Last Week in Ransomware: 09.23.2024

Industry
Written by
Halcyon Team
Published on
Sep 23, 2024

Last week in ransomware news we saw Hunters International hit ICBC, Rhysida behind Port of Seattle attack, and one million NHS patients' data exposed...

Hunters International Hits ICBC

The London branch of the Industrial and Commercial Bank of China (ICBC) recently suffered a ransomware attack, putting millions of sensitive files at risk. A group called Hunters International claims responsibility for stealing 5.2 million files, totaling 6.6 terabytes of data.  

They have given ICBC a deadline of September 13 to meet their ransom demands, threatening to release the stolen information if the bank does not comply. As of now, ICBC has not made any public statements or responded to inquiries about the breach.

ICBC, the world’s largest bank by assets and market capitalization, plays a vital role in global financial markets. This incident is alarming, as a previous ransomware attack on ICBC disrupted critical financial markets, including the U.S. Treasury market.

In November 2023, an attack prevented ICBC from settling Treasury trades, which sent shockwaves through the market.

The growing sophistication of ransomware groups, especially those using ransomware-as-a-service (RaaS) platforms, has escalated the threat landscape. RaaS allows attackers to use automated tools to exploit system vulnerabilities, making attacks more frequent and severe.  

Financial institutions, healthcare, and critical infrastructure are common targets because they are under pressure to restore operations quickly, making them more likely to pay ransoms.

Linux systems, which power a significant portion of web servers and critical operations, have become a prime target for attackers. Despite their importance, Linux systems often receive less attention than Windows environments in terms of security.  

Attacks on Linux servers, particularly in cloud-based environments, can cause widespread damage, halting services and disrupting essential operations.


Rhysida Behind Port of Seattle Attack

The Port of Seattle has confirmed that the Rhysida ransomware group was behind a cyberattack that impacted its systems for over three weeks, starting on August 24.  

This attack caused significant IT outages, particularly at Seattle-Tacoma International Airport (SEA), disrupting key services like flight reservations, baggage handling, and check-in kiosks. The Port had to isolate critical systems, affecting Wi-Fi, passenger displays, and its website.

Although most systems were restored within a week, some services, including the Port’s website and the SEA Visitor Pass, are still being repaired. Despite the disruptions, the Port assured the public that it is safe to travel through SEA and use maritime facilities.

Port Executive Director Steve Metruck stated that they refused to pay the ransom, citing the decision as aligned with the Port's values and a responsible use of taxpayer money. Concerns remain about the possible publication of stolen data on the dark web, but no further unauthorized activities have been reported.

Rhysida, a ransomware-as-a-service (RaaS) group, emerged in May 2023 and has since carried out several high-profile attacks. The group uses advanced tactics to exploit vulnerabilities, including a double extortion model where they steal sensitive data and threaten to leak it if ransoms aren’t paid.  

Rhysida has been linked to attacks on various organizations, including the Chilean military and U.S. healthcare facilities. Their methods suggest connections with other notorious ransomware groups like Vice Society.


One Million NHS Patients' Data Exposed

A recent ransomware attack targeting NHS hospitals in London has exposed sensitive personal information of nearly one million individuals, including patients with serious medical conditions such as cancer and sexually transmitted infections.  

The Qilin ransomware gang, responsible for the June attack, leaked data involving appointment requests and pathology test forms, potentially revealing private medical details.  

While it is estimated that over 900,000 people are affected, neither NHS England nor Synnovis, the affected pathology service provider, has released an official count or clarified the specific data compromised.

Synnovis has been working to restore critical pathology services, with the attack severely disrupting blood testing across the UK. This has led to reduced blood stocks and urgent appeals for donations, especially O negative and O positive types.  

Despite restoring much of its IT infrastructure, Synnovis has not yet notified those whose data was compromised, which included names, dates of birth, and NHS numbers.

The UK has seen a marked rise in ransomware attacks on healthcare institutions, with over 12% of reported breaches in the first half of 2024 linked to ransomware.  

In response to this attack, Synnovis obtained a preliminary injunction from the English High Court to prevent further publication of the stolen data, but enforcing such orders against international attackers remains difficult.

Ransomware attacks on healthcare are escalating beyond financial motives, threatening both patient privacy and safety. Studies show that these attacks can lead to patient care disruptions, increased mortality rates, and procedural complications.  

The broader impact includes compromised medical services and vulnerable personal data, with attackers increasingly using stolen information for direct extortion. This growing crisis demands urgent governmental action to protect both critical healthcare infrastructure and the individuals affected.


Paying a Ransom is No Guarantee

A ransomware attack can be a nightmare for C-suite executives and security leaders, with systems locked and data stolen.  

The Hazard ransomware group compounded this problem for some victims by providing a faulty decryptor after receiving ransom payments, leaving victims unable to recover their data.

One organization, fearing operational downtime, privacy issues, or reputational damage, made the difficult decision to pay the ransom.  

Unfortunately, after receiving a non-functional decryptor and no further communication from the criminals, their situation worsened. This emphasizes the harsh reality that paying a ransom doesn't guarantee data recovery, as highlighted by Mark Lance, a ransomware negotiator.

The debate around whether to pay a ransom remains contentious. While the ideal stance is to never pay, many organizations face complex decisions based on their specific circumstances.  

For some, like hospitals or critical infrastructure providers, the stakes are high, and the ethical implications of delayed access to vital systems may lead them to pay, prioritizing immediate restoration over financial concerns.

On the other hand, paying often incentivizes further criminal activity and doesn't guarantee safe data return. In many cases, organizations that pay become repeat targets for future attacks. Therefore, cybersecurity experts advocate for stronger prevention measures, including system updates, backup strategies, and enhanced detection technologies.  

The best long-term defense lies in building resilience and reducing vulnerabilities, rather than relying on ransom payments as a quick fix.


Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.
