
July ransomware attacks slam public sector organizations

The global IT outage caused by an errant CrowdStrike channel file update dominated security news last month. But there were still plenty of ransomware attacks to go around.

Public sector entities such as county governments and a state health department were among the most prominent organizations to suffer ransomware attacks in July.

Ransomware is often top of mind in security. Last month was an exception given the global IT outage stemming from an errant CrowdStrike channel file update that began on July 19 and disrupted major sectors, such as transportation and healthcare, for multiple days. That said, extortion-powered cyberattacks haven't gone anywhere.

One cyberattack from the past month seemingly saw extortion and the CrowdStrike outage intersect. Jefferson County, Kan., said in a civic alert that the CrowdStrike outage disrupted services including the ability to access the Kansas driver's license system. The Jefferson County Clerk's Office confirmed to local television news stations, such as ABC's WHAS11, that threat actors had apparently sent an extortion note to the clerk's office claiming to have stolen data. Though the county initially thought threat actors used the outage as cover to claim an attack against the county, later investigation revealed that data was stolen.

On a related note, CISA said in a July 19 alert that it had seen threat actors take advantage of the outage for activity including but not limited to phishing. CrowdStrike also observed such activity; in a July 24 blog post, the cybersecurity vendor warned that phishing domains masquerading as legitimate CrowdStrike support links were being used by threat actors to spread an infostealer known as Lumma.

As for more traditional ransomware attacks, security vendor Check Point Software Technologies said RansomHub was the most prevalent ransomware gang in July, responsible for 11% of all published attacks. Notably, LockBit was the second most prevalent, with 8% of the total share.

RansomHub published data connected to an attack against the Florida Department of Health (DOH) to its dark web leak site in early July. The leak appeared to include high-impact data such as sensitive test results, employee records and more. Moreover, the outage apparently caused significant service disruptions for healthcare organizations and funeral homes since the attack occurred in late June. Though little public-facing information exists from the department itself, local news organizations, such as WFTV9, said the DOH confirmed an attack to them.

In other municipality news, Clay County, Ind., filed a local disaster declaration following a ransomware attack that appeared to begin around midnight on July 9. The attack caused significant disruptions to Clay County's court and clerk's office services, though all services appear to be back to normal operation.

According to a press release issued to local news outlet The Brazil Times, the attack occurred following a similar one suffered by Monroe County, Ind., the previous week; the release said the attack targeting Monroe involved a "Russia-linked cybercrime syndicate." Soon after, Clay County attributed the attack to Blacksuit Ransomware, a rebrand of Royal ransomware that itself was founded from the remains of the Conti gang.

Private sector organizations were by no means immune to attacks. Bassett Furniture filed an 8-K with the SEC on July 15 disclosing a cyberattack that began on July 10 and all but confirming the presence of ransomware.

"On July 10, 2024, Bassett Furniture Industries, Incorporated (the 'Company') detected unauthorized occurrences on a portion of its information technology (IT) systems," the filing read. "Upon detecting the unauthorized occurrences, the Company immediately began taking steps to contain, assess and remediate the incident, including beginning an investigation, activating its incident response plan, and shutting down some systems. The threat actor disrupted the Company's business operations by encrypting some data files."

Bassett Furniture claimed in the filing that due to containment measures following the attack, order fulfillment was disrupted, and manufacturing facilities were temporarily closed.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
