Fresh virus misery for Illinois: Public health agency taken down by... web ransomware. Great timing, scumbags

Not like anyone is looking for medical advice right now

As the world tackles the COVID-19 coronavirus pandemic, ransomware creeps have knocked offline a public health agency's website that served nearly a quarter of a million people in the US.

The Champaign Urbana Public Health District (CUPHD) in Illinois, covering 210,000 folks, including the state's biggest university, said today it has had to set up an alternate website as it deals with a ransomware infection that took down its primary site. "We are working to get our website up and running," the district said in a post to a Facebook page that has now become its preferred outlet.

A spokesperson for the district also confirmed an earlier report from Mother Jones that the outage, which began Tuesday morning, was caused by a ransomware infection rather than a crush of traffic. "CUPHD can confirm that our system was attacked by a ransomware virus [called] Netwalker," El Reg was told.

Also known as MailTo, the Netwalker ransomware emerged earlier this year in targeted attacks.

At the time of writing, the district's alternate website was operational and displaying some basic contact information about the deadly coronavirus outbreak. The organization's Facebook page remains active with advice on how to prevent and report further infection.

The Urbana-Champaign area in particular will be affected by the outbreak as the area is home to the University of Illinois, which brings in students from all over. The school, currently on its Spring Break, said yesterday that when classes resume, they will do so online.

The horrible timing of the ransomware attack – right as people turn to state officials for advice and information on a biological virus outbreak – is likely a coincidence, as ransomware infections have for months been spreading on various local government networks.

Ransomware masterminds in particular have found local governments to be easy prey due to low IT staffing and a lack of basic security protections. Places as sparsely populated as Nunavut, Canada and as large as Baltimore, Maryland have had to deal with ransomware hijackings that shut down critical city services. ®

Biting the hand that feeds IT © 1998–2022