Notorious ransomware group BianLian has claimed to have added two new organizations as its latest cyberattack victims. The BianLian ransomware attack was allegedly carried out on two US-based firms, namely, Better Business Bureau Inc and U.S. Dermatology Partners. The infamous actor has claimed to have accessed sensitive data including financial, contract, and employee profiles from both its victims.

BianLian Ransomware Attack: Critical Details  

The first organization targeted by hackers was Better Business Bureau (BBB), which is a private, nonprofit organization founded in 1912 in Arlington, Virginia. The firm maintains a massive database of accredited and non-accredited businesses, providing ratings based on several factors. The Better Business Bureau has a revenue of $430.6 Million. [caption id="attachment_79001" align="alignnone" width="1259"] Source: X[/caption] The threat actor claims to have accessed 1.2 TB of organization data, including accounting, budget, and financial data; contract data and NDAs; files from the CFO's computer; operational and business files; and email and PST archives. The group has also disclosed sensitive information such as the names, personal email addresses, and phone numbers of BBB’s CEO, vice president, chief accreditation officer, and chief activation officer. The other organization that has allegedly fallen victim to the ransomware group is US Dermatology Partners. The organization, with a revenue of $213.7 Million, is one of the premier dermatology practitioners in the USA, caring for over two million patients annually. [caption id="attachment_79002" align="alignnone" width="1259"] Source: X[/caption] The hackers claimed to have accessed 300 GB of organization data, including personal data, accounting and budget information, financial data, contract data and NDAs, and employee profiles.

Potential Impact of BianLian Ransomware Attack

If proven, the potential consequences of this ransomware attack could be critical as the accounting and financial details of both these firms could be leaked. The organizations should take appropriate measures to protect the privacy and security of the stakeholders involved. Financial data breaches can lead to identity theft, financial fraud, and a loss of trust among clients, potentially jeopardizing the company’s standing in the industry. Currently, details regarding the extent of the BianLian ransomware attack, data compromise, and the motive behind the cyber assault remain undisclosed. Despite the claims made by BianLian, the official websites of the targeted companies remain fully functional. This discrepancy has raised doubts about the authenticity of the BianLian group’s assertion. To ascertain the veracity of the claims, The Cyber Express has reached out to the officials of the affected organizations. As of the writing of this news report, no response has been received, leaving the ransomware attack claim unverified.

History of BianLian Ransomware Group Attacks

BianLian, a ransomware group, has been targeting critical infrastructure sectors in the U.S. and Australia since June 2022. They exploit RDP credentials, use open-source tools for discovery, and extort data via FTP or Rclone. FBI, CISA, and ACSC advise implementing mitigation strategies to prevent ransomware attacks. Initially employing a double-extortion model, they shifted to exfiltration-based extortion by 2023. According to a report by  BlackBerry, BianLian ransomware showcases exceptional encryption speed and is coded in the Go programming language (Golang). This sophisticated approach has enabled the group to strike multiple organizations, leaving a trail of unverified claims in its wake. Earlier in 2024, the group targeted companies such as North Star Tax and Accounting, KC Pharmaceuticals, Martinaire. In its attack on MOOver, the group claimed to have accessed a staggering 1.1 terabytes of the firm’s data. Subsequently, Northeast Spine and Sports Medicine also found themselves on the list of victims. All these claims, similar to the recent attack, remain unverified. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The notorious BlackBasta ransomware group is claiming credit for carrying out cyberattacks on major multinationals in the U.S. The ransomware gang claims it has access to sensitive data of financial services firm Key Benefit Administrators and healthcare apparel retailer Scrubs & Beyond. BlackBasta was recently suspected to have exploited a Microsoft zero-day prior to Microsoft’s release of a patch for the vulnerability back in March.

Decoding BlackBasta Ransomware's Alleged Attack

The first organization targeted by BlackBasta is Key Benefit Administrators, Inc., which offers financial services. The company provides employment benefit services that manages pension, retirement, health, and welfare funds. BlackBasta claims to have access to 2.5TB of sensitive data of the firm, including client, executive, and employee info. [caption id="attachment_78852" align="alignnone" width="1247"] Source: Ransomware.live[/caption] The other organization targeted by the ransomware group is Scrubs & Beyond, which is the largest retailer of healthcare apparel and accessories in the U.S. The ransomware crew claims to have accessed 600GB of the organization’s sensitive data, including HR, employee, and departmental files. [caption id="attachment_78853" align="alignnone" width="1238"] Source: Ransomware.live[/caption] Until an official statement is released by the two firms, the facts behind the BlackBasta ransomware attack claim will likely remain elusive. If BlackBasta's claims are proven true, the implications could be significant. The compromise of sensitive legal information and client data could have broad consequences, not only for the firms concerned but also for its clients and partners.

How Does BlackBasta Group Operate?

BlackBasta is a highly active ransomware group that has quickly gained a reputation for targeting high-value organizations across various industries. BlackBasta typically uses sophisticated phishing campaigns, and exploits known vulnerabilities in software to obtain access to their targets' systems. After gaining access, the group encrypts critical data and demands hefty ransoms for its release.

Previous Attacks By BlackBasta

A recent joint security advisory from the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) stated that Black Basta has, through its affiliates, compromised more than 500 organizations all over the world. The victims include organizations that span 12 of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) sector. A few of BlackBasta’s victims include Microsoft, Hyundai Europe, Capita, The American Dental Association, Yellow Pages Canada, and Dish, among others.

How to Protect Against Ransomware

The ever-present threat of ransomware requires vigilant cybersecurity practices by consumers and organizations alike. Keeping software and operating systems up-to-date: Many ransomware attacks exploit vulnerabilities in outdated software and operating systems. By keeping software and operating systems up-to-date, you can minimize the possibility of a ransomware attack. Backing up important data: If your files are encrypted by ransomware, you may be able to restore them from a backup. By regularly backing up important data, you can increase the chances that you can recover your files if they are encrypted by ransomware. However, those backups should be immutable and ransomware-resistant - a good backup service provider may be your surest bet. Using antivirus software: Antivirus software can detect and remove various types of malware, including ransomware. By using antivirus or endpoint security software, you can reduce the risk of a ransomware attack. Being cautious of suspicious emails: Many ransomware attacks are spread via phishing emails. You can lower the risk of a ransomware attack by being wary of suspicious emails and refraining from clicking on links or opening attachments from unknown sources. Educating employees about cybersecurity: Employees play a critical role in defending against cyberattacks. It is of utmost importance that they understand the best practices and know how to identify and report suspicious activities. Isolating critical workloads and data: Isolating your most important data and applications with technologies such as microsegmentation, VLANs, firewalls and strict access and permission controls will create an extra layer of security that will make it that much harder for ransomware to infect your most critical systems. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

After the Qilin ransomware gang last week published on its leak site a data subset as a proof of hacking Synnovis’ systems, the London-based pathology services provider has now confirmed its legitimacy saying the data belongs to its storage drive related to administrative work and contains fragments of patient identifiable data. Hackers that are linked to the Russian-linked Qilin ransomware gang published on Friday around 400 gigabytes of sensitive patient data, which they claimed included names, dates of birth, NHS numbers and descriptions of blood tests stolen from Synnovis’ systems. Following the data leak on the dark web, Synnovis confirmed on Monday that the published data was legitimate but noted it was too early to determine the full extent of the compromised information.

“Last week a group claiming responsibility for the cyberattack published data online. We have now been able to confirm that this data was stolen from Synnovis’ systems.” - Synnovis

An initial review from Synnovis over the weekend revealed no evidence that the Laboratory Information Management Systems (LIMS) - the primary databases for patient test requests and results - were posted. However, fragments of patient-identifiable data from an administrative working drive have been published, Synnovis said. The payroll information storage area remains unaffected but further review of employee-related data that appeared in the dataset published on the dark web is underway. Synnovis emphasized the priority of understanding the compromised administrative working drive. The company is working alongside technical experts to ascertain more details and mitigate concerns among service users, employees and partners. The Information Commissioner’s Office (ICO) is investigating the breach, acknowledging the sensitivity of the leaked data and the anxiety it may cause. “While we are continuing to make enquiries into this matter, we recognize the sensitivity of some of the information in question and the worry this may have caused,” the ICO said. The ICO advises concerned individuals to visit its website and NHS England’s site for guidance and support. NHS England continues collaborating with Synnovis and the National Crime Agency to address the ransomware attack. NHS England acknowledged Synnovis’ initial analysis that confirmed the published data originated from their systems. The complex nature of such investigations means it could take weeks to identify all impacted individuals, it said. As the investigation proceeds, NHS England and Synnovis will provide updates and have established a helpline for those affected. Local health systems are working together to manage the impact on patients and have deployed additional resources to ensure urgent blood samples are processed. Laboratories can now also access historical patient records, which aids continuity of care, NHS England said. The cyberattack has significantly delayed blood tests, with some media reports stating NHS patients potentially waiting up to six months for sample collection. Earlier, Synnovis said the ransomware attack had significantly brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day. The Guardian cited a letter to one of the patients from the impacted hospital being told:

“Sadly it appears it may be three to six months before bloods can be taken again. You will be put on a waiting list and our secretaries will contact you when bloods can be taken again. If you haven’t heard anything in the next four months please feel free to contact us on the details above. I want to apologise for this inconvenience and appreciate this will be frustrating.”

The pathology service provider was processing only “clinically critical” blood samples flagged by clinicians. These delays have prompted some patients to seek private clinics for faster testing and analysis that cost significantly high. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this month to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.

Last week's ransomware attack on software as a service (SaaS) provider CDK Global has had a ripple effect on its customers, as multiple car dealerships serving thousands of locations report disruptions in their filings with the U.S. Securities and Exchange Commission. The CDK ransomware attack has paralyzed thousands of car dealerships across North America, disrupting operations for some of the largest automotive retailers. The attack that began last Tuesday has impacted operations of major players such as Asbury Automotive Group, AutoNation, Group 1 Automotive, Lithia Motors, Penske, Sonic Automotive, and the number is expected to swell even more in coming days.

Systems Shut Down After Attack

CDK Global, a crucial provider of SaaS platforms for dealerships, was forced last week to shut down its systems in response to the cyberattack. With the work done so far, our core DMS and Digital Retailing solutions have been restored," a spokesperson for CDK Global told The Cyber Express at the time. "We are currently investigating a cyber incident. Erring on the side of caution, we proactively shut all systems down and executed extensive testing." This shutdown has hindered dealerships' abilities to manage customer relationships, sales, financing, service, inventory, and back-office operations. CDK Global's systems are vital to over 15,000 car dealerships in North America. It facilitates various operations, including car sales, repairs and registrations. There are only a handful of DMS companies for dealers to choose from. Thus, thousands of dealerships are hugely reliant on CDK’s services to line up financing and insurance, manage inventory of vehicles and parts, and complete sales and repairs.

How CDK Global Cyberattack Impacts Customers

Asbury, AutoNation, Lithia Motors, Sonic Automotive, and Group 1 Automotive have activated their incident response plans and disconnected from CDK systems as a precaution, although no evidence of compromise within their own networks was found. Sonic Automotive mentioned that as of Friday, the extent to which the attackers accessed customer data remains unknown. Lithia Motors highlighted the ongoing negative impact on its operations, indicating uncertainty over whether the incident will materially affect its financial condition. Group 1 Automotive noted that CDK aims to restore the dealer management system within "several days and not weeks," but the financial impact depends on the system's downtime duration. Group 1 owns and operates 202 automotive dealerships, 264 franchises, and 42 collision centers in the United States and the United Kingdom that offer 35 brands of automobiles.

CDK Customers Move to Manual Methods

Penske Automotive reported that the ransomware attack primarily affected its Premier Truck Group, which sells heavy- and medium-duty trucks across 48 locations in the U.S. and Canada. The company has implemented business continuity plans and continues operations using manual and alternate processes designed for such incidents. Penske noted that the truck dealership business that serves business customers has lower unit volumes compared to automotive dealerships. Asbury said business operations are functioning but "slower than normal." It added that the dealerships at Koons Automotive locations in Maryland and Virginia do not use CDK’s Dealer Management System or CDK’s Customer Relationship Management system and therefore continue to operate with minimal interruption, as does Clicklane, their online vehicle purchasing platform. Asbury operates 157 new vehicle dealerships, which includes 206 franchises representing 31 domestic and foreign vehicle brands.

CDK May Pay Ransom

Late on Friday, Bloomberg reported that CDK Global is negotiating with the a ransomware gang, which Bleeping later confirmed to be BlackSuit, a rebrand of the Royal ransomware group known for last year's attack on the city government of Dallas. Although the ransom amount remains undisclosed, CDK Global reportedly plans to pay, Bloomberg said. CDK Global has issued prerecorded messages to warn customers about hackers posing as CDK staff to gain unauthorized access. Despite making recovery progress last week, CDK faced a second cyber incident that led to a complete shutdown of its systems. The company is working with third-party experts to assess the impact and update its customers regularly. This attack exposes the critical vulnerabilities in the supply chain of the automotive industry and its reliance on centralized digital platforms.

Crown Equipment, a global top five forklift manufacturer, was hit by a cyberattack that has disrupted its manufacturing operations for nearly two weeks. The company yesterday attributed the attack to an "international cybercriminal organization," raising speculation of a ransomware gang's involvement. The cyberattack has affected Crown's IT systems, employee workflows and overall business continuity for the second week running.

Crown Equipment Cyberattack Overview

Since approximately June 8th, Crown's employees reported a breach in the company's IT systems. This breach led to a complete shutdown of systems, preventing employees from clocking in their hours, accessing service manuals, and in some cases delivering machinery. In an internal email sent to employees, the heavy machinery manufacturer confirmed the cyberattack and advised employees to ignore multifactor authentication (MFA) requests and to be cautious of phishing emails.

"I currently work there. Everyone is scrambling, can't order parts except for TVH and that's strictly for emergencies. The company hasn't officially announced that it's been hacked but they keep pushing the importance of MFA. We can read between the lines." - Reddit User (Williams2242)

The company in its press release revealed that the breach necessitated the shutdown of their operating systems to investigate and resolve the issue without giving details on the hackers and their ransom demand, if any.

Crown Equipment Attack Details

Crown disclosed that many of their security measures were effective in limiting data access by the criminals. However, the breach likely occurred due to an employee not adhering to data security policies that resulted in unauthorized access to their device, according to a Reddit post.

"I heard someone got a call from a hacker pretending to be IT. They installed a fake VPN on their computer and got access to everything. They created a privileged account on the network that gave them access all the systems. The network went down Sunday and it's been down since with no ETA." - Reddit User (DragonflyJust2223)

This speculation suggests a social engineering attack where the threat actor installed remote access software on the employee's computer. BornCity, a website maintained by a German-speaking digital observer, first reported the possibility of a hack nearly a week ago. Citing a distant source who used to work at the manufacturing plant of Crown, BornCity said the problems were likely due to a 'coding bug.' "This had sent the Crown 360 (a service likely based on the Microsoft Cloud and Office 365) solution downhill – but I take that information not as reliable." Crown Equipment, however, did not confirm the speculation and thus the claims remain unverified.

Impact on Crown Equipment's Employees

Initially, Crown told employees they would need to file for unemployment or use their paid time off (PTO) and vacation days to receive pay for missed days. Last weekend, this directive was updated and the employees were asked to file for unemployment, after which several took to Reddit to vent their discontent.

"The fact that their not paying people for their mistake is straight bu****it. Crown pretends to be a family company but as soon as they need to support their "family" they shaft them. People need this money to live, while the owner can just sit back and chill with his multi-millions in the bank. Crown needs to take the hit and do the right thing." - Reddit User

Another said: [caption id="attachment_78309" align="aligncenter" width="1024"] Source: Reddit[/caption] However, Crown later decided to provide regular pay as an advance, allowing employees to compensate for the lost hours later. Despite this adjustment, employees expressed frustration over the lack of transparency and communication from the company during the incident. Crown Equipment has reportedly engaged some of the world’s top cybersecurity experts and the FBI to analyze the affected data and manage the aftermath of the attack. The company emphasized that there were no indications that employee personal information or data that could facilitate identity theft was targeted. The company is now in the process of restoring systems and transitioning back to normal business operations. They are also working closely with customers to minimize the disruption's impact on their operations. Although Crown did not specify the type of cyberattack, their description suggests a ransomware attack by an international cybercriminal organization. If confirmed, this implies that corporate data was likely stolen and could be leaked if the ransom demands are not met. As Crown continues to recover from this significant disruption, the incident serves as a reminder for companies worldwide to strengthen their cybersecurity protocols, including isolating critical workloads, invest in employee training to prevent social engineering attacks, and establish effective communication strategies for managing cyber incidents.

CDK Global, a provider of software solutions to auto dealerships across the United States, has fallen victim to a significant cyberattack. This CDK Global cyberattack has forced the company to temporarily shut down most of its systems, effectively bringing sales operations at approximately 15,000 car dealerships to a standstill. The cyberattack on CDK Global has had a profound impact on major clients of CDK Global, including General Motors dealerships, Group 1 Automotive, and Holman, which operates dealerships across eight U.S. states. These dealerships rely heavily on CDK's software to manage their daily operations, from sales transactions to inventory management. "We are actively investigating a cyber incident. Out of an abundance of caution and concern for our customers, we have shut down most of our systems and are working diligently to get everything up and running as quickly as possible", a CDK spokesperson told CBS News. According to the news reports, CDK reported that they had restored some of their systems after conducting extensive tests and consulting with third-party experts. "With the work done so far, our core dealer management system and Digital Retailing solutions have been restored. We are continuing to conduct extensive tests on all other applications and will provide updates as we bring those applications back online," CDK stated in a communication to CBS MoneyWatch. CDK Global’s dealer management system (DMS) serves as a central hub that allows dealerships to monitor their operations from a single interface. Their retail tools enable dealerships to conduct transactions both online and in showrooms. These tools are essential for managing payroll, inventory, and various office operations. CDK also prides itself on offering robust cybersecurity solutions, as stated on its website: "CDK Cybersecurity Solutions provide a three-tiered cybersecurity strategy to prevent, protect, and respond to cyberattacks so you can defend your dealership.

Dealerships' Response to the CDK Global Cyberattack

The sudden outage has caused widespread disruption among car dealerships. Many have been forced to find creative solutions to continue their operations. Dealership employees took to Reddit to discuss the challenges they were facing. They reported relying on spreadsheets and sticky notes to handle small parts sales and repairs, while larger transactions were effectively halted. One employee questioned others on Reddit, asking, "How many of you are standing around because your whole shop runs on CDK?" Responses from users in Wisconsin and Colorado confirmed that their dealership systems were offline, causing significant operational delays. The CDK Global Cyberattack has left many employees with little to do, with some dealerships sending staff home due to the inability to conduct normal business operations. "We are almost to that point… no parts, no ROs, no times… just dead vehicles with nothing to show for them or parts to fix them," lamented one dealership employee on Reddit. Another employee shared, "Excel spreadsheets and post-it notes for any parts we're handing out. Any big jobs are not happening," highlighting the extent to which the disruption has impacted their workflow.

Potential Ransomware Attack

While CDK Global has not released an official statement on the nature of the cyberattack, rumors and reports suggest that the company may have suffered a ransomware attack that also impacted its backups.  If it indeed was a ransomware attack, the outages could persist for several days, potentially stretching into the next week or longer. The Cyber Express Team tried to reach out to CDK Global to get an official statement and know more details about the cyberattack, however, as of writing this news report no response has been received.

AJE Group, a prominent company in the manufacture, distribution, and sale of alcoholic and nonalcoholic beverages, has allegedly fallen victim to a MEDUSA ransomware attack. Founded in 1988 and headquartered in Lima, Peru, AJE Group employs 2,896 people. The unconfirmed ransomware attack on AJE Group has allegedly resulted in a significant data breach, putting allegedly 646.4 GB of data at risk.

Ransomware Attack on AJE Group: Ransom Demand and Countdown

The ransomware group has set an ominous countdown of eight days, 21 hours, 20 minutes, and 30 seconds for the company to comply with their demands. The attackers have placed a hefty price tag of US$1,500,000 to prevent unauthorized distribution of the compromised data. Additionally, for every day that passes without payment, the ransom amount increases by US$100,000. However, these claims remain unconfirmed as AJE Group has yet to release an official statement regarding the incident. [caption id="attachment_77719" align="aligncenter" width="1024"] Source: X[/caption] A preliminary investigation into AJE Group’s official website revealed no apparent disruptions; the site was fully operational, casting doubt on the authenticity of the ransomware group’s claims. Nevertheless, without an official statement from AJE Group, it is premature to conclude whether the ransomware attack on AJE Group has genuinely occurred. If the ransomware attack on AJE Group is confirmed, the implications for the Group could be extensive and severe. Data breaches can lead to significant financial losses, reputational damage, and operational disruptions. The compromised data may include sensitive information that, if leaked, could affect the company's competitive standing and expose its employees and customers to further risks.

MEDUSA Ransomware: A Rising Threat

Earlier, The Cyber Express (TCE) reported that Threat Actors (TAs) associated with the notorious MEDUSA ransomware have escalated their activities, allegedly targeting two institutions in the USA. The first target is Tri-Cities Preparatory High School, a public charter middle and high school located in Prescott, Arizona. The threat actors claim to have access to 1.2 GB of the school’s data and have threatened to publish it within seven to eight days. The second target is Fitzgerald, DePietro & Wojnas CPAs, P.C., an accounting firm based in Utica, New York. The attackers claim to have access to 92.5 GB of the firm’s data and have threatened to release it within eight to nine days.

History and Modus Operandi of MEDUSA

MEDUSA first emerged in June 2021 and has since launched attacks on organizations across various countries and industries, including healthcare, education, manufacturing, and retail. Despite its global reach, most victims have been based in the United States. MEDUSA operates as a Ransomware-as-a-Service (RaaS) platform, offering malicious software and infrastructure to would-be attackers. This model enables less technically skilled criminals to launch sophisticated ransomware attacks. MEDUSA's TAs often utilize a public Telegram channel to post stolen data, leveraging public exposure as an extortion tactic to pressure organizations into paying the ransom.

The Broader Impact of Ransomware Attacks

The reported MEDUSA ransomware attack on AJE Group highlights the growing threat posed by ransomware groups. Ransomware attacks have become increasingly prevalent, targeting critical sectors and causing widespread disruption. The healthcare industry, for instance, has seen hospitals forced to shut down operations, delaying critical medical procedures and compromising patient care. Educational institutions have faced similar disruptions, with students' data at risk and academic schedules thrown into disarray. The manufacturing and retail sectors, too, have not been spared. Companies in these industries have experienced production halts, supply chain disruptions, and significant financial losses due to ransomware attacks. These incidents highlight the importance of enhanced cybersecurity measures and prompt incident response protocols to mitigate the impact of such attacks. Additionally, organizations must prioritize cybersecurity awareness and preparedness to defend against ransomware attacks. Regular employee training, stringent access controls, and up-to-date security software are essential components of a robust cybersecurity strategy. Further, organizations should have a well-defined incident response plan to quickly address and contain any breaches.

Conclusion

While the authenticity of the ransomware attack on AJE Group remains unconfirmed, the potential consequences are significant. TCE will continue to monitor this ongoing situation and provide updates as more information becomes available. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Threat Actors (TAs) associated with the notorious MEDUSA ransomware have escalated their activities and have allegedly targeted two institutions in the USA. In a scenario mirroring all of its previous attacks, the group has not divulged critical information, such as the type of compromised data. It has, however, demanded a bounty of US $120,000 from Fitzgerald, DePietro & Wojnas CPAs, P.C and $100,000 from Tri-City College Prep High School to stop leaking internal data of the concerned organizations.

Understanding the MEDUSA Ransomware Attack

One of the two institutions targeted by MEDUSA is Tri-Cities Preparatory High School, a public charter middle and high school located in Prescott, Arizona, USA. The threat actor claimed to have access to 1.2 GB of the school's data and has threatened to publish it within 7-8 days. The other organization that the group has claimed to have targeted is Fitzgerald, DePietro & Wojnas CPAs, P.C. It is an accounting firm based in Utica, New York, USA. The group claims to have access to 92.5 GB of the firm's data and has threatened to publish it within 8–9 days. Despite the tall claims made by the ransomware group, the official websites of the targeted companies seem to be fully functional, with no signs of any foul activity. The organizations, however, have not yet reacted to the alleged cyberattack, leaving the claims made by the ransomware group unverified.  The article would be updated once the respective organizations respond to the claims. The absence of confirmation raises the question of the authenticity of the ransomware claim. It remains to be seen if the tactic employed by MEDUSA group is to garner attention or if there are any ulterior motives attached to their actions. Only an official statement by the affected organizations can reveal the true nature of the situation. However, if the claims made by the MEDUSA ransomware group do turn out to be true, then the consequences could be sweeping. The potential leak of sensitive data could pose a significant threat to the affected organizations and their staff, students and employees.

Who is the MEDUSA Ransomware Group?

MEDUSA first came into limelight in June 2021 and has since launched attacks on organizations in many countries targeting multiple industries, including healthcare, education, manufacturing, and retail. Most of the victims, though, have established their base in the United States of America. MEDUSA carries out its attacks as a Ransomware-as-a-Service (RaaS) platform. It provides would-be target organizations with malicious software and infrastructure required to carry out disrupting ransomware attacks. The ransomware group also runs a public Telegram channel that TAs utilize to post data that might be stolen, which could be an attempt to extort organizations and demand ransom.

History of MEDUSA Ransomware Attacks

Last week, the Medusa group took ownership of the cyberattack on Australia’s Victoria Racing Club (VRC). To provide authenticity, Medusa shared thirty documents from the club and demanded a ransom of US$700,000 from anyone who wanted to either delete the data or else download it. The leaked data included financial details of gaming machines, prizes won by VRC members, customer invoices, marketing details, names, email addresses, and mobile phone numbers. The VRC confirmed the breach, with its chief executive Steve Rosich releasing a statement: "We are currently communicating with our employees, members, partners, and sponsors to inform them that the VRC recently experienced a cyber incident.” In 2024, MEDUSA had targeted four organizations across different countries, including France, Italy, and Spain. The group’s modus operandi remains constant, with announcements being made on their dark web forum accompanied by deadlines and ransom demands. As organizations grapple with the fallout of cyberattacks by groups like MEDUSA, it becomes critical to remain cautious and implement strategic security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In the aftermath of the Synnovis ransomware attack that struck last week, London hospitals continue to struggle to deliver patient care at an optimal level. The attack on the pathology services provider has brought down the daily blood sampling count in major London hospitals from 10,000 to merely 400 per day, according to Synnovis.

“Urgent requests are severely restricted at around 400 a day. Historically primary care and community services have generated around 10,000 samples a day for testing, which gives you an idea of the scale of the impact.” - Synnovis

Services including blood transfusions reportedly remain severely disrupted at Guy's and St Thomas' Hospital and King's College Hospital. Both hospitals are experiencing disruption of pathology services, particularly blood tests.

Blood Testing Severely Impacted After Synnovis Ransomware Attack

The biggest challenge that Synnovis is currently facing is that all its automated end-to-end laboratory processes are offline since all IT systems have been locked down in response to the ransomware attack. “This means we are having to log all samples manually when they arrive, select each test manually on analyzers and, once tests have been processed, type in each result on the laboratory’s computer system (the Laboratory Information Management System - LIMS),” Synnovis said. And this is not the end of it. Synnovis then must manually deliver these results to the Trust’s IT system so that the results can be further electronically submitted back to the requester. But since the Synnovis’ LIMS is presently disconnected from the Trusts’ IT systems, “this extensive manual activity takes so much time that it severely limits the number of pathology tests we can process at the moment,” Synnovis explained. The pathology service provider normally processes around 10,000 primary care blood samples a day, but at the moment is managing only up to 400 from across all six boroughs. “Despite the measures we know colleagues are taking to prioritize the most urgent samples, we are receiving many more than we can process and we have an increasing backlog,” Synnovis said. The lab services provider last week was able to process around 3,000 Full Blood Count samples but could not export results due to the lack of IT connectivity. “Of those tests processed, we have phoned through all results that sit outside of critical limits, however, we have been unable to return any results electronically and are unlikely to be able to do so,” Synnovis said. The impact of the Synnovis ransomware attack is also felt on NHS Blood and Transplant (NHSBT), as it appealed to the public earlier this week to urgently donate O blood-type (+ve and -ve) across England. The attack caused significant disruption on the hospitals’ ability to match patients’ blood types, leading to an increased demand for O-positive and O-negative blood donations that are medically considered safe for all patients.

Will Process only 'Clinically Critical' Blood Samples

To manage the inadequacy of the services, the service provider is momentarily only accepting blood samples that the requesting clinician considers to be “clinically critical.” Clinicians need to consider a test as “critical” only if a test result is needed within 24 hours to determine a patient’s urgent treatment or care plan. “As experts, your clinical view of what is considered ‘critical’ will be accepted by the laboratory, but we urge you to apply this definition carefully, given the severe capacity limitations we are facing,” Synnovis recommended. [caption id="attachment_77097" align="aligncenter" width="1024"] Source: Synnovis[/caption] The pathology service provider is also working with NHS Trust to install laptops at the hub laboratory, which will give them access to the Trust IT systems to return test results electronically.

Caregivers Working Overtime

Doctors and caregivers at Guy's and St Thomas' Hospital and King's College Hospital have been putting in extra hours since the Synnovis ransomware attack disrupted services last week. But this is not enough, as KCH has already cancelled some of its operations and is working only at about 70% capacity. Three of its 17 operating theatres remain shut, BBC reported.

Grand Traverse County, Michigan, finds itself at the center of a cyber crisis as authorities investigate a ransomware attack that has disrupted operations in public offices across the county and the City of Traverse City. The Grand Traverse County cyberattack began when county officials noticed "network irregularities" at 6:06 a.m. on Wednesday, prompting swift action from the IT Department and county leadership.  As a precautionary measure, both county and city offices were taken offline to assess the situation and prevent further damage.

Decoding the Grand Traverse County Cyberattack

Subsequent investigations confirmed the severity of the cyberattack on Grand Traverse County, leading officials to label it as a ransomware attack. Collaboration between Grand Traverse County, Michigan State Police, FBI, and liability providers is underway to comprehend the scope of the attack and plan a strategic response. As of now, there's no confirmation of data transfer, but a thorough investigation is ongoing to safeguard the integrity of the system. While disruptions are inevitable, emergency services such as 911, law enforcement, and fire operations remain operational, ensuring public safety amid the crisis. Nate Alger, Grand Traverse County Administrator, assured the public of swift action, stating, "Our IT Department acted promptly to isolate the incident and shut down affected networks to contain the threat. We're working closely with our partners to minimize disruptions and resolve the situation efficiently."

The Aftermath of the Cyberattack Grand Traverse County 

The impact of the cyberattack on Grand Traverse County extends to in-person customer services at county and city offices, particularly those reliant on network connectivity. Citizens are urged to postpone non-urgent in-person payments at the treasurer's offices, although online payment services remain unaffected and secure. Despite the challenges posed by the attack, the county and city websites remain accessible, hosted on separate servers to ensure uninterrupted public access to essential information and services. While the situation unfolds, authorities are deploying alternative measures and collaborative efforts to mitigate the impact and restore services promptly. Grand Traverse County remains resilient in the face of adversity, prioritizing the safety and well-being of its residents throughout the recovery process. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the alleged Grand Traverse County cyberattack or any additional information from the county. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Black Basta ransomware gang may have exploited a Windows privilege escalation vulnerability as a zero-day before it was patched, new evidence suggests. Symantec researchers have revealed details that the Black Basta ransomware group linked to the Cardinal cybercriminal syndicate (also known as Storm-1811 or UNC4393) may have exploited a flaw in the Windows error reporting service as a zero-day prior to its March Patch Tuesday fix. Tracked as CVE-2024-26169, the vulnerability in question exists in the Windows Error Reporting Service. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said at the time of patching. The Redmond-based tech giant at the time reported no evidence of the bug being exploited in the wild. However, analysis of an exploit tool used in recent attacks indicated that it may have been compiled months before the official patch was released, indicating potential zero-day exploitation.

Black Basta’s Privilege Escalation Bug Exploitation

The Symantec team first uncovered the possible zero-day exploitation while investigating a recent ransomware attack attempt in which an exploit tool for CVE-2024-26169 was used. “Although the attackers did not succeed in deploying a ransomware payload in this attack, the tactics, techniques, and procedures (TTPs) used were highly similar to those described in a recent Microsoft report detailing Black Basta activity,” Symantec said. These TTPs included the use of batch scripts disguised as software updates, the researchers added.

Black Basta Exploit Tool Analysis

The exploit tool leverages a flaw where the Windows file “werkernel.sys” uses a null security descriptor for creating registry keys. The tool exploits this by creating a “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe” registry key, setting its “Debugger” value to its own executable pathname. This allows the attacker to start a shell with administrative privileges, Symantec explained. Two variants of the tool analyzed:

• Variant 1 (SHA256: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63): Compiled on February 27, before the vulnerability was patched.
• Variant 2 (SHA256: b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0): Compiled on December 18, 2023, nearly three months before an official fix was released.

While time stamp values in executables can be modified, in this case the attackers likely had little motivation to alter them, suggesting genuine pre-patch compilation.

Indicators of Compromise

Symantec shared the following IoCs: 4aae231fb5357c0647483181aeae47956ac66e42b6b134f5b90da76d8ec0ac63 – Exploit tool b73a7e25d224778172e394426c98b86215087d815296c71a3f76f738c720c1b0 – Exploit tool a31e075bd5a2652917f91714fea4d272816c028d7734b36c84899cd583181b3d – Batch script 3b3bd81232f517ba6d65c7838c205b301b0f27572fcfef9e5b86dd30a1d55a0d – Batch script 2408be22f6184cdccec7a34e2e79711ff4957e42f1ed7b7ad63f914d37dba625 – Batch script b0903921e666ca3ffd45100a38c11d7e5c53ab38646715eafc6d1851ad41b92e – ScreenConnect

About Black Basta Ransomware

The latest attempts of exploiting a Windows privilege escalation bug comes a month after Microsoft revealed details of Black Basta ransomware operators abusing its Quick Assist application that enables a user to share their Windows or macOS device with another person over a remote connection. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI in a May advisory said Black Basta's affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia since its launch in April 2022. An analysis from blockchain analytics firm Elliptic indicates that Black Basta has accumulated at least $107 million in ransom payments since early 2022, targeting more than 90 victims. The largest ransom payment received was $9 million, and at least 18 of the ransoms exceeded $1 million each. The average ransom payment was $1.2 million.

Ukraine National Police have arrested a man they say helped disguise ransomware used by Russia-based threat groups. The 28-year-old cryptor developer was unnamed in Ukraine and Netherlands announcements of the arrest, but the Dutch statement said he was arrested on April 18, 2024 in a lead-up to May’s massive “Operation Endgame” botnet takedown.

Cryptor Developer Worked with Conti, LockBit

Ukraine cyber ​​police and National Police investigators say they established that the man was involved in the LockBit and Conti ransomware groups. The Kyiv man infected a company in the Netherlands with Conti ransomware in 2021, demanded a ransom and threatened to release confidential company information if payment wasn’t made, according to the Dutch announcement, which cited work by the Netherlands’ High Tech Crime Team of the National Operations and Interventions Unit and the National Public Prosecution Service. They requested Ukraine’s assistance in the case as part of their investigation. As part of the arrest, Ukrainian police conducted house searches in the city of Kyiv and the Kharkiv region on April 18 and seized computer equipment, mobile phones and documents for further investigation (pictured below). [caption id="attachment_76895" align="alignnone" width="300"] Items seized in Ukraine ransomware arrest[/caption] The Ukraine cyber police said the man “specialized in the development of cryptors,” or “special software for masking computer viruses under the guise of safe files” (quotes translated from the Ukraine statement). “Thanks to his programming skills, the person involved was able to hide malicious software from the most popular antiviruses,” the Ukraine statement added.

LockBit Remains Active Despite Repeated Enforcement Activities

The Conti ransomware group reportedly dissolved in 2022 after a Ukrainian researcher leaked the group's source code in retaliation for the group's support of Russia's invasion of Ukraine, but LockBit has remained persistent. Despite the Ukraine arrest and law enforcement successes like Operation Endgame, Operation Cronos, and the unmasking of formerly anonymous LockBit leader Dmitry Khoroshev, LockBit has shown an ability to continually regroup and reestablish threat activities, recently launching high-profile ransomware attacks such as one that the city of Wichita is finally recovering from. Ukraine officials said the investigation is ongoing. The suspect is being charged under part 5 of Article 361, Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks, of the Criminal Code of Ukraine. The article provides for publishment of up to 15 years of imprisonment, and additional charges are possible. Netherlands officials thanked the Ukrainian investigators for their assistance and said they “are very pleased with the arrest in Ukraine and are grateful for the space that the Ukrainian police have found for this in times of war.”

The MEDUSA ransomware group has reared its ugly head again and this time it has claimed to have targeted three new victims: GEMCO Constructors, Dynamo Electric and Farnell Packaging. The ransomware group’s dark web portal highlighted these additions, adding to their growing list of victims. Like many of its earlier attacks, the group has not disclosed crucial details, such as the type of compromised data. It has, however, demanded a bounty of US $900,000 from GEMCO and $100,000 each from Dynamo and Farnell Packaging to stop leaking its internal data.

MEDUSA Ransomware Attack: The Latest Victims

GEMCO Constructors is headquartered in Indianapolis, Indiana, USA. The ransomware actors have claimed to have access to 1.0 TB of the organization's data and has threatened to publish it within 6-7 days. The second company that the group has claimed to have targeted is Dynamo, which is based in Saskatchewan, Canada. Data of the company, which specializes in electrical and electronic manufacturing, has allegedly been compromised. MEDUSA has claimed to have exfiltrated 149.6 GB of the organization's data and plans to publish it within 6-7 days. Farnell Packaging, a Canadian company in the packaging and container industry, has also allegedly been attacked. The attackers claimed to have accessed 193.9 GB of the organization's data and warned the data would be published within 8–9 days. Despite the gigantic claims made by the ransomware group, the official websites of the targeted companies seem to be fully operational, with no signs of foul play. The organizations, however, have not yet responded to the alleged cyberattack, leaving the claims made by the ransomware group unverified.  The article would be updated once the respective organizations respond to the claims. The absence of confirmation raises the question of the authenticity of the ransomware claim. It remains to be seen whether it is a tactic employed by MEDUSA to garner attention or if there are ulterior motives attached to their actions. Only an official statement by the affected companies can shed light on the true nature of the situation. However, if the claims made by the MEDUSA ransomware group do turn out to be true, then the consequences could be far-reaching. The potential leak of sensitive data could pose a significant threat to the affected organizations and their employees.

Background of MEDUSA Ransomware Group

MEDUSA first burst onto the scene in June 2021 and has since targeted organizations in various countries across multiple industries, including healthcare, education, manufacturing, and retail. Most of the companies, though, have been established in the United States of America. MEDUSA functions as a Ransomware-as-a-Service (RaaS) platform. It provides would-be attackers with malicious software and infrastructure required to carry out disruptive ransomware attacks. The ransomware group also has a public Telegram channel that threat actors use to post data that might be stolen, which could be an attempt to extort organizations and demand payment.

Previous Ransomware Attacks

Less than three weeks ago, MEDUSA ransomware group claimed a cyberattack on Comwave, a Canadian communications giant renowned for providing internet, network security solutions, and customer support services.  In January 2024, a prominent non-profit organization, Water For People, was targeted by the group. The organization faced the pressure of a deadline to comply with the demands of the ransomware group. MEDUSA also targeted four organizations across different countries, including France, Italy, and Spain. The group’s modus operandi remains uniform, with announcements being made on their dark web forum accompanied by deadlines and ransom demands. As organizations deal with the fallout of cyberattacks by groups like MEDUSA, it becomes crucial to remain vigilant and implement stringent security measures. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cyber threats continue to evolve this week as attackers target huge ticketing platforms, stealing hundreds of millions of people’s information. Large social media platforms like TikTok were also vulnerable to cyber issues this week. TCE Cyberwatch continues to ensure the highlights of the cybersecurity industry are conveyed to our readers. And remember, vigilance is important. Staying informed on what could affect you as well as knowing of the measures that are being taken is essential.

TCE Cyberwatch: Weekly Round-Up

Free Office Suite Turns Malicious: Pirated Downloads Spreading Malware in South Korea

South Korean researchers have found that pirated copies of productivity software like Microsoft Office and Hangul Word Processor are being used to spread malware. This malware maintains persistence by regularly updating itself, often several times a week. Distributed through file-sharing platforms, these malicious copies appear as cracked installers. Attackers use Telegram or Mastodon channels to provide encrypted instructions leading to malicious payloads hosted on Google Drive or GitHub. The malware includes strains like OrcusRAT, XMRig Cryptominer, 3Proxy, and PureCrypter, which perform various malicious activities, including keylogging, cryptomining, and disabling security products. The malware's ability to update and re-infect systems makes it difficult to remove. Researchers urge users to download software from official sources and update antivirus programs to prevent infection. Read More

Spanish Police Bust Illegal Streaming Network Serving 14,000 Subscribers

Spanish police dismantled an illegal media distribution network that had generated over 5.3 million euros since 2015. The operation began in November 2022 after a complaint from the Alliance for Creativity and Entertainment (ACE), targeting the IPTV service ‘TVMucho’ (also known as ‘Teeveeing’). TVMucho/Teeveeing, with over 4 million visits in 2023, offered over 125 channels, including BBC and ITV. Eight individuals were arrested across various cities, and authorities seized a vehicle, and computers, and froze 80,000 euros in bank accounts. Sixteen related websites were blocked. The network, led by Dutch nationals, decrypted and distributed content from over 130 channels. The crackdown disrupted a service with 14,000 subscribers, causing significant financial damage to content creators. Read More

Millions at Risk: Ticketmaster Confirms Huge Data Breach

Live Nation, Ticketmaster's parent company, confirmed a data breach after hackers claimed to have stolen personal details of 560 million customers. The breach was disclosed in a U.S. Securities and Exchange Commission (SEC) filing. Live Nation detected unauthorized activity in a third-party cloud database on May 20, 2024, and began an investigation. The company is mitigating risks, notifying affected users and regulatory authorities, and cooperating with law enforcement. The stolen data was hosted on Snowflake, a cloud storage firm. Snowflake and cybersecurity firms CrowdStrike and Mandiant are investigating, attributing the breach to identity-based attacks exploiting compromised user credentials. Recommendations include enforcing multi-factor authentication and resetting credentials. Live Nation asserts the breach has not significantly impacted its business operations. Read More

COVID Relief Fraud Busted: $5.9 Billion Botnet Scheme Unraveled

The DOJ charged Chinese national YunHe Wang with operating the "world's largest botnet," which stole $5.9 billion in Covid relief funds. Wang allegedly used the 911 S5 botnet to hack over 19 million IP addresses in nearly 200 countries from 2014 to 2022. The botnet also engaged in other crimes like fraud and harassment. Wang, who profited at least $99 million, faces up to 65 years in prison. The DOJ, FBI, and international law enforcement dismantled the network and arrested Wang. The U.S. has been increasingly concerned about sophisticated cyber threats, particularly from China. In January, the FBI dismantled another Chinese hacking group targeting U.S. infrastructure. Wang's arrest follows Treasury Department sanctions on him and his associated companies. Read More 

Poland Boosts Cybersecurity with $760 Million Investment After Suspected Russian Attack

Poland will invest over 3 billion zlotys ($760 million) to enhance cybersecurity following a likely Russian cyberattack on state news agency PAP. With European Parliament elections imminent, Poland is vigilant against Moscow's interference, especially after a false military mobilization article appeared on PAP. Poland, a key supporter of Ukraine, frequently accuses Russia of destabilization attempts, claims Russia denies. Digitalization Minister Krzysztof Gawkowski announced the "Cyber Shield" initiative and highlighted Poland's frontline position in the cyber conflict with Russia. Recent cyberattacks on critical infrastructure were blocked, reinforcing concerns about Russia's intent to destabilize and benefit anti-EU forces. Poland has linked Russia to sabotage and espionage activities, prompting the re-establishment of a commission to investigate Russian influence. Read More

Russia Accused of Spreading Misinformation Ahead of European Parliament Elections

European governments accuse Russia of spreading misinformation ahead of the European Parliament elections from June 6-9. Alleged tactics include amplifying conspiracy theories, creating deepfake videos, and cloning legitimate websites to disseminate false information. The Czech Republic identified a pro-Russian influence operation led by Viktor Medvedchuk, while Belgium accused Russian officials of bribing EU lawmakers to promote propaganda. Russia denies these accusations, claiming the West is waging an information war against it. European leaders, like Ursula von der Leyen, stress the importance of resisting authoritarian influence. The EU's Digital Services Act mandates the removal of illegal content and transparency in content aggregation. Tech giants like Meta, Google, and TikTok are implementing measures to counter election-related disinformation. Read More

Deepfakes Target Businesses: $25 Million Scam Exposes AI's Dark Side

Deepfake scams are increasingly targeting companies worldwide, exploiting generative AI for fraud. In a major case, a Hong Kong finance worker was deceived into transferring over $25 million to fraudsters using deepfake technology to pose as colleagues. UK engineering firm Arup confirmed involvement in this case, emphasizing a rise in such sophisticated attacks. OpenAI’s ChatGPT has popularized generative AI, lowering the barrier for cybercriminals. AI services can generate realistic text, images, and videos, aiding illicit activities. Deepfake incidents have targeted financial employees, leading to substantial financial losses. Companies fear deepfakes could manipulate stock prices, defame brands, and spread misinformation. Cybersecurity experts recommend enhanced staff education, testing, and multi-layered transaction approvals to mitigate risks, stressing that cybercrime will likely escalate before effective defences are developed. Read More

Up to 7 Years Jail for Deepfake Porn in Australia: New Laws Crack Down on Online Abuse

Proposed new Australian laws will impose up to six years in jail for sharing non-consensual deepfake pornographic images, and seven years for creating them. Attorney General Mark Dreyfus will introduce the legislation to make it illegal to share these images via any platform. Dreyfus condemned the harmful nature of such material, which predominantly affects women and girls. The laws aim to update legal protections in line with technological advances. Currently, creating such images isn't illegal under federal law, but the new bill expands existing laws on using technology to commit crimes. The legislation also seeks to curb technology-facilitated abuse and will include measures addressing doxing and reviewing the Online Safety Act. These changes are part of efforts to combat violence against women. Read More

Zero-Click Hack Hits TikTok: High-Profile Accounts Hijacked

Recently, hackers exploited a zero-day vulnerability in TikTok’s direct messaging feature to take over high-profile accounts without victims needing to download anything or click links. This flaw, unknown to the software makers, allowed control of accounts belonging to CNN, Sony, and Paris Hilton. TikTok's security lead, Alex Haurek, stated that they are working to prevent future attacks and restore affected accounts. Although only a few accounts were compromised, TikTok has not specified the numbers. Read More

Wrap Up

This week has shown the multiple vulnerabilities in even the biggest and assumed to be highly protected companies. Like always, there are tensions surrounding cyber issues in the world of politics as well. We over here at TCE hope that our readers know of the measures to be taken if ever affected by these breaches or hacks, as well as knowing the signs to look out for so as to not fall victim to cyberattacks. We are happy to see nations investing in the betterment of cyber security for their people.

First Priority Restoration (FPR), a prominent company in the disaster restoration industry, has reportedly been targeted by a ransomware attack claimed by the Cactus Ransomware group. Headquartered in Odessa, Florida, First Priority Restoration has been a leader in disaster restoration for decades. The company provides comprehensive restoration services following natural and man-made disasters, ensuring swift recovery and mitigation of damage for affected properties. While the ransomware group has not disclosed the specific details of the compromised data, the alleged cyberattack on First Priority Restoration could have significant implications for the company and its clients if proven true. [caption id="attachment_75588" align="aligncenter" width="1024"] Source: X[/caption]

What Will be The Implication of the FPR Cyberattack

Ransomware attacks typically involve the encryption of critical data, rendering it inaccessible to the affected organization. The cybercriminals then demand a ransom, usually in a cryptocurrency, in exchange for the decryption key. Failure to pay the ransom often leads to the publication or destruction of the stolen data. In this case, the ransomware attack on FPR could lead to substantial operational disruptions, financial losses, reputational damage, and potential legal and regulatory repercussions. Critical data may become inaccessible, hindering the company's ability to provide timely disaster restoration services. Additionally, the exposure of sensitive client information could result in identity theft and fraud. However, upon accessing the official website, no signs of foul play were detected, and the website was fully functional. To verify the claim further, The Cyber Express Team (TCE) reached out to FPR officials. However, as of this writing, no response or statement has been received, leaving the Cactus Ransomware claim about the FPR cyberattack unverified.

Cactus Ransomware Previous Cyberattacks Claims

The Cactus Ransomware group is a notorious cybercriminal organization known for its complex and targeted ransomware campaigns. Previously, the group claimed responsibility for the cyberattack on Petersen Health Care, which compromised the company’s digital infrastructure and exposed sensitive information. Petersen Health Care subsequently filed for bankruptcy, burdened by a staggering $295 million in debt. Another example is the Schneider Electric data breach, where the Cactus group claimed to have stolen 1.5 TB of personal documents, confidential agreements, and non-disclosure agreements. Ransomware attacks have become increasingly predominant, with cybercriminals continuously evolving their tactics to exploit vulnerabilities in organizations. In the first quarter of 2024 alone, 1,075 ransomware victims were posted on leak sites, despite the disruption of major ransomware groups like LockBit and ALPHV/BlackCat, which accounted for 22% and 8% of the activity, respectively. As cybercriminals continue to refine their tactics, organizations must remain vigilant and proactive in safeguarding their data and operations. For First Priority Restoration, TCE is closely monitoring the situation and will provide updates as soon as a response is received regarding the alleged FPR cyberattack. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.