September a quiet month for ransomware attacks
Notable ransomware attacks in September involved a Rhode Island public school district, a Texas hospital system, and Kawasaki Motors' European branch.
September was a quieter period on the ransomware front, though some notable organizations suffered attacks last month.
Notably, the Institute for Security and Technology's Ransomware Task Force (RTF) on Sept. 26 published its "2023 Global Ransomware Incident Map" detailing trends observed in the ransomware landscape the previous year, such as attacks on large or high-value organizations. Although law enforcement action and Russia's invasion of Ukraine contributed to a small decline in the total volume of ransomware attacks in 2022, there was a 73% year-over-year increase in the number of attacks between 2022 and 2023, with 6,670 ransomware incidents tracked last year.
The RTF's report argued that the steep rise could be attributed to the rise of big game hunting -- the practice of threat actors targeting large organizations with large ransom demands. Moreover, the RTF report authors Taylor Grossman and Trevaughn Smith expect to see even more.
"As we enter the final three months of 2024, we anticipate an increase in 'big game hunting' tactics by ransomware groups -- most notably CL0P -- as cyber criminals adapt and create new ways to further extort ransomware victims," Grossman and Smith said. "We also note the execution of Operation Chronos, a major global disruptive operation targeting LockBit in February 2024, and look forward to unpacking the long-term effects of this operation."
While there were few ransomware attacks against big game targets in September, some high-profile attacks struck familiar targets in the education and healthcare sectors. For example, Rhode Island's Providence Public School District (PPSD) suffered an apparent attack on Sept. 11 when the district discovered irregular network activity. According to a Sept. 12 letter from the district to the school's community, IT staff followed proper security protocol and worked to contain the issue.
Reports in the following days said the Medusa ransomware gang was responsible for the attack. The gang demanded a ransom payment of $1 million under threat of publishing over 200 GB of allegedly stolen data on Sept. 25. Because the deadline passed, Medusa's dark web data leak site claimed to have published the data.
PPSD superintendent Javier Montañez wrote a letter to the district on Sept. 25 in which he confirmed that the district suffered unauthorized access and that "an unverified, anonymous group has claimed that they have PPSD files."
"While we cannot confirm the authenticity of these files and verify their claims, there could be concerns that these alleged documents could contain personal information," Montañez said. The superintendent further said that the district had secured assistance from a third-party security vendor and that both state and federal law enforcement had extended support.
University Medical Center (UMC) Health System in Lubbock, Texas, confirmed it suffered a ransomware attack after experiencing an IT outage on Sept. 26. The outage caused select service disruptions and forced the hospital to divert incoming emergency and non-emergency patients to nearby health facilities on Sept. 27. According to a status page dedicated to the incident, UMC began accepting emergency patients again on Sept. 30 while still diverting some patients.
Although some select patients are still being diverted according to an Oct. 11 update, the hospital system has restored a significant number of its disrupted systems, and it "[continues] to work alongside third-party firms to safely restore full operations."
Also in Texas, the Dallas suburb Richardson suffered a ransomware attack on Sept. 25. According to the city's website, an unnamed threat actor "temporarily gained access to the City's servers and attempted to encrypt data files within the network." Richardson's automated security system apparently stopped attackers early in the attack, limiting impact to a "small number of files" with no indication that sensitive data was accessed.
The city responded by shutting down internal access to its servers, but critical services remained operational. Moreover, Richardson is cooperating with the FBI as part of its response to the attack.
A notable incident occurred early last month in which prolific gang RansomHub claimed an attack against Kawasaki Motors' European offices. However, on Sept. 12, Kawasaki Motors Europe published a now-deleted statement claiming that it was targeted in an unsuccessful cyberattack that "resulted in the company's servers being temporarily isolated until a strategic recovery plan was initiated later on the same day."
This server isolation was a precaution to check all the company's data as well as identify and deal with any suspicious materials, according to the company.
"The KME IT department, IT staff at its Branches plus external cyber security advisors spent the following week isolating and health-checking all servers and restoring their interconnectivity," the statement read. "By the start of the following week, over 90% of server functionality was restored and, despite the need to ensure that each and every server was free of non-authorised information, normal business had been resumed in respect of dealers, business administration and third-party suppliers such as logistics companies."
September might have been a slightly quieter month for ransomware attacks on the whole. Malwarebytes published a blog post last Friday claiming that with 370 ransomware events recorded, September had the third-lowest volume of all months this year. The security vendor also observed a significant increase in the number of attacks from what it called "dark horse" ransomware gangs -- groups outside of the 10 most prominent.
"From October 2023 through September 2024, there was a 63% increase in the total number of known attacks outside the top ten ransomware gangs ('dark horse' groups) when comparing the first six months to the last six months," Malwarebytes' Bill Cozens wrote. "During the same period, total known attacks within the top ten ransomware gangs actually decreased by 6%."
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.