It seems ransomware attacks were very much the flavor of the month in February. Ransomware attacks often exploit vulnerabilities in credential-based cybersecurity systems and cause significant damage. Bad actors demand that targets pay huge ransoms for stolen data or returned access to their IT systems, a promise they may or may not actually keep.

Ransomware targeted victims, ranging from the U.S. Marshals to major corporations like Dole Food Company, during the past month. One campaign breached over 2,000 organizations.

Read on for our breakdown of the most high-profile hacking news—ransomware or otherwise—from February. 

Dish Network

When it happened 

February 23

What happened

Dish Network, a pay television and wireless giant with brands like Boost Mobile and Sling, suffered a devastating and still ongoing outage following a cyberattack. Customers variously report that they cannot access their accounts, services, or streams, and that when access is available, many services remain severely degraded. The outage affects websites, apps, and customer support systems across most of Dish’s brands, and has helped lead their stock to five-year lows.

Method of attack 

This was a ransomware attack most likely carried out by the Black Basta group, according to Bleeping Computer. The attackers are rumored to have first infiltrated Boost Mobile (a Dish subsidiary) and then the Dish corporate network. Since Dish continues to disclose few details around the breach, speculation and gossip suggests that the adversary’s signature approach of credential harvesting, PsExec-led lateral movement, endpoint protection evasion, and aggressive ransomware deployment to Windows and VMware ESXi targets were all present in this attack and are the reason for rapid transition of large portions of Dish’s IT infrastructure to AWS since the attack.

The fallout so far 

In a public filing, Dish reported the attackers obtained data from its IT systems, which potentially includes sensitive personal data of tens of millions of current and former customers, and even potentially large numbers of rejected account applicants. The attack has heavily disrupted company operations, with TechCrunch reporting that Dish employees were still unable to go to work several days after the attack, and forums like Reddit widely sharing internal status updates on restoration progress. It’s unclear how large a ransom has been demanded by the attackers or how Dish intends to deal with the extortion, but the brand and reputation damage has already been extensive and analysts widely expect large direct costs associated to restoration and inability to collect subscription payments.

US Marshals

When it happened 

February 17

What happened 

The US Marshals Service suffered a major cyberattack, with hackers breaching a computer system that, despite not being connected to the organization’s broader network, contained sensitive information.

Method of attack 

The organization has said it was a ransomware-style attack that involved files being exfiltrated, but they haven’t revealed whether a ransom was demanded. 

The fallout so far 

The data stolen includes sensitive information about subjects of ongoing investigations, employee data, and internal processes, although no information about individuals in the Federal Witness Protection Program was taken. As NPR reports, it’s possible the attack was foreign espionage disguised as an attack by a ransomware gang. The source of the attack is now being investigated by the Justice Department. 

Dole

When it happened 

The attack was disclosed on February 22.

What happened 

One of the world's biggest producers and distributors of fresh produce, Dole Food Company, suffered a ransomware attack on its operations.

Method of attack

Dole disclosed few details beyond saying it was a ransomware attack, but an expert at Dragos has noted that food and beverage companies are currently facing threats that go well beyond conventional ransomware and are able to target specialized industrial control systems with previously unseen depth and efficiency. 

The fallout so far 

Dole said the attack had a limited impact on its operations, but there are reports of the company having to suspend food shipments and shut down production plants. It’s as yet unclear what data was stolen or how large a ransom is being demanded by the attackers. 

Community Health Systems

When it happened 

The attack was disclosed in a public filing on February 13. 

What happened 

Community Health Systems (CHS), a major American healthcare provider, suffered a highly damaging ransomware attack. 

Method of attack 

The ransomware attack, which the Russia-linked group Clop is reportedly responsible for, exploited a zero-day remote code injection vulnerability in Fortra’s secure managed file transfer software called GoAnywhere MFT. The gang claims to have breached over 100 organizations using the software, and continues the trend of adversaries insidiously targeting tools that are fundamentally intended to improve security posture and encryption compliance for file transfers. While Fortra did indicate that the vulnerability required access to the management interface of the server and many customers deploy it without that configuration, they avoided assigning any blame to organizations that deployed it without perimeter controls, an excellent sign that zero trust architectures and universal hardening of production systems are being adopted aggressively across all industries and use cases.

The fallout so far 

As many as one million patients have suffered the theft of personal and confidential medical records, leaving them at risk of identity fraud. This is the second cyberattack on CHS (Chinese hackers stole sensitive data in 2014), compounding the reputational damage. The size of the ransom being demanded is still unknown. 

City of Oakland 

When it happened 

February 8

What happened 

In a dramatic turn of events, Oakland declared a state of emergency after a ransomware attack took its IT systems offline. The state of emergency was declared in an effort to bring the city’s services back online as quickly as possible. 

Method of attack 

Beyond the fact that it was a ransomware attack, few details are publicly available about how this breach came about. The Play ransomware gang has claimed responsibility.  

The fallout so far 

The attack didn’t affect emergency services, but several non-emergency services were impacted and IT systems were severely disrupted. The Play ransomware gang has leaked highly sensitive data belonging to City of Oakland workers (such as passport and financial information), so it appears the authorities refused to pay the ransom. 

Reddit 

When it happened 

February 5

What happened 

Hackers breached Reddit's internal business systems, allowing them to steal confidential documents and source code.

Method of attack 

While Reddit’s disclosure described it as, “a sophisticated and highly-targeted phishing attack,” many, including our CTO Jasson Casey have noted that these kinds of attacks are becoming, “a paint by numbers exercise,” as the tools mature, remain easily accessible, and now have convenient and professional Initial Access Brokers for an as-a-Service supported experience. The hackers used spear phishing tactics to trick a Reddit employee with desirable internal application privileges into entering their login credentials and two-factor authentication tokens on a fake version of the company’s intranet site. The stolen credentials were then used to infiltrate the system. While Reddit and many others have lauded the compromised employee for brisk self-reporting, this incident reinforces the importance of phishing-resistant authentication to properly and broadly immunize organizations from this rapidly growing threat vector that has already impacted some of the most savvy security organizations simply because they continued to use convenient and phishable push MFA from the likes of Duo, Microsoft, and Okta, instead of stronger methods based on PKI and/or FIDO2.

The fallout so far 

The stolen data included limited contact information of current and former employees, as well as details about advertisers. Credit card information, passwords, and ad performance were not compromised, nor were the hackers able to infiltrate the website's production systems. However, the theft of contact information could expose affected individuals to further phishing attacks. 

ESXiArgs Ransomware Spree Targeting Unpatched VMware

When it happened 

The spree started on February 3. 

What happened 

A ransomware spree targeted thousands of organizations using specific versions of VMware ESXi. Experts have linked the campaign to a known VMware vulnerability discovered and patched almost two years ago.

Method of attack 

“ESXiArgs” ransomware is being used to target outdated products, taking advantage of vulnerabilities previously identified and reported in VMware security advisories. The attackers use the well-known heap-overflow vulnerability found in VMware's OpenSLP service (CVE-2021-21974) to gain access and execute relatively basic attacks. Security researchers initially balked at the idea that such an old vulnerability could be at the center of the spree, but VMware research and CISA follow-up advisories seem to suggest this is the case. Security Scorecard, a leading attack surface intelligence platform, detected over 139,000 instances of VMware consoles exposed via public IPv4 interfaces, and search engines like Shodan confirmed at least 30,000 such systems running out-of-date versions as of February 2023.

The fallout so far 

Nearly 2,000 servers were compromised, and at least 2,250 machines have been affected, meaning that this attack was large in scope. The attackers are reportedly demanding around two bitcoins from each victim, with an analysis showing two have already paid. According to one expert, the hackers could modify the ransomware code or identify additional opportunities, potentially leading to another spree. Fortunately, the impact seems to be contained thanks to CISA’s quick work in making an ESXiArgs recovery script available via GitHub on February 8.

Tallahassee Memorial HealthCare

When it happened 

February 2

What happened 

Tallahassee Memorial HealthCare (TMH), a Florida Hospital, was hit by a cyberattack that forced it to take its IT systems offline and suspend non-emergency procedures.

Method of attack  

TMH has not confirmed the attack, but experts believe it was a ransomware attack similar to others recently inflicted on healthcare providers in the US.

The fallout so far 

As well as causing temporary but significant disruption to the hospital’s IT systems and non-emergency procedures, patients requiring emergency services had to be diverted to other hospitals. If, as suspected, this was a ransomware attack, the hospital will face the unenviable situation of being extorted in exchange for (often unreliable) promises of not leaking data. 

Vesuvius 

When it happened 

The company disclosed the attack on February 6. 

What happened 

Vesuvius, a molten metal flow engineering company based in the UK, suffered a cyberattack by cybercriminal organization Vice Society. 

Method of attack

Vice Society is known for using ransomware methods. While Vesuvius hasn’t provided details on how the breach occurred, analysis shows that the company had security vulnerabilities.

The fallout so far 

Vice Society leaked the data stolen, showing that Vesuvius refused to pay the ransom demanded by them. At the time of writing, it’s unclear what damage will come from the release of the data. 

Regal Medical Group

When it happened 

Notification letters were sent out starting on February 1. 

What happened 

Regal Medical Group, a California healthcare provider, revealed that highly sensitive data belonging to 3.3 million individuals was breached in a devastating cyberattack on the organization in December.

Method of attack

This was a ransomware attack, with Regal stating, “Malware was detected on some of our servers, which we later learned resulted in the threat actor accessing and exfiltrating certain data from our systems.” The type of ransomware used is unknown. 

The fallout so far 

The data breached includes Social Security numbers, addresses, treatment information, and radiology reports. This leaves the victims at risk of identity fraud and blackmail. Unsurprisingly, this has resulted in a proposed class action lawsuit by affected individuals against Regal Medical Group. As in most cases, the organization hasn’t revealed details about the ransom demanded.   

Pepsi Bottling Ventures

When it happened 

December 23, but notification letters were sent out in February. 

What happened 

Pepsi Bottling Ventures, the leading American bottler of Pepsi-Cola drinks, disclosed that it suffered a cyberattack resulting in the theft of sensitive employee personal data.

Method of attack 

A network intrusion led to the installation of malware that extracted data from the company's IT systems, according to the notice from the company. 

The fallout so far 

The nature of the data leaked is damaging, as it includes financial account information, Social Security numbers, passport information, digital signatures, and even benefits-related information on health insurance claims and medical history. Identity theft, fraud, and blackmail are now all genuine risks for the victims. While we don’t know yet how many have been affected, this is undoubtedly a very serious matter for the company. 

Scandinavian Airlines 

When it happened 

February 14

What happened 

Scandinavian Airlines (SAS) informed passengers that a cyberattack caused a multi-hour outage of its website and mobile app, and that it caused a malfunction in the airline's online system that made some customer data visible to other customers.

Method of attack 

A hacktivist group calling itself “Anonymous Sudan” claimed responsibility for the attack, citing anti-Swedish political motives, but we don’t know exactly what methods were used to carry out the attack.

The fallout so far 

While the leaked financial information is partial and not easily exploitable, and the attackers did not compromise passport details, the exposure of full names and contact information in the attack still brings the risk of future phishing attacks for these individuals. 

Other news 

ChatGPT

• Amazon is taking precautions to prevent its employees from giving sensitive information to OpenAI's ChatGPT tool, which its lawyers say produced text snippets resembling company secrets.
• The conversational and grammatical capabilities of ChatGPT could potentially enhance phishing scams and make it difficult to identify attackers, according to this expert.
• Cybercriminals are exploiting people who search for ChatGPT online by redirecting them to malware and phishing websites. Some malicious ChatGPT imitations have even made their way to official app stores, such as the Google Play Store.

Cybersecurity and Infrastructure Security Agency (CISA) news

• This Cybersecurity Advisory (CSA) presents insights from a recent CISA red team assessment that will assist network defenders in enhancing their organization's cybersecurity posture.
• Google has released a statement on its blog saying that it agrees with CISA’s position that companies must take more responsibility for preventing cyberattacks. 

Government password audit

• According to a recent security audit, over 20% of the passwords for network accounts at the US Department of the Interior—such as Password1234, Password1234!, and ChangeItN0w!—are vulnerable to basic hacking methods.

Hackers caught

• Finland’s most-wanted hacker, Julius "Zeekill" Kivimäki—charged with blackmailing a local psychotherapy practice and exposing the therapy notes of over 22,000 patients—was detained in France this week. Kivimäki, previously convicted of thousands of cybercrimes, had been on the run since October 2022.
• US and UK authorities have imposed financial sanctions on seven men accused of running the Trickbot cybercrime platform, which facilitated numerous ransomware attacks and bank account takeovers since 2016. The Trickbot group is linked to Russian intelligence services and has targeted various US firms and government agencies.
• Vladislav Klyushin, the owner of Russian cybersecurity firm M-13, was found guilty of hacking two US-based filing agents, enabling him to steal SEC earnings reports and illicitly earn $90 million.

Malicious Google Ads

• Google searches for popular software downloads have become increasingly risky in recent months, according to experts. The sharp increase in malicious Google Ads is affecting searches for famous brands.

Protect your organization against credential-based attacks

Beyond Identity’s phishing-resistant multi-factor authentication (MFA) eliminates the risk of credential-based attacks by replacing vulnerable login details with three secure factors:

• Biometrics (fingerprint and facial recognition) stored on the device
• Cryptographic security keys stored on trusted devices
• Device-level security checks during login

Schedule a demo to discover more about how Beyond Identity's Zero Trust Authentication can protect your organization from damaging breaches.