RansomHub genius tries to put the squeeze on Delaware Libraries
Extorting underfunded public services for $1M isn't a good look
Despite being top of the ransomware tree at the moment, RansomHub – specifically, one of its affiliates – clearly isn't that bright as they are reportedly trying to extort Delaware Libraries for around $1 million.
Public libraries are a core facility of any town or city and the pillars of society, supporting the community through various means, yet they're notoriously underfunded, raising the question of why they'd be targeted.
Regardless, targeted they were – all across the state of Delaware. Delaware Libraries oversees 35 sites across the state, many of which are battling IT issues caused by a ransomware attack that has forced computer labs to shut.
The Georgetown Public Library replied to a social media post on Tuesday asking visitors to call before arriving, adding that the site had no printing, internet, or computer services available.
Several others across the state have warned that their phone services may also be "intermittently disrupted," while others such as the Rehoboth Beach Public Library said its phones are completely down, as are its scanning and faxing services.
A statement posted to its website attributes the ongoing issues to "an extended system/internet outage." However, the organization confirmed to The Register that ransomware is the cause.
"There has been a ransomware attack on one of the virtual servers," a spokesperson at Rehoboth Beach Public Library told us. "Internet connections have been affected at the public libraries in the state. There is an ongoing, active investigation of the outage and temporary solutions are in place to provide traditional library services."
Delaware Libraries' website also states that some sites across the state are shut as a result, and it hasn't determined how long it will take to restore its services.
RansomHub claims to have stolen a bunch of documents from Delaware Libraries, leaking what appears to be a small number of financial documents from previous years.
A screenshot of a single folder shows it contains more than 80,000 files totaling 56 GB, created on September 20, the day before the organization confirmed the IT issues.
The RansomHub blog post that allegedly leaked Delaware Libraries' data mentioned the Delaware Library for the Blind and Physically Handicapped specifically – the old name of what's now known as Delaware Library Access Services. It's unclear if this was the intended target of the attack, whether the criminals just mentioned it for effect, or for another reason.
The prolific ransomware group, which hit more than 200 organizations in six months, made no claims regarding the theft of any other kinds of sensitive or personal data, suggesting it may not have the deep level of access it usually enjoys.
That suggestion is supported by the words of Annie Norman, state librarian of Delaware and director at the Delaware Division of Libraries.
Speaking to local media, she said: "The good news is – thank God there's some good news – it's not affecting the catalog, which is where there's patron information."
The libraries' catalog can still be queried from its website and its digital services such as magazine subscriptions, audiobooks, and children's book portals remain online.
Norman added that the decision was made to rebuild systems instead of paying the ransom, which is in line with the longstanding guidance from federal agencies such as CISA, but as many will know it isn't necessarily followed in every case.
Delaware Libraries is working with Microsoft and the Delaware Department of Technology and Information on its recovery efforts, which are still very much in the early stages.
It can often take weeks or even months to determine the root cause of a cybersecurity incident and to fully understand what data was compromised. ®