Ransomware attacks on critical sectors ramped up in November

Supply chain software vendor Blue Yonder and energy management giant Schneider Electric SE experienced some of the most notable ransomware incidents in November.

November saw several significant ransomware attacks across the municipal government, medical and energy sectors, though one of the most notable attacks disclosed last month disrupted the food service supply chain.

Ransomware's busy November reflects the ongoing trend of threat actors attacking critical industry organizations large and small, from regional hospitals in the southeastern U.S. to "big game" targets like Schneider Electric SE.

Among those big game targets was supply chain software vendor Blue Yonder, which disclosed on Nov. 22 that it had experienced a ransomware attack that disrupted its managed services hosted environment. The attack, which began the previous day, caused ripples across a number of organizations. The disruption affected Starbucks' ability to track its workers' hours, and U.K. trade publication The Grocer reported that supermarket chain Morrisons was forced to build a new warehouse management system in mere days in order to maintain stock levels and secure its supply chain.

According to its dedicated status page, Blue Yonder on Dec. 1 said it was "making good progress, several of our impacted customers have been brought back online, and we are actively working directly with others to return them to normal business operations."

As for municipal and government-related organizations, the city of Sheboygan, Wis., disclosed that it had suffered a cyberattack last month involving, according to a Nov. 10 press release, "unauthorized access to our network by an external party." This came after a separate Nov. 7 release disclosed a "potential issue with our network."

The city said at the time it had not found evidence that sensitive personal information had been compromised. The Sheboygan city government also confirmed receipt of a ransom demand. "We have reported this incident to law enforcement, and while we have received a request for payment of a ransom, we are cooperating fully with law enforcement and incorporating their guidance into our response," the later release read.

The city first learned of the issue on Oct. 31, a news post to the official Sheboygan website claimed, and as of Nov. 22 said "there is no evidence that these unauthorized users have obtained sensitive data."

Although CISA viewed Election Day 2024 as a success from a security standpoint, the Embargo ransomware gang conducted a successful attack against Michigan's Wexford County on Nov. 5. The gang published a sample of data to its leak site and claimed to have stolen 1 TB of data. According to Michigan newspaper Cadillac News, County Administrator Joe Porterfield confirmed the attack, said the county's website had been compromised and added that election security was unaffected. The county reported the attack to authorities, including the FBI.

Embargo similarly claimed responsibility in November for an attack against American Associated Pharmacies (AAP), a cooperative that represents more than 2,000 independent and community pharmacies, as first reported by The Register on Nov. 13. The gang claimed to have stolen over 1 TB of data. Although AAP did not publish a formal disclosure, the cooperative published messages to its website at the time stating that it had initiated a full password reset on two of its websites and that "Limited ordering capabilities for API Warehouse have been restored at APIRx.com."

Memorial Hospital and Manor in Bainbridge, Ga., confirmed in a Facebook post made early last month that a threat actor or actors conducted a ransomware attack against the facility, affecting its electronic health record system. No specifics were made available at the time other than that the hospital initiated an investigation process immediately and that the hospital had moved to a "paper-based process." The Facebook post is no longer publicly viewable.

The energy sector saw its share of significant ransomware attacks as well. In early November, the Hellcat ransomware group took credit for an attack against energy management giant Schneider Electric SE. The group claimed to have obtained over 40 GB of data primarily involving "projects, issues, and plugins." The gang demanded a $125,000 ransom.

A Schneider Electric spokesperson shared a statement with TechTarget Editorial via email stating that the company was "investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms which is hosted within an isolated environment," but declined to confirm other reported details of the incident.

"Our Global Incident Response team has been immediately mobilized to respond to the incident," the statement read. "Schneider Electric's products and services remain unaffected."

ENGlobal Corporation, a major project management and engineering vendor for the energy sector, filed an 8-K disclosure with the U.S. Securities and Exchange Commission on Monday stating that the company discovered a ransomware attack on Nov. 25.

According to the 8-K, a preliminary investigation revealed that a threat actor accessed ENGlobal's IT systems and "encrypted some of its data files." The company said it took immediate action to contain, remediate and investigate the incident, which included restricting access to its IT systems.

"As a result of these and other measures, and while the investigation and remediation efforts remain ongoing, access to the Company's IT system is limited to essential business operations," the 8-K read. "The timing of restoration of full access to the Company's IT system remains unclear as of the date of this filing. The Company has not yet determined whether the cybersecurity incident is reasonably likely to materially impact the Company's financial condition or results of operations."

Ransomware attack disclosures

Several organizations disclosed notable ransomware attacks last month. On Nov. 1, the Houston Housing Authority, which provides affordable housing for more than 60,000 residents of Houston, published a press release disclosing a ransomware attack that occurred on or around Sept. 22. "The HHA is aware of the situation and is working diligently to resolve this very serious matter as swiftly as possible. We will keep the appropriate parties appraised of this situation as it develops," the release read. Approximately 38 GB of sensitive data was obtained.

Also on the healthcare front, Great Plains Regional Medical Center in Elk City, Okla., disclosed last month that it suffered a cyberattack at the hands of a threat actor that "accessed and encrypted files on our systems between September 5, 2024 and September 8, 2024," according to a disclosure on its website.

"We learned that the bad actor copied some of those files," the disclosure read. "We quickly restored our systems and returned to normal operations, but we also determined that a limited amount of patient information was not recoverable."

The incident affected more than 133,000 individuals. Although affected patient data varied on an individual basis, the information "may have included" personally identifiable information such as "name, demographic information, health insurance information, clinical treatment information, such as diagnosis and medication information, driver's license number, and/or in some instances, Social Security number," the disclosure claimed.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.