Florida Ransomware Incidents 2020 - 2024


Kendith Broxton II, PhD

Randy

Here is an example of a Sodinokibi/REvil ransom note. The commercial world has been overtaken by cloud services, and the same is true of ransomware. One of the most well-known strains of the malware is “REvil.” REvil, sometimes referred to as Sodinokibi or Sodin, is a ransomware-as-a-service (RaaS) provider, meaning that the ransomware code is created and maintained by a core group and distributed to affiliates who deploy it against potential victims.

To the right is an example of REvil’s affiliate operations. In this case, the operator received 40% of each ransom payment made by a victim in 2019. This portion decreased to 30% once an affiliate had collected three successful ransom payments. According to Group-IB, the operator's cut may have decreased to 25% more recently. The company also points out that REvil's main operators, like those of other RaaS businesses, often negotiate directly with victims. According to experts, this division of labor (an affiliate infects victims while the operator maintains the code and supporting services) has contributed to the continuous rise in the number of affected firms and in the ransoms they are having to pay. REvil is among the most prosperous of these malware ventures of the last several years.

Foreword

Cybercriminals commonly deploy ransomware, especially on the Dark Web, and Florida is not immune to these attacks. Ransomware poses a significant challenge for Chief Information Security Officers (CISOs), cyber analysts, and policy-makers. This report aims to highlight recent ransomware attacks and suggest ways to prevent or mitigate their impact.

Ransomware often enters computer systems through phishing attacks. Once inside, it locks and encrypts a large number of files and data, demanding a ransom to restore the victim’s access. Cyber extortion is a serious and growing problem, with incidents increasing every year. Forecasts suggest that by 2025 ransomware could lead to losses of up to $5 billion for affected companies, potentially causing annual economic losses of up to $5 trillion.

National and local governmental entities are particularly vulnerable because they often pay ransoms. In 2022, the Florida legislature passed a bill that prohibits state and local governments from paying attackers. This approach may deter cybercriminals, who might avoid targeting entities that are unlikely to pay ransoms.

Fighting ransomware attacks is challenging. Some attacks are random, while others are specifically targeted. Most intruders take advantage of human error, highlighting the importance of strong information security practices.

One proposal to combat this issue is to stop offering ransomware insurance payments. This could reduce the resources available to criminals and increase support for those who refuse to pay[1]. This would eliminate the success of ransomware attacks, produce cheaper premiums in cyber insurance, and ultimately reduce the need for federal support.

Copyright ©2024 Florida Center for Cybersecurity, All Rights Reserved. This publication is made available by the Florida Center for Cybersecurity for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney and/or cybersecurity professional with the sufficient expertise necessary to address your organization’s specific needs. Use of this document does not create any special or fiduciary relationship between you and the Florida Center for Cybersecurity or the University of South Florida.

[1] Logue, K. D., & Shniderman, A. B. (2021, August). The Case for Banning (and Mandating) Ransomware Insurance. SSRN Electronic Journal. U of Michigan Law & Econ Research Paper No. 21-040; Connecticut Insurance Law Journal, Forthcoming. DOI: 10.2139/ssrn.3907373

Executive Summary

Ransomware infections represent a serious and growing threat to Florida’s public and private institutions. Since 2020, the number of ransomware cases has grown substantially, leading to significant economic losses and disruptions in critical infrastructure. Between 2018 and 2023, ransomware attacks cost US government organizations an estimated $38.3 billion[2]. Public sector organizations comprise 75% of ransomware victims, with an additional 18% in the private sector. The remaining 7% were composed of private organizations and NGOs. Globally, the estimated annual expense of ransomware incidents is expected to rise and reach $265 billion by 2031[3].

Seven known ransomware strains have emerged in Florida-based incidents: REvil, Ryuk, BlackCat, Conti, Crucio, Blackbyte, and RansomHub. Among these, only the Crucio ransomware is clearly linked to state-sponsored hackers, known as the Cyber Av3ngers, believed to be linked to Iran's Islamic Revolutionary Guard Corps (IRGC). This group has been accused of attacking critical infrastructure, including programmable logic controllers (PLCs), and claims to have created the Crucio ransomware. Most of the ransomware operators involved in Florida-based incidents remain uncertain and difficult to attribute. Ransomware, however, has become a low-cost and accessible mode of extortion. The rise of Ransomware as a Service (RaaS) has lowered the technical barrier to entry, making it a tempting choice for cybercriminals. A simple phishing email carrying a ransomware program and a single encryption key is all that is required to infect a computer network.

Ransomware, unlike other forms of malware, does not require large-scale infections to be effective. Even a few infections can spread across multiple networks and lead to financial gains. Many ransomware cybercriminals operate from countries where extradition is unavailable, making it difficult to disrupt and prosecute them. The simple tools available to these criminals, combined with the potential for high rewards, suggest that ransomware will continue to be a major threat for the foreseeable future.

The trend of ransomware attacks is expected to continue, with both the frequency and the amount of ransom likely to increase. With the recent surge in AI, especially Generative AI (GenAI), it is likely that AI will play a major role in ransomware soon, whether used to develop ransomware, propagate ransomware, request and receive ransoms, or assist with Ransomware as a Service (RaaS). To protect against ransomware, it is important to use the information provided here to strengthen network security.

In an attempt to deter ransomware attacks in the State, the Florida legislature enacted Florida Statute 282.3186, prescribing that state, county and municipality agencies “experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.”

[2] Bischoff, P. (2021, March 17). Ransomware attacks on US government organizations cost over $70bn from 2018 to October 2022. Comparitech. https://www.comparitech.com/blog/information-security/government-ransomware-attacks/

[3] eSentire. (2024, July 23). Cybersecurity Ventures Report on Cybercrime. eSentire. https://esentire.com/cybersecurity-fundamentals-defined/glossary/cybersecurity-ventures-report-on-cybercrime#:~:text=Global%20cybercrime%20damage%20is%20predicted,e

Florida Ransomware Incidents 2020-2024

Through a search of publicly available news sources, we identified 30 ransomware incidents in the state of Florida occurring between 2020 and 2024. This is an increase from 18 ransomware incidents between 2016 and 2019 (see Florida Ransomware Incidents 16-19). Ransomware attacks have been on the rise for these targets: government, local emergency services, hospitals, small and medium-sized businesses, and small NGOs. The attacked targets share a number of common features: (1) most targeted entities relied heavily on centralized information technology (IT) and operational technology (OT) infrastructures; (2) they were generally not large, high-profile service providers; (3) they did not extensively investigate the incident or seek to attribute it, or take official action to report or prosecute those responsible; and (4) they typically had sufficient financial resources to pay out a ransom demand.

The limited number of identified incidents suggests that many ransomware victims are reticent to disclose the attacks. The incident analysis shows that when the attacks are publicly disclosed, detailed information is typically unavailable or unreported. In a number of cases, negotiations with the ransomware perpetrators ended with no final settlement on the fate of the payment.

A breakdown of the analysis of 2020-2024 Florida ransomware incidents is provided below (Note: these results are consistent with trends in publicly reported ransomware incidents nationally and internationally; see appendices):

-Public sector agencies appear to be attractive targets. It is possible that public sector entities are perceived as being less prepared for a ransomware attack, less sophisticated in their ability to detect and remove the phishing emails that activate the malware, and generally less secure in their overall cybersecurity posture than their private sector counterparts (low-hanging fruit). Compared to the 16-19 report, there is a slight increase in private sector ransomware incidents for 20-24.

-There is no consistent year-over-year trend in the known incidence of Florida-based ransomware attacks. For that reason, and because the incidents are underreported, it is difficult to develop any reliable forecasts for 2025. We do know, however, that ransomware incidents nationally began escalating in 2020, particularly affecting the healthcare and education sectors, and continued into 2021, including the Colonial Pipeline attack. We also know that targets in the financial sector jumped between 2022 and 2023, with nearly two-thirds of institutions worldwide reporting a ransomware attack[1]. The numbers were similar for 2024, but the amounts of the ransom demands have been increasing[3]. Compared to the 16-19 report, ransomware incidents show no clear trend, but the overall number of ransomware incidents has increased for 20-24[2].

-In Florida-based attacks, many of the victims are not reporting whether they paid the ransom or not. Reporting ransomware payment status should be mandatory. Nationally, we know that although fewer victims are paying the ransoms, the amounts of the demands have risen significantly[1]. Compared to the 16-19 report, the number of unknowns regarding payment has increased, so we are unable to determine whether paid or unpaid incidents have increased or decreased for 20-24. In a direct comparison, it does appear that fewer ransoms are being paid for 20-24.

[4] Kerner, S. M. (2024, January 3). Ransomware trends, statistics and facts heading into 2024. TechTarget. https://www.techtarget.com/searchsecurity/feature/Ransomware-trends-statistics-and-facts

[5] Statista. (2024, July 9). Global financial ransomware attack rate 2024. Statista. https://www.statista.com/statistics/1460896/rate-ransomware-attacks-global/

[6] Sophos. (2024). The State of Ransomware 2024. Sophos Ltd. https://www.sophos.com/en-us/content/state-of-ransomware?utm_source=chatgpt.com

[7] Elgan, M. (2024, December 5). Roundup: The top ransomware stories of 2024. Security Intelligence. https://securityintelligence.com/articles/roundup-the-top-ransomware-stories-of-2024/

-The unknowns concerning the types of ransomware deployed in the attacks are of primary concern. This gap in our threat intelligence could be due to a lack of reporting, but without knowing the primary types of ransomware being used, it is harder to defend against these attacks. Understanding our cyber adversaries and their tactics helps us defend against them successfully. Compared to the 16-19 report, we are seeing a drastic increase for 20-24 in incidents where the type of ransomware was not identified or reported.

Table 1 - Florida Ransomware Incidents 2020-2024

[8] Bischoff, P. (2021, March 17). Ransomware attacks on US government organizations cost over $70bn from 2018 to October 2022. Comparitech. https://www.comparitech.com/blog/information-security/government-ransomware-attacks/

[9] Bischoff, P. (2021, March 17). Ransomware attacks on US government organizations cost over $70bn from 2018 to October 2022. Comparitech. https://www.comparitech.com/blog/information-security/government-ransomware-attacks/

[10] 10 Tampa Bay. (2020, October 16). Data breach of software company used by AdventHealth may have obtained donor information. https://www.wtsp.com/article/tech/data-breach-of-software-company-used-by-adventhhealth-may-have-obtained-donor-information/67568498a3-5a58-4c04-aedd-56f038525a13

[11] CBS Miami. (2020, February 7). North Miami Beach affected by cyber attack. https://www.cbsnews.com/miami/news/north-miami-beach-affected-by-cyber-attack/

[12] Freed, B. (2019, June 20). Florida city pays hackers $600,000 after ransomware attack. StateScoop. https://statescoop.com/florida-city-pays-hackers-600000-after-ransomware-attack/

[13] Montalbano, E. (2020, October 15). Carnival Corp hit by ransomware attack, threatening cruise ops. Threatpost. https://threatpost.com/carnival-corp-ransomware-attack-cruise/160134/

[14] OODA Loop. (2020, October 15). Cybercriminals steal nearly 1TB of data from Miami-based international tech firm. https://oodaloop.com/briefs/cyber/cybercriminals-steal-nearly-1tb-of-data-from-miami-based-international-tech-firm/

[15] Bischoff, P. (2021, March 17). Ransomware attacks on US government organizations cost over $70bn from 2018 to October 2022. Comparitech. https://www.comparitech.com/blog/information-security/government-ransomware-attacks/

[16] Razzano, T. (2021, February 25). Florida Studio Theatre endures ransomware attack. Patch. https://patch.com/florida/sarasota/florida-studio-theatre-endures-ransomware-attack

[17] Razzano, T. (2021, February 25). Bond Clinic shut out of computer systems, patients concerned. WFLA. https://www.wfla.com/news/polk-county/bond-clinic-shut-out-of-computer-systems-patients-concerned/

[18] Tavel, J. (2021, March 25). Hackers hit University of Miami, posted patients’ private info. School won’t discuss details. Miami Herald. https://www.miamiherald.com/news/health-care/article250172390.html

[19] Toulas, B. (2021, June 23). Nefilim ransomware group hit Spirit Airlines. TechNadu. https://www.technadu.com/nefilim-ransomware-group-hit-spirit-airlines/252679/

[20] Zurier, S. (2022, June 23). Conti Ransomware Gang Hits Broward County Schools with $40M Demand. SC Media. https://www.scmagazine.com/news/conti-ransomware-gang-hits-broward-county-schools-with-40m-demand

[21] Zurier, S. (2022, June 23). Conti Ransomware Gang Hits Broward County Schools with $40M Demand. SC Media. https://www.scmagazine.com/news/conti-ransomware-gang-hits-broward-county-schools-with-40m-demand

Both BlackSuit and Royal also have ties to the now-defunct Conti ransomware group[29].

Shut down a medical diagnostic imaging firm in

[22] Cimpanu, C. (2021, July 19). Ransomware incident at major cloud provider disrupts real estate title industry. The Record. https://therecord.media/ransomware-incident-at-major-cloud-provider-disrupts-real-estate-title-industry

[23] Hait, A., & King, S. (2021, November 1). Martin County officials 'in the dark' as to ransomware network issues at tax collector's office. WPBF. https://www.wpbf.com/article/martin-county-officials-in-the-dark-as-to-computer-issues-at-tax-collectors-office/38098275

[24] Hait, A., & King, S. (2021, November 1). Martin County officials 'in the dark' as to ransomware network issues at tax collector's office. WPBF. https://www.wpbf.com/article/martin-county-officials-in-the-dark-as-to-computer-issues-at-tax-collectors-office/38098275

[25] Bischoff, P. (2021, March 17). Ransomware attacks on US government organizations cost over $70bn from 2018 to October 2022. Comparitech. https://www.comparitech.com/blog/information-security/government-ransomware-attacks/

[26] Pearson, J., & Satter, R. (2023, February 8). Ransomware outbreak hits Florida Supreme Court, US, European universities. Reuters. https://www.reuters.com/world/us/ransomware-outbreak-hits-florida-supreme-court-us-european-universities-2023-02-07/

[27] Bischoff, P. (2021, March 17). Ransomware attacks on US government organizations cost over $70bn from 2018 to October 2022. Comparitech. https://www.comparitech.com/blog/information-security/government-ransomware-attacks/

[28] Arghire, I. (2023, July 21). Tampa General Hospital says patient information stolen in ransomware attack. SecurityWeek. https://www.securityweek.com/tampa-general-hospital-says-patient-information-stolen-in-ransomware-attack/

[29] Greig, J. (2023, July 12). Tampa zoo targeted in cyberattack. The Record. https://therecord.media/tampa-zoo-targeted-in-cyberattack

[30] Pedersen, J. M. (2023, October 27). Ransomware attack shuts down Central Florida radiology imager sites. Central Florida Public Media. https://www.cfpublic.org/health/2023-10-27/ransomware-attack-shuts-down-central-florida-radiology-imager-sites

[31] Bohman, D. (2023, November 14). Ransomware attack responsible for shuttering St. Lucie County tax collector's computer system. WPTV News Channel 5 West Palm. https://www.wptv.com/news/treasure-coast/region-st-lucie-county/ransomware-attack-responsible-for-shuttering-st-lucie-county-tax-collectors-computer-system

[32] Bohman, D. (2023, November 14). Ransomware attack responsible for shuttering St. Lucie County tax collector's computer system. WPTV News Channel 5 West Palm. https://www.wptv.com/news/treasure-coast/region-st-lucie-county/ransomware-attack-responsible-for-shuttering-st-lucie-county-tax-collectors-computer-system

[33] SC Media. (2023, December 6). Florida water agency impacted by cyberattack. SC Media. https://www.scmagazine.com/brief/florida-water-agency-impacted-by-cyberattack

[34] SC Media. (2023, December 6). Florida water agency impacted by cyberattack. SC Media. https://www.scmagazine.com/brief/florida-water-agency-impacted-by-cyberattack

[35] Kingsley, R. (2023, November 28). Fidelity National Financial hit by cyberattack. National Mortgage Professional. https://nationalmortgageprofessional.com/news/fidelity-national-financial-hit-cyberattack

Cyber Threat Actors’ Intentions

Financial gain is the primary motive for ransomware attacks generally, and in Florida specifically. That is evident in all the documented cases. Although data are lacking about payment outcomes in most cases, only two cases have been reported in the public domain where the Florida organizations paid the ransom, and in both cases the attackers subsequently decrypted the files.

The North Miami Beach Police Department was among the most prominent targets, reporting a $5 million ransom demand, though details and specifics of the attack have not been reported. The Florida Supreme Court was also hit with a ransomware attack. Reuters revealed that the attackers exploited a vulnerability in file transfer software to access the system. Their reporting suggested that the hackers had extorted only $88,000, a rather small sum compared to the controversial million-dollar ransoms demanded by other hacking groups.

Similarly, there is very little systematic research highlighting whether, when and how these criminal groups escalate or retaliate in scenarios where no ransom is paid. That information gap limits a holistic analysis of ransomware adversaries’ tactics and techniques.

Ransomware Types

Our incident analysis shows that seven major strains of ransomware have been used in attacks against Florida-based targets. Those strains are: REvil, Ryuk, BlackCat, Conti, Crucio, Blackbyte, and RansomHub. The following section provides a brief rundown on each.

Ryuk

The first known case of the ransomware called Ryuk was discovered in August 2018 and was listed in a public malware repository[41]. Ryuk tends to be used in highly targeted attacks against large organizations. Its operators often conduct extensive network reconnaissance and manual exploitation before deploying the ransomware[42]. Analysis of its code suggests that it likely originated from the Hermes ransomware. Hermes is linked to a subgroup of the North Korean Lazarus group, also known as Stardust Chollima, which offered it on hacker forums for $300 in 2017[43].

In many ways the Ryuk and Hermes attack methods are quite similar, but they manipulate files differently. Both use a combination of RSA-2048 and AES-256 for encryption, with the keys stored in an executable format called Microsoft SIMPLEBLOBs[44]. Both ransomware strains use the mount command to encrypt files on both local devices and connected remote hosts, and both insert specific markers into encrypted files to identify them. Ryuk even uses the same file marker as its "HERMES" predecessor, suggesting a direct link and shared codebase. However, Hermes relies on a single RSA public/private key pair, known as the "Victim key," while Ryuk takes a different approach. Ryuk generates two RSA public keys and includes them in each executable, creating a unique key for every instance. This means that the key from a Ryuk attack can only decrypt files on the system it infected, making it ineffective on other victims' machines. Ryuk also eliminated HERMES’ specific anti-analysis measures and added an operation to erase shadow copies and backup files, which blocks attempts to restore the system[45].

While many criminal groups use Hermes, Ryuk appears to be utilized exclusively by one group: Wizard Spider. Despite being used in only 15-25% of all ransomware incidents, Ryuk's market presence is still significant.

Ryuk is constantly evolving, with capabilities that expand and contract over time. The Ryuk ransomware comes in two forms: a dropper and the working payload code. The dropper is usually temporary; it is removed from the system by the payload once its task is done. Ryuk exploits the fact that there are few blacklists for non-encrypted files, so it encrypts a wide range of system files, which can harm the stability of the host system[46]. Currently, only three file extensions are exempted: "exe," "dll," and "hrmlog" (the Hermes debug log filename). Ryuk uses a cryptographic routine to encrypt files and is designed to act like a rootkit, giving it higher privileges and allowing it to expose the encrypted files. Unlike other ransomware, Ryuk runs persistently in the background and prevents any recovery attempts. Additionally, Ryuk does not attack systems that use the Russian, Ukrainian, or Belarusian languages, a tactic that helps Russian cybercriminals avoid attention from local law enforcement.
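The shadow-copy and backup destruction described above is the clearest pre-encryption signal a defender gets, because the ransomware has to run it before it locks files, and legitimate administrators rarely issue several such commands on one host within seconds. The following Python block is an added example written for this report's readers; it is not code from the report, from Trend Micro or Zscaler, or from any Ryuk sample. It scores constructed process-creation events against a small set of command-line patterns for backup tampering and rates a host "high" when two or more distinct tampering commands appear within a short window. The patterns (drawn from well-known Windows recovery utilities rather than from the page), the flat event format, and the `evaluate` and `hunt` names are this example's own assumptions.

```python
"""Added example, not from the report or from any Ryuk analysis: flag the
shadow-copy and backup destruction the text describes, using constructed
process-creation events. Command patterns are this example's assumptions."""
import re
from datetime import datetime, timezone

# Assumed detection patterns (applied to the lower-cased command line). They
# name well-known Windows recovery utilities; they are not rules from the page.
RULES = [
    ("vss_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vss_resize_storage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wmi_shadowcopy_class", re.compile(r"win32_shadowcopy")),
]

# Constructed sample events in an assumed flat format:
#   <UTC time> host=<name> user=<domain\user> pid=<n> cmd=<command line>
SAMPLE_EVENTS = [
    "2021-03-04T02:11:05Z host=FS01 user=CORP\\svc_backup pid=4120 cmd=wbadmin start backup -backupTarget:E: -include:C:",
    "2021-03-04T02:13:48Z host=FS01 user=CORP\\jdoe pid=5588 cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "2021-03-04T02:13:49Z host=FS01 user=CORP\\jdoe pid=5590 cmd=bcdedit /set {default} recoveryenabled No",
    "2021-03-04T02:13:50Z host=FS01 user=CORP\\jdoe pid=5592 cmd=wmic shadowcopy delete",
    "2021-03-04T02:20:00Z host=WS17 user=CORP\\asmith pid=7001 cmd=notepad.exe C:\\Users\\asmith\\notes.txt",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) pid=(?P<pid>\d+) cmd=(?P<cmd>.*)$")


def parse_event(line):
    """Parse one event line into a dict, or return None if it is malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def evaluate(cmd):
    """Names of every rule the command line matches (empty list if benign)."""
    low = cmd.lower()
    return [name for name, rx in RULES if rx.search(low)]


def hunt(events, window_seconds=60):
    """One alert per host that ran a tampering command.

    Several distinct tampering commands on the same host inside the window is
    the pattern that immediately precedes encryption, so it is rated 'high';
    a single isolated hit is 'medium' (an admin may legitimately resize storage).
    """
    per_host = {}
    for line in events:
        ev = parse_event(line)
        if ev is None:
            continue
        hits = evaluate(ev["cmd"])
        if hits:
            per_host.setdefault(ev["host"], []).append((ev["ts"], ev["user"], hits))
    alerts = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        rules = sorted({r for _, _, rs in hits for r in rs})
        severity = "high" if len(rules) >= 2 and span <= window_seconds else "medium"
        alerts.append({
            "host": host,
            "users": sorted({u for _, u, _ in hits}),
            "rules": rules,
            "first_seen": hits[0][0].isoformat(),
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the backup job run by the service account produces no hit, while FS01 gets a single "high" alert naming the three tampering rules and the user that ran them; that is the moment to isolate the host, since encryption typically follows within minutes.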

[36] Console, R., Jr. (2024, January 2). Akumin confirms data breach impacting thousands. JD Supra. https://www.jdsupra.com/legalnews/akumin-confirms-data-breach-impacting-4063971/

[37] Jones, J. A., Jr. (2023, December 19). Manatee Memorial Hospital reports ransomware incident involving patient information. Bradenton Herald. https://www.bradenton.com/news/local/article283238878.html

[38] Alder, S. (2024, August 30). Florida Department of Health Notifies Individuals Affected by June 2024 Cyberattack. HIPAA Journal. https://www.hipaajournal.com/ransomhub-florida-department-health-cyberattack/

[39] Kephart, T. (2024, July 31). OneBlood hit by ransomware attack, software systems impacted. ABC Action News. https://www.abcactionnews.com/news/state/oneblood-hit-by-ransomware-attack-software-systems-impacted

[40] Gramajo, M. (2024, August 6). Sumter County Sheriff’s Office ransomware attack. WESH. https://www.wesh.com/article/sumter-county-sheriffs-office-ransomware-attack/61808496

[41] Trend Micro Research. (2024, April). RYUK ransomware. Trend Micro. https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html

[42] CrowdStrike. (2019, January 10). Big game hunting with Ryuk: Another lucrative, targeted ransomware. CrowdStrike. Retrieved February 4, 2025, from https://www.crowdstrike.com/en-us/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

[43] Trend Micro Research. (2024, April). RYUK ransomware. Trend Micro. https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html

[44] Trend Micro Research. (2024, April). RYUK ransomware. Trend Micro. https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html

[45] Dodia, R., & Kumar, A. (2019, October 10). Examining the Ryuk ransomware. Zscaler. https://www.zscaler.com/blogs/security-research/examining-ryuk-ransomware

[46] Trend Micro Research. (2024, April). RYUK ransomware. Trend Micro. https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html

Figure 1: Ryuk Ransomware Attack Example (only the diagram's labels survive extraction; its stages are listed here in order)

- Initial access: phishing email carrying the malicious BazarLoader; the user is baited into executing it by means of a dual file extension
- External tools used: Cobalt Strike, SharpHound (BloodHound), Rubeus, AdFind, vsftpd, SystemBC, Kerbrute
- Domain discovery: nltest, net group, AdFind, PowerShell
- Domain credentials: SharpHound, Rubeus, Kerbrute, and exploitation of CVE-2020-1472 to reset the Domain Controller password
- Disable AV tools: PowerShell, GMER; hide from AV: SystemBC (proxy tool)
- Exfiltrate stolen data: vsftpd
- Deployment: Cobalt Strike, then the Ryuk ransom

Figure 2: Ryuk ransomware attack kill chain (Source: Sophos)

REvil

REvil, also known as Sodinokibi, is a type of ransomware that locks a computer's files and demands payment to unlock them[47]. It was first discovered by McAfee's Advanced Threat Research team in April 2019. A typical ransom note asks for payment in Bitcoin, with threats of doubling the ransom if payment is late.

One unique feature of REvil is its ransomware-as-a-service (RaaS) model. In this setup, some groups focus on creating and maintaining the ransomware code, while others, known as affiliates, handle its distribution[48]. Affiliates can spread REvil through various methods, including large-scale attacks using exploit kits or targeted campaigns like phishing. These attacks often begin with the hackers gaining access through Remote Desktop Protocol (RDP) breaches.

REvil operates in several stages. First, the group infiltrates the system and encrypts files using RSA-2048 and AES-256 encryption methods. They then demand a ransom payment in Bitcoin. The ransom note often includes threats to the affected organization if payment is not made on time[49]. Typically, the malware is spread using various tools that exploit system vulnerabilities or through phishing campaigns. After encrypting the files, REvil stores the decryption keys in the Command Line Interface (CLI) using Microsoft BLOB format, making the decryption process difficult without hacking the key.

[47] Ballejos, L. (2024, February 2). What is REvil ransomware? NinjaOne. https://www.ninjaone.com/it-hub/endpoint-security/what-is-revil-ransomware/

[48] Ballejos, L. (2024, February 2). What is REvil ransomware? NinjaOne. https://www.ninjaone.com/it-hub/endpoint-security/what-is-revil-ransomware/

[49] Ballejos, L. (2024, February 2). What is REvil ransomware? NinjaOne. https://www.ninjaone.com/it-hub/endpoint-security/what-is-revil-ransomware/

Crucio

Crucio ransomware is a type of malicious software that encrypts files on a victim's computer, making them inaccessible until a ransom is paid[50]. It is believed to have originated in Iran with the IRGC and takes its name from the “Crucio” curse in the Harry Potter series. First discovered in early 2021, Crucio is now seen as a powerful tool for cybercriminals.

This ransomware is known for its complexity and ability to hide from traditional security measures, thanks to its advanced encryption algorithms and evasion techniques. Like many ransomware programs, Crucio often spreads through phishing emails or harmful links. Once a victim interacts with it, the malware takes control of the system and begins encrypting files. Crucio can target various file types, including documents, images, and videos.

One notable feature of Crucio is its use of double-layered encryption. This means it encrypts files twice with different algorithms, making it extremely difficult to decrypt them without the private key held by the attackers[51]. After encrypting the victim's files, Crucio displays a ransom note, either as a file or a pop-up window, demanding payment for the decryption key. The amounts of money involved vary based on the scale of the attack, typically ranging from hundreds to thousands of dollars[52]. To increase pressure, Crucio operators threaten to destroy the decryption key if the ransom is not paid within a certain timeframe. Crucio is also known for disrupting analysis and debugging processes, making it difficult for cybersecurity experts to reverse-engineer the code for decryption tools. Additionally, Crucio operators use the Tor network and cryptocurrency payments to avoid detection by law enforcement.

CISA shared the following “suspected” ransomware Indicators of Compromise (IoCs) in its advisory[53]:

- MD5 hash: BA284A4B508A7ABD8070A427386E93E0 (suspected to be associated with Crucio ransomware)
- SHA1 hash: 66AE21571FAEE1E258549078144325DC9DD60303 (suspected to be linked to Crucio ransomware)
- SHA256 hash: 440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3 (suspected Crucio ransomware hash)
- IP address: 178.162.227[.]180 (suspected IP associated with Crucio ransomware)
- IP address: 185.162.235[.]206 (another suspected IP linked to Crucio ransomware)
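The IoCs above arrive defanged (the `[.]` in the IP addresses stops them being clicked or resolved by accident), so the first job is to normalize them before matching, and a hit on a "suspected" indicator is a triage lead rather than proof of a Crucio infection. The following Python block is an added example, not code from the report or from CISA: it refangs the IP addresses, indexes the hashes by family, and checks both against a constructed file-hash inventory and constructed proxy log lines. Only the hash and IP values come from the advisory as quoted above; `SAMPLE_INVENTORY`, `SAMPLE_PROXY_LOG`, the log format and the function names are this example's own.

```python
"""Added example (not code from the report or CISA): match the suspected
Crucio IoCs listed above against a constructed hash inventory and constructed
proxy log lines. Only the hash and IP values come from the advisory."""
import re

# IoCs exactly as quoted above from CISA AA23-335A ("suspected" only).
# The IPs stay defanged in the list so it can be shared safely; refang()
# restores them only at match time.
SUSPECTED_IOCS = {
    "md5": ["BA284A4B508A7ABD8070A427386E93E0"],
    "sha1": ["66AE21571FAEE1E258549078144325DC9DD60303"],
    "sha256": ["440b5385d3838e3f6bc21220caa83b65cd5f3618daea676f271c3671650ce9a3"],
    "ip": ["178.162.227[.]180", "185.162.235[.]206"],
}

# Hex-digest length identifies the hash family.
HASH_TYPE_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample data: (path, hex digest) pairs and proxy log lines.
# 198.51.100.7 is a documentation-range address used as benign filler.
SAMPLE_INVENTORY = [
    ("C:\\Users\\alice\\Downloads\\invoice.pdf", "00" * 16),
    ("C:\\ProgramData\\svc\\update.exe", "ba284a4b508a7abd8070a427386e93e0"),
    ("/opt/app/bin/run", "440B5385D3838E3F6BC21220CAA83B65CD5F3618DAEA676F271C3671650CE9A3"),
]
SAMPLE_PROXY_LOG = [
    "2024-06-02T03:14:07Z CONNECT 10.0.5.12 -> 178.162.227.180:443 bytes=2048",
    "2024-06-02T03:15:11Z CONNECT 10.0.5.12 -> 198.51.100.7:443 bytes=512",
    "2024-06-02T03:16:40Z CONNECT 10.0.7.9 -> 185.162.235.206:8080 bytes=91000",
]


def refang(indicator: str) -> str:
    """Restore a defanged indicator: 178.162.227[.]180 -> 178.162.227.180."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_index(iocs):
    """Lower-cased hash sets keyed by family, plus a set of refanged IPs."""
    hashes = {k: {h.lower() for h in v} for k, v in iocs.items() if k != "ip"}
    ips = {refang(ip) for ip in iocs["ip"]}
    return hashes, ips


def classify_hash(value: str):
    """Return 'md5', 'sha1', 'sha256', or None for a digest of unknown shape."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_TYPE_BY_LEN.get(len(v))


def match_hashes(inventory, hashes):
    """Return (path, hash_type) for each inventory entry whose digest is listed."""
    hits = []
    for path, digest in inventory:
        kind = classify_hash(digest)
        if kind and digest.strip().lower() in hashes.get(kind, set()):
            hits.append((path, kind))
    return hits


def match_ips(log_lines, ips):
    """Return (line_no, ip) for every log line that mentions a listed IP."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, ip))
    return hits


def scan(inventory=SAMPLE_INVENTORY, log_lines=SAMPLE_PROXY_LOG):
    """Run both matchers against the indexed IoCs."""
    hashes, ips = build_index(SUSPECTED_IOCS)
    return {"hash_hits": match_hashes(inventory, hashes),
            "ip_hits": match_ips(log_lines, ips)}


if __name__ == "__main__":
    for kind, hits in scan().items():
        print(kind, hits)
```

Matching is case-insensitive on the hash side and exact on the IP side; the same index can be fed a real EDR hash export and proxy log, with the output treated as a list of hosts to pull for deeper analysis rather than as a verdict.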

[50] CISA. (2023, December 1). AA23-335A: IRGC-affiliated cyber actors exploit PLCs in multiple sectors, including U.S. water and wastewater systems facilities. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

[51] CISA. (2023, December 1). AA23-335A: IRGC-affiliated cyber actors exploit PLCs in multiple sectors, including U.S. water and wastewater systems facilities. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

[52] CISA. (2023, December 1). AA23-335A: IRGC-affiliated cyber actors exploit PLCs in multiple sectors, including U.S. water and wastewater systems facilities. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

[53] CISA. (2023, December 1). AA23-335A: IRGC-affiliated cyber actors exploit PLCs in multiple sectors, including U.S. water and wastewater systems facilities. Cybersecurity and Infrastructure Security Agency. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

BlackCat

In mid-November 2021, a new family of ransomware emerged from Russia that quickly caught the attention of the infosec community. This was the first major ransomware family written in Rust, a programming language that is not commonly used in cybercrime[54].

The choice of language tools helps attackers create malware for both Windows and Linux systems, which can be used in various business settings for activities like spying and stealing data. Among the new wave of malicious groups, BlackCat stands out for using triple extortion to pressure victims into paying ransoms. These attackers threaten to launch distributed denial-of-service (DDoS) attacks and to both expose and encrypt data at the same time. This approach sets BlackCat apart from other Ransomware-as-a-Service (RaaS) providers, giving them a competitive edge.

The BlackCat group is believed to be linked to former RaaS groups such as DarkSide and BlackMatter. This suggests that they may have support from established groups or may previously have been part of existing RaaS networks[55]. BlackCat's operations have evolved over time. Reports indicate the types of tools they use and whether these tools have been enhanced, specifically focusing on data exfiltration and credential theft. BlackCat's strategy includes making stolen data available on their leak site, offering high affiliate payouts of up to 90%, and using private access key tokens on their negotiation site. The group employs various attack methods, such as exploiting vulnerabilities in MS Exchange servers and using the Emotet botnet for initial access and for spreading further within networks[56].

The impact of the BlackCat attacks is significant, affecting victims from various industries, including construction, retail, manufacturing, technology, and energy Notably, this hacker group has executed large-scale attacks, targeting oil companies in Germany and energy agencies in Italy This suggests that they have the capability to jeopardize operations and data by taking control of essential infrastructure

Figure 4

Ransomware Attack Example 2

[54] Trend Micro Research. (2022, October 27). Ransomware Spotlight: BlackCat | Trend Micro (US). https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat

[55] Trend Micro Research. (2022, October 27). Ransomware Spotlight: BlackCat | Trend Micro (US). https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat

[56] Trend Micro Research. (2022, October 27). Ransomware Spotlight: BlackCat | Trend Micro (US). https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat

Figure 5

BlackCat Ransomware Attack Example 1

Conti

Conti ransomware emerged from Russia in 2020 and quickly gained attention because of its frequent updates and destructive impact. It soon became one of the most significant ransomware families [57].

Conti is particularly dangerous because it encrypts files quickly and spreads rapidly across a network. Its ability to self-propagate lets it move swiftly from host to host over the network [58]. The actors behind Conti have released three versions of the ransomware since the first appeared in May 2020, each more effective than the last. A key feature of Conti is its use of double extortion, a technique shared with other families such as NetWalker and Sodinokibi: in addition to demanding a ransom for the decryption key, Conti operators threaten to leak a portion of the stolen data to pressure victims into paying.

[57] Flashpoint Intel Team. (2022, October 4). Conti ransomware: Inside one of the world's most aggressive ransomware groups | Flashpoint. https://flashpoint.io/blog/history-of-conti-ransomware/

[58] Flashpoint Intel Team. (2022, October 4). Conti ransomware: Inside one of the world's most aggressive ransomware groups | Flashpoint. https://flashpoint.io/blog/history-of-conti-ransomware/

Conti does more than encrypt files on the infected machine: it spreads over the SMB protocol, which can compromise an entire network. Its multi-threaded design lets it encrypt and propagate to many hosts quickly, making it difficult to contain [59].

A partnership between the TrickBot gang and the Conti gang has been observed, although the details of their shared tactics have not been fully documented. Conti operates as Ransomware-as-a-Service (RaaS), meaning it is available to any criminal who signs up for the service [60]. The most common initial-access path is a phishing email containing a link to a Google Drive file that hosts the malware. The file is usually disguised as a PDF or another document type, and opening it installs the Bazar backdoor on the victim's device. Once the backdoor is established inside the network, the Conti ransomware is deployed to the target systems to begin encryption and propagation.

The Conti group is reported to have targeted 150 organizations and generated millions of dollars in ransom payments, although these claims are not independently verified. The gang operates a website styled like a news agency, where it publishes stolen data and issues further threats if the ransom is not paid, increasing the pressure on victims.

[59] Flashpoint Intel Team. (2022, October 4). Conti ransomware: Inside one of the world's most aggressive ransomware groups | Flashpoint. https://flashpoint.io/blog/history-of-conti-ransomware/

[60] Flashpoint Intel Team. (2022, October 4). Conti ransomware: Inside one of the world's most aggressive ransomware groups | Flashpoint. https://flashpoint.io/blog/history-of-conti-ransomware/

Figure 6

Conti Ransomware Attack Example

BlackByte

BlackByte is a versatile ransomware that uses strong encryption to make files on a victim's system inaccessible; the files may be restored only after the ransom is paid [61]. The malware originated in Russia and was first reported in July 2021, and it continues to draw the attention of security analysts, largely because it targets important sectors and uses techniques that make it difficult to track.

BlackByte gains access through several methods, including exploiting the ProxyShell vulnerabilities in Microsoft Exchange and phishing. Once inside a network it encrypts files with AES using symmetric keys [62]. The malware has evolved over the years: recent versions use more advanced encryption techniques, making decryption more challenging.

BlackByte is operated as ransomware-as-a-service (RaaS), so other attackers can use it for their own campaigns in return for a share of the ransom paid to the BlackByte operators [63]. This arrangement has limited how widely BlackByte is distributed but has increased the damage caused by each intrusion. Beyond encrypting files, BlackByte affiliates use a variety of tools and techniques for lateral movement, data theft, and detection evasion [64], including WinRAR to compress files before exfiltrating them. The malware also terminates certain security processes to reduce the likelihood of triggering alerts from security applications.

Figure 7

BlackByte Ransomware Attack Example

[61] Trend Micro Research. (2022, July 5). Ransomware Spotlight: BlackByte | Trend Micro (US). https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte

[62] Trend Micro Research. (2022, July 5). Ransomware Spotlight: BlackByte | Trend Micro (US). https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte

[63] Trend Micro Research. (2022, July 5). Ransomware Spotlight: BlackByte | Trend Micro (US). https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte

[64] Trend Micro Research. (2022, July 5). Ransomware Spotlight: BlackByte | Trend Micro (US). https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte

RansomHub

The June 2024 attack on the Florida Department of Health (FDH) illustrates the growing complexity of ransomware attacks and their serious effects on public services and individuals. The group responsible, RansomHub, used double extortion: it encrypted systems and stole confidential information in order to pressure the victim into paying [65]. The attack hit essential systems such as Vital Statistics, disrupting services like the issuing of birth certificates [66]. The ransom demand was not disclosed, but FDH did not pay [67]. RansomHub then escalated by releasing 100 GB of confidential data, including Social Security numbers, medical records, and financial information, as retaliation [68].

RansomHub's encryptor drops a ransom note during encryption. Unlike typical ransom notes, it states no ransom amount and gives no payment instructions; instead it assigns each victim a client ID and directs them to contact the group at a specific .onion URL using the Tor browser [69]. The note typically allows between three and ninety days to pay, depending on the affiliate; if no payment is made within that window, the group threatens to publish the stolen data on the RansomHub Tor leak site [70].

This event is an important reminder of the need for strong cybersecurity practices to protect critical infrastructure and sensitive information. Organizations can defend against these risks by using phishing-resistant multi-factor authentication, keeping offline backups, and deploying real-time endpoint detection tools [71]. Combined with network segmentation and secure logging practices, these controls limit lateral movement and allow compromises to be detected early [72]. The FDH attack is a reminder to stay proactive and alert against ransomware groups and their evolving tactics.

[65] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

[66] Florida Senate. (2022, May). Summary of CS/SB 7072: Cybersecurity | Committee on Veterans and Military Affairs, Space & Domestic Security. https://www.flsenate.gov/Committees/billsummaries/2022/html/2864

[67] Alder, S. (2024, August 30). Florida Department of Health Notifies Individuals Affected by June 2024 Cyberattack | HIPAA Journal. https://www.hipaajournal.com/ransomhub-florida-departmenthealth-cyberattack/

[68] Alder, S. (2024, August 30). Florida Department of Health Notifies Individuals Affected by June 2024 Cyberattack | HIPAA Journal. https://www.hipaajournal.com/ransomhub-florida-departmenthealth-cyberattack/

[69] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

[70] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

[71] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

[72] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

Table 2

RansomHub Ransomware Encryption Techniques

Category: Details

Encryption Algorithm: Elliptic-curve cryptography using Curve25519.

Key Features of Curve25519 Encryption: A unique public/private key pair is generated per victim organization; 58 bytes of metadata, including the public key, block size, and a checksum, are appended to each encrypted file.

Processes Terminated by Ransomware: vmms.exe, msaccess.exe, mspub.exe, svchost.exe, vmcompute.exe, notepad.exe, ocautoupds.exe, ocomm.exe, ocssd.exe, oracle.exe, onenote.exe, outlook.exe, powerpnt.exe, explorer.exe, sql.exe, steam.exe, synctime.exe, vmwp.exe, thebat.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, xfssvccon.exe, TeamViewer.exe, agntsvc.exe, dbsnmp.exe, among others (the list continues in the source advisory).

Intermittent Encryption Details: Encrypts files in 0x100000-byte (1 MiB) chunks and skips 0x200000 bytes (2 MiB) between chunks; files smaller than 0x100000 bytes are encrypted in full. The 58 bytes of metadata are appended at the end of the file.

Ransom Note: A ransom note titled "How To Restore Your Files.txt" is left on compromised systems.

System Recovery Inhibition: Runs vssadmin.exe to delete volume shadow copies, preventing recovery from local snapshots.

Description: This table summarizes RansomHub's encryption techniques as described in the CISA advisory. The encryptor uses Curve25519 elliptic-curve cryptography with a distinct key pair per victim and embeds metadata in each encrypted file [73]. The table lists the processes the ransomware terminates before encrypting (so that open files and database handles do not block it), the intermittent-encryption schedule, which leaves files unusable while keeping encryption fast, and the recovery-inhibition steps, namely shadow-copy deletion and the ransom note dropped on compromised systems [74].
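The chunk/skip schedule above decides which byte ranges of a file are ciphertext. That is what makes intermittent encryption fast, and it is also what makes a partially encrypted file recognizable after the fact: it shows an alternating stripe of high and low entropy at 1 MiB / 2 MiB intervals. The following Python is an added example, not code from the CISA advisory or from the ransomware itself; it models the schedule and runs an entropy check over a constructed sample file. The handling of a trailing partial chunk, the entropy thresholds, and the sample contents are assumptions made for the example.

```python
"""Model of the intermittent (striped) encryption schedule in Table 2 and an
entropy check that flags files showing that stripe. Chunk, skip and footer
sizes are from the table; tail handling, thresholds and the sample file are
assumptions for this example."""
import math
import os
from collections import Counter

CHUNK = 0x100000   # 1 MiB is encrypted ...
SKIP = 0x200000    # ... then 2 MiB is left as-is, and the cycle repeats
FOOTER = 58        # metadata bytes appended to every encrypted file


def encrypted_ranges(size, chunk=CHUNK, skip=SKIP):
    """[start, end) byte ranges the schedule encrypts in a file of `size` bytes.
    Files smaller than one chunk are encrypted in full. A trailing partial
    chunk is assumed to be encrypted up to end-of-file (assumption)."""
    if size <= 0:
        return []
    if size < chunk:
        return [(0, size)]
    ranges, pos = [], 0
    while pos < size:
        ranges.append((pos, min(pos + chunk, size)))
        pos += chunk + skip
    return ranges


def shannon_entropy(data):
    """Bits per byte: 8.0 for uniformly random bytes, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def stripe_profile(data, window=CHUNK):
    """Entropy of each successive `window`-byte slice of `data`."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def matches_intermittent_pattern(data, chunk=CHUNK, skip=SKIP, high=7.0, low=6.0):
    """True when per-window entropy alternates exactly as the chunk/skip
    schedule predicts: encrypted windows above `high`, skipped windows below
    `low`. Thresholds are assumptions; already-compressed plaintext (zip, jpeg)
    is high-entropy everywhere and needs a different check."""
    body = data[:-FOOTER] if len(data) > FOOTER else data   # drop the metadata footer
    predicted = set()
    for start, end in encrypted_ranges(len(body), chunk, skip):
        predicted.update(range(start // chunk, (end - 1) // chunk + 1))
    profile = stripe_profile(body, chunk)
    if len(profile) < 2:          # one window cannot show a stripe
        return False
    for idx, ent in enumerate(profile):
        if idx in predicted and ent < high:
            return False
        if idx not in predicted and ent > low:
            return False
    return True


def build_sample(size, chunk=CHUNK, skip=SKIP):
    """Constructed test file: random bytes where the schedule encrypts,
    repetitive text elsewhere, plus a zeroed 58-byte footer. Not a real
    encrypted file and not real FDH data."""
    text = b"Florida Department of Health vital statistics record\n" * 1024
    buf = bytearray((text * (size // len(text) + 1))[:size])
    for start, end in encrypted_ranges(size, chunk, skip):
        buf[start:end] = os.urandom(end - start)
    return bytes(buf) + b"\x00" * FOOTER


if __name__ == "__main__":
    sample = build_sample(0x700000)          # 7 MiB: windows 0, 3 and 6 encrypted
    for off, ent in enumerate(stripe_profile(sample[:-FOOTER])):
        print(f"window {off} @ {off * CHUNK:#09x}: entropy {ent:.2f}")
    print("stripe pattern:", matches_intermittent_pattern(sample))
```

The check is deliberately strict (every window must agree with the schedule), which keeps false positives low on ordinary files; a looser variant that tolerates a few disagreeing windows is more useful during triage of a large file share, where some files will have been open or locked when the encryptor ran.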

Table 3

RansomHub Ransomware Tools

Tool Name: Description

BITSAdmin: A command-line utility that manages downloads and uploads between a client and a server using the Background Intelligent Transfer Service (BITS) for asynchronous file transfers.

Cobalt Strike [S0154]: A penetration-testing tool used by security professionals to test network security; RansomHub affiliates used it for lateral movement and file execution.

Mimikatz [S0002]: A tool that extracts and saves authentication credentials such as Kerberos tickets, aiding privilege escalation.

PsExec [S0029]: A tool designed to run programs and execute commands on remote systems.

PowerShell: A cross-platform task-automation solution with a command-line shell, scripting language, and configuration-management framework for Windows, Linux, and macOS.

Rclone: A command-line program used to sync files with cloud storage services.

Sliver: A penetration-testing toolset allowing remote command and control of systems.

SMBExec: A tool that abuses SMB services for remote code execution.

WinSCP: A free, open-source SFTP, WebDAV, Amazon S3, and SCP client used to transfer data to actor-controlled accounts.

CrackMapExec: A penetration-testing toolset for Windows and Active Directory environments.

Kerbrute: A Kerberos brute-force and exploitation tool.

Angry IP Scanner: A network scanner.

Description: This table lists the tools RansomHub affiliates used across the attack lifecycle, as reported in the CISA advisory. It covers penetration-testing frameworks such as Cobalt Strike and Sliver, credential-extraction utilities such as Mimikatz, and command-line tools such as Rclone for data exfiltration [75]. Additional entries include network scanners (Angry IP Scanner) and remote-execution utilities (PsExec, SMBExec). Each tool's function is given to show its contribution to RansomHub's operations [76].

Table 4

RansomHub Ransomware Indicators of Compromise

Category: Details

Directory Structure TTPs:
Filename: CrackMapExec.exe - Location: C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\
Filename: kerbrute.exe - Location: C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\
Filename: Anydesk.exe - Location: C:\Users\%USERNAME%\Downloads\
Filename: IamBatMan.exe - Location: C:\Users\%USERNAME%\Desktop\
Filename: stealer cli v2.exe - Location: C:\Users\backupexec\Desktop\
Filename: nmap.exe - Location: C:\Program Files (x86)\Nmap\
Filename: mimikatz.exe - Locations: C:\Users\%USERNAME%\Downloads\mimikatz trunk\x64\ and C:\Users\backupexec\Downloads\x64\

Known Malicious IPs (2023-2024): 8.211.2[.]97; 23.96[.]203; 34.188[.]7; 106.175[.]107; 124.125[.]78; 233.254[.]21 (the leading octets of several addresses are missing in the source; the URLs below give 89.23.96[.]203 and 188.34.188[.]7 in full).

Known Malicious URLs (2023-2024):
http[:]//188.34.188[.]7/555
http[:]//188.34.188[.]7/555/bcrypt.dll
http[:]//89.23.96[.]203/333/1.exe
http[:]//89.23.96[.]203/333/AmbaPDF.ico
http[:]//89.23.96[.]203/333/Cabinet.dll
http[:]//samuelelena[.]co/npm/module tripadvisor/module tripadvisor.js

Emails Related to RansomHub: brahma2023[@]onionmail.org; <victim organization name>[@]protonmail.com

Description: This table lists the principal indicators of compromise (IOCs) linked to RansomHub operations, taken from the CISA advisory. It covers the directory locations of tools such as CrackMapExec and Kerbrute, known malicious IP addresses (e.g., 8.211.2[.]97, 89.23.96[.]203), and URLs associated with the group's activity. It also lists email addresses associated with RansomHub, which appear in the group's phishing and victim correspondence [77]. Indicators are shown defanged ([.], [:], [@]) as in the advisory and must be refanged before use in detection tooling.

[73] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

[74] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

[75] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

[76] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf
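As an added example (not code from the CISA advisory or from any vendor tool), the following Python refangs the file paths, IP addresses and URLs from Table 4, expands %USERNAME% into a single-path-component wildcard so the paths match any user profile, and runs them, together with a behavioural rule for the vssadmin shadow-copy deletion from Table 2, over a few constructed Sysmon-style event lines. The key=value event format and the log lines are assumptions made for this example; the indicator values are the ones given in full on this page.

```python
"""Match endpoint telemetry against the Table 4 indicators and the vssadmin
shadow-copy deletion from Table 2. Indicator values are transcribed from the
page (refanged below); the event format and sample log are constructed."""
import re

# Defanged indicators from Table 4 (only entries the table gives in full).
IOC_FILES = [
    r"C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\CrackMapExec.exe",
    r"C:\Users\%USERNAME%\AppData\Local\Programs\Python\Python311\Scripts\kerbrute.exe",
    r"C:\Users\%USERNAME%\Downloads\Anydesk.exe",
    r"C:\Users\%USERNAME%\Desktop\IamBatMan.exe",
    r"C:\Program Files (x86)\Nmap\nmap.exe",
    r"C:\Users\backupexec\Downloads\x64\mimikatz.exe",
]
IOC_IPS = ["8.211.2[.]97", "89.23.96[.]203", "188.34.188[.]7"]
IOC_URLS = [
    "http[:]//188.34.188[.]7/555/bcrypt.dll",
    "http[:]//89.23.96[.]203/333/1.exe",
    "http[:]//89.23.96[.]203/333/AmbaPDF.ico",
    "http[:]//89.23.96[.]203/333/Cabinet.dll",
]
# Behavioural rule for the recovery inhibition in Table 2 (ATT&CK T1490).
VSSADMIN_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


def refang(ioc):
    """Turn the defanged form used in advisories back into a matchable string."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("[@]", "@")


def path_pattern(template):
    """Compile a Table 4 path template; %USERNAME% matches one path component."""
    parts = [re.escape(p) for p in template.split("%USERNAME%")]
    return re.compile("^" + r"[^\\]+".join(parts) + "$", re.IGNORECASE)


FILE_PATTERNS = [path_pattern(p) for p in IOC_FILES]
IP_SET = {refang(i) for i in IOC_IPS}
URL_SET = {refang(u).lower() for u in IOC_URLS}


def parse_event(line):
    """Constructed 'key=value|key=value' event format, one event per line."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)


def scan_event(event):
    """Return (rule, value) hits for one parsed event."""
    hits = []
    image = event.get("Image", "")
    if any(p.match(image) for p in FILE_PATTERNS):
        hits.append(("ioc_file", image))
    ip = event.get("DestinationIp")
    if ip in IP_SET:
        hits.append(("ioc_ip", ip))
    url = event.get("Url", "").lower()
    if url in URL_SET:
        hits.append(("ioc_url", url))
    cmd = event.get("CommandLine", "")
    if VSSADMIN_DELETE.search(cmd):
        hits.append(("t1490_shadow_delete", cmd))
    return hits


def scan_log(text):
    """Scan every line of a log; returns [(line_no, rule, value), ...]."""
    return [(n, rule, val)
            for n, line in enumerate(text.splitlines(), 1)
            for rule, val in scan_event(parse_event(line))]


# Constructed sample telemetry (Sysmon-like fields; not real FDH data).
SAMPLE_LOG = r"""EventID=1|Image=C:\Users\jdoe\AppData\Local\Programs\Python\Python311\Scripts\kerbrute.exe|User=CORP\jdoe
EventID=1|Image=C:\Windows\System32\svchost.exe|User=NT AUTHORITY\SYSTEM
EventID=3|Image=C:\Users\jdoe\Downloads\Anydesk.exe|DestinationIp=89.23.96.203|DestinationPort=80
Source=proxy|ClientIp=10.0.0.5|Url=http://188.34.188.7/555/bcrypt.dll
EventID=1|Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe delete shadows /all /quiet|User=CORP\backupexec
EventID=1|Image=C:\Users\backupexec\Downloads\x64\mimikatz.exe|User=CORP\backupexec
"""

if __name__ == "__main__":
    for line_no, rule, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule}: {value}")
```

The file-path rules are the weakest of the four: an affiliate only has to rename kerbrute.exe to miss them, which is why the vssadmin rule keys on behaviour rather than on a name, and why the IP and URL matches should be treated as dated (the advisory scopes them to 2023-2024) rather than permanent.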

Table 5

RansomHub Ransomware Tactics and Techniques

Category: Technique (ATT&CK ID). Use

Resource Development: Obtain Capabilities: Exploits (T1588.005). Use: Affiliates may buy, steal, or download exploits for targeting.

Initial Access: Phishing (T1566); Exploit Public-Facing Application (T1190). Use: Mass phishing and spear-phishing emails; exploiting known vulnerabilities for access.

Execution: Command and Scripting Interpreter: PowerShell (T1059.001); Windows Management Instrumentation (T1047). Use: Using PowerShell and scripts for automation; abusing WMI to run commands and payloads.

Persistence: Command and Scripting Interpreter: PowerShell (T1059.001); Create Account (T1136). Use: Creating accounts to maintain access.

Privilege Escalation: Account Manipulation (T1098); Remote Services: Remote Desktop Protocol (T1021.001). Use: Manipulating accounts; logging into systems over RDP to act as a logged-on user.

Defense Evasion: Masquerading (T1036); Indicator Removal on Host (T1070); Impair Defenses: Disable or Modify Tools (T1562.001). Use: Hiding binaries; removing logs; disabling endpoint detection tools.

Credential Access: OS Credential Dumping (T1003); Brute Force: Password Spraying (T1110.003). Use: Using Mimikatz to obtain credentials; password spraying to gain access.

Discovery: Remote System Discovery (T1018); Network Service Discovery (T1046). Use: Enumerating other systems and network services for lateral movement.

Lateral Movement: Exploitation of Remote Services (T1210). Use: Exploiting remote services for unauthorized access.

Command and Control: Remote Access Software (T1219). Use: Using AnyDesk for interactive command and control.

Exfiltration: Exfiltration Over Alternative Protocol (T1048.002, T1048.003); Transfer Data to Cloud Account (T1537). Use: Stealing data over encrypted or unencrypted non-C2 protocols; transferring it to cloud accounts.

Impact: Data Encrypted for Impact (T1486); Inhibit System Recovery (T1490). Use: Encrypting data for ransom; deleting shadow copies and backups.

Description: This table maps RansomHub's activity to the MITRE ATT&CK framework, listing the tactics and techniques reported in the CISA advisory. The categories cover initial-access methods (phishing and exploitation of public-facing applications), privilege-escalation tactics (account manipulation), and data-exfiltration methods [78]. It also shows the tools used for lateral movement, credential access, and persistence, illustrating a multi-stage attack methodology [79].

[77] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

Table 6

RansomHub Ransomware Mitigations

Category: Mitigation Strategies

Network Defenders: Implement a recovery plan and maintain multiple copies of sensitive data in secure, segmented locations.

Password Management: Require passwords that follow NIST standards: 8 to 64 characters, stored in hashed form with salts, and no forced periodic password changes.

System Updates and Patching: Keep operating systems, software, and firmware up to date; prioritize patching known exploited vulnerabilities.

Authentication Measures: Require phishing-resistant MFA for administrator accounts and standard MFA for all services; disable macros and command-line scripting.

Network Segmentation: Segment networks to limit ransomware spread and lateral movement.

Monitoring and Detection: Use tools such as EDR to detect abnormal activity and lateral movement; install antivirus software.

Logging Practices: Implement secure log collection and storage.

User and Access Controls: Review domain controllers for unrecognized accounts, audit administrative privileges, and enforce the principle of least privilege.

Backup Strategies: Maintain offline backups; ensure backups are encrypted, immutable, and cover the entire infrastructure.

Email Security Policies: Add banners to email from external senders, disable hyperlinks in email, and enforce policies against external threats.

Software Manufacturers: Build security into product architecture throughout the SDLC; mandate phishing-resistant MFA for privileged users.

Security Control Validation: Test security controls against the MITRE ATT&CK techniques in this advisory; analyze performance and improve detection.

Description: This table lists the RansomHub mitigations from the CISA advisory. For network defenders it emphasizes network segmentation, endpoint monitoring, secure logging, NIST-aligned password management, offline backups, and strict email security [80]. Security-control validation should be continuous so that defenses keep improving, and software manufacturers should build security into the product lifecycle and require phishing-resistant multi-factor authentication for privileged users [81].

[78] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

[79] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

[80] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

[81] CISA. (2024, August 29). AA24-242A: #StopRansomware: RansomHub Ransomware | Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, Department of Health and Human Services. https://www.cisa.gov/sites/default/files/2024-09/aa24-242a-stopransomware-ransomhub-ransomware_1.pdf

Recent and Future Attacks

Since the ransomware attack on Tampa General Hospital on July 27, 2023, there has been a marked increase in cybersecurity incidents affecting organizations in Florida and nationwide. Incidents such as the data breach at Slim CD in Florida on September 9, 2024 [82], and the compromise of the YMCA of Central Florida's systems on November 14, 2024 [83], illustrate the growing threat landscape. These events are only a sample of the challenges organizations have faced this year and underscore the urgent need for better cybersecurity measures. Major companies outside Florida, such as Fortinet and AT&T [84], have also suffered cyberattacks; although these firms are not based in Florida, their breaches affect the state by exposing the data of Florida residents and eroding public trust in cybersecurity. Together these incidents show how widespread ransomware and data breaches have become and the need for strong cybersecurity strategies in every sector and industry.

In response to rising cyber threats, organizations are increasingly investing in cybersecurity solutions and training programs. Key measures such as multi-factor authentication, regular security assessments, and employee awareness initiatives are vital for protecting sensitive information from cybercriminals. Governments are also acting by enforcing stricter regulations and encouraging collaboration between the public and private sectors to share intelligence and best practices efficiently.

Building a strong cybersecurity culture within organizations is crucial. By empowering employees to stay alert and report suspicious activity, businesses can significantly improve their ability to detect and respond to threats early. As cybercriminals continuously adapt their tactics, organizations must keep pace with new threats and technological advances to strengthen their defenses.

Global cooperation is becoming increasingly important in addressing cyber threats. Many cyberattacks originate from actors outside national borders, so countries must work together to track, apprehend, and neutralize them. Initiatives focused on sharing global threat intelligence, coordinating law-enforcement efforts, and establishing international cybersecurity standards can greatly strengthen collective defenses against ransomware.

The rise of artificial intelligence (AI) and machine learning is transforming the cybersecurity landscape. These technologies are used to identify patterns, detect anomalies, and predict potential threats in real time. While AI offers great potential for improving cybersecurity, it also presents risks, since cybercriminals can use the same tools for harmful purposes. This underscores the importance of applying AI responsibly and ethically in security measures.

As we navigate these challenges, the cybersecurity community is coming together to innovate and adapt, aiming to stay ahead of increasingly sophisticated threats. By taking a proactive and resilient approach, businesses, governments, and individuals can better protect their digital assets in an interconnected world. Prioritizing education, collaboration, and technological advancement is key to reducing the ongoing threat of ransomware and preserving the integrity of our digital infrastructure.

Ransomware attacks are growing at an alarming rate, affecting not just individual states or regions but spreading nationally and internationally. This global threat landscape makes clear that no organization, industry, or region is safe from cyberattacks. Moving forward, we must emphasize collective efforts to prevent these attacks: fostering collaboration across sectors, implementing stronger cybersecurity measures, and educating individuals and organizations on best practices. We should also develop effective incident response strategies that set out the actions to take during an attack, ways to lessen its impact, and steps for quick and secure recovery. By working together and maintaining vigilance, we can build a more resilient defense against the growing ransomware threat.

Finally, as we look to the future of cybersecurity, we must acknowledge the importance of regulatory frameworks and legislation. Governments need to continuously assess and update policies to address new threats, ensuring organizations have the guidance and resources necessary for effective protection. By promoting a culture of accountability and transparency, we can create an environment in which cybersecurity is a priority at every level, leading to a safer digital ecosystem for everyone.

[82] Uberoi, A. (2024, October 1). September 2024: Major Cyber Attacks, Data Breaches, Ransomware Attacks | Cyber Management Alliance. https://www.cmalliance.com/cybersecurity-blog/september-2024-major-cyber-attacks-data-breaches-ransomware-attacks

[83] Uberoi, A. (2024, October 1). September 2024: Major Cyber Attacks, Data Breaches, Ransomware Attacks | Cyber Management Alliance. https://www.cmalliance.com/cybersecurity-blog/september-2024-major-cyber-attacks-data-breaches-ransomware-attacks

[84] Uberoi, A. (2024, October 1). September 2024: Major Cyber Attacks, Data Breaches, Ransomware Attacks | Cyber Management Alliance. https://www.cmalliance.com/cybersecurity-blog/september-2024-major-cyber-attacks-data-breaches-ransomware-attacks

Recommendations/Preventatives/Mitigations

To reduce the serious effects of ransomware attacks on healthcare, organizations need clear actions focused on both prevention and response. Here are five key steps organizations can take to lessen the impact of these attacks:

1. Establish strong backup and recovery procedures: A reliable backup and recovery process limits the damage a ransomware attack can do. Organizations should back up important data regularly and keep those backups secure, both online and offline, so that ransomware cannot reach, encrypt, or delete them [85]. Organizations should also test their recovery procedures frequently by simulating data loss, so that they can restore data quickly and confidently after an attack.

2. Train employees on cybersecurity: As the number of attackers grows, human error remains a leading cause of ransomware infections. It is therefore essential to train all employees to work safely in a digital environment [86]. Employees should learn to recognize fraudulent emails, treat suspicious links and attachments with caution, and report unusual activity immediately. Seminars and phishing simulations reinforce these principles and raise awareness.

3. Implement strong access controls and the principle of least privilege: Preventing unauthorized access to confidential data and essential systems is a key step in reducing the impact of ransomware. Organizations should adopt controls such as multi-factor authentication (MFA) and the principle of least privilege so that an attacker who compromises one account does not gain easy access to critical systems and information [87]. In practice this means restricting administrative rights to the users who need them; regularly reviewing access logs and auditing email also helps limit how far ransomware can spread across the network [88].

4. Keep security software updated: Regularly updating antivirus and antimalware software reduces the impact of ransomware attacks, because this software helps stop malware that encrypts data or spreads quickly through a network [89]. Organizations should also establish a routine for patching and updating operating systems and applications, which closes the vulnerabilities ransomware exploits and avoids the costly, time-consuming consequences of a successful attack [90].

5. Create and test an incident response plan: Organizations need a clear incident response plan so that they can handle a ransomware attack as quickly as possible. The plan sets out the steps to take during an attack, including isolating infected systems, assessing the scope of the compromise, and restoring data from backups [91]. Organizations should test the plan regularly through tabletop exercises or simulated attacks to ensure it remains effective and up to date.

Countering ransomware attacks on healthcare organizations effectively requires a combination of tooling, staff training, and emergency planning. By implementing these five measures, organizations can reduce the chance of a successful infection and lessen the impact if one does occur.

[85] Alshaikh, H., Ramadan, N., & Ahmed, H. (2020). Ransomware prevention and mitigation techniques. International Journal of Computer Applications, 177(40). doi:10.5120/ijca2020919899

[86] Tiu, Y. L., & Zolkipli, M. F. (2021). Study on prevention and solution of ransomware attack. Journal of IT in Asia, 9(1). doi:10.33736/jita.3402.2021

[87] Alshaikh, H., Ramadan, N., & Ahmed, H. (2020). Ransomware prevention and mitigation techniques. International Journal of Computer Applications, 177(40). doi:10.5120/ijca2020919899

[88] Alshaikh, H., Ramadan, N., & Ahmed, H. (2020). Ransomware prevention and mitigation techniques. International Journal of Computer Applications, 177(40). doi:10.5120/ijca2020919899

[89] Tiu, Y. L., & Zolkipli, M. F. (2021). Study on prevention and solution of ransomware attack. Journal of IT in Asia, 9(1). doi:10.33736/jita.3402.2021

[90] Tiu, Y. L., & Zolkipli, M. F. (2021). Study on prevention and solution of ransomware attack. Journal of IT in Asia, 9(1). doi:10.33736/jita.3402.2021

[91] Tiu, Y. L., & Zolkipli, M. F. (2021). Study on prevention and solution of ransomware attack. Journal of IT in Asia, 9(1). doi:10.33736/jita.3402.2021

Assessment

Ransomware is becoming a major problem in Florida because it is profitable, targets weak spots, and is hard to prosecute. Cybercriminals often focus on state public institutions first, since these organizations usually have weaker cybersecurity and are more likely to pay ransom fees. Repeated attacks on the same targets are also possible because criminals see them as lucrative. However, Florida has not yet experienced ransomware that can install backdoors for future attacks.

Ransomware offers cybercriminals a convenient and cost-effective method for launching their attacks. For years, phishing has been used to create conditions that support the growth of botnets at a low cost. A single point of entry can lead to widespread infections throughout a healthcare facility, increasing the likelihood of attacks and creating a larger outbreak. Although the media has not thoroughly examined ransomware cases in Florida, the lack of lawsuits, few consequences for attackers, and the presence of Russia-based cybercriminals suggest that there are minimal punishments for these harmful activities.

The trend of ransomware attacks is expected to continue, with both the frequency and the amount of ransom likely to rise. With the recent surge in AI, especially generative AI (GenAI), it is likely that AI will play a major role in ransomware soon, whether used to develop ransomware, propagate ransomware, request and receive ransoms, or assist with Ransomware as a Service (RaaS). To protect against ransomware, it is important to use the information provided here to strengthen network security.

Alder, S. "Florida Department of Health Notifies Individuals Affected by June 2024 Cyberattack." HIPAA Journal, August 30, 2024. https://www.hipaajournal.com/ransomhub-floridadepartment-health-cyberattack/

Alshaikh, Hesham, Nagy Ramadan, and Hesham Ahmed. "Ransomware Prevention and Mitigation Techniques." International Journal of Computer Applications 177, no. 40 (2020): 31-39. doi:10.5120/ijca2020919899

Ballejos, L. "What Is REvil Ransomware?" NinjaOne, February 2, 2024. https://www.ninjaone.com/it-hub/endpoint-security/what-is-revil-ransomware/

Bischoff, P. "Ransomware attacks on US government organizations cost over $70bn from 2018 to October 2022." Comparitech, March 17, 2021. https://www.comparitech.com/blog/information-security/government-ransomware-attacks/

Bohman, D. "Ransomware attack responsible for shuttering St. Lucie County tax collector's computer system." WPTV News Channel 5 West Palm, November 14, 2023. https://www.wptv.com/news/treasure-coast/region-st-lucie-county/ransomware-attack-responsible-for-shuttering-st-lucie-county-tax-collectors-computer-system

Cybersecurity and Infrastructure Security Agency (CISA). "AA23-335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities." CISA, December 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

Cybersecurity and Infrastructure Security Agency (CISA). "AA24-242A: Stop Ransomware: RansomHub Ransomware." CISA, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, and Department of Health and Human Services, August 29, 2024. https://www.cisa.gov/sites/default/files/2024-09/aa24242a-stopransomware-ransomhub-ransomware_1.pdf

eSentire. "Cybersecurity Ventures Report on Cybercrime." eSentire, October 26, 2023. https://esentire.com/cybersecurity-fundamentals-defined/glossary/cybersecurity-venturesreport-on-cybercrime

Flashpoint Intel Team. "Conti Ransomware: Inside One of the World's Most Aggressive Ransomware Groups." Flashpoint, June 8, 2023. https://flashpoint.io/blog/history-of-contiransomware/

Florida Senate. "Summary of CS/SB 7072: Cybersecurity." Committee on Veterans and Military Affairs, Space & Domestic Security, May 2022. https://www.flsenate.gov/Committees/billsummaries/2022/html/2864

Hait, A., and S. King. "Martin County officials 'in the dark' as to ransomware network issues at tax collector's office." WPBF, November 1, 2021. https://www.wpbf.com/article/martincounty-officials-in-the-dark-as-to-computer-issues-at-tax-collectors-office/38098275

Logue, Kyle D., and Adam B. Shniderman. "The Case for Banning (and Mandating) Ransomware Insurance." SSRN Electronic Journal, 2021. doi:10.2139/ssrn.3907373

Pearson, J., and R. Satter. "Reuters.com." Reuters, February 8, 2023. https://www.reuters.com/world/us/ransomware-outbreak-hits-florida-supreme-court-us-europeanuniversities-2023-02-07/

Pedersen, J. M. "Ransomware Attack Shuts Down Central Florida Radiology Imager Sites." Central Florida Public Media, October 27, 2023. https://www.cfpublic.org/health/2023-1027/ransomware-attack-shuts-down-central-florida-radiology-imager-sites

Reuters. "Universities, Florida court system hit in ransomware outbreak." Business Insurance, February 8, 2023. https://www.businessinsurance.com/article/20230208/NEWS06/912355435/Universities,-Florida-court-system-hit-in-ransomware-outbreak

SC Magazine. "Florida water agency impacted by cyberattack." SC Media, December 6, 2023. https://www.scmagazine.com/brief/florida-water-agency-impacted-by-cyberattack

SC Magazine. "Conti Ransomware Gang Hits Broward County Schools with $40M Demand." SC Media, June 23, 2022. https://www.scmagazine.com/news/conti-ransomware-gang-hitsbroward-county-schools-with-40m-demand

Tiu, Yan L., and Mohamad F. Zolkipli. "Study on Prevention and Solution of Ransomware Attack." Journal of IT in Asia 9, no. 1 (2021): 133-139. doi:10.33736/jita.3402.2021

Trend Micro Research. "Ransomware Spotlight: BlackCat." Trend Micro, October 27, 2022. https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackcat

Trend Micro Research. "RYUK Ransomware." Trend Micro (US), April 2024. https://www.trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html

Trend Micro Research. "Ransomware Spotlight: BlackByte." Trend Micro (US), July 5, 2022. https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte

Uberoi, Aditi. "September 2024: Major Cyber Attacks, Data Breaches, Ransomware Attacks." Cyber Management Alliance, October 1, 2024. https://www.cm-alliance.com/cybersecurity-blog/september-2024-major-cyber-attacks-data-breaches-ransomware-attacks

Nov 2020 | DoppelPaymer Ransomware | Delaware, PA | DoppelPaymer | $500,000.00 | County paid ransom after attack
Nov 2020 | TABCO | Towson, MD
Nov 2020 | Canon | Melville, NY
Nov 2020 | Top 5 Business Sectors Targeted by Ransomware | Yazoo City, MS
Nov 2020 | Cyber-attacks on Healthcare Providers | Katonah, NY
Nov 2020 | Blackbaud Lawsuit | Arcadia, CA
Nov 2020 | Archdiocese of St. Louis | Shrewsbury, MO
Nov 2020 | Arizona Court System | Phoenix, AZ | Unknown
Nov 2020 | Week in Ransomware | Atlanta, GA
Nov 2020 | Hamburg Township Cybersecurity | Whitmore Lake, MI
Nov 2020 | College Station Utility Payments | College Station, TX
Nov 2020 | 2M Patients Affected | Rochester, MN
Ransomware attack disrupted operations
Website affected by ransomware attack
Stopped payments due to data breach investigation
Over 2 million patients affected by data breaches

Dec 2020 | GenRx Pharmacy | Scottsdale, AZ
Dec 2020 | Whirlpool | Benton Harbor, MI
Dec 2020 | NAACP | Baltimore, MD
Dec 2020 | Roanoke College | Roanoke, VA
Dec 2020 | Connecticut Hospital | Derby, CT
Dec | Waco, TX
Dec 2020 | State-Backed Hacks | Austin, TX
Dec 2020 | Texarkana Water Utility | Texarkana, TX
Dec 2020 | Baltimore Medical Center | Baltimore, MD
Dec 2020 | Egregor Ransomware | Atlanta, GA | Egregor
Dec 2020 | K-12 Schools Advisory | Herndon, VA
Dec 2020 | Jersey City Utilities Agency | Jersey City, NJ
Dec 2020 | Largest Data Breaches in November | Colorado Springs, CO
Dec 2020 | Texas Tech HSC | Lubbock, TX
Dec 2020 | Pfizer COVID-19 Vaccine Targeted | New York, NY
Dec 2020 | Texarkana Water Utility | Texarkana, TX
Dec 2020 | Snyder City Hall | Snyder, TX
Dec 2020 | Milton Security | Brea, CA
Supported response to ransomware attack
Data stolen from recruiter Randstad
Highlighted dominance of hacking incidents
Informed patients of potential data breach
Affected Allegheny Health Network, UPMC, and others

Jan 2021 | DDoS Attacks
Jan 2021 | WestRock Ransomware Incident
Jan 2021 | Corporations Expecting Attacks
Jan 2021 | Children's Hospital Blackbaud Lawsuit
Jan 2021 | SonicWall Hacked
Jan 2021 | Delphix Data Gap Closure
Jan 2021 | Jersey City MUA Systems Not Restored
Jan 2021 | Maryland Health System Restores EHR
Jan 2021 | CA
MD
Ransomware Attack
Jan 2021 | Ryuk Gang Earnings
Jan 2021 | Biggest Patient Data Breaches of 2020
Reported ransomware attack.
Corporations anticipating security attacks in 2021
Hacked using zero-days in its own products
Critical data gap in ransomware protection
3 months post-cyberattack, systems still not restored
EHR restored one month post ransomware attack
The largest breaches of 2020


Appendix B: International Ransomware Incidents 2020-2024 [93]

