Newsletter Archive - "eCrime.ch Ransomware Highlights"
For 2025-03-14
Article language: in English - Industry: Government Administration - Organisation/company: Town of Orangeville

No new information available on cyber-attack impacting Town of Orangeville | Orangeville Citizen
2025-03-14
The Town of Orangeville has no new information to share regarding an ongoing cyber-attack that began on Feb. 27.
At that time, the Town was unable to share very much information about the incident because it was under investigation. The extent of the cyber-attack, the nature of its impact, which systems were affected, and whether personal information has been compromised are still not known. The Town of Orangeville told the Citizen on March 11 that it is continuing to work with cyber security experts and local authorities as their investigations continue. In the meantime, the Town is focused on recovery efforts and the continued delivery of public services. https://www.orangeville.ca/en/news/town-of-orangeville-responding-to-a-cybersecurity-incident.aspx

Actor/variant: RansomHub - Article language: in English

SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware | Trend Micro (US)
2025-03-14
Trend Research analyzed SocGholish's MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.
This blog entry focuses on a cluster that deploys backdoor components to enable initial access for RansomHub ransomware-as-a-service (RaaS) affiliates. RansomHub is a top ransomware player in terms of the number of organisations impacted by data breaches, ranking third behind Akira in second place and CL0P in first, and SocGholish is a key enabler of these attacks.

Article language: in English - Industry: Government Administration - Organisation/company: Department of Health Services, Yap State

Ransomware attack takes down health system network in Micronesia | The Record from Recorded Future News
2025-03-14
One of the four states that make up the Pacific nation of Micronesia is battling ransomware hackers who have forced all of the computers used by its government health agency offline.
On Wednesday, the Department of Health Services for the state of Yap warned the island's 12,000 residents that a ransomware attack hit its systems on March 11. "In response, the whole network was taken offline. As a result, the Department now doesn't have internet connectivity, and all computers are turned off to prevent further damage," officials said in a message on social media.

Article language: in English - Industry: Legal Services - Organisation/company: Brydens Lawyers Pty. Ltd.

Brydens Lawyers: Prominent Sydney law firm hit with cyberattack, massive data breach
2025-03-13
A prominent Sydney law firm with close links to the NRL and A-League has been targeted by foreign cyber-attackers who are now extorting the business over hundreds of gigabytes of confidential documents.
Brydens Lawyers, whose name sat on the front of the Wests Tigers jersey for a decade, was hit by a cyberattack around February 20. The hackers stole more than 600 gigabytes of data related to the firm, its clients and cases, and even staff.

Article language: in English

222 Ransomware Attacks Reported in Japan in 2024: NPA | Nippon.com
2025-03-13
Tokyo, March 13 (Jiji Press)--Japanese police received 222 reports of damage from ransomware attacks in 2024, up 25 from the previous year, National Police Agency data showed Thursday.
Ransomware attacks, in which attackers use malware to encrypt data and demand payment to restore access, hit their second-highest annual total since police began gathering the statistics in 2020. According to the results of a survey of companies that fell victim to such attacks, in 49.2 pct of cases it took at least a month until data access was restored, and over half of respondents said it cost 10 million yen or more to investigate the attacks. Cases that took longer to resolve tended to cost victims more.

Actor/variant: Medusa - Article language: in English

#StopRansomware: Medusa Ransomware | CISA
2025-03-12
Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors, with affected industries including medical, education, legal, insurance, technology, and manufacturing. Per the FBI's investigation, the Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant.

Article language: in English

Dutch police disrupt half of ransomware operations, finds embedded PhD student | Computer Weekly
2025-03-12
Dutch police interventions successfully disrupt approximately half of the ransomware groups they target, according to PhD research at the University of Twente.
Conducted by Tom Meurs, who spent four years embedded with Dutch police cyber teams, the study revealed that even when criminals persist after intervention, they typically do so on a smaller scale, targeting fewer and less prominent victims. The research offers rare insight into law enforcement effectiveness against ransomware. While public perception suggests that police have a limited impact on cyber crime, the findings demonstrate that targeted interventions yield measurable results when backed by systematic data collection.

Australian Apartment Hotels | TFE Hotels - Media Lounge | European Hotels
2025-03-11
We are currently investigating a cyber incident affecting our networks. As soon as we became aware of this incident, our IT security team took precautionary measures. We then partnered with cyber experts to investigate what has occurred, and to work towards safely restoring operations.
Our hotel teams are still able to serve guests, and we have restored systems in many of our hotels. As an interim measure, some hotel teams are manually assisting guests, and our phone lines have been diverted to a central customer service team. We are working to restore access to all our back-end systems. As a result, some of our systems and interactions may be slower as we restore operations. We thank our valued guests, clients, partners, suppliers, and our team for their patience.

Article language: in English - Industry: Government Administration - Organisation/company: City of Mission, TX

Texas border city declares state of emergency after cyberattack on government systems | The Record from Recorded Future News
2025-03-08
The government of Mission, Texas, filed a state of emergency declaration this week after a cyberattack exposed all of the data held on city systems.
The city government notified residents of the incident on Wednesday, telling them cybercriminals targeted portions of its network. The attack required the city to take systems offline, but officials said emergency services were still operational. A local news outlet disputed this assessment, writing that police officers have lost the ability to run license plates and driver's licenses through state databases. City leaders sent a memo to government workers on Tuesday warning that much of the IT system was shut down due to the incident.

Article language: in English - Industry: Telecommunications - Organisation/company: NTT Communications Corp.

NTT Com Confirms Potential Information Leak due to Unauthorized System Access
2025-03-07
TOKYO, JAPAN, March 5, 2025 - NTT Communications Corporation (NTT Com) announced today that on February 5th it determined that unauthorized access to its systems had occurred. On the following day, the company established that certain information may have been leaked.
Following an internal investigation, we determined there was a possibility that some data stored within our internal Order Information Distribution System, which manages and distributes information related to service orders and changes for corporate customers, had been leaked. No information related to services provided to individual customers was leaked.

Actor/variant: Qilin - Article language: in English

Microsoft Threat Intelligence on LinkedIn: Since late February 2025, Microsoft has observed Moonstone Sleet, a North…
2025-03-07
Since late February 2025, Microsoft has observed Moonstone Sleet, a North Korean state actor, deploying Qilin ransomware at a limited number of organizations. Qilin is a ransomware-as-a-service (RaaS) payload used by multiple threat actors, both state-sponsored and cybercriminal groups.
Moonstone Sleet has previously deployed only its own custom ransomware in its attacks, and this represents the first instance of the group deploying ransomware developed by a RaaS operator.

Actor/variant: BABUK 2.0 - Article language: in French - Industry: Accounting

Statement concerning the security incident at Forvis Mazars in France - Forvis Mazars - France
2025-03-13
10/03/2025 | At Forvis Mazars, we attach the greatest importance to data security and do everything we can to ensure the highest levels of protection in our day-to-day activities.
In an environment marked by a resurgence of attacks and fraudulent behaviour, we have been investing heavily at every level of our organisation for many years. Unfortunately, we recently identified a data leak originating from an IT component isolated from our business infrastructure. We immediately launched our security protocol and mobilised our technical teams to carry out an exhaustive review of our IT infrastructure and contain the incident. This incident may have temporarily made certain personal information accessible. The data concerned (taken from our employees' expense reports) is limited to the following elements: surname, first name, e-mail address. We wish to reassure you that no other data, in particular data relating to the services we provide to our clients, has been compromised.