Ascension Health, a large healthcare organization, experienced a ransomware attack by Black Basta, exposing the data of 5.6 million patients. The attack disrupted operations across 140 hospitals, starting with a phishing email. This is one of the largest healthcare data breaches this year.
Daniel Christian Hulea, a Romanian national, has been sentenced to 20 years in prison for his involvement in NetWalker ransomware attacks. He has also been ordered to forfeit $21.5 million in illicit proceeds. This sentencing serves as a reminder of the serious consequences for those involved in cybercrime and ransomware operations.
Rostislav Panev, a dual Russian-Israeli national, has been charged by the U.S. Department of Justice for his role as a developer within the LockBit ransomware group. He allegedly developed code for disabling antivirus software, spreading malware, and creating ransom notes. The U.S. is seeking his extradition from Israel, where he was arrested in August. The LockBit group, which emerged in 2019, has been responsible for over 2,500 victims across 120 countries, causing over $500 million in ransom payments. Law enforcement seized part of the group's infrastructure in February, but LockBit managed to relaunch soon after.
The Play ransomware group has claimed responsibility for the cyberattack on Krispy Kreme, which disrupted online ordering systems. The attackers have threatened to release sensitive company data if their demands are not met. The initial unauthorized activity was detected on November 29, 2024, and the attackers claim to have exfiltrated significant data.
Multiple reports indicate that the state of Rhode Island experienced a significant cyberattack that has compromised the personal data of hundreds of thousands of residents. The data breach targeted the state’s online portal for social services, possibly exposing Social Security numbers and bank account details. The attackers have demanded a ransom, and the affected systems have been shut down, creating a potential crisis in public services.
The Clop ransomware group has claimed responsibility for exploiting zero-day vulnerabilities in Cleo’s managed file transfer platforms (Cleo Harmony, VLTrader, and LexiCom). The attackers used these vulnerabilities to breach corporate networks, steal data, and gain unauthorized access. The vulnerabilities include an autorun directory feature and an arbitrary file-write flaw, which together allow the execution of malicious files and the establishment of persistent access via webshells. The attack has impacted businesses across various sectors, including consumer products, food, and shipping, with most incidents occurring in the United States.
Blue Yonder, a supply chain software company, suffered a ransomware attack on November 21, 2024. The Termite ransomware group claimed responsibility for the breach, threatening to publish stolen data. The attack impacted several major clients, including Starbucks, BIC, and Morrisons, causing disruptions. Blue Yonder is investigating the incident, and the full extent of the data breach and its impact is still being assessed. This is a significant incident in the supply chain due to the number of large companies impacted.
The Brain Cipher ransomware group claimed responsibility for a data breach at Deloitte UK, allegedly exfiltrating over 1 terabyte of sensitive data. The group publicized the breach, highlighting what they deemed elementary security flaws. Deloitte has not yet confirmed the incident or the extent of the data exfiltration.
A ransomware attack by RansomHub targeted the Mexican government platform Gob.mx, resulting in the theft of 313GB of data, including government contracts, insurance, and financial information. Attackers threatened to release the data to the dark web if a ransom wasn’t paid.
The Everest Ransomware Group, known for its attacks on organizations like NASA and healthcare providers, recently targeted STIIIZY, a cannabis company. This attack resulted in the exposure of 422,075 customer records, highlighting the expanding scope of ransomware attacks into various industries. The compromise of sensitive customer data underscores the importance of robust cybersecurity measures, regardless of industry. The Everest Ransomware Group’s tactics should serve as a warning to companies across all sectors, emphasizing the need for proactive security assessments, employee training on phishing and social engineering techniques, and robust data encryption practices.
This cluster discusses the arrest of Mikhail Pavlovich Matveev, aka Wazawaka, a notorious ransomware programmer, in Russia. He is known for developing malware and having ties to various hacking groups. This arrest is significant due to his involvement in ransomware attacks. The severity of his crimes and the potential impact of his arrest on the ransomware ecosystem are still emerging.
A supply chain ransomware attack targeted Blue Yonder, impacting its customers including Starbucks and UK grocery chains. The attack disrupted operations and highlighted vulnerabilities in supply chain security. Further details on the specific ransomware used and the extent of data exfiltration are still emerging.
A new cybersecurity advisory details tactics, techniques, and procedures (TTPs) used by the BianLian ransomware group, which is suspected of targeting critical infrastructure. BianLian’s methods include data exfiltration and extortion. The advisory underscores the growing threat of ransomware attacks targeting critical infrastructure and highlights the need for proactive security measures to mitigate the impact of such incidents.
A report reveals that LifeLabs, a Canadian medical testing company, failed to adequately protect customer data in a 2019 ransomware attack. The breach exposed the personal health information of 15 million Canadians and the personally identifiable information of 8.6 million Canadians. The findings highlight critical shortcomings in LifeLabs’ cybersecurity practices and underscore the need for robust data protection measures in the healthcare sector. The four-year delay in releasing the report is also concerning.
This cluster centers on the analysis of Elpaco, a variant of the Mimic ransomware. Elpaco exhibits customizable features, including the ability to disable security mechanisms, run system commands, and customize ransom notes. The analysis details the malware’s structure, TTPs, and its use of the Everything library for file searching. The detailed technical analysis provided is valuable for security researchers and incident responders.
Mikhail Pavlovich Matveev, also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin, a notorious ransomware affiliate, was arrested in Russia for developing malware and involvement in several hacking groups. He faced US sanctions and charges, highlighting the international collaboration to combat cybercrime. The arrest is significant due to Wazawaka’s prolific malware development and ties to major ransomware operations.