Play and LockBit claim responsibility for ransomware attacks. Breach at English school trust. LinkedIn data scraping case update.

At a glance.

• Play takes credit for Antwerp ransomware attack.
• English school trust suffers data breach.
• LockBit claims responsibility for California Department of Finance ransomware attack.
• US Court of Appeals reverses decision in LinkedIn data scraping case.

Play takes credit for Antwerp ransomware attack. 

Digipolis, the IT company responsible for managing the IT systems of the Belgian city of Antwerp, experienced a ransomware attack last week, and the Play ransomware operation has claimed responsibility for the incident, Bleeping Computer reports. The attack disrupted the city’s IT and phone services, and City council member Alexandra d’Archambeau posted on Twitter that the city system email was also down, resulting in the disruption of many city services including job applications, use of libraries, and new agreements with the city. Over the weekend, Play listed Antwerp as one of its victims on its data leak site. The hacking gang claims to have stolen 557 GB of data which include personal information, passports, IDs, and financial documents, and has threatened to begin publishing the data in a week unless their ransom demands are met. 

English school trust suffers data breach. 

Dartmoor Multi Academy Trust (DMAT), a school trust located in the English county of Devon, confirmed that it suffered a data breach last week and has launched an internal investigation, DevonLive reports. Although DMAT has not disclosed what caused the breach or what data were compromised, an anonymous source claims that personal teacher data, including addresses and health information, were exposed to students through a staff Microsoft Team site that was open to all staff and students. A DMAT spokesperson stated, “Despite the range of robust digital security measures we have in place as a Trust, we ascertained the existence of a data protection breach last week…Our investigation into precisely which data was compromised is still underway, however, we have already notified the Information Commissioner’s Office, scheduled additional data protection training for staff in January and are working closely with our digital security providers to ensure any further breach cannot occur. We are also seeking support from external providers to see what more we can do moving forward to prevent a repeat incident.”

LockBit claims responsibility for California Department of Finance ransomware attack. 

The California Governor’s Office of Emergency Services (Cal OES) yesterday disclosed that the California Cybersecurity Integration Center (Cal-CSIC) is responding to a cybersecurity incident impacting the California Department of Finance. The statement reads, “Upon identification of this threat, digital security and online threat-hunting experts were rapidly deployed to assess the extent of the intrusion and to evaluate, contain and mitigate future vulnerabilities.” Though Cal OES cannot yet release details about the breach, the office has confirmed that no state funds were compromised. Cal OES has not disclosed what data exactly were exposed, but the alleged culprits are being a little more loose-lipped. CyberScoop reports that the infamous LockBit ransomware group has claimed responsibility for the attack, alleging that they group walked away with 76 GB of Department of Finance data including “databases, confidential data, financial documents” and “sexual proceedings in court” (whatever that means). The statement on the threat group’s website was accompanied by screenshots of some of the allegedly stolen documents and a file directory. LockBit also stated that it has given the agency until December 24 to meet its ransom demands (which have not been disclosed publicly) before the gang will publish the pilfered data. The US Department of Justice recently described LockBit as one of the “most active and destructive ransomware variants in the world,” but that doesn’t mean they should necessarily be taken at their word. Brett Callow, a threat analyst at Emsisoft, tweeted Monday, “It should be noted that not all of LockBit’s past claims have been true.” Indeed, in June, LockBit claimed to have successfully breached cybersecurity firm Mandiant only to admit later that this was untrue. 

Blake Lohn-Wiley, Security Automation Architect at Swimlane, offered some comment on LockBit and its operations:

“LockBit ransomware originated in September 2019 under the name “.abcd virus.” Since then, the group has become one of the most dangerous cybercriminal groups in the world, claiming responsibility for countless high-profile attacks this year, including those on German auto parts giant Continental and business management software supplier Advanced.

“Unfortunately, local government organizations are often a relatively easy target for ransomware gangs due to the abundance of valuable information that they house and often-limited cybersecurity resources. The attack against California’s Department of Finance follows the footsteps of ‘Play’ ransomware’s attack on Argentina’s Judiciary of Córdoba and Quantum’s attack against the Dominican Republic Instituto Agriculturo in August of this year. Threat groups leverage this easily accessible information to their benefit, ultimately making local citizens the victims.

“Since many local government organizations do not have the manual capacity to deal with these kinds of attacks, security automation must be leveraged to assist with the detection and response of threats in real-time. By adopting low-code security automation, security teams are allowed complete visibility into IT environments and the ability to handle potential threats without the chance of human error. Additionally, endpoint security tools that integrate low-code automation help companies achieve a cohesive protection strategy that prevents cybercriminals from stealing, extorting and exposing sensitive data.”

US Court of Appeals reverses decision in LinkedIn data scraping case.

Last month the US Court of Appeals reversed a year-old ruling against LinkedIn involving data scraping. The original decision ruled in favor of HiQ Labs, a human resources company that used bots to scrape over 150 million LinkedIn users’ usernames, email addresses, and phone numbers without authorization. The reversal, which states that LinkedIn may enforce its user agreement against data scraping, follows the Supreme Court’s ruling in Van Buren v. United States, a case involving the Computer Fraud and Abuse Act. Radware Blog explains how scraped data, though technically public, can become a hot commodity on the dark web when combined with data from other sources. Companies like HiQ use scraped data to increase sales, but if it lands in the wrong hands, (which – spoiler alert – it did) it can be used by cybercriminals for identity fraud or other crimes.