Targeting Healthcare: The Week in Ransomware, January 6, 2023

There was a lot to report this week on ransomware, including new tactics and ransomware gangs giving away decryptors after they attacked a children’s hospital.

It was overall a bad year for organisations, with 200 healthcare, government and education entities being targeted by ransomware.

According to cybersecurity company, ransomware attacks on hospitals and multi-hospital health systems were carried out last year.

The year ended with a bang. LockBit ransomware confirmed that they had attacked SickKids Children’s Hospital. The attack caused delays in receiving imaging and lab results, and longer waiting times for patients.

Ransomware gang says the attacker was a rogue affiliate. This led to an .

LockBit members have a reputation for taking data in their attacks. It is not clear if any data has been stolen or if the data is being used.

BlackCat/AlphV are expanding their extortion techniques by . on the data leak site that was previously set up by threat actors.

This week, we also received more details about several cyberattacks that have been identified as ransomware.

The ransomware attack included a . that they were targeted by Play Ransomware. This included a and a .

Rackspace confirmed later that Play ransomware was able to access Microsoft Exchange Personal Storage Table files for 27 customers. These files can be used to save emails and other information for your email account.

Despite the majority of it being bad news, there was some positive news.

A . Anyone who has saved encrypted files in the hope of getting a decryptor can retrieve their files for free.

This week’s ransomware stories and contributors include @LawrenceAbrams and @PolarToffee.

January 1, 2023

LockBit, a ransomware group that has been attacking healthcare organizations, released a free decryptor for the Hospital for Sick Children (SickKids).

ALPHV ransomware attackers have been creative in their extortion tactics and created replicas of victims’ sites to post stolen data.

February 2, 2023

Ransomware attacks on the U.S. government, education and healthcare sectors impacted over 200k larger companies in 2022.

discovered a new version of STOP ransomware. It adds the extension to encrypted files.

PCrisk discovered a new Dharma ransomware version that adds the .CY3 extension.

PCrisk discovered the Upsilon ransomware. It appends the .upsil0n extension and drops a ransom note named Upsilon.txt.

PCrisk found a new ransomware that appends the .bettercallsaul extension and drops ransom notes named DECRYPT_MY_FILES.txt.

February 3rd, 2023

Royal ransomware has taken responsibility for the recent attack on Queensland University of Technology. They have begun to leak the data that was allegedly stolen in the breach.

Wabtec Corporation, a U.S. railroad and locomotive company, has revealed a data breach that exposed sensitive and personal information.

PCrisk discovered a new Dharma ransomware version that adds the .d0n extension.

PCrisk discovered a new version of STOP ransomware. It adds the .bpsm extension to encrypted files.

January 4, 2023

Rackspace, a Texas-based provider of cloud computing services, has revealed that Play ransomware was responsible for a cyberattack on Rackspace’s Microsoft Exchange servers.

February 5, 2023

Bitdefender, an antivirus company, has made it easy for MegaCortex ransomware victims to recover their data.

Rackspace announced on Thursday that the attackers responsible for last month’s attack accessed some customers’ Personal Storage Table (PST) files. These files can include emails, calendar data, contacts and tasks.

The Ransomware Roundup’s latest issue covers Monti ransomware, BlackHunt and Putin ransomware.

January 6, 2023

PCrisk discovered new versions of STOP ransomware. These add the .bpws and .bpto extensions to encrypted files.

This concludes this week. We wish everyone a happy weekend.