September Ransomware Roundup

Last updated on May 8th, 2024 at 11:27 pm

An AI generated image of a slot machine next to an ambulance.
Image created using Midjourney using impainting.

According to data from, 462 organizations were listed on ransomware leak sites in September. This is up approximately 18% from August, which saw 390 organizations named and shamed on the dark web. The true number of successful ransomware attacks in both months is, however, likely much higher. That’s because organizations that are attacked but promptly pay the ransom do not have their names posted on ransomware sites.

According to, the sectors with the most listed organizations in September were construction, law, real estate, healthcare, and government.

LockBit 3.0 was the most prolific ransomware group in August and it continued to be the most active in September, listing 74 organizations on its leak site. LostTrustTeam, a relatively new gang believed to be a rebrand of MetaEncryptor, was not far behind, naming 53 organizations. AlphVM was the third most active gang, listing 44 organizations, including MGM Resorts and McLaren Healthcare (more on that below). Ransomed and Cactus rounded out the top five most active groups, naming and shaming 34 and 33 organizations, respectively.

Now let’s recap two big ransomware attacks making the news in September.

Ransomware goes to Vegas

An AI generated image of a man in a hoodie typing on a laptop, with a Las Vegas type skyline in the background.
Image made using Midjourney. Prompt: Ransomware Roundup in Las Vegas, glitzy, digital art style

MGM Resorts, owner of iconic Las Vegas hotels including the Bellagio, Mandalay Bay and Excalibur, was breached in the highest profile ransomware attack of September. The company’s properties were plunged into chaos as it shut down its systems to thwart the hackers. Guests experienced long check-in lines, digital room keys stopped working, and slot machines were knocked offline, for example.

The group behind the attack, known as Scattered Spider, is an affiliate of the AlphVM ransomware gang, meaning it pays a fee to use the group’s ransomware. Scattered Spider allegedly breached the casino giant by phoning up its IT help desk and pretending to be an employee. It was then able to obtain the employee’s credentials, probably by asking the help desk to reset their password, and access MGM’s systems.

According to current reports, MGM expects the breach to cost $100 million. Guests from before March 2019 also had their personal information stolen during the attack. According to the data breach notification, the stolen data includes names, addresses, dates of birth, phone numbers, driving license numbers and, in some cases, SSNs.

From hotels to healthcare

An AI generated image of an ambulance in front of some skyscrapers.
Image generated using Midjourney. Prompt: An ambulance with its lights blazing in a hopsital parking lot, digital art style

While the MGM attack grabbed headlines, AlphVM was also behind an attack on McLaren Healthcare, a Michigan based healthcare system that includes 15 hospitals. The ransomware gang claims to have stolen “sensitive data” from 2.5 million patients and the healthcare network is investigating claims patient data is available on the dark web.

Unfortunately, AlphVM has a history of targeting healthcare facilities. In the last 30 days, it has posted six different organizations from the healthcare sector on its leak site, according to data from Additionally, back in February, the gang attacked Lehigh Valley Health Network. As part of its efforts to extort the health network, AlphVM stooped to a new low: publishing medical photos of breast cancer patients, referring to them as “nudes.”

The takeaway

Ransomware attacks occur frequently and can severely disrupt businesses and their customers. When threat actors steal highly sensitive personal information, such as customers’ SSNs or medical data, the victims have their privacy violated and are put at significant risk of identity theft. 

To protect yourself, try to minimize the personal information you provide to companies you do business with. Although many companies ask for your SSN, few actually really need it, for example. Also consider using an email aliasing service and a VOIP phone number to keep your real contact details private. Stay safe out there!

Leave a Comment

Your email address will not be published. Required fields are marked *