[Security Weekly] US School Systems Delay Classes Due to Multiple Ransomware Attacks

2nd Week of September 2020


1. US school systems delay classes after targeted by various ransomware groups

As the Labour Day long weekend brings schools to a start, a number of ransomware operators seized the opportunity to target the vulnerabilities of remote learning, causing school systems to shut down one after another.

On August 17, Haywood County School District in North Carolina was attacked by the SunCrypt ransomware. All the schools’ files were unencrypted and exfiltrated by the attackers. The school system was later forced to halt all remote classes as its entire IT system was infected, shutting down all servers, phone lines, and the Internet.

Next, over the Labour Day weekend, the City of Hartford in Connecticut had to delay the first day of school after being attacked by ransomware, affecting a total of 18,000 students. The ransomware was able to spread into the IT systems of a number of schools.

The Maze ransomware group also claimed to have attacked a number of US school districts. This had affected a total of 11,190 schools and colleges since the beginning of 2020. Fairfax County Public Schools, the 12th-largest school system in the country, was among the victims.

When it comes to remote access, schools are generally less prepared than businesses. All organizations must understand the importance of having security measures in place prior to establishing new connections.

Sources: The New York Times, Infosecurity, Infosecurity, Bleeping Computer


2. Major Chilean bank shuts down all branches after hit by REvil ransomware

BancoEstado, the third-largest bank and the only government-owned financial institution in Chile, also one of the highest-rated banks in South America, suffered an attack by the REvil ransomware over the weekend of September 5, forcing it to close down all its branches on Monday, September 7.

According to sources at ZDNet, the attack originated when an employee of the bank opened a malicious Microsoft Office document received over email, apparently sent by the attackers. This had triggered the installation of a backdoor in the bank’s internal network. The attackers later utilized the backdoor to gain access to the IT system and installed the ransomware.

BancoEstado disclosed the incident on Sunday. The Chilean government immediately issued a national cybersecurity alert warning private enterprises to be aware of a ransomware campaign.

Employees at the bank were not able to access their files, which forced the bank to shut down all manual commercial operations on Monday. Fortunately, the bank’s internal network was properly segmented so that the attackers were not able to intrude on the segment that included customer data. As a result, online banking and ATMs remained unaffected and customers were reassured that their accounts were safe.

Sources: ZDNet, Cointelegraph


3. Argentinian borders forced to shut down following Netwalker ransomware attack

Argentina’s immigration and border control agency, Department of National Migration, suffered a ransomware attack by the Netwalker ransomware group, forcing it to shut down the nation’s border crossings.

The incident took place on August 27 when the agency’s Directorate of Technology and Communications received numerous technical support requests from a number of border crossings across the country. After identifying the Netwalker ransomware, the agency shut down all its internal IT systems to prevent the attack from spreading further. As a result, all of Argentina’s border crossings remained closed for four hours.

According to local media Infobae, the Argentinian government acted tough by showing no interest in negotiating with the attackers, and downplayed the importance of the stolen data. The ransomware operators initially asked for $2 million, and a week later raised the price to $4 million as the government refused to negotiate.

This incident acts as a warning sign showing that the impact of ransomware attacks can reach beyond the organizational or regional level. Clearly, these attacks are capable of damaging infrastructure and disrupt activities at a national level. Before it’s too late, governments and organizations can take action to mitigate this risk by adopting an encryption solution like D’Amo. To learn more about D’Amo, click here.

Sources: Infobae, Bleeping Computer


4. Datacenter giant Equinix falls victim to Netwalker ransomware, $4.7 million demanded

Equinix, a global leader in colocation data centers, suffered from a ransomware attack in early September by the Netwalker ransomware group. As usual, the attackers stole a copy of the data before encrypting them.

The ransomware operators demanded 455 bitcoins, or roughly $4.7 million, in exchange for a decryption key and to prevent the stolen data from being published. The stolen data consisted of a number of remote desktop host servers.

Equinix was able to detect the ransomware in its internal network. However, it claimed that its customers were not affected by the incident, and that all data centers and customer-related services remained fully operational. As of now, no service outage was reported.

Sources: Bleeping Computer, CRN


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security