Hello, world!
This is the first issue of the Ransomware Roundup. We will discuss:
- ransomware news in the last week
- FBI report on economic gains due to ransomware
- talks at RSA 2020 that cover ransomware
- NIST draft guidelines
Ransomware in the News
In this section, we will discuss notable news articles about high-profile victims, victims who were successfully targeted multiple times, updates on previously announced attacks and other items as appropriate. When news of ransomware incidents comes in the response to an open records request, that is also noteworthy here; this week’s issue includes such a case in Georgia.
Redcar and Cleveland confirm outage due to ransomware
Redcar and Cleveland council, in the north east of England, confirmed this week that a ransomware attack is the cause of the systems outage they have been experiencing for over three weeks, according to the BBC.
As of this writing, visitors to the council’s website at redcar-cleveland.gov.uk are greeted with an explanatory note and telephone contact information for various government services for council’s ~136,000 residents.
See this Twitter thread for more. Also, BBC cybersecurity reporter Joe Tidy discusses this one on Twitter.
Cases in Florida dropped against suspected drug dealers
The police department in Stuart County Florida was hit by Ryuk ransomware in April 2019 and did not pay the ransom. On February 21, WPTV revealed new elements of the impact of the attack. As a result of the data loss, 28 charges against 6 defendants in 11 drug-related cases had to be dropped, according to WPTV who interviewed a police representative.
ZDNet’s Catalin Cimpanu wrote this up and provides examples of other instances of evidence lost to ransomware.
About
Was the ransom paid?: No
Entry Vector: Phishing email
Malware Family: Ryuk
Ransom Amount: ~$300,000 USD
Prince Edward Island government
On February 25, the government of the Canadian province Prince Edward Island (PEI) revealed that they were victims of a ransomware attack in a press release. According to a CBC article about the incident, the province’s director of business infrastructure services noted that:
- the majority of the impacted services are internal government services
- independent backups were being performed and are being restored
It looks like PEI government is a repeat victim. In April 2018, the PEI website was encrypted by ransomware, according to local news outlet, The Guardian.
About
Was the ransom paid?: No
Entry Vector: Unknown
Malware Family: Unknown
Emcor Group
An article in The Hour notes that Emcor fell victim to a ransomware attack. As of this writing, Emcor Group’s official website has a note confirming the ransomware incident. The note, preserved in the WayBack Machine goes on to confirm that RYUK is the ransomware variant involved.
About
Malware Family: Ryuk
Others
- City of Wayne falls victim to ransomware cyber attack
- Ransomware attack responsible for La Salle County Technology Issues
- Records reveal City of Cartersville paid ransomware attackers $380K
- Gadsden school district hit by ransomware for the second time in a year
- RMLD Targeted by Ransomware
RMLD is the Reading Muniicpal Light Department. News of ransomware at this power station in Massachusetts comes a few weeks after a local NBC affiliate released the results of their investigation the impact of ransomware on government agencies in the state.
Ransomware at RSAC 2020
The RSA Conference has ended but the videos are up on YouTube! Here are the videos that I watched and think might be of interest to Ransomware Roundup readers:
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help [YouTube]
Joel DeCapua (@jedec0x0) gives some insight into ransomware investigations as conducted by the FBI. DeCapua’s talks got a lot of coverage for noting that ransomware victims paid in excess of $140 million in ransom, just in payments tracked by the FBI in a six year period. Bleeping Computer has a really good write-up if you don’t want to watch the video. Here is a PDF of the talk slides.
Ransomware: Partnering for Recovery [YouTube]
Deborah Blyth, CISCO, State of Colorado, provides some lessons learned from the 2018 ransomware attack on the Colorado Department of Transportation. This attack has been attributed to the SamSam crew also alleged to be responsible for the Atlanta ransomware incident. See the Justice Department’s November 2018 indictment.
CDOT has also published an 8-page After-Action Report that includes a timeline of the incident and a SWOT analysis.
Recommended Reading
Detecting and Responding to Ransomware and Other Destructive Events
The National Cybersecurity Center of Excellence has released draft SP1800-26 for public comment. This document comes in three volumes. NIST’s information page is here. Or download all three volumes in one PDF.
Note that the comment period closes on Friday, March 20, 2020.
The Week in Ransomware
The very excellent BleepingComputer put out The Week in Ransomware for February 28th, 2020. In particular, I will draw your attention to the article Sodinokibi Ransomware Posts Alleged Data of Kenneth Cole Fashion Giant.