Last Week in Ransomware: 12.09.2024
Last week in ransomware news we saw Russia continue to influence ransomware operations, data exfiltration put the energy sector at risk, and a ransomware attack disrupt SoCal’s PIH Health...
Russia is Influencing Ransomware Attacks
Stoli Group’s U.S. subsidiaries have filed for bankruptcy following a devastating ransomware attack and coordinated actions by Russian authorities, underscoring the blurred lines between cybercrime and state-sponsored aggression.
In August 2024, the ransomware attack crippled Stoli’s IT systems, including its ERP platform, forcing manual operations, disrupting accounting, and delaying financial recovery until 2025. This disruption prevented the company from submitting financial reports, leading lenders to claim default on $78 million in debt.
A month earlier, Russian authorities seized Stoli’s last assets in the country—two distilleries worth $100 million—and designated the company and its founder, Yuri Shefler, as "extremists" for supporting Ukrainian refugees.
These moves align with a long-running campaign by Russia to reclaim Stolichnaya and Moskovskaya vodka trademarks, initiated by a 2000 executive order from Vladimir Putin. Shefler, a vocal Putin critic, fled Russia in 2002 amid politically motivated charges.
Evidence suggests the ransomware attack was part of a coordinated strategy to dismantle Stoli while advancing Russia’s geopolitical aims. Russia’s pervasive influence over ransomware operators is well-documented; in 2021, 74% of ransomware revenue flowed to Russia-linked groups.
These operators often align with Russian intelligence, enabling plausible deniability for state-sponsored aggression.
This case highlights ransomware’s dual purpose: enriching cybercriminals and advancing adversarial state agendas. Attacks targeting critical systems, such as energy or healthcare, go beyond financial motives, aiming to destabilize societies and undermine national security.
Treating ransomware as mere cybercrime is a strategic oversight, ignoring its role as a tool of cyberwarfare and state aggression. A unified, robust response is essential.
Data Exfiltration Puts Energy Sector at Risk
In a recent U.S. Securities and Exchange Commission (SEC) filing, ENGlobal Corporation disclosed a cybersecurity breach discovered on November 25, which led to the encryption of some data files.
ENGlobal, based in Houston, Texas, provides engineering and automation services to energy sector organizations and U.S. government agencies. The company immediately initiated containment measures, restricted access to IT systems, and enlisted external cybersecurity experts to investigate and remediate the breach.
While essential business operations remain accessible, the timeline for full system restoration is uncertain. ENGlobal has yet to determine whether the attack will materially impact its financial condition or operations, and it did not specify if sensitive data was exfiltrated.
This breach underscores the vulnerabilities faced by critical service providers, particularly those involved in energy and automation. ENGlobal’s focus on automated control systems for the energy, municipal, healthcare, and commercial sectors places it at a heightened risk of cyberattacks.
The attack coincides with a ransomware incident involving Schneider Electric, where 40 GB of sensitive data was exfiltrated, demonstrating the cascading risks posed by cyberattacks on critical infrastructure suppliers.
These breaches highlight the growing threat of attackers leveraging stolen data, such as system blueprints or operational protocols, to craft precision strikes against downstream targets like energy producers.
Such breaches threaten not only corporate stability but also national security. Exploited vulnerabilities in operational technology (OT) systems could lead to power outages, supply chain disruptions, and long-term economic and security consequences.
Safeguarding critical infrastructure against these evolving threats is imperative to prevent cascading attacks and maintain public trust.
Ransomware Attack Disrupts PIH Health
PIH Health, a Southern California healthcare network, experienced a crippling ransomware attack on December 1, 2024, severely disrupting operations across its three hospitals—Downey, Whittier, and Good Samaritan—and affiliated urgent care centers, doctors’ offices, and home health agencies.
The attack shut down critical IT systems, including electronic health records (EHRs), laboratory tools, pharmacy systems, patient registration, and communication channels such as internet and phone lines. Patients have been advised to expect delays, bring paper prescriptions, and rely on manual processes while services remain offline.
Described as a "criminal act," the attack has left families facing difficult choices, with many seeking alternative care. PIH Health is working with cyber forensic specialists and the FBI to restore systems, though no timeline has been provided.
Officials assured patients that no furloughs are planned and promised to notify those affected if personal health information is found compromised.
This incident underscores the healthcare sector's glaring vulnerabilities amid digital transformation. Ransomware groups exploit critical systems, knowing that disruptions to patient care can be life-threatening, using this leverage to demand ransom payments.
The financial toll of such attacks is staggering—downtime costs can exceed $900,000 per day, with total recovery surpassing $4 million. Beyond financial losses, these attacks delay treatments, interrupt diagnostics, and put lives at risk.
Ransomware attackers also weaponize stolen health data, exploiting patients already facing medical challenges.
Healthcare’s reliance on outdated systems has made it a prime target, demanding urgent action to dismantle ransomware networks, penalize operators, and fortify healthcare cybersecurity. Lives depend on it.
Termite Claims Blue Yonder Attack
The new ransomware group Termite has claimed responsibility for a cyberattack on Blue Yonder, a key supply chain management software provider.
The breach, announced on Termite's Dark Web site, has disrupted operations for major clients like Starbucks, Walgreens, Albertsons, and DHL. Termite claims to have stolen 680GB of sensitive data, including database dumps, emails, and over 200,000 documents, and has hinted at plans to leak the information.
The attack, which began on November 21, highlights Blue Yonder's critical role in logistics and retail operations. The Arizona-based company is working to restore systems and assist affected clients.
Termite, which emerged in November 2024, uses a modified version of Babuk ransomware, encrypting files with a ".termite" extension and issuing ransom notes. Known for targeting sectors such as government, education, and automotive supply, the group likely gains access through phishing, stolen credentials, and software vulnerabilities.
Termite’s victims span multiple countries and industries, including Nifast Corporation (U.S.), Culligan France, OQ (Oman), Lebenshilfe Heinsberg (Germany), and Canada’s Conseil Scolaire Viamonde.
Despite claiming several breaches, Termite has not yet released stolen data, suggesting they leverage the threat of exposure for ransom negotiations.
Operating an English-language data leak site and offering "support" via encrypted communication platforms, Termite portrays a façade of professionalism.
Financial motives drive their actions, with no evidence of political or ideological agendas. However, their lack of a decryption tool makes their attacks particularly damaging, posing prolonged operational risks to victims.
Major Costa Rican Energy Provider Hit
Costa Rica’s state-owned energy provider, RECOPE, suffered a ransomware attack last week, forcing a shift to manual operations to maintain fuel distribution. RECOPE, which oversees the nation’s fossil fuel supply chain, discovered the attack on Wednesday, disrupting its digital payment systems.
Despite operational challenges, the company reassured citizens of ample fuel inventories and maintained regular unloading at docks. Public concerns led to a spike in fuel sales, prompting extended working hours through the weekend.
RECOPE collaborated with Costa Rica’s Ministry of Science, Innovation, Technology, and Telecommunications (MICITT) and U.S. cybersecurity experts, who arrived on Thanksgiving, to address the crisis. Although some systems were partially restored, manual operations remain in place to ensure safety.
This incident mirrors Costa Rica’s 2022 Conti ransomware attack, which crippled government services and led to a state of emergency. Despite U.S. support, including $25 million for cyber defenses, vulnerabilities persist.
The attack underscores ransomware’s evolution into a sophisticated, multi-billion-dollar criminal enterprise. Cybercriminals often refine tactics on smaller targets like Costa Rica before escalating to critical infrastructure in larger nations.
The U.S. must heed these warnings, strengthening defenses and recovery strategies to protect vital sectors like energy, healthcare, and transportation against increasingly advanced threats.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.