Last Week in Ransomware: 08.26.2024

Last week in ransomware news we saw a new report indicating we are “on track for the worst year on record,” UK IT services provider fined over NHS attack, and Enzo Biochem fined $4.5M for poor security...

Report: On Track for the Worst Year on Record

In 2023, ransomware payments reached an unprecedented $1 billion, driven by major attacks such as Clop’s exploitation of a file transfer tool and BlackCat/ALPHV’s assault on Caesars’ hotel properties.  

The situation has worsened in 2024, with $459 million already extorted in the first half of the year, marking a $10 million increase from the same period in 2023, according to a report by Chainalysis.  

The median ransom payment for the most threatening ransomware groups has also surged dramatically, from $198,939 in early 2023 to $1.5 million by mid-2024, indicating a shift towards targeting larger, wealthier organizations.

Blockchain analysts confirmed a record ransom payment of $75 million in 2024, further highlighting the escalating scale of these attacks.  

This report aligns with data from other cybersecurity firms, which reported a median ransom payment of $2.2 million for 49 state and local governments in 2024. The frequency of ransomware incidents has also increased by 10% this year, although fewer victims are choosing to pay the ransoms.

The Chainalysis report underscores the severe financial impact of ransomware, with payments in 2023 surpassing $1 billion. Combined with the FBI's findings, which revealed that only 20% of ransomware attacks are reported to law enforcement, the true financial toll could be closer to $5 billion.  

This figure accounts only for ransoms paid, not the immense costs of recovery, brand damage, potential lawsuits, and regulatory fines that often follow such attacks.

Ransomware has evolved into a massive, highly profitable industry, with significant economic consequences for consumers, businesses, and governments. To combat this growing threat, it's crucial to disincentivize attackers by making ransomware operations unprofitable—a goal that remains challenging to achieve.  

While completely stopping ransomware attacks may be impossible, organizations can take steps to prevent them from being successful.  

This requires strategic investments in maintaining uptime, productivity, and robust contingency plans to swiftly recover from an attack. Without these investments, organizations will continue to fuel the multi-billion-dollar ransomware economy.

READ MORE HERE

UK IT Provider Fined Over NHS Attack

The Information Commissioner’s Office (ICO) has announced a potential fine of over £6 million against Advanced Computer Software Group following a significant ransomware attack in 2022 that disrupted NHS and social care services in England.  

The breach, which compromised the personal data of nearly 83,000 individuals, including sensitive medical records and other details, occurred due to a lack of multifactor authentication on a customer account.  

The attack caused critical NHS services, such as NHS 111, to go offline temporarily, exacerbating the strain on an already pressured healthcare system.

John Edwards, the Information Commissioner, underscored the gravity of the incident, emphasizing the distress caused to individuals whose sensitive information was compromised.  

He criticized the organization’s inadequate security measures, particularly given its responsibility to handle a large volume of sensitive data.  

The ICO’s findings are provisional, with a final decision pending after considering Advanced’s response. The case reflects a broader trend of increasing legal and regulatory scrutiny following ransomware attacks, particularly those involving data exfiltration.  

The rise in lawsuits against companies affected by such breaches has put significant pressure on executives and Boards of Directors, with third-party service providers also being targeted.  

An example is a lawsuit against managed service provider LanTech LLC and data backup provider Acronis, seeking over $1 million in damages for failing to protect against a ransomware attack.

Ransomware attacks now frequently involve data theft, with attackers using the threat of publishing or selling stolen data as leverage. This evolution has heightened the legal and regulatory risks for organizations, particularly in sectors handling sensitive information.  

The aftermath of such attacks increasingly includes not just operational disruptions but also potential class action lawsuits, regulatory fines, and criminal prosecutions, signaling a shift towards greater accountability for those responsible for cybersecurity within organizations.  

This complex environment requires organizations to strengthen their defenses while navigating a stringent regulatory landscape to mitigate further harm.

READ MORE HERE

‍

Enzo Biochem Fined $4.5M for Poor Security

Enzo Biochem, a biotech company, has been ordered to pay $4.5 million to the attorneys general of New York, New Jersey, and Connecticut after a 2023 ransomware attack compromised the data of over 2.4 million individuals.  

The investigation revealed significant security failings, including poor password management, lack of multi-factor authentication (MFA), and failure to encrypt sensitive data across all systems.  

The attackers exploited shared credentials, one of which had not been updated for a decade. Additionally, Enzo’s reliance on manual network monitoring allowed the breach to go undetected for days.

Following the attack, Enzo Biochem implemented extensive security enhancements, including adopting a Zero Trust approach, improving encryption practices, and enforcing MFA. However, this incident underscores the persistent vulnerabilities in healthcare cybersecurity, with numerous other companies targeted by cybercriminals during the same period.  

The attorneys general highlighted the critical need for robust data security to protect patient information. This case is part of a broader trend of increasing legal actions against organizations affected by ransomware attacks, particularly those involving data exfiltration.  

The rising number of lawsuits is putting unprecedented pressure on executives and Boards of Directors, with third-party service providers also being drawn into legal disputes.  

For example, the law firm Mastagni Holstedt sued managed service provider LanTech LLC and data backup provider Acronis for over $1 million in damages, alleging failure to protect the firm from a significant ransomware attack.

Ransomware has evolved from merely deploying malicious code to focusing on data exfiltration, where attackers threaten to publish or sell stolen data if ransoms are not paid.  

This shift has made ransomware a significant legal and regulatory concern, with organizations facing the risk of regulatory fines, lawsuits, and lasting reputational damage.

While data protection laws aim to safeguard sensitive information, they often exacerbate challenges for organizations targeted by ransomware, essentially revictimizing them. The aftermath of such attacks now includes potential class action lawsuits, regulatory actions, and even personal liability for executives.  

As these pressures converge, organizations must navigate the complex challenge of defending against ransomware while managing an increasingly stringent legal and regulatory landscape.

READ MORE HERE

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.