Last Week in Ransomware: 12.02.2024
Last week in ransomware news we saw the Blue Yonder attack disrupt supply chains, challenges continue in the wake of the UMC Health attack, and ransomware send UK patients home...
Blue Yonder Attack Disrupts Supply Chain
Blue Yonder, a supply chain software company owned by Panasonic, suffered a ransomware attack on November 21, 2024, disrupting its private cloud services and impacting several high-profile clients.
Key affected customers included major UK grocery chains like Morrisons and Sainsbury’s, with Morrisons reporting disruptions to goods flow across nearly 500 stores and Sainsbury’s enacting contingency plans.
Blue Yonder's Azure public cloud services remained unaffected, and while major U.S. clients like Albertsons and Kroger did not report impacts, the attack underscored vulnerabilities in supply chain software.
Blue Yonder has partnered with external cybersecurity firms to investigate the breach and expedite recovery. While the company reported "steady progress," it did not provide a timeline for full restoration.
The incident highlights growing risks in supply chain software, a sector increasingly targeted by ransomware. According to OpenText's 2024 Global Ransomware Survey, 62% of organizations reported ransomware incidents tied to software supply chain partners in the past year.
The attack illustrates the cascading effects of ransomware on supply chain operations. For organizations like Morrisons and Sainsbury’s, the outage forced reliance on less efficient contingency measures, leading to delays, potential stock shortages, and customer dissatisfaction.
Financial impacts include direct recovery costs and indirect losses from downtime, missed sales, and reputational damage.
Companies dependent on vulnerable providers face scrutiny regarding their risk management practices, as reliance on third-party software increases exposure to such threats.
Modern interconnected supply chains amplify these risks, as a single compromised provider can disrupt operations across industries and geographies. Threat actors are exploiting vulnerabilities more effectively, leveraging generative AI and sophisticated tactics, further increasing the prevalence of attacks.
To mitigate risks, organizations should strengthen third-party risk management, enforce contractual security requirements, and continuously monitor vendor cybersecurity postures, reducing exposure to the cascading impacts of supply chain ransomware incidents.
Challenges Following UMC Health Attack
University Medical Center (UMC) Health System continues to deal with the fallout from an October ransomware attack that disrupted operations and exposed sensitive patient data.
The attack forced UMC to divert ambulance patients to nearby facilities, delaying care and highlighting vulnerabilities in healthcare cybersecurity.
UMC confirmed a data breach involving Protected Health Information (PHI) and Personally Identifiable Information (PII), including names, Social Security numbers, medical records, and insurance details.
Notifications to affected patients began on November 22. Such breaches invite regulatory scrutiny, particularly under HIPAA, and impose strict reporting requirements with significant penalties for non-compliance.
The incident underscores the value of proactive controls such as network segmentation and the principle of least privilege. Segmentation restricts the paths an intruder can take between systems, so a compromised workstation cannot reach backup servers or clinical systems directly; least privilege ensures that the accounts and services an attacker captures on that foothold carry as little access as possible. Neither control stops the initial compromise, but together they limit how far an intruder can move and how much can be encrypted or exfiltrated before the intrusion is detected.
The encryption event is usually the final stage of a multi-phase intrusion, preceded by activity that is observable if someone is looking for it: initial access, credential theft and privilege escalation, lateral movement, tampering with endpoint defenses, staging and exfiltration of data, and deployment of the ransomware binary itself. Organizations that detect and contain these precursors can interrupt the attack before encryption begins, sharply reducing both disruption and data exposure.
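A concrete way to reason about segmentation, added here as an example rather than anything taken from the page or from UMC's environment: model the network as zones with an allow-list of permitted flows, then compute how far an intruder on a workstation can move by chaining services that let them run code on the far side (SMB, RDP, SSH, WinRM). Zone names, services, both policies and the set of lateral-movement services are constructed assumptions for illustration.

```python
"""Added example: evaluate a zone-based segmentation policy and compute the
blast radius of one compromised workstation. Zones, services and policies
are constructed for illustration; they do not describe any real network."""
from collections import deque

# Flat policy: workstations can reach servers over admin/lateral protocols.
FLAT_POLICY = {
    ("workstations", "workstations", "smb"),
    ("workstations", "clinical-apps", "https"),
    ("workstations", "backup", "smb"),
    ("workstations", "domain-controllers", "ldap"),
    ("workstations", "domain-controllers", "rdp"),
    ("clinical-apps", "backup", "smb"),
    ("clinical-apps", "domain-controllers", "ldap"),
    ("backup", "domain-controllers", "ldap"),
}

# Segmented policy: workstations keep only the application protocols they
# need; server administration goes through a dedicated jump host.
SEGMENTED_POLICY = {
    ("workstations", "clinical-apps", "https"),
    ("workstations", "domain-controllers", "ldap"),
    ("jump-host", "backup", "ssh"),
    ("jump-host", "domain-controllers", "rdp"),
    ("clinical-apps", "backup", "smb"),   # app-tier backups only
    ("clinical-apps", "domain-controllers", "ldap"),
}

# Services that give an attacker code execution on the destination and so
# support lateral movement (assumed subset for illustration).
LATERAL_SERVICES = {"smb", "rdp", "ssh", "winrm"}


def reachable_zones(policy, start):
    """Zones an intruder in `start` can reach by chaining lateral-movement
    flows allowed by `policy` (breadth-first search over zone graph)."""
    adjacency = {}
    for src, dst, service in policy:
        if service in LATERAL_SERVICES and src != dst:
            adjacency.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency.get(zone, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def violations(policy, observed_flows):
    """Observed (src, dst, service) flows that the policy does not permit."""
    return [flow for flow in observed_flows if flow not in policy]


if __name__ == "__main__":
    print("flat, from workstations:     ", sorted(reachable_zones(FLAT_POLICY, "workstations")))
    print("segmented, from workstations:", sorted(reachable_zones(SEGMENTED_POLICY, "workstations")))
    print("segmented, from jump-host:   ", sorted(reachable_zones(SEGMENTED_POLICY, "jump-host")))
    # Constructed flows as they might be extracted from firewall logs.
    observed = [("workstations", "backup", "smb"), ("workstations", "clinical-apps", "https")]
    print("policy violations:", violations(SEGMENTED_POLICY, observed))
```

Under the flat policy a single compromised workstation reaches the backup zone and the domain controllers; under the segmented policy it reaches nothing, and only the jump host can administer servers, which turns the least-privilege question into who may log on to that host and with which accounts. The same evaluator can be run over observed flows from firewall logs or NetFlow to flag traffic the policy does not permit, which is how segmentation drift is usually found.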
For healthcare organizations, determining the scope of a data compromise is complex and time-intensive. Digital Forensics and Incident Response (DFIR) efforts require analyzing extensive datasets and malware behavior, often taking weeks or months. This process is complicated by attackers’ efforts to cover their tracks.
UMC’s experience highlights the need for robust monitoring, rapid incident response, and careful management of transparency during breach investigations to protect both patients and the organization’s legal interests.
Ransomware Sends UK Patients Home
The recent ransomware attack on Wirral University Teaching Hospital (WUTH) has highlighted the severe impact cyber incidents can have on healthcare operations.
As one of the key healthcare providers in the Wirral Peninsula, WUTH has been forced to shut down most of its IT systems, resulting in the cancellation of outpatient appointments and a significant strain on emergency services.
The disruption has left staff reliant on manual processes, severely hindering their ability to access patient records, test results, and other essential systems.
In an official statement, WUTH declared a major cybersecurity incident and urged the public to use the Emergency Department only for critical cases. A staff member described the situation as dire, with “everything” offline, illustrating the profound operational challenges faced by the hospital.
While the exact nature of the attack has not been confirmed, the response matches a typical ransomware incident, including taking systems offline to contain the damage. The extent of any data compromise remains unclear, and no group has claimed responsibility.
As WUTH manages several facilities, including Arrowe Park Hospital, the breach has disrupted a wide range of critical services and placed sensitive patient data at potential risk.
This attack underscores the vulnerabilities within the healthcare sector, including outdated legacy systems, constrained budgets, and the high stakes of operational downtime.
Ransomware groups are increasingly exploiting these weaknesses, targeting healthcare providers to maximize leverage and impact. Beyond disrupting operations, attackers weaponize stolen patient data, leading to further extortion and undermining patient privacy.
The WUTH attack reflects a growing trend where ransomware groups aim not only to disable systems but also to create cascading crises that affect entire communities.
These incidents highlight the urgent need for coordinated action among governments, industry leaders, and cybersecurity experts to dismantle ransomware networks and strengthen defenses.
Ultimately, ransomware has evolved beyond a technological threat into a humanitarian crisis. Its impact threatens the safety, dignity, and security of patients and the integrity of essential services.
Black Basta Leveraging Microsoft Teams
In October 2024, the Black Basta ransomware group expanded its tactics by leveraging Microsoft Teams for sophisticated social engineering attacks.
Transitioning from email-based scams, the group impersonates IT help desk staff on Teams to target employees directly. This method bypasses traditional email security defenses, increasing its effectiveness.
The attack begins with a flood of subscription spam to the target's inbox, after which the attacker contacts the victim over Teams, posing as help desk staff offering to fix the spam problem. Victims are talked into installing or launching remote-access tools such as Quick Assist or AnyDesk, which give the attacker an interactive session from which to deploy malware and move into the network.
Key weaknesses include attacker-controlled external Microsoft 365 tenants whose display names mimic internal IT (for example "Help Desk"), default settings that allow external accounts to message employees on Teams, misplaced trust in Teams as an internal channel, and unrestricted use of remote-access tools. Reported damages across industries, including finance and government contracting, have exceeded $15 million.
Black Basta, suspected to be an offshoot of Conti and REvil, runs a double-extortion model, exfiltrating sensitive data before encryption to pressure victims. Its encryptor uses ChaCha20 for file encryption with RSA-4096 to protect the keys, and the group has exploited vulnerabilities in products such as VMware ESXi and ConnectWise.
Affiliates have used Qakbot malware for initial access and exploits such as PrintNightmare for privilege escalation, and disable endpoint defenses through PowerShell commands before deploying the encryptor.
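The chain described in this section (an external sender posing as help desk, a remote-access tool launched minutes later, then PowerShell used to disable endpoint protection) is detectable at each step, which is the point made in the UMC section about catching precursors before encryption. The correlation rule below is an added example written for this page, not Black Basta's tooling nor any vendor's detection content; the event schema, user names, sender tenants, the internal domain corp.example, the process list and the two-hour window are all constructed assumptions.

```python
"""Added example (not Black Basta's code nor any vendor's detection rule):
correlate Teams and endpoint telemetry per user to flag the help-desk lure
chain. Events, domains and users below are constructed sample data."""
from datetime import datetime, timedelta
import re

INTERNAL_DOMAIN = "corp.example"     # assumed tenant domain of the defender
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe", "teamviewer.exe"}
HELPDESK_NAMES = re.compile(r"help ?desk|it support|service desk", re.I)
DEFENSE_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable|Add-MpPreference\s+-ExclusionPath|"
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|bcdedit.*recoveryenabled\s+no",
    re.I,
)
WINDOW = timedelta(hours=2)          # how long a lure stays "open" per user

# Constructed sample telemetry, normalised to one schema per event kind.
EVENTS = [
    {"ts": "2024-10-08T09:02:00", "user": "j.doe", "kind": "teams_message",
     "sender": "helpdesk@contoso-support.onmicrosoft.com", "display_name": "IT Help Desk"},
    {"ts": "2024-10-08T09:06:00", "user": "j.doe", "kind": "process_start",
     "image": "C:\\Windows\\System32\\quickassist.exe"},
    {"ts": "2024-10-08T09:15:00", "user": "j.doe", "kind": "powershell",
     "command": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Legitimate internal IT contact followed by a sanctioned AnyDesk session.
    {"ts": "2024-10-08T10:30:00", "user": "a.smith", "kind": "teams_message",
     "sender": "it.support@corp.example", "display_name": "IT Support"},
    {"ts": "2024-10-08T10:35:00", "user": "a.smith", "kind": "process_start",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"},
]


def classify(event):
    """Map one event to a stage of the lure chain, or None if uninteresting."""
    kind = event["kind"]
    if kind == "teams_message":
        domain = event["sender"].rsplit("@", 1)[-1].lower()
        if domain != INTERNAL_DOMAIN and HELPDESK_NAMES.search(event["display_name"]):
            return "external_helpdesk_lure"
    elif kind == "process_start":
        if event["image"].rsplit("\\", 1)[-1].lower() in REMOTE_TOOLS:
            return "remote_tool_launch"
    elif kind == "powershell":
        if DEFENSE_TAMPER.search(event["command"]):
            return "defense_tampering"
    return None


def correlate(events):
    """Per user, open a window at an external help-desk lure and attach later
    stages that land inside it. Returns one finding per escalation."""
    findings, open_chains = [], {}
    for event in sorted(events, key=lambda e: e["ts"]):
        stage = classify(event)
        if stage is None:
            continue
        ts = datetime.fromisoformat(event["ts"])
        if stage == "external_helpdesk_lure":
            open_chains[event["user"]] = {"start": ts, "stages": [stage]}
            continue
        chain = open_chains.get(event["user"])
        if chain and ts - chain["start"] <= WINDOW:
            chain["stages"].append(stage)
            severity = "critical" if stage == "defense_tampering" else "high"
            findings.append({"user": event["user"], "severity": severity,
                             "chain": list(chain["stages"]), "at": event["ts"]})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

The external-tenant check is deliberately simple: a Teams message whose sender domain is not the organization's own, with a display name that imitates IT support, opens a two-hour window for that user. A remote-tool launch or defense-tampering command inside the window produces a finding and escalates its severity; the same AnyDesk launch with no preceding lure (a.smith in the sample) is not flagged here and would normally feed a lower-severity rule of its own. In production the sender-domain comparison should use the tenant ID carried in Teams audit records rather than the display address, and the process list should be extended to every remote-access tool the organization does not sanction.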
Since its emergence in 2022, Black Basta has generated over $107 million in revenue. Notable victims include Southern Water, BionPharma, and Coca-Cola, cementing its reputation for highly targeted and sophisticated attacks.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.