Ransomware Attacks

Chris Swagler | November 8th, 2023

 

After ransomware activity hit all-time highs in September, the trend of ransomware attacks targeting hospitals and schools continued to escalate in October. The 2023 ransomware database maintained by an editorial tracks publicly acknowledged and reported ransomware attacks against US companies, and it recorded 35 ransomware attacks in October, compared to 21 in September. Ransomware-related outages impacted both the public and private sectors, with victims ranging from schools and hospitals to an energy supplier, a single law firm, and an insurance company. One cybersecurity company recorded a record-breaking number of ransomware attacks in September, representing a 153% rise year over year. Analysts predicted that the increased activity would continue throughout the new year. Not only did attacks rise last month, but the effect on some victims was severe.

Akumin Inc., a Florida-based healthcare firm, reported a “recent” ransomware attack that disrupted service on Oct. 24. As a result, Akumin rescheduled clinic and diagnostic procedures. On Oct. 23, Akumin filed for Chapter 11 bankruptcy, though the 8-K filing made no mention of ransomware or a computer attack. As of Thursday, Akumin announced that services for most of its systems had been restored, and patients could continue arranging appointments. On Oct. 19, Morrison Community Hospital in Illinois published a data breach report revealing a security event that occurred on Sept. 24. According to the notification, the only data potentially obtained by attackers was explanation of benefits information. However, the event did impair service. The hospital’s phone system and internet were down on Sept. 25, affecting patient portal capabilities. Phones and the patient portal were restored on Sept. 27. On Oct. 13, the BlackCat/Alphv ransomware gang claimed responsibility for the attack via their data leak site.

On Oct. 16, Westchester Medical Center Health Network (WMCHealth) announced a cyberattack on HealthAlliance Hospital, Margaretville Hospital, and Mountainside Residential Care Center in New York. While the first announcement stated that patient care would not be disrupted, an update three days later indicated that HealthAlliance Hospital had diverted ambulances and patients to adjacent medical facilities or other hospitals in the network. WMCHealth said on Oct. 19 that it “quickly notified the New York State Department of Health, Ulster and Delaware County officials” after learning of the attack. In an ongoing investigation, the hospital network is also collaborating with law enforcement and a third-party cybersecurity firm to establish the scope of the incident. The temporary ambulance diversion was lifted on Oct. 21, one day after hospitals shut down systems to “address the threat.” As of Oct. 21, hospital services had been entirely restored, but the system restoration process was still underway.

On Oct. 15, another New York-based healthcare corporation, Henry Schein Inc., announced a cyber intrusion that disrupted business. The healthcare supplier, which serves 1 million customers worldwide, discovered the attack on Oct. 14 and determined that it affected only the company’s manufacturing and distribution operations. As a result, Henry Schein took systems offline. Furthermore, Henry Schein alerted law enforcement and launched an investigation with the assistance of independent cybersecurity and forensic IT professionals. The ransomware gang BlackCat/Alphv later claimed credit for the attack via their data dump site.

Schools Are Still Being Targeted

Aside from hospitals, schools have also been subjected to lengthy interruptions and are a common target for ransomware gangs. While it is unclear when the attack began, the Hopewell Area School District in Pennsylvania reported that a ransomware attack caused network interruptions. On Oct. 23, the Hopewell Superintendent told a news channel that the district notified law enforcement and began working with outside specialists to investigate the attack. The Hopewell Superintendent stated that the school system has made “substantial progress” toward restoring the network. The inquiry has not revealed whether student data was compromised, but the Hopewell Superintendent has confirmed that the hack did not disrupt student devices. On Oct. 2, Fauquier County Public Schools in Virginia reported a ransomware attack that occurred on Sept. 12. While the attack did not affect the school day, LockBit claimed responsibility again, this time with a ransom deadline of Oct. 19. LockBit is a well-known ransomware gang that has long held the top rank on one cybersecurity company’s top active threat actor list.

Last month, ransomware infected two government court systems. The Kansas Judicial Branch announced on Oct. 12 that it was experiencing network issues that were affecting “numerous systems used regularly by courts statewide,” including payment and e-filing systems. The Kansas Supreme Court issued an administrative order the same day declaring court clerk offices unreachable for electronic filings until Oct. 15. The next day, an update stated that the court system would remain operational but would only accept paper filings. The online court system was still down as of Friday, three weeks after the event was first reported. While the court has not acknowledged that it was caused by ransomware, a Sedgwick County judge told media outlets that the disruptions were caused by a ransomware attack. The First Judicial Circuit Court of Florida acknowledged a cyber intrusion on Oct. 2; however, it’s unclear when the attack happened. The court system did acknowledge that it took systems offline and enlisted the help of a cybersecurity company to investigate. Threat actors may have obtained Social Security numbers, taxpayer identification numbers, dates of birth, driver’s license information, and state identification numbers. Health and insurance information was also stolen in some circumstances. On Oct. 9, the BlackCat/Alphv ransomware group claimed credit for the attack.

Security Investigation Confirmed at Boeing

Boeing, the aviation and aerospace company, was another victim of recent attacks. The ransomware attack came to light after Boeing stated that it was investigating a cybersecurity incident in response to a LockBit claim that a threat actor stole a large amount of data. On Oct. 27, the ransomware group posted Boeing to its public data leak site, with a ransom deadline of Nov. 2. On Friday, one cybersecurity software company revealed that Boeing had been removed from the leak site, implying that a ransom had been paid. The Boeing services website was likewise unavailable as of Friday, citing “technical issues.”

BHI Energy in Weymouth, Massachusetts, disclosed on Oct. 23 that its network was encrypted on June 29. Following the attack, BHI alerted law enforcement and launched incident response measures, according to the data breach notification. An unauthorized user may have accessed personally identifiable information and protected health information, according to the Westinghouse Electric Co. subsidiary. The ransomware group Akira claimed responsibility for the attack. In a data breach notification filed with the Office of the Maine Attorney General, network software provider LiveAction disclosed that it had been the victim of a ransomware attack. Although the notification was submitted on Oct. 30, LiveAction stated that the attack occurred in April and was discovered in May. LiveAction, based in Campbell, California, provides analytics, network monitoring, and application performance management technologies.

With the increase in ransomware attacks in October, companies in all sectors must remain vigilant about the current threat landscape, update their network security infrastructures, and regularly keep backups offline. At SpearTip, our certified engineers work continuously to monitor companies’ data networks at our 24/7/365 Security Operations Center for potential ransomware attacks. Our IT remediation team works to restore companies’ operations, reclaim their networks by isolating malware, and recover business-critical assets. The ShadowSpear platform, our integrable managed detection and response tool, uses comprehensive insights through unparalleled data normalization and visualizations to expose sophisticated unknown and advanced ransomware threats. Our Threat Hunting is a critical pre-breach step in evaluating the effectiveness of current security measures to determine the overall health of an environment and stop breaches. Our cybersecurity awareness training educates individuals and organizations about best cybersecurity practices and provides the knowledge and skills necessary to protect their systems and data from cyber threats. Our training covers topics such as password security, phishing scams, social engineering, malware, data protection, and network security.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.

 
