Ransomware Roundup: 07.22.22

Welcome back to this week’s roundup…

Ransom City Blues

Corin Faife at The Verge reports that a small Canadian town, St. Marys, Ontario has been hit by the LockBit group. According to the report, most of the essential services in the town of 7,500 were not impacted but screenshots from the leak site show possible impact to finance, health and safety, sewage treatment, property files and public works. St. Marys is unfortunately not alone in this recent spurt of LockBit activity as the town of Frederick, Colorado’s data is also listed as compromised by the group.

School of Hard Knocks

According to a recent Sophos survey of 5,600 IT workers representing 410 colleges and universities across the globe, nearly 75% of these institutions suffered from successful ransomware attacks.

This astounding statistic (unfortunately) shows that higher education institutions are a rich and profitable hunting ground for ransomware groups, with a success rate greater than in healthcare or even financial services. As attackers run up against better defenses in other market segments, they will look for targets that, for a variety of reasons, do not commit the necessary resources to protecting their infrastructure. If you’ve been in cybersecurity for long enough, this will not come as a surprise – even with education-specific discounted programs, the adoption of new cybersecurity products and services in education has always lagged behind other segments.

Twisted Metal

As we’ve written about in previous Ransomware Roundups, ransomware targeting ESXi environments continues to grow.

While it’s one thing to ransom an endpoint, targeting bare-metal hypervisors that host multiple VMs, or even clusters of hosts, can have devastating results. DarkReading has an excellent roundup of the growth of Luna and BlackBasta, both of which have cross-platform capabilities to target Windows, Linux and ESXi systems. VMware has disclosed several critical vulnerabilities this year that attackers have been taking advantage of.

It’s yet to be seen whether the targeting of ESXi is driven solely by the opportunity these vulnerabilities have provided or whether these groups are intentionally going after a new and lucrative market segment.

Ransomware goes Freemium

Getting traction with a new product in a crowded market is always difficult; it’s why Product Led Growth (PLG) has been such a hot topic with SaaS companies over the last few years. So, it only makes sense that an up-and-coming group would simply give their ransomware away for free, the stipulation being a higher cut on commission. With Redeemer 2.0’s release, the barrier to entry for anyone to kick off a ransomware campaign has never been lower. Plus, the group has stated that if the adoption rate isn’t high enough, they’ll just open source the entire project. What a wonderful new world we’re living in.

Down the Drain

There are reports coming in that an organization that runs sewer systems in the Providence and Blackstone Valley areas of Rhode Island was hit by a cyberattack of a yet-to-be-determined kind, rumored to be ransomware. While details are scant, the crossover from cyber into physical systems has seemingly been increasing in 2022. Be on the lookout next week, as more details come to light.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

https://www.theverge.com/2022/7/22/23274372/st-marys-canada-lockbit-ransomware-cyber-incident

Author: Corin Faife

https://assets.sophos.com/X24WTUEQ/at/pgvqxjrfq4kf7njrncc7b9jp/sophos-state-of-ransomware-education-2022-wp.pdf

Author: Sophos

https://www.darkreading.com/attacks-breaches/snowballing-ransomware-variants-highlight-growing-threat-to-vmware-esxi-environments

Author: Jai Vijayan

https://www.bleepingcomputer.com/news/security/new-redeemer-ransomware-version-promoted-on-hacker-forums/

Author: Bill Toulas

https://www.providencejournal.com/story/news/local/2022/07/16/ri-sewer-system-narragansett-bay-commission-hit-cyber-attack/10076978002/

Author: Paul Edward Parker

The Halcyon Platform

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks. Halcyon is built by offensive security experts to stop attackers. Our platform is a lightweight agent that combines multiple proprietary advanced prevention engines along with AI models trained solely on ransomware.
