Hello, world!

This is the first issue of the Ransomware Roundup. We will discuss:

  • ransomware news in the last week
  • FBI report on economic gains due to ransomware
  • talks at RSA 2020 that cover ransomware
  • NIST draft guidelines

Ransomware in the News

In this section, we will discuss notable news articles about high-profile victims, victims who were successfully targeted multiple times, updates on previously announced attacks and other items as appropriate. When news of ransomware incidents comes in the response to an open records request, that is also noteworthy here; this week’s issue includes such a case in Georgia.

Redcar and Cleveland confirm outage due to ransomware

Redcar and Cleveland council, in the north east of England, confirmed this week that a ransomware attack is the cause of the systems outage they have been experiencing for over three weeks, according to the BBC.

As of this writing, visitors to the council’s website at redcar-cleveland.gov.uk are greeted with an explanatory note and telephone contact information for various government services for the council’s ~136,000 residents.

RCBC Cyber Attack

See this Twitter thread for more. Also, BBC cybersecurity reporter Joe Tidy discusses this one on Twitter.

Cases in Florida dropped against suspected drug dealers

The police department in Stuart County Florida was hit by Ryuk ransomware in April 2019 and did not pay the ransom. On February 21, WPTV revealed new details about the impact of the attack. As a result of the data loss, 28 charges against 6 defendants in 11 drug-related cases had to be dropped, according to WPTV, which interviewed a police representative.

ZDNet’s Catalin Cimpanu wrote this up and provides examples of other instances of evidence lost to ransomware.

About

Was the ransom paid?: No

Entry Vector: Phishing email

Malware Family: Ryuk

Ransom Amount: ~$300,000 USD

Prince Edward Island government

On February 25, the government of the Canadian province Prince Edward Island (PEI) revealed in a press release that it had been the victim of a ransomware attack. According to a CBC article about the incident, the province’s director of business infrastructure services noted that:

  • the majority of the impacted services are internal government services
  • independent backups were being performed and are being restored

It looks like the PEI government is a repeat victim. In April 2018, the PEI website was encrypted by ransomware, according to local news outlet The Guardian.

About

Was the ransom paid?: No

Entry Vector: Unknown

Malware Family: Unknown

Emcor Group

An article in The Hour notes that Emcor fell victim to a ransomware attack. As of this writing, Emcor Group’s official website carries a note confirming the ransomware incident. The note, preserved in the Wayback Machine, goes on to confirm that RYUK is the ransomware variant involved.

About

Malware Family: Ryuk

Others

RMLD is the Reading Municipal Light Department. News of ransomware at this power station in Massachusetts comes a few weeks after a local NBC affiliate released the results of its investigation into the impact of ransomware on government agencies in the state.

Ransomware at RSAC 2020

The RSA Conference has ended but the videos are up on YouTube! Here are the videos that I watched and think might be of interest to Ransomware Roundup readers:

Feds Fighting Ransomware: How the FBI Investigates and How You Can Help [YouTube]

Joel DeCapua (@jedec0x0) gives some insight into ransomware investigations as conducted by the FBI. DeCapua’s talk got a lot of coverage for noting that ransomware victims paid in excess of $140 million in ransom, counting only payments tracked by the FBI over a six-year period. Bleeping Computer has a really good write-up if you don’t want to watch the video. Here is a PDF of the talk slides.

Ransomware: Partnering for Recovery [YouTube]

Deborah Blyth, CISO, State of Colorado, provides some lessons learned from the 2018 ransomware attack on the Colorado Department of Transportation. This attack has been attributed to the SamSam crew, which is also alleged to be responsible for the Atlanta ransomware incident. See the Justice Department’s November 2018 indictment.

CDOT has also published an 8-page After-Action Report that includes a timeline of the incident and a SWOT analysis.

Detecting and Responding to Ransomware and Other Destructive Events

The National Cybersecurity Center of Excellence has released draft SP 1800-26 for public comment. The document comes in three volumes. NIST’s information page is here, or you can download all three volumes in one PDF.

Note that the comment period closes on Friday, March 20, 2020.

The Week in Ransomware

The very excellent BleepingComputer put out The Week in Ransomware for February 28th, 2020. In particular, I will draw your attention to the article Sodinokibi Ransomware Posts Alleged Data of Kenneth Cole Fashion Giant.

FIN