Ransomware attacks caused prolonged disruptions in October

The Ransomhub, Rhysida and Interlock ransomware gangs claimed responsibility for attacks that knocked victims' services offline, sometimes for several weeks.

Many ransomware attacks in October resulted in prolonged disruptions for victim organizations across an array of sectors including healthcare and education.

The number of reported ransomware attacks in the U.S. appeared to be low in October, following a similar trend in September. However, several notable attacks continued to show how disruptive the threat is for victim organizations. Some ransomware incidents resulted in weeks-long disruptions, knocked services offline completely and affected highly sensitive healthcare information.

October attacks hit several industries that have been popular targets for ransomware gangs. Organizations in the healthcare, education, manufacturing and public sectors continued to face significant disruptions.

On Oct. 1, Los Angeles-based C.R. Laurence (CRL) suffered a ransomware attack that disrupted its online ordering and design services. The global architectural hardware and design supplier confirmed the attack in a statement to U.S. Glass Magazine on Oct. 10. By that time, CRL said operations had been restored and an investigation remained ongoing. CRL has up to 5,000 employees and 19 U.S. service locations.

In a Facebook post published on Oct. 2, Oklahoma City Abstract and Title Co. confirmed ransomware disrupted its systems. The real estate title and development company said an external IT team and attorneys were working to resolve the attack. In the last update on Oct. 5, Oklahoma City Abstract and Title Co. said its network was "certified clean" and that progress to restore systems had been made.

The Ransomhub ransomware gang claimed responsibility for the attack on Oct. 8 and said the company had six days to give in to ransom demands. Ransomhub continues to rise as a prominent group across the ransomware landscape, according to research by NCC Group.

Michigan's largest county, Wayne County, also suffered a ransomware attack on Oct. 2 that disrupted some systems and services for two weeks. WXYZ Detroit reported that the attack affected the government's website, tax payment system, jail bonds and Register of Deeds office. Wayne County spokesperson Doda Lulgjuraj provided a statement to The Record on Oct. 3 that said the county was working from backups.

On Oct. 15, CBS News reported government systems would be fully operational by the following day. However, because of the attack, CBS News reported that Wayne County would rebuild systems and implement additional safeguards. The Interlock ransomware gang claimed responsibility for the attack, allegedly exfiltrating 7.7 TB of data.

On Oct. 9, The Union reported that the Nevada Joint Union High School District (NJUHSD) suffered a ransomware attack that affected schools across Nevada County. The attack knocked internet access offline for students in Grass Valley School District, Nevada City School District, Penn Valley Union Elementary School District, Twin Ridges Elementary School District and Clear Creek School District.

Systems remained down on Oct. 11 according to an update provided by The Union. In the update, the outlet reported that school districts were engaged in negotiations with an unnamed threat actor. So far, it appears no ransomware gang has claimed responsibility for the disruptive attack.

On Oct. 25, Colorado-based Axis Health Systems posted a data breach notification regarding an incident it discovered on Aug. 26. An investigation revealed attackers gained and maintained unauthorized access between July 9 and Sept. 4. Axis also said the attack affected sensitive patient information including names, addresses, dates of birth, health plans/policies, insurance companies, group ID numbers, claim numbers and Social Security numbers.

On Oct. 15, TechTarget Xtelligent Healthcare Security reported that Axis Health Systems' patient portal was offline following a ransomware attack. The health system posted a notice on its website, which has since been taken down, stating the portal was offline while it responded to the incident. It remains unclear why the portal was offline in October if Axis detected the attack in August. The Rhysida ransomware group claimed responsibility for the disruptive attack.

The Superior Court of California, County of San Joaquin confirmed it suffered a ransomware attack on Oct. 30. The court initially posted a notification on its Facebook page that said it was "experiencing significant connectivity issues," and later isolated its systems from the internet to conduct an investigation. The attack disrupted access to several services including phone, fax, credit card payments, online records requests, e-filing, juror reporting instructions and support assistance from the clerk's office.

Operations for the court, which serves 800,000 residents, were not fully restored as of Thursday. No ransomware gang has claimed responsibility for the attack.

"As part of the investigation, we are looking for opportunities to further enhance our security posture and taking steps to implement the appropriate measures," San Joaquin County Superior Court said in the statement.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
