Threat Intelligence Report: Armor Identifies 15 New Ransomware Victims Since October 1

5 Healthcare Networks and/or Organizations, 2 Municipalities, 3 School Districts, a Police Department, NC State Bar Association, 2 Employment Agency Offices, and a Radio Station

Since October 1, Armor, a global cloud security solutions provider, has identified 15 new organizations which have been hit by ransomware in the U.S. including 5 healthcare networks and/or organizations, 2 municipalities (one of which has suffered 3 ransomware attacks this year), 3 school districts, a police department, the North Carolina State Bar, 2 Florida employment agency offices, and 1 radio station (the 10th to be hit this year).

Hackers Hit 5 Healthcare Networks and/or Organizations in 4 States Forcing 1 to Close Permanently, 1 to Halt Admissions, and 1 to Notify 400,000 Patients

Last week, Wood Ranch Medical of Simi Valley, California announced it would close its doors permanently on December 17, 2019 due to a ransomware attack that occurred on August 10. They are the second publicly reported healthcare victim organization to announce that they are closing their practice this year, due to the destruction of patient files and billing records. Brookside Medical Center in Battle Creek, MI reported in April 2019 that it was forced to close its practice following a ransomware attack in March 2019 because the ransomware affected everything from patient records to billing information. The hackers demanded $6,500 and the owners of the Brookside ENT and Hearing Center opted not to pay.

Non-profit Sarrell Dental and Eye Centers, which has 15 dental centers across Alabama, announced last week that they were a victim of a ransomware attack in July, and reported that the threat actors had been inside their IT networks since January. The attack took their systems down for two weeks and resulted in the non-profit having to notify almost 400,000 patients.

As reported on Tuesday, October 1 and to date, three medical centers belonging to the DCH Health System in Tuscaloosa, Alabama, have been forced to halt admissions and divert new patients to other hospitals (outside of those who are critical) following a ransomware attack. On Saturday, October 5, the DCH Health System released a statement saying “they had obtained a decryption key from the attacker to restore access to the locked systems.” The medical centers impacted include: DCH Health Regional Center in Tuscaloosa, as well as the DCH Medical Centers in Fayette and Northport, Alabama. DCH Health System reported that they were hit by the Ryuk ransomware.

In other healthcare ransomware attacks, CHI Health Lakeside Hospital in Omaha, Nebraska reported that they were hit by a ransomware attack on September 27 that impacted its orthopedic clinic. Berry Family Services of Rowlett, Texas, a family-owned healthcare provider for families with disabilities, was reported to have paid an undisclosed ransom demand after their system was attacked July 10. The ransomware attack encrypted 1,751 patients’ information. Patient data that could have been exposed in the ransomware attack included names, addresses, dates of birth, Social Security numbers, medical insurance information and related health information. However, the Berry Family Services reported that they are unaware of any evidence that the information has been misused. They are offering affected patients one year of credit monitoring and identity theft protection services.

“Even more so than schools, people rely on hospitals and medical practices to provide critical services to patients without disruption,” said Chris Hinkley, Head of Armor’s Threat Resistance Unit (TRU) research team. “These ransomware attacks are beginning to take systems and data hostage which has an immediate and potentially life-threatening impact on people’s lives. Healthcare organizations may feel they have little choice except to pay the ransom. Unfortunately, some medical practices can’t afford the ransom or the cost to recover and are going out of business.”

Amor has identified 33 publicly reported healthcare organizations which have fallen victim to ransomware attacks since January 2019, making them the third largest victim pool after municipalities (75) and educational institutions (57).

Ransomware Attackers Go After 2 Municipalities, One for the 3rd Time

Cornelia, Georgia reported that during the last week of September that they got hit by ransomware for the 3rd time this year. However, as a result of this incident, they state that their computerized billing system was only down for one day. It was the third ransomware attack this year on the small Georgia city of just over 4,000 people. According to an October 2 report by Georgia radio station WDUN, Cornelia City Manager Donald Anderson stated regarding the ransomware attack: “The other two times this year, it actually shut us down for multiple days, so for that reason tonight we approved the purchase of a new firewall to help fix this.” Anderson added that the current firewall is over 10 years old and is no longer supported by the vendor.

City of Charlton Town, Massachusetts Hit by Ransomware

The city of Charlton Town, Massachusetts reported on September 23 that they were a victim of a ransomware attack on August 30. The attack is said to have encrypted documents, emails and data on various servers, and to have impacted 17 departments of the city, including the police department.

Massachusetts Police Department Suffers Ransomware Attack

The police department of Athol, Massachusetts reported on September 23 that they were hit by ransomware in July 2019, and as of October 8, their computer systems were still not fully functional. The hackers demanded $50,000 and later reduced the amount to $30,000. However, they did not pay the ransom, according to Athol Police Chief Craig A. Lundgren.


Missouri’s Platt County School District, Ridgway Area School District in Pennsylvania and Cherry Hill School District in New Jersey Join 54 Other School Districts and/or Educational Institutions Infected with Ransomware

Ridgway School District in Elk County, Pennsylvania stated they suffered a ransomware attack July 30 that temporarily locked network access and files, but left student and parent portals intact. Another victim, Platt County School District in Missouri reported on October 1 that they were a victim of ransomware in late August 2019. Platt County School District’s IT Department Manager Andy Hall reported that they were successful in “shielding their most sensitive information” and “none of the Chromebooks assigned to students were threatened.”

Also, interesting of note, Hall said in an interview that the school district’s decision to store loads of information in the cloud, rather than on local servers, likely saved them from additional issues. Armor suggests users have multiple backups of their critical data, applications, and application platforms. These backups must be air-gapped from the internet and password protected.

Administrators in the Cherry Hill School District of New Jersey have been without a fully functioning computer system since October 3, following a ransomware attack. Superintendent Joseph Melcohe confirmed the attack adding “Some files within the computer system were reported to be encrypted and screens displayed the word, ‘Ryuk,’ which is associated with a criminal organization that demands ransomware payments to unlock affected computer systems.”

North Carolina State Bar’s Website and Continuing Education Portal Taken Down by Ransomware

On Monday, October 7, 2019, the North Carolina State Bar announced they had been a victim of a ransomware attack which occurred on Monday, September 30. They reported that an attack infiltrated their network through a server and began encrypting their system, server by server. As of October 8, their website is still down and they report that their continuing legal education portal is also down. The attack was quickly identified by the State Bar’s monitoring system, and they report that their files are being restored from backups.

2 Florida Employment Agencies Victimized by Ransomware

CareerSource Florida, an employment agency with over 100 locations , reported that two locations in the Tampa Bay area were victims on October 2. Doug Tobin, a spokesman at CareerSource Tampa Bay said the company had a robust backup and recovery system, and that the attack was isolated to the last 60 days of data.


Ohio Radio Station 1 of 10 Hit by Ransomware this Year

Local radio station WWOW-A in Conneaut, Ohio was attacked with ransomware on October 5, knocking the station off the air. WWOW-A partner Bill Shannon remarked, “We have ordered new computers and intend to install a new automation system this week to return to service. Thankfully the audio data drives appear unaffected so we can transfer that data to the new system. We were past due for an upgrade anyway.”

WWOW-A is the 10th radio station this year to become a victim of hackers. Max Media, which owns a network of radio stations in the U.S., had six Illinois radio stations fall victim to ransomware in September. Entercomm, the second largest radio group in the US, was also attacked in September 2019.

Armor identified 62 publicly reported ransomware attacks in 2018. Based on that number, Armor has seen a 230% increase in the number of publicly reported ransomware attacks in 2019, with over 200 incidents since January.

 

15 New Ransomware Victims in 12 States Since October 1st

Healthcare Wood Ranch Medical Simi Valley CA
Healthcare CHI Health Lakeside Hospital Omaha NE
Healthcare Berry Family Services Rowlett TX
Healthcare DCH Health System Tuscaloosa AL
Healthcare Sarrell Dental and Eye Centers Anniston AL
Municipality City of Cornelia Cornelia GA
Other CareerSource Tampa Bay Tampa Bay FL
Other CareerSource Pinellas Clearwater FL
Other North Carolina State Bar Raleigh NC
Education Platte County School District Platte City MO
Law Enforcement Athol Police Department Athol MA
Municipality Charlton Town Charlton MA
Media WOWW Radio Conneaut OH
Education Ridgway Area School District Ridgway PA
Education Cherry Hill School District Cherry Hill NJ

Key Ransomware Protection Tips Include:

  • Offline Data Backups – users must have multiple backups of their critical data, applications, and application platforms. These backups must be air-gapped from the internet and password protected.
  • White Listing Solution – limits the use of applications and processes that are allowed to run in your environment by providing a short list of approved applications and processes. Like a VIP List for your PC, if it’s not on the list,
    it’s not allowed.
  • File Integrity Monitoring—Monitors your IT environment 24x7x365 for changes to critical OS, files and processes such as directories, registry keys, and values.  It also watches for changes to application files, rogue applications running on the host and unusual process and port activity, as well as system incompatibilities.
  • Practice Least Privilege Access Control –ensure the user has the least privilege for their job. This also applies to services.
  • Audit/Penetration Testing from Independent, Third-Party Experts—to ensure that you are implementing best practices.
  • IP Reputation Monitoring/Blocking—blocking known bad infrastructure and actors
  • Continuous Security Awareness Training– educate employees about current and emerging cybersecurity risks and phishing emails. Effective training should actively engage employees and include policies concerning the correct response to suspected phishing attempts.
  • Endpoint Protection Solution – includes protection, detection and response capabilities for laptops, workstations and mobile devices. Utilizes antivirus (AV) and antimalware (AM) to block cyberattacks. It is also used to quickly detect and remediate any malicious activity or infection that has made its way onto the endpoint.