Ransomware, Threat Intelligence

Ransomware this week: ALPHV/BlackCat bounty, Cisco exploit and more

Ransomware statistics from 2023 paint a daunting picture for cybersecurity in 2024.

Last year, ransom payments exceeded $1 billion for the first time, according to research by Chainalysis. Additionally, the rate of ransomware attacks stayed steady between 2022 and 2023, with 66% of organizations suffering attacks, Sophos reported in its State of Ransomware 2023 report.  

As we enter the second half of Q1 2024, here’s a look at some of the top ransomware news of the past week.

Latest ransomware news of February 2024

News of the FBI’s disruption of the ALPHV/BlackCat ransomware gang made waves in December 2023, with the group striking back by permitting its affiliates to target critical infrastructure.

Earlier this week, ALPHV/BlackCat claimed responsibility for an attack on Trans-Northern Pipelines, a Canadian oil and gas pipeline operator, saying it exfiltrated 190 GB of data. However, the attack itself dates back to November 2023, according to Trans-Northern.

In related news, the U.S. Department of State put a $10 million bounty on ALPHV/BlackCat leaders, offering the reward to anyone who helps identify or locate the threat actors.

An additional $5 million reward is offered for information that leads to the arrest or conviction of any ALPHV/BlackCat affiliates, the department announced Thursday. Officials set up a Tor-based tip line for anonymous reporting at he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion.

Exploitation of vulnerabilities was the most common entry point for ransomware attackers in 2023, according to Sophos’ State of Ransomware report, occurring in 36% of attacks. On Thursday, the U.S Cybersecurity & Infrastructure Security Agency (CISA) added a high-severity Cisco vulnerability to its Known Exploited Vulnerabilities Catalog after researchers discovered it was being exploited by the Akira ransomware group.

The Cisco vulnerability, tracked as CVE-2020-3259, has a CVSS score of 7.5 and allows a crafted GET request to be used by a remote, unauthenticated attacker to retrieve memory contents from a vulnerable device.

Although patches were made available in May 2020, Truesec researchers discovered last month that attackers were exploiting the bug to deploy Akira ransomware in systems still running unpatched Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defence (FTD).

In other news, the RansomHouse Group ransomware-as-a-service (RaaS) operator has been using a new ransomware tool called “MrAgent” to target VMware ESXi servers. Trellix researchers said Wednesday that MrAgent helps automate ransomware deployment across large victim environments with multiple hypervisors.

U.S government offices, Romanian hospitals take big ransomware hits

Two U.S. counties and a state law office all grappled with the aftermath ransomware attacks this week, including one county that admitted to paying a ransom of nearly $350,000.

Washington County, Pennsylvania, suffered a ransomware attack last month that took many local government systems offline and leaked data including residents' Social Security numbers and driver’s license numbers. County officials ultimately voted to approve a ransom payment of $346,687, WPXI reported Thursday.  

One county commissioner who voted to approve the ransom payment cited fears the attacker would leak sensitive information about children that was stolen from the county’s Children and Youth Services Department. About 80% of the county’s systems have come back online since the Jan. 25 cyberattack, which officials attributed to “Russian hackers,” without naming a specific group.

Fulton County, Georgia, also confirmed this week that a ransomware attack was the cause of IT outages that began in late January. LockBit claimed responsibility for the attack, while Fulton County officials said Wednesday that the attack was “financially motivated” without outright confirming the LockBit attribution.

Meanwhile, a ransomware attack against the Colorado State Public Defender’s Office forced some attorneys to postpone criminal cases, according to 9News. The office, which employs 572 attorneys and handles about 130,000 criminal cases each year, confirmed that its files were encrypted and said it took its systems offline with no definitive timeline for restoration or attribution to a specific threat actor.

Outside of the U.S., Romanian hospitals were rocked by a ransomware attack against the Hipocrate IT platform Sunday. More than 100 hospitals across the country that use the platform were forced to take their systems offline and the Romanian National Cyber Security Directorate (DNSC) reported that a ransom demand of 3.5 bitcoin (about $180,000 USD) was made. Backmydata ransomware, which is part of the Phobos ransomware family, was used in the attack, according to the DNSC.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.