“Once is happenstance. Twice is coincidence. Three times is enemy action.” – James Bond
More pattern recognition and sensemaking efforts here – following up our recent spotlight on The City of Dallas, Over a Month After A Ransomware Attack, Still not at Full Functionality and the U.S. Turning its Strategic Focus Towards Cyber Threat Vectors in Guam, Albania, and Costa Rica – further validating the broader cyber battles that the U.S. is fighting on a daily basis (in what is a broader, global cyber war in which we are already engaged against nation-state and non-state actors alike).
Ransomware Epidemic Hits a Mississippi County and a Hospital in Tampa; Cyberattack Outages in Trinidad and Tobago
Trinidad and Tobago facing outages after cyberattack
Trinidad and Tobago’s justice department is dealing with a cyberattack that has impacted the ministry’s operations. The island nation of more than 1.4 million people announced on Friday that its Ministry of Digital Transformation discovered a cyberattack targeting the country’s Office of the Attorney General and Ministry of Legal Affairs (AGLA) in recent days. No specific date was given for when the attack started but AGLA published a message saying it has been dealing with outages since June 30 and internal services were disrupted. Any court documents served electronically after that date were not received. The ministry provided alternative email addresses where people can send court documents and said in-person court services were still available in the capital of Port of Spain. AGLA did not respond to requests for comment about whether services would be up and running this week.
Lawyers for the government told other local news outlets that they were unable to access their email accounts and were unable to access critical documents for upcoming trials. The Trinidad and Tobago Cyber Security Incident Response Team (TT-CSIRT) published an advisory on Friday urging all organizations to “take the necessary precautions to mitigate against rising ransomware attacks in Trinidad and Tobago.” The agency said companies and victims should reach out to them for incident response assistance and provided several email addresses or links to ransomware guides. Any information provided to the agency is confidential and will not be disclosed publicly, they added.
There have been a spate of cyberattacks on government agencies and infrastructure in island nations around the world:
- In June, the Caribbean island of Martinique said it was dealing with a cyberattack that disrupted internet access and other infrastructure for weeks. Guadeloupe — an overseas department and region of France in the Caribbean consisting of six islands with a population of about 385,000 — also dealt with a cyberattack this year that crippled many of the local government’s systems.
- Pacific islands have also faced attack, with the government of Vanuatu being knocked offline in early November 2022 following a ransomware attack.
- The Medusa ransomware group launched a wide-ranging attack on Tonga’s state-owned telecommunications company in February, and in March the largest provider of mobile, television, internet and telephone services to the U.S. territories of Guam and the Northern Mariana Islands was hit with a cyber incident.
- Trinidad itself faced its own cyberattack last year when its biggest supermarket chain was attacked by a now defunct ransomware group. (1)
‘It feels like a digital hurricane’: Coastal Mississippi county recovering from ransomware attack
A coastal Mississippi county is in the process of recovering from a wide-ranging ransomware attack that took down nearly all of the government’s in-office computers. Nestled right along the border with Alabama, George County is the quiet home to more than 25,000 people. But the local government was thrown into chaos when ransomware actors used a discreet phishing email to gain deep access to the county’s systems. George County communications director Ken Flanagan told Recorded Future News in an interview that the situation “felt like a digital hurricane” after IT officials discovered the attack…
Investigators traced the attack back to a phishing email made to look like a routine system update reminder. When an employee opened the email and clicked on the link, that gave the unnamed ransomware group access that allowed them to jump from computer to computer until they reached an administrative account with access to the wider county network. The hackers made their way through the system throughout the weekend, encrypting everything they could in what Flanagan called a “brute force attack.” Flanagan said…that county officials realized the extent of the damage, finding that it covered “every server and network based computer that we have.”
The county already had a board meeting…that allowed all of the local leaders to convene and figure out a plan forward. At the meeting, they approved budgets for emergency cybersecurity services and increased the number of IT workers from one to four.
One server at a time
There are three county servers that need to be restored, and IT workers are bringing them back online one at a time. As they began restoring the servers…they discovered a file titled “Restore” that contained the ransom note. Flanagan said the note was “professional sounding” and had a Bitcoin wallet address to send the ransom to — the attackers demanded payment within five days.
“There was honestly nothing threatening in the wording of it. If you didn’t know any better, you would think you were just looking at a standard IT contract or agreement,” Flanagan said, declining to name the group responsible or the dollar amount of the ransom demand because they were advised not to release the information. “The County Supervisors unanimously agreed not to pay the ransom. We are a small rural county and the ransom amount was just not feasible for our budget. And, of course, there are no guarantees with these types of transactions. So, we had to say no.” The county contacted the FBI…and have had three calls with them and officials from the Department of Homeland Security…
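The intrusion described above (a phishing click, then hopping “from computer to computer” until an administrative account was reached) leaves a simple signature in authentication logs: one account reaching an unusual number of distinct hosts in a short window. The following is an added example, not code from the original article or from George County, that scores constructed logon events for that fan-out pattern; the event format, the 10-minute window and the threshold of four hosts are all assumptions a real deployment would tune.

```python
"""Flag accounts that fan out across many hosts in a short window.

Added example: a cheap lateral-movement heuristic over logon-style events.
Event tuples are (timestamp, account, source_host, destination_host); the
format, window length and threshold are assumptions, not a vendor schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. Daytime activity by "jdoe" is normal; the
# late-night burst models an attacker pivoting with that user's credentials
# until a domain controller and backup host are reached.
SAMPLE_EVENTS = [
    ("2023-06-17T08:02:11", "jdoe",   "WS-011",    "FS-01"),
    ("2023-06-17T08:15:40", "jdoe",   "WS-011",    "MAIL-01"),
    ("2023-06-17T09:00:02", "jdoe",   "WS-011",    "FS-01"),
    ("2023-06-17T22:10:05", "jdoe",   "WS-011",    "WS-014"),
    ("2023-06-17T22:11:30", "jdoe",   "WS-014",    "WS-020"),
    ("2023-06-17T22:12:12", "jdoe",   "WS-020",    "WS-031"),
    ("2023-06-17T22:13:45", "jdoe",   "WS-031",    "DC-01"),
    ("2023-06-17T22:14:10", "jdoe",   "WS-031",    "FS-02"),
    ("2023-06-17T22:16:00", "jdoe",   "DC-01",     "BACKUP-01"),
    ("2023-06-17T22:40:00", "svc-bk", "BACKUP-01", "FS-01"),
    ("2023-06-17T22:41:00", "svc-bk", "BACKUP-01", "FS-02"),
]


def parse_events(events):
    """Convert ISO timestamps to datetimes and return events sorted by time."""
    parsed = [(datetime.fromisoformat(ts), acct, src, dst)
              for ts, acct, src, dst in events]
    return sorted(parsed, key=lambda e: e[0])


def find_fan_out(events, window=timedelta(minutes=10), threshold=4):
    """Return {account: set_of_destination_hosts} for every account that
    reached at least `threshold` distinct hosts inside some `window`-long
    span. The reported set is the union of hosts seen in any alerting window,
    so an analyst gets the full blast radius rather than the first hit."""
    by_account = defaultdict(list)
    for ts, acct, _src, dst in parse_events(events):
        by_account[acct].append((ts, dst))

    alerts = {}
    for acct, rows in by_account.items():
        recent = deque()  # (timestamp, destination) pairs inside the window
        for ts, dst in rows:
            recent.append((ts, dst))
            # Drop events that fell out of the trailing window.
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            hosts = {d for _, d in recent}
            if len(hosts) >= threshold:
                alerts[acct] = alerts.get(acct, set()) | hosts
    return alerts


if __name__ == "__main__":
    for acct, hosts in find_fan_out(SAMPLE_EVENTS).items():
        print(f"ALERT {acct}: {len(hosts)} hosts in window -> {sorted(hosts)}")
```

On the constructed sample only `jdoe` trips the rule (six hosts inside six minutes, including the domain controller and the backup server), while the backup service account touching two file servers does not. In practice the threshold should be set per account class, since service and administrative accounts legitimately fan out far more than an ordinary user.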
🧵 Mentioned yesterday that there has been an uptick in attacks against local governments.
Ransomware attacks against municipalities were one of the few good news stories, with an actual decrease in *publicly reported* attacks:
2020: 188
2021: 203
2022: 195 pic.twitter.com/vQs8R6QQnu
— Allan “Ransomware Sommelier🍷” Liska (@uuallan) July 18, 2023
The Wider landscape
- The attack on George County is the latest in a string of incidents affecting counties across the U.S., including ones in Delaware, California, South Carolina, New Jersey and Oregon as well as major metropolitan areas like Oakland and Dallas.
- Both Oakland and the California city of Hayward declared states of emergency due to their ransomware attacks’ devastating effects.
- Ransomware groups have shown little preference, targeting both small counties and large ones alike.
- Recorded Future ransomware expert Allan Liska said that while the attacks on Dallas and Oakland drew national headlines, the numbers show that the first quarter of 2023 had fewer publicly reported attacks than the first quarter of 2022.
- But things began to ramp up in April, May and June of this year, with 18, 19 and 22 publicly reported attacks respectively.
- The second quarter of 2023 saw 59 attacks, far above the 51 seen in the second quarter of 2022.
- Liska had several theories on the increase, arguing that the deluge of new ransomware groups and actors splintered off from disbanded gangs was part of the reason why the numbers increased.
- “More experienced ransomware groups know municipalities don’t pay the ransom. But these newer groups are still figuring it out. Right now, all we can say is the numbers are higher, we really need more data to determine if it is a significant increase,” he said.
- “I think a lot of new actors don’t know they won’t get paid. But, even if they do know they won’t get paid, a lot of actors like to do it for the ‘clout.’ There is some reputation building in being able to knock over a city/county and generate a lot of headlines.”
- Emsisoft ransomware expert Brett Callow, who has also been tracking ransomware attacks on municipalities, has counted at least 48 incidents involving local governments so far this year, which is in line with figures from past years.
- His data shows 113 ransomware incidents affecting local governments in each of 2019 and 2020. There was a massive dip in 2021 with only 77 attacks, but an uptick in 2022 with 106.
- “This year is shaping up to be similar with 48 incidents,” Callow said. “The numbers would seem to indicate that the public sector is as vulnerable as it was in 2019, which is not good news.” (2)
Tampa hospital says sensitive data of 1.2 million stolen in failed ransomware attack
One of the largest hospitals in Florida said hackers stole the sensitive data of more than 1.2 million patients during an attempted ransomware attack in May. Tampa General Hospital has about 7,000 employees and more than 1,000 beds for patients who come from multiple counties in the region. The hospital published a notice…explaining that it detected unusual activity on its network on May 31 and quickly contained the activity, noting that it “effectively prevented encryption, which would have significantly interrupted the hospital’s ability to provide care for patients.”
But after conducting an investigation with the assistance of a forensic firm, they discovered that the hackers were in the hospital’s network from May 12 to May 30 and accessed the sensitive information of more than 1.2 million people before trying to encrypt the data, the Tampa Bay Times reported. This sensitive information includes names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, dates of service and/or treatment information used by the hospital for its business operations. The hospital reported the incident to the FBI and provided information about the hackers. The hackers did not access the hospital’s electronic medical record system, according to the statement…the Snatch ransomware group added the hospital to its leak site, according to cybersecurity expert Dominic Alvieri. The hospital told local news outlet Fox13 that it declined to pay the ransom but did not say what the demand was or who was behind the attack. The notice comes just one week after one of the biggest healthcare companies in the U.S. – HCA Healthcare – announced a data breach affecting 11 million people. The company, which runs several hospitals across the U.S., is now facing several class action lawsuits due to the breach.
Since 2019, the Snatch gang has been implicated in a number of high-profile attacks, including
The City of Dallas, Over a Month After A Ransomware Attack, is Still not at Full Functionality
The U.S. Turns Strategic Focus Towards Cyber Threat Vectors in Guam, Albania, and Costa Rica