21 April 2023

Ransomware incidents show no sign of decreasing | Cyber Intelligence Briefing: 21 April


Top news stories this week

  1. Ransomware rising. March is a record-breaking month for ransomware incidents.
  2. Red dawn. Russian hackers target critical infrastructure and the NCSC issues advisory on Cisco router vulnerabilities.
  3. Hackers extort Western Digital and LockBit shows remorse for medical facility hack.
  4. Mayday, mayday. Software update failure causes military helicopter crash.
  5. The threat within. Former UK government employee steals top secret data.
  6. Expanding horizons. macOS encryptors found in latest LockBit ransomware.


1. Ransomware incidents show no sign of decreasing

Ransomware attacks surged in March 2023, with a record-breaking 450 publicly reported incidents. According to global data seen by S-RM, over 100 of these were due to Cl0p exploiting Fortra's zero-day GoAnywhere MFT file transfer vulnerability.

Recent high profile ransomware incidents include an attack on NCR, a major payment software provider. Meanwhile, ransomware gang Black Basta has reportedly leaked sensitive data stolen from IT services firm Capita on the dark web.

So what?

Ransomware incidents are increasing in severity and frequency, and proactive measures need to be taken to safeguard data and vital assets. Consider performing a ransomware readiness assessment to evaluate your organisation’s resilience to such an attack.


2. Russian hackers targeting critical infrastructure and NCSC issues joint advisory report

The UK’s National Cyber Security Centre (NCSC) has warned of an emerging threat from Russian hackers targeting critical infrastructure. This coincides with the advisory report issued by the NCSC and US intelligence agencies that outlines tactics used by the Russian state hacking group, APT28, to exploit Cisco routers.

So what for security teams? 

If Cisco routers are within your network, follow the vendor’s published security guidance for the affected devices.



3. ALPHV demand attention and LockBit apologise to latest victim 

Frustrated over an apparent lack of contact from their victim, the ransomware group ALPHV has released a “final warning” on their leak site to Western Digital. The post included allegations that the company misled the US Securities and Exchange Commission.

Separately, LockBit has apologised for targeting the Home and Heart Health medical facility in Virginia, USA. The threat group offered a free decryption key to enable the restoration of systems. LockBit has previously stated that it would not target medical care facilities.

So what?

Communication with threat actors can be unpredictable. It is important to consider your threat actor engagement strategy to best manage volatile negotiations.



4. Software update failure causes military helicopter crash

An Australian military helicopter crashed during a training operation due to engine failure stemming from missed software updates. The update would have prevented “hot starts”, an operational error in which engine fuel ignites uncontrollably during start-up. Thankfully no one was seriously injured in the crash.

So what?

Keeping software and technology up to date is critical for maintaining the security and safety of systems and personnel that rely on them.





5. Insider threat steals top secret government data

A former employee of a ‘sensitive UK government organisation’ has been accused of transferring top secret data to his personal computer. The ex-employee reportedly exfiltrated sensitive information from a restricted workstation to his work phone before taking it home.

So what?

Organisations can mitigate the risk of an insider threat through a formalised joiners, movers, leavers (JML) procedure, stringent access controls, and regular monitoring of network activity.
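A joiners, movers, leavers procedure only works if it is checked against what the directory actually says. The following is an added example, not code from S-RM or from the briefing, showing the kind of reconciliation a security team can run periodically: it compares a constructed HR roster against a constructed directory export and flags leavers whose accounts are still enabled, movers who kept group membership from a previous role, and enabled accounts with no HR record at all. The role-to-group mapping (ROLE_GROUPS), the usernames and the dates are all assumptions made up for the illustration.

```python
"""Joiners/movers/leavers reconciliation against a directory export.

Added example with constructed data; the roster, accounts and role mapping
are hypothetical and stand in for an HR feed and an AD/IdP export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    username: str
    role: str                  # current role according to HR
    last_day: Optional[date]   # set once HR has processed the person as a leaver


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    groups: frozenset          # group memberships from the directory export


# Hypothetical mapping of role -> groups that role is entitled to.
ROLE_GROUPS = {
    "analyst": frozenset({"vpn", "case-files"}),
    "finance": frozenset({"vpn", "ledger"}),
}

# Constructed HR roster (assumed values).
HR_ROSTER = [
    Person("alice", "analyst", None),
    Person("bob", "finance", date(2023, 4, 14)),   # left a week ago
    Person("carol", "analyst", None),              # moved from finance to analyst
    Person("dave", "finance", date(2023, 4, 28)),  # leaving next week, still employed
]

# Constructed directory export (assumed values).
ACCOUNTS = [
    Account("alice", True, frozenset({"vpn", "case-files"})),
    Account("bob", True, frozenset({"vpn", "ledger"})),                  # never disabled
    Account("carol", True, frozenset({"vpn", "case-files", "ledger"})),  # kept old group
    Account("dave", True, frozenset({"vpn", "ledger"})),
    Account("svc-backup", True, frozenset({"vpn"})),                     # no HR record
]


def stale_leavers(roster, accounts, today):
    """Usernames whose last day has passed but whose account is still enabled."""
    by_user = {a.username: a for a in accounts}
    return sorted(
        p.username
        for p in roster
        if p.last_day is not None
        and p.last_day < today
        and p.username in by_user
        and by_user[p.username].enabled
    )


def excess_access(roster, accounts, role_groups):
    """Map of username -> groups the account holds beyond its current role."""
    by_user = {a.username: a for a in accounts}
    findings = {}
    for p in roster:
        acct = by_user.get(p.username)
        if acct is None or not acct.enabled:
            continue
        extra = acct.groups - role_groups.get(p.role, frozenset())
        if extra:
            findings[p.username] = extra
    return findings


def orphan_accounts(roster, accounts):
    """Enabled accounts with no matching HR record (service or forgotten accounts)."""
    known = {p.username for p in roster}
    return sorted(a.username for a in accounts if a.enabled and a.username not in known)


def jml_review(roster, accounts, role_groups, today):
    """Run all three checks and return the findings for review."""
    return {
        "stale_leavers": stale_leavers(roster, accounts, today),
        "excess_access": excess_access(roster, accounts, role_groups),
        "orphan_accounts": orphan_accounts(roster, accounts),
    }


if __name__ == "__main__":
    for kind, detail in jml_review(HR_ROSTER, ACCOUNTS, ROLE_GROUPS, date(2023, 4, 21)).items():
        print(f"{kind}: {detail}")
```

In practice the roster and the account list come from the HR system and the identity provider rather than being embedded, and the three findings feed a ticket queue: disable the stale leaver, strip the mover's leftover group, and either document the orphan as an approved service account or remove it.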



6. macOS encryptors found in LockBit ransomware

Researchers examining LockBit operations have discovered encryptors under development for macOS. The ransomware group, which typically targets Windows, Linux, and ESXi servers, operates a Ransomware-as-a-Service business model, giving different threat actor groups access to its malware.

So what?

As ransomware groups look to target macOS, users should take proactive measures to protect their systems, such as regularly updating their software, implementing strong password practices, and being vigilant against phishing attacks.



Cyber Intelligence Briefing

The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.

To discuss this briefing or other industry developments, please reach out to one of our experts.


Miles Arkwright, Associate, Cyber Security

James Tytler, Associate, Cyber Security

James Tytler is a cyber security associate in S-RM’s incident response team. In addition to responding to a wide range of cyber security incidents, he also supports clients with cyber threat intelligence services.

Before joining S-RM’s cyber security team, James worked at a London-based corporate intelligence firm, where he specialised in Middle Eastern subjects.

James has a BA in Arabic and Persian from the University of Cambridge, and an MA in International Security from Sciences Po Paris. He speaks fluent French.
