Ransomware Groups are Attacking Small Businesses More and More
A new Trend Micro report reveals that ransomware attacks have grown by 47% since the second half of 2022. Although the most prominent ransomware-as-a-service operations still attack big companies, most attacks were on small companies with weaker defenses.
In the first half of 2023, the most active ransomware gangs were Clop, LockBit, and BlackCat. LockBit is responsible for 1 in 6 ransomware attacks conducted on government institutions in the first half of 2023. Trend Micro has monitored 522 attacks (26.09% of all attacks) using LockBit ransomware, 212 attacks (10.59%) using BlackCat ransomware, and 202 attacks (10.09%) using Clop ransomware. Although there were reports of 202 Clop ransomware attacks in the first half of 2023, Trend Micro said it did not see any attempted attacks by the Clop ransomware group on its clients in the first 6 months of 2023.
Clop was responsible for two mass attacks in the first 6 months of 2023. One exploited a vulnerability in Fortra’s GoAnywhere file transfer solution in January, and the other exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution at the end of May. In the second attack, about 1,203 companies around the world suffered data theft.
The BlackCat and LockBit groups both carried out several high-profile attacks in the first half of 2023, including attacks on Ion Group, Royal Mail, and Taiwan Semiconductor Manufacturing firm by LockBit affiliates, and attacks on Reddit and NextGen Healthcare by BlackCat actors. Even so, these ransomware groups are increasingly attacking small companies. In the first half of 2023, small businesses were the victims of 44.8% of attacks by BlackCat and 57.3% of attacks by LockBit. Clop still favors attacks on big companies, which accounted for 50% of its attacks, while 27.2% of Clop attacks were on small companies.
The overall growth in ransomware attacks on small companies is ascribed, in part, to a dispersal of ransomware groups, aided by the exposure of the source code of Conti and LockBit ransomware, which allowed cybercriminals to create their own ransomware variants for their attacks. Trend Micro discovered 45 active RaaS and RaaS-associated groups in the first half of 2023, which is 6 more than in the second half of 2022 (an 11.3% increase).
According to monthly ransomware file detections, the most frequently attacked industries in the first half of 2023 were banking (1,812 attacks), retail (733 attacks), and transportation (859 attacks), with nearly half of the attacks on U.S. companies. Worldwide, the number of ransomware attack victims went up by 45.27% from the second half of 2022. Both ransomware attacks and extortion-only attacks have increased. New groups appear to be conducting data theft and extortion only, with no file encryption.
To deal with ransomware attacks, Trend Micro advises activating multifactor authentication, backing up information regularly using the 3-2-1 rule, applying patches promptly, validating emails before opening them, adhering to the established security setup, and using solutions that have network detection and response (NDR) functions.
Snatch Ransomware Group Attacks Mount Desert Island Hospital
Mount Desert Island Hospital, Inc. (MDIH), located in Bar Harbor, ME, sent an additional data breach notice to the Maine Attorney General regarding a data security breach initially reported on July 17, 2023. The hospital detected suspicious activity inside its system on May 7, 2023. Based on the forensic investigation, an unauthorized third party had access to its system from April 28, 2023, to May 7, 2023. MDIH stated it had begun an analysis of the files on the breached sections of its system and has now confirmed that they included the personal data and protected health information (PHI) of 32,661 persons, including 26,046 residents of Maine.
The compromised employee information included names along with at least one of these data elements: birth date, driver’s license/state ID number, financial account data, and Social Security number. Patient information was likewise compromised: name, address, birth date, Social Security number, driver’s license/state ID number, financial account details, Medicare or Medicaid ID number, medical record number, mental or physical treatment/condition details, diagnosis code/data, date of service, date of admission/discharge, prescription details, billing/claims data, name of personal representative or guardian, and medical insurance data.
Impacted persons started receiving notification letters on June 5, 2023, and were provided free credit monitoring and identity theft protection services. Neither the substitute breach notification on MDIH’s web page nor the Attorney General notifications give additional information about the actual nature of the attack; however, this seems to be a ransomware attack using the Snatch ransomware.
The Snatch ransomware gang claims to have been responsible for the theft of 266 GB of data in the cyberattack and has posted the complete data on its leak website. One 89 GB data file is shown to have 416 downloads, and a 177 GB data file has 390 downloads. Therefore, all persons notified about the attack should make sure that they sign up for the free credit monitoring and identity theft protection services.
Exposed PHI of 3,749 Individuals Reported by Pharm-Pacc Corporation
Pharm-Pacc Corporation, based in Coral Gables, FL, a managed recovery services provider to hospitals, has experienced a data security breach. The provider detected suspicious activity in its IT environment on March 24, 2023, and, after securing its systems, carried out a forensic investigation that confirmed on May 23, 2023, that an unauthorized third party had viewed its systems. On June 14, 2023, Pharm-Pacc reported that one of the systems that was viewed included the PHI of patients.
The breached data included names, birth dates, medical record numbers, patient account numbers, service dates, addresses, medical device identifiers, driver’s license numbers, taxpayer ID numbers, phone numbers, email addresses, medical photos, license plate numbers, Social Security numbers, death dates, and digital signatures. Though the above information was compromised, Pharm-Pacc did not find any evidence of misuse of any information. Impacted persons were notified about the breach on September 11, 2023. The breach report submitted to the HHS’ Office for Civil Rights indicates that 3,749 individuals were affected.