Ransomware Attacks: A Week of Ongoing Cyber Threats

In this week’s report on ransomware-related incidents, several organisations and companies saw their defences fail. Baltimore continues to experience many problems, especially in the real estate market. Meanwhile, security firms were found to be paying off cybercriminals, while other institutions saw their networks compromised through phishing attacks.


Another Day, another Ransomware Attack in Oklahoma

According to Oklahoma’s News 4, Oklahoma City Public Schools (OKCPS) became the target of a ransomware attack. The attack occurred on May 13th and disrupted the institution’s network. OKCPS representatives stated that the cyberattack was “continuing to worsen.” Confirming the attack the following day, officials informed the public that the email system had been taken down.

“We will have no access to email. We will, however, have access to our cell phones so we encourage you to reach out to us via phone,” the organisation announced on Monday. During the week, the IT department ran security checks on 11,000 devices. At the same time, OKCPS did not cancel the student program.

To limit further exposure, OKCPS management decided to take down the email system. As an alternative communication channel, community members can reach the school through its phone lines. So far, it is unclear whether the attack included ransom demands.


Security Firms Paying Hackers

Most security firms that deal with ransomware attacks address the issue without paying the hackers. However, two companies did the opposite, paying the criminals while charging customers a premium. The two U.S. data recovery firms, Proven Data Inc. and MonsterCloud Inc., were found to be making payments to hackers on behalf of their customers.

Specifically, they paid in cryptocurrency, even though both firms publicly claimed to be “against such practice.” According to a report by ProPublica, the companies used this strategy openly as part of their regular procedures. The report goes on to state that, although not illegal, their practices departed from industry norms. MonsterCloud chief executive Zohar Pinhasi described the company’s recovery solutions as “trade secrets.”

ProPublica described the market as a “thriving one” for such fraudulent activities. “The FBI frowns on it officially — and winks at it in practice,” the analysis found. At the same time, police authorities struggle to locate the perpetrators, leaving organisations and companies to their own devices. Proven Data and MonsterCloud thus took the easier route of paying to unlock their clients’ networks.

According to the report, the SamSam ransomware was used by cybercriminals from 2015 until 2018, causing $30 million in damage to at least 200 entities. Most victims were located in the US and the UK, while security firms scrambled for solutions that would help clients recover their data. Backup services, according to the report, are among the most sought-after solutions, especially in the wake of increased ransomware activity.

Apart from ProPublica’s publication, other industry representatives acknowledged that the situation can be tricky. In an interview with Threatpost, Brett Callow, spokesperson for Emsisoft, said that “it’s easy to say that companies should never pay, but it’s also quite unrealistic.”

At the same time, the FBI looked into Proven Data’s handling of a ransomware case in Alaska. The inquiry was prompted by claims that the firms did not inform their clients of the ransom amount: they would pay the fee and then charge their clients extra without full disclosure. However, the FBI’s findings did not point to illegal activity, since the services did deliver the promised results.


Ransomware Attack Targets Idaho State

Apart from Oklahoma, it seems that US state institutions are prime targets for ransomware attacks. On May 14th, a cyberattack forced Idaho’s Ada County Highway District (ACHD) to shut down its computer networks. The FBI and the Department of Homeland Security are collaborating with local authorities to uncover the nature of the attack. During the incident, the ACHD’s network was unavailable for 30 hours.

At the moment, Ada officials do not know how the ransomware penetrated the system. Natalie Shaver, ACHD’s public information specialist, confirmed that the organisation is investigating the attack. Current findings suggest that the attackers did not reach the department’s databases, but investigators cannot guarantee that files are safe. The attackers demanded payment for decryption keys, though Shaver did not disclose the amount at the time.

“No data was lost that we’re aware of,” Shaver said. With the website temporarily out of service, department representatives immediately alerted the police. During the attack, an IT department employee notified other staff members and promptly shut down the system to stop the malware from spreading. Thus, the attack had very little impact on ACHD’s daily operations, especially since most employees work outside the agency’s offices.


25,000 Healthcare Patients Experience a Data Breach

Apart from government agencies, cybercriminals often target healthcare institutions, as the latest incident shows. Connecticut’s Southeastern Council on Alcoholism and Drug Dependence (SCADD), which specialises in addiction treatment, reported “certain disruptions in its network.” The attack itself occurred on February 18th, compromising the personal information of 25,148 patients. Although SCADD launched an immediate investigation, the announcement came almost three months later, on May 15th.

In collaboration with third-party experts, the organisation secured the system, but it also noted that patient data was compromised. The potentially stolen information includes “individuals’ name, address, Social Security number, as well as medical history, and treatment information.”

The US Department of Health and Human Services’ Office for Civil Rights (OCR), responsible for cybercrime, is conducting its own investigation. According to the news report, OCR seeks to determine whether the breach involved any violations of digital safety procedures by SCADD. The main reason OCR launched the inquiry is that SCADD made the announcement outside the 60-day reporting period.

The FBI is working closely with the organisation’s representatives to uncover the culprits behind the attack. So far, there is no information regarding any ransom demands.


Atlassian Bitbucket, GitHub, and GitLab Join Forces to Battle Ransomware

Following the recent ransomware attack on Git repositories, the major code hosting platforms decided to join forces against the threat. Atlassian Bitbucket, GitHub, and GitLab issued a joint publication that sheds light on the incident and on how users should protect themselves from future attacks. The three companies combined their support teams to uncover the issues that arose from the attack.

The attack happened at the beginning of May 2019, when attackers wiped code from numerous repositories and accounts on the three platforms. As announced by GitLab, the breach resulted from the attackers knowing the accounts’ passwords. Using them, the hacker(s) would wipe Git repositories and demand a ransom from users while holding their code hostage. Because they used legitimate account credentials, the attackers went unnoticed across all three platforms.

The joint investigation uncovered a third-party credential dump, hosted by the provider from which the attack commenced. So far, about 267 repositories are known to have been affected, roughly a third of which could be tied to that credential dump. Furthermore, the attackers harvested sensitive information from the compromised accounts, granting themselves full repository rights; this included website and app passwords, API keys, and personal access tokens.

The joint publication listed several ways for users to protect themselves, including better password management, external backups, and reduced public exposure. Additionally, using multi-factor authentication (MFA) would greatly improve users’ ability to prevent such attacks. As for the platforms’ own security systems, the joint publication did not reveal any new developments on the horizon.
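The “external backup” advice above has a catch: a mirror that blindly syncs every change will faithfully copy an attacker’s wipe into the backup. The following script is an added example (not code from the original post or from the platforms’ joint publication) that fetches the source’s branches into a staging namespace and refuses to advance any branch that was deleted or rewritten, which is how a ransom commit replacing the history would arrive; the repository paths are whatever the caller passes in.

```sh
#!/bin/sh
# Added example, not code from the original post or from the Bitbucket/GitHub/GitLab
# joint publication. A mirror that syncs every change would copy a wipe done with
# stolen credentials straight into the backup; this one stages the source's branches
# in a separate namespace and refuses to advance any branch that vanished or whose
# history was rewritten (a non-fast-forward update), which is how a ransom commit
# that replaces the real history arrives.
set -eu

# backup_repo SRC DEST  ->  returns 0 when the backup advanced, 1 when it refused
backup_repo() {
  src=$1 dest=$2
  if [ ! -d "$dest" ]; then
    git clone --quiet --bare "$src" "$dest"     # first run: take a full copy
    return 0
  fi
  # Fetch the source's current branches into refs/incoming/*, pruning stale ones,
  # so our own refs/heads/* stay untouched until each update has been checked.
  git -C "$dest" fetch --quiet --prune "$src" '+refs/heads/*:refs/incoming/*'
  refused=0
  for ref in $(git -C "$dest" for-each-ref --format='%(refname)' refs/heads); do
    name=${ref#refs/heads/}
    old=$(git -C "$dest" rev-parse "$ref")
    if ! new=$(git -C "$dest" rev-parse --verify -q "refs/incoming/$name"); then
      echo "refusing: branch $name was deleted at the source" >&2
      refused=1; continue
    fi
    if ! git -C "$dest" merge-base --is-ancestor "$old" "$new"; then
      echo "refusing: branch $name was rewritten at the source" >&2
      refused=1; continue
    fi
    git -C "$dest" update-ref "$ref" "$new" "$old"   # compare-and-swap fast-forward
  done
  # Branches that are new at the source are accepted as-is.
  for ref in $(git -C "$dest" for-each-ref --format='%(refname)' refs/incoming); do
    name=${ref#refs/incoming/}
    git -C "$dest" rev-parse --verify -q "refs/heads/$name" >/dev/null ||
      git -C "$dest" update-ref "refs/heads/$name" "$ref"
  done
  return $refused
}
```

A refusal is itself a useful signal: run from cron, a non-zero exit on a repository that normally only moves forward is worth an alert, and the previous good history is still in the backup for recovery.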


Baltimore Ransomware Week II: The Aftermath

Since May 7th, Baltimore City has been operating manually because of a devastating ransomware attack. As reported last week, the City Council switched most services from online platforms to phone and on-site operations. However, problems are mounting as time passes, since the authorities refused to negotiate with the cybercriminals. The hackers demanded 13 bitcoins (approximately $95,000) for the decryption keys, while most Baltimore departments remain locked out of their systems.

Although 911 and most dispatch services remain operational, the city’s $2 million worth of storage is at risk. One of the hardest-hit sectors is the real estate market, which is bearing the full force of the attack. Currently, businesses cannot close deals because of the database outage. Title Co.’s attorney Bob Flynn noted that these datasets are crucial for businesses, which rely on them to complete deals for their clients.

“In Baltimore City, you can’t really close a real estate transaction, whether it’s a $1,000 shell of a row house to a $50 million office building, without the ability to search title, without the ability to get water bills and without the ability to get lien certificates,” Flynn told CBS Baltimore. With the online billing system down, clients cannot complete purchases, leaving the market almost completely inactive.

With pressure rising, Baltimore’s Mayor Jack Young stated that he is open to paying the ransom as an option. So far, there are no details regarding a payment, as the deadline approaches on Friday, May 17th. Furthermore, apart from the investigations, the city has not disclosed other potential solutions for its blocked real estate market.


“No Data Loss,” says ConnectWise

In what turned out to be a ransomware attack, the Florida-based IT service company ConnectWise suffered a security breach. Although the attack itself occurred on May 3rd, the firm’s management made a public announcement only recently, on May 13th. The company’s report noted that, although the attack did slow down its operations, no data was lost. The ConnectWise Manage EU platform saw some of its functions shut down, most of them SQL databases in its EU AWS cluster.

Using file backups, the system was restored with little to no lasting damage from the attack. “We found no indication that any personal data was destroyed, altered, disclosed to, or accessed by an unauthorized party. Accordingly, we do not believe there is a risk to the rights and freedoms of EU data subjects as a result of this outage,” the report states.

To improve its security posture, the company decided to change how ConnectWise Manage operates. Namely, the company will invoice 10% of its EU revenues as reimbursement for the potential damages caused by the server shutdown. Additionally, representatives stated that they will create “snapshot transaction log backups each hour to reduce the recovery point, in the event the transaction logs are compromised.”

Currently, it is not clear whether the attack carried a ransom demand, while the firm’s representatives are working on filing a complaint with European law enforcement.


Ransomware Group Busted by Europol

Although ransomware attackers mostly remain unknown to the general public, police authorities do track their activity. After a lengthy investigation, Europol managed to dismantle a cybercriminal group with members in Ukraine, Moldova, Georgia, Bulgaria, Germany, and the US. So far, ten individuals have been arrested, with five more on the run after the initial police operation. The group developed and used the GozNym banking malware, stealing $100 million via 41,000 infected devices.

Created in 2015, GozNym was built from two older pieces of malware: the Gozi banking Trojan from 2010 and the popular Nymaim dropper. Most victims were in the banking sector in the US and Canada. Through phishing campaigns, the cybercriminals would seize control of computer networks and demand ransoms for their release.

Additionally, Europol found evidence against an administrator of the “Avalanche” network, who provided services to the criminal group. “Through the coordinated efforts, this alleged cybercriminal is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network,” Europol’s report states.

Although Europol’s success cannot be denied, the fact remains that businesses and state organisations suffer real hardship from ransomware attacks. Baltimore and other state institutions feel it quite keenly, with effects lasting long after the incident itself.

Additionally, it seems that hackers carefully choose their victims, studying their targets’ backup capabilities and the general protection their networks employ.

Easy fix

Keeping copies of files outside the live system would have helped Baltimore’s real estate market and the other organisations above.

It is easy to prevent ransomware attacks from having a permanent effect on a computer system. If you use any of the BOBcloud services, you can back up your systems to multiple destinations. Many of these, such as Wasabi, FTP and Dropbox, are priced well below £0.005 per GB and will allow you to recover from any disaster. If you want something a little more robust, such as Microsoft’s Azure, the cost will be around £0.01 per GB.

You can protect a file server with hundreds of terabytes of data for £6.50 per month. This covers our system and licences; the storage is paid for separately if you don’t want to store your data with us.


The Old Sorting Office, Corsham, Wiltshire SN13 9AA
Tel: 0800 907 8238