November was a busy month in the ransomware world. Two of the highest impact attacks were on Ardent Health Services and Fidelity National Financial, disrupting patient care and causing chaos in the housing market, respectively. But it wasn’t all bad news, thanks to the capture of ransomware criminals in Ukraine.
Ardent Health Services was breached by an as yet unknown ransomware gang on November 23rd. As a result of the attack, some of Ardent’s 30 hospitals had to divert patients and postpone scheduled procedures. It is not yet known whether Ardent’s attackers successfully stole sensitive data in addition to encrypting files.
As of December 11th, Ardent is still not fully operational. While the healthcare provider reports that “access to core clinical and business systems has been restored,” it also notes that some elective surgeries are being postponed and that MyChart and on-demand video visits remain unavailable.
Unfortunately, ransomware attacks are common in the healthcare industry. In fact, according to data from ecrime.ch, 40 different healthcare organizations were listed on ransomware leak sites in November alone.
These attacks can have deadly consequences for patients. New research estimates that between 42 and 67 Medicare patients were killed by ransomware attacks between 2016 and 2021.
Housing market woes
Fidelity National Financial (FNF), a Fortune 500 company offering title insurance and transaction management services, was breached by the AlphV ransomware gang on November 21st.
The attack took down title and escrow companies owned by FNF, preventing many real-estate transactions from closing on schedule. It also left homeowners worrying their mortgages would not get paid when mortgaging companies owned by FNF went offline as a result of the hack.
The group responsible for this breach, AlphV, was also behind the high-profile breach of MGM Resorts. The gang has been very active of late, listing 46 organizations on its leak site in November alone, according to data from eCrime.ch.
A whopping 484 organizations were named on data leak sites in November, according to data from eCrime.ch. On average, that’s just over 16 organizations per day. The true number of successful ransomware attacks is likely higher, however, as organizations that cooperate will not (usually) be listed on a leak site.
LockBit 3.0 was the most prolific gang in November, claiming 121 breached organizations. The Play ransomware gang was the second most active group, naming 49 companies. AlphV were the third most prolific group, listing 46 organizations. Blackbasta and 8Base rounded out the top five most active groups, adding 36 and 33 companies to their respective leak sites.
Fortunately, there was also some good news this November: key members of a ransomware gang based in Ukraine were arrested. The gang, which deployed a variety of different ransomware, had attacked organizations spanning 71 countries and encrypted at least 250 servers, according to Europol.
The ringleader of the gang and four of his associates were caught on November 21st, after law enforcement officers searched 30 properties across four Ukrainian cities. The successful operation was the result of cooperation between law enforcement agencies from seven different countries.
When an organization is breached by ransomware, those depending on it can be harmed or even killed. Fortunately, international efforts to take down ransomware gangs are having some success. However, with 484 victim organizations listed on leak sites in November, there is still much more work to do.