Ransomware, Content, Content

Ransomware Attacks Slid in March as Hackers Hit Western Digital, Check Point

A total of 28 ransomware attacks occurred in March 2023, according to figures provided by cybersecurity company BlackFog. The number of attacks were fewer than in the prior two months, but still amounting to a four-year high and a 12% bump over previous years.

The mixed ransomware news comes along with reports by Western Digital, which makes the SanDisk removable memory card, of a cyberattack on its networks, and a distributed denial of service (DDoS) blitz on the Israeli cybersecurity firm Check Point.

A Closer Look at BlackFog's Study

As for BlackFog’s ransomware study, March saw 1,403% of attacks going unreported, up from 478% and 543% in January and February respectively for a nearly three-fold increase from previous months.

Here are some additional data from the BlackFog study:

  • Education increased its lead as the most targeted sector, pumped up by more than 53%, with 26 attacks for the year, followed by government and healthcare with increases of 33% and 13%, respectively.
  • LockBit continues to dominate as the key ransomware variant with 24.3% of reported attacks and 41.4% of unreported attacks.
  • Both CLop and Royal were highly leveraged in unreported attacks with 11.4% each.
  • It is becoming less common for attacks to remain unclaimed as ransomware gangs seek notoriety, with only 14% unclaimed this month.
  • Data exfiltration has been used in more that 88% of attacks, with March accounting for a significant increase in the use of illegal networks, up 14% to 94% since February.

Meanwhile, Western Digital, which reported $19 billion in 2022 revenue, acknowledged that hackers had gained access to its networks and pilfered some company data in an ongoing attack that began last week. The company said it discovered the digital break in on March 26. At this point Western Digital doesn’t know how much data was taken.

Western Digital issued a statement on the matter:

“In connection with the ongoing incident, an unauthorized third party gained access to a number of the company’s systems. Upon discovery of the incident, the company implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts."

The company added that the investigation is in its early stages and Western Digital is coordinating with law enforcement authorities.

It’s not known if Western Digital has engaged with managed security service providers. Still, the company said it is “implementing proactive measures” and has taken systems and services offline in some cases.

Considering that officials warned that business operations may be disrupted, it seems likely that the company is dealing with a ransomware event even though no mention so far has been made of it.

Anonymous Sudan Takes Down Check Point Website

In Check Point’s case, hackers calling themselves "Anonymous Sudan" earlier this week took down Check Point’s website. However, after a short while, the website seemed to return to normal operations, the Jerusalem Post reported. The websites of multiple major universities in Israel were also attacked by the same group, and were down for several hours, the news outlet said.

Check Point's spokesperson stated:

"All our sites are functioning well despite a large-scale attack on them. The company's website is protected against DDoS (Distributed Denial of Service) attacks at the highest level. one of the strongest websites in the world."

While the current attacks are service-preventing infiltrations, Check Point said “it can be assumed” that they and other hackers at some point will try to produce ransom attacks and data theft, the company told the Israeli newspaper Maariv.

In unrelated research, Check Point said its incident response team has uncovered a previously unnamed ransomware family it dubbed Rorschach that had been used to attack an unidentified U.S.-based company.  Check Point said in an analysis that the Rorschach ransomware appears to be unique in that it does not appear to have any overlaps that could tie it to any known ransomware strain. It does not bear any kind of branding which is a common practice among ransomware groups, Check Point said.

The ransomware is also partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment. Similar functionality has been linked to LockBit 2.0, Check Point said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.