Romanian Healthcare System Laid Low by Attack on Shared Software Platform
Ransomware.org Blog
by John E. Dunn
1d ago
Cybercriminals, it is widely observed, have a fondness for weekends. This is not by chance—at weekends organizations are short-staffed, making this the best time to launch a cyberattack. It’s a pattern that played out in a ransomware attack on the Romanian health system on Sunday, Feb. 11, that sent some of the country’s most important hospitals back to the world of pen and paper. First reports put the number of hospitals affected at 18, which soon climbed to 21, then 25, and then 30. It quickly became apparent that this was only for starters. The attack targeted the Hipocrate Information Syst ..read more
As Ransomware Attacks Surge Again, What’s Ahead for 2024?
Ransomware.org Blog
by John E. Dunn
1w ago
Stop us if you’ve heard this one before but ransomware is undergoing another one of its periodic surges. Granted, cybercrime always seems to be on the up—does the media ever report drops in cybercrime?—but this time there’s some hard evidence to back it up. That ransomware activity for 2023 rose was no surprise with the war in Ukraine causing a temporary drop in activity during 2022. Even so, when assessing activity on leak sites, Palo Alto’s Unit 42 researchers found significant rises in activity across the year. Another source is Chainalysis, which rates 2023 as ransomware’s “comeback” year ..read more
AI Will Power a New Generation of Ransomware, Predicts Britain’s NCSC
Ransomware.org Blog
by John E. Dunn
2w ago
How will the sudden emergence of artificial intelligence (AI) platforms such as ChatGPT influence future ransomware attacks? Right now, there are so many pessimistic answers to this question it can be hard to judge the real-world risk they pose. On the one hand, there’s no doubt that AI can easily be used to improve individual components of today’s attack, for example improving the language and design of phishing emails to make them read more convincingly (as anyone who’s experimentally coaxed ChatGPT to rewrite an awkwardly phrased phishing email will attest). At the same time, it’s also like ..read more
Police Dismember LockBit in Historic Ransomware Takedown
Ransomware.org Blog
by John E. Dunn
2M ago
The most extraordinary week in ransomware history anyone can remember began on Feb. 19 with an historic takedown of the infrastructure used by notorious ransomware group, LockBit. Industry watchers were euphoric, almost giddily so. If anything, that might be understating it. Twitter-X was ablaze with congratulations, most of them aimed at Britain’s National Crime Agency (NCA), which spearheaded the operation. Allan Liska of Recorded Future (a former contributor to this site) even posted a picture of cupcakes his colleagues had delivered to their Boston office to celebrate the occasion. But the ..read more
Why are Ransomware Attacks Becoming More Dangerous? The British Library Attack Gives Us Some Clues
Ransomware.org Blog
by John E. Dunn
2M ago
The 1980s brutalism of the British Library in London has been likened to an unwelcoming fortress, and yet the intimidating appearance was no help when ransomware attackers decided to pay it a visit last October. In what is turning out to be one of the worst incidents ever to hit a public U.K. organization, over several days the famous institution’s website went down, its Wi-Fi stopped working, its email went offline, and the online catalog used by visitors became inaccessible. Days of disruption turned into weeks, weeks turned into months, with the only glimmer of progress being the online cat ..read more
After DOJ Takedown, the Notorious ALPHV Ransomware Group Fights Back
Ransomware.org Blog
by John E. Dunn
2M ago
Has the digital reign of terror from the world’s second most active ransomware group, ALPHV (BlackCat), come to an end, or hasn’t it? If you ask the coalition of global police forces that recently seized its infrastructure, you’ll get a clear yes in answer to that question. The first sign that ALPHV was in trouble came on Dec. 7 when the dark websites used by the group to publish data leaks and conduct ransomware negotiations suddenly disappeared. This is highly unusual—dark websites used by ransomware groups are a vital piece of infrastructure necessary for their business model. Without it, t ..read more
Is the Relationship between Journalists and Ransomware Gangs Healthy?
Ransomware.org Blog
by John E. Dunn
3M ago
One of the most unexpected trends of recent years is the way ransomware has turned high-impact cybercrime incidents into a public spectacle. For ransomware criminals, the more public the better. Extra publicity equals more embarrassment for the victim, which even if it doesn’t result in a ransom being paid serves as a warning to future victims. Public Exposure: For organizations being ransomed, there are really only three ways to approach public exposure. The first—and until recently the default option—is to pay the ransom and hope (probably in vain) that this keeps the attack private. The seco ..read more
Europol Makes New Ransomware Arrests. But Will It Make Any Difference?
Ransomware.org Blog
by John E. Dunn
4M ago
In the relatively short history of ransomware crime, very few of the professional criminals behind these attacks have ever been brought to justice. So many crimes, so few arrests, and there’s no mystery as to why: Ransomware criminals typically operate from countries with weak or no laws against what they do, and sometimes (stand up, Russia) with what can only reasonably be interpreted as the tacit approval of the government itself. Ringleader Arrest: This should make Europol’s announcement on Nov. 21 that it arrested the 32-year-old alleged “ringleader” of a major ransomware operation a notabl ..read more
Unsecure Log Files Are the Most Ignored Weakness That Helps Ransomware
Ransomware.org Blog
by John E. Dunn
5M ago
“Those who cannot remember the past are condemned to repeat it,” said philosopher George Santayana in one of the most widely quoted aphorisms of the 20th century. According to a report from security company Sophos covering global customer data from the first half of 2023, a similar principle is applicable in many cyberattacks, especially those by ransomware. The computing equivalent of remembering events is logging, through which events are recorded as data in simple text files that list system messages, application errors, and account logins. Targeting Log Files: Log files have been a feature ..read more
ALPHV Ransomware Group Blows Whistle on Victim—Claims Breach of New SEC Rules
Ransomware.org Blog
by John E. Dunn
5M ago
On Nov. 7, the ALPHV ransomware group targeted the network of financial services company MeridianLink and, according to the group, stole files. No encryption was involved but, the group claims, MeridianLink was aware that the attack had happened. A communication took place between the attackers and the company, but no ransom was paid. So far, this will sound very similar to many ransomware attacks today. However, what the ransomware criminals did next departed from the usual script. In an innovative tactic, ALPHV reported the publicly quoted MeridianLink to the U.S. Securities and Exchange Com ..read more