for publicly traded companies, challenges remain in accurately assessing and reporting cyber incidents.  

Forensic investigations are complex and time-consuming, often leading to incomplete disclosures or regulatory actions due to reporting timelines not aligning with investigation realities.

The evolving legal landscape around cybersecurity underscores the need for comprehensive security measures and clear regulatory frameworks.  

While C-level executives and boards face increasing legal and regulatory scrutiny, it is often cybersecurity professionals who bear the brunt of accountability following successful attacks.  

As organizations navigate these challenges, emphasis on early detection and proactive security measures becomes crucial to mitigating the impact of ransomware attacks and addressing regulatory compliance effectively.

READ MORE HERE

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.