Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

From St. Louis to France, Ransomware Victim List Expands

Among the Causes: Hit Against Managed.com Website Hosting Giant
From St. Louis to France, Ransomware Victim List Expands
South Korean retailer E-Land was forced to suspend operations at 23 stores after being hit by ransomware. (Source: E-Land Group)

Ransomware continues to pummel many types of organizations - including schools, churches, newspapers, hospitals, retail chains and managed service providers - across the world.

See Also: How to Build an Effective Threat Intelligence Program

Ransomware operators continue to innovate to maximize the return on their crime-campaign investments.

"The number of successful ransomware attacks has remained steady throughout the year," aside from "the usual peaks and troughs," Brett Callow, a security adviser at Emsisoft, tells Information Security Media Group.

Given that ransomware operations are run as a business, such behavior "is what you'd expect," he says. "Like any legitimate business, cybercriminal enterprises are limited by their resources and cannot suddenly and significantly increase their rates of attack."

In recent weeks, many new victims have been hit. On Sunday, for example, South Korean fashion retailer E-Land Group reported that a ransomware attack caused it to suspend operations at 23 of its 50 store branches, according to Yonhap News Agency.

On Wednesday, French daily newspaper Paris-Normandie tweeted that, because of a ransomware attack, it was unable to update its website. But it noted that it was continuing to produce its print edition - although on Thursday, it release one edition instead of the usual three.

Speaking anonymously, two Paris-Normandie journalists told the newspaper Le Monde that attackers had issued a ransom demand. As of Monday, Paris-Normandie's website appeared to once again be functioning. It's not yet clear if the newspaper, owned by Belgium-based media group Rossel, paid a ransom.

Oglethorpe County Schools Close

On Thursday, officials in Georgia's northeastern Oglethorpe County - population: 15,000 - announced that, because of a ransomware attack, classes had been canceled for the rest of the week. Oglethorpe County School System "was recently the victim of a ransomware computer attack," Superintendent Beverley Levine said in a post to Facebook.

"As a result of the incident, OCSS immediately launched an investigation, with the assistance of leading cybersecurity experts, the FBI and other state agencies to determine what happened and to remediate the attack," she added. "This investigation is currently ongoing."

With no classes having been scheduled for this week - due to Thanksgiving - she said school is set to resume on Nov. 30.

Oglethorpe is far from the first county in Georgia to get hit. In March 2019, Jackson County responded to a ransomware attack by paying attackers a $400,000 ransom.

The average ransom paid by victims has continued to increase. (Source: Coveware)

Managed.com Hit

Meanwhile, several organizations have also experienced disruptions as a result of an attack against Nebraska-based managed website hosting giant Managed.com.

Managed.com says it offers a "1,000% uptime guarantee ... because downtime is for amateurs."

But on Nov. 16, customers began reporting site outages, despite the company failing to issue any official communications. Shortly thereafter, ZDNet reported that the company confirmed that the downtime was due to it having been hit by a ransomware attack.

While the company claimed that only a small number of customer sites were affected, shortly thereafter, it reportedly took its entire infrastructure offline to prevent the infection from spreading.

Archdiocese of St. Louis: Sites Offline

The Archdiocese of St. Louis is another Managed.com customer suffering ongoing outages due to what it described as "a coordinated ransomware campaign" against the website hosting firm. Since Nov. 16, seven of its websites, including ArchSTL.org and Cemeteries.ArchSTL.org, have not been available.

"To ensure integrity of our data, the limited number of impacted sites - including ours - have been taken offline," it says in a statement. "Upon further investigation and out of an abundance of caution, our hosting company took down their entire system to ensure that we were not compromised. Our hosting security team are working diligently to eliminate the threat and restore our website to full capacity."

The archdiocese says that only its websites - and "no archdiocesan entities or information" - were affected by the attack.

Griffin Hospital Website Down

Others affected by the ransomware attack on Managed.com include Iowa's Department of Transportation as well as Griffin Hospital in Derby, Connecticut.

A Griffin Hospital spokesman, Christian Meagher, told the Connecticut Post that no patient data had been exposed.

"There was no exposure whatsoever," Meagher said, noting that patient data is stored only on other systems. "The website was mostly informational and links."

As of Monday, outages tied to the Managed.com incident still appeared to be widespread. "Can you provide access to our backups so we can download?" one customer posted to Managed.com's Facebook page on Sunday. "All my dev is on your server and this is getting expensive."

Gangs Target Hosting Services

Managed.com joins a growing list of hosting firms and data center providers that have been hit by ransomware gangs. Those include Equinix, CyrusOne, Cognizant, X-Cart, A2 Hosting, SmarterASP.NET, Data Resolution and Internet Nayana, ZDNet reports.

But the Managed.com hit "seems to be 'Blackbaud Lite,' in that it seems to have impacted a considerable number of third parties," Emsisoft's Callow says.

Blackbaud, a provider of cloud-based marketing, fundraising and customer relationship management software, was hit by ransomware in May. Since then, its investigators have found that the resulting breach may have exposed large amounts of personally identifiable information and banking details for millions of individuals who are customers of the organizations that relied on Blackbaud's cloud-based software.

At least 10 lawsuits seeking class-action status have been filed against Charleston, South Carolina-based Blackbaud.

In a similar incident last year, 22 Texas municipalities had data crypto-locked after an attacker apparently hit their managed service provider. At the time, ransomware incident response firm Coveware warned that attackers - especially some specialist affiliates of the Sodinokibi, aka REvil, operation - were targeting MSPs' and IT service providers' remote-administration tools to try to take them over and push ransomware onto managed systems. By doing so, gangs could potentially hold not just the MSP to ransom, but every affected customer, as well (see: Texas Ransomware Responders Urge Remote Access Lockdown).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.