Ransomware Recap – March

Welcome to our March Ransomware Recap! In this monthly series, we discuss a few of the biggest ransomware stories. Let’s jump in.

Nemty Ransomware Posts Victims' Stolen Data as Punishment

Nemty Ransomware has created a data leak site to publish the information of victims who do not pay ransoms. This information can include financials, personal information of employees, client data and more. The goal of publishing confidential data is to force the next round of victims into paying a ransom.

According to Bleeping Computer, “This blog currently lists a single victim, an American footwear company, and contains a link to 3.5 Gigabytes of files that were allegedly stolen from the company.

“As more ransomware operators begin to utilize this extortion tactic, victims will need to consider all ransomware attacks a data breach. This means filing notices with the government, alerting affected people, and sending out breach notifications.”

Source: BleepingComputer https://www.bleepingcomputer.com/news/security/nemty-ransomware-punishes-victims-by-posting-their-stolen-data/

Most Ransomware Attacks Take Place on Nights and Weekends

Unsurprisingly, a recent FireEye report showed that most ransomware attacks take place after hours and on weekends, since most businesses do not have IT staff working during those times. And, if they do, staff is usually short-handed.

According to ZDNet and FireEye, “…76% of all ransomware infections in the enterprise sector occur outside working hours, with 49% taking place during nighttime over the weekdays, and 27% taking place over the weekend.”

Additionally, all of these cases were human-operated attacks, which means that the ransomware is triggered on the attacker's schedule rather than automatically. These kinds of attacks have gone up 860% since 2017.

US Department of Health and Human Services Hit by DDoS Attack

The U.S. Department of Health and Human Services (HHS) was slowed by a DDoS attack on Sunday, but the attack didn’t take it offline. A slowed site can be an issue for US citizens looking for up-to-date information on the Coronavirus spread and other information from the HHS.

DDoS attacks come in various sizes and styles, and it wasn’t disclosed which tactics were used beyond the fact that the attacks lasted for hours.

According to Naked Security, “It’s all relative of course, but downplaying it might be to miss the point because this attack was unusual in another way – officials said it coincided with a disinformation campaign carried out via SMS, email and social media that reportedly claimed that a national quarantine of the US was imminent.”

Source: Naked Security https://nakedsecurity.sophos.com/2020/03/18/ddos-attack-on-us-health-agency-part-of-coordinated-campaign/

Two Ransomware Groups Promise Not to Attack Health Organizations

In some better news, two ransomware groups, Maze and DoppelPaymer, said they will not attack health organizations during COVID-19 and will focus their attacks elsewhere.

According to Wired, “BleepingComputer reached out to the operators of multiple strains of ransomware, asking if they had plans to stop hitting hospitals during the coronavirus pandemic. Two of them actually wrote back to say yes, absolutely, they’ll take it easy on the health care industry (except pharmaceutical companies) until the Covid-19 situation improves.”

In more good news, Emsisoft and Coveware are offering their ransomware services for free to healthcare organizations during the pandemic. And don’t forget, Managecast is offering free workstation and laptop backups for remote workers during this time.

Sources: BleepingComputer: https://www.bleepingcomputer.com/news/security/ransomware-gangs-to-stop-attacking-health-orgs-during-pandemic/

Wired: https://www.wired.com/story/ransomware-magecart-coronavirus-security-news/