The Cybersecurity 202: Ransomware threats barrel back after a slow Labor Day

with Aaron Schaffer

Ransomware may take a holiday, but it doesn’t last long. The Labor Day weekend concluded without any cyber catastrophes. But once the long weekend’s festivities were over, cybercriminals hit with a one-two punch:

1. The REvil ransomware gang, which launched two of the most devastating attacks this year before disappearing in July, suddenly reemerged.

2. Howard University in Washington D.C. was hit with a major ransomware attack, which forced the historically Black university to cancel classes and likely heralds a coming barrage of similar attacks against universities and K-12 institutions as the school year kicks off.

The stories offer a stark reminder that U.S. institutions remain highly vulnerable to ransomware. The Labor Day break was essentially an anomaly. Hackers frequently time attacks to holiday weekends when victims are less likely to notice an intrusion for two or three days. Holidays celebrated in the victim's country, but not where the hackers live, are particularly popular. Blockbuster ransomware attacks disrupted Mother’s Day, the Fourth of July and Memorial Day weekends this year.

Before Labor Day weekend, the White House took the rare step of urging industries to be on alert for ransomware attacks and warned that the FBI and Cybersecurity and Infrastructure Security Agency (CISA) were monitoring for such attacks.
The Howard University campus in Washington. (Jacquelyn Martin/AP)
REvil returned with a blog. It relaunched the blog where it had posted stolen and often embarrassing data from hacking victims that refused to pay ransoms. The gang had disappeared shortly after conducting the most widespread ransomware attack to date, which affected more than 1,500 businesses linked to the software provider Kaseya during the Fourth of July weekend. Previously, REvil was responsible for a Memorial Day weekend ransomware attack against the meat processor JBS that threatened the U.S. meat supply and yielded an $11 million ransom.

The reemergence essentially dashes hopes that REvil had permanently disbanded — either out of fear of retaliation from the U.S. government or under pressure from the Kremlin. REvil is believed to be based in Russia but not directly allied with the Russian government. President Biden pressed Russian President Vladimir Putin during a summit in June to crack down on such cybercriminal actors operating in Russian territory.

“My personal opinion is they just took a break to rethink what they were doing, how they were doing it and to check their security,” Adam Meyers, vice president of intelligence at the cybersecurity firm CrowdStrike, told me. “They’re back to make money. This is a big business and there’s a lot of money to be made doing it.”

Indeed, cybersecurity researchers say they’ve seen no significant drop in the volume of ransomware attacks hitting U.S. businesses following either the Biden-Putin summit or REvil’s (now temporary) disappearance. Since June, there have not been any attacks remotely as significant as Kaseya, JBS or the Colonial Pipeline attack, which struck on Mother’s Day weekend and sparked panic buying at gas stations in the southeastern United States. That may be because ransomware gangs are trying to keep their operations at a level that doesn’t spark blowback from the U.S. or Russian governments. Or it could just be a coincidence.
“It’s hard to read much into the fact there haven’t been any pipeline-level attacks in recent weeks because those types of attacks are fairly few and far between,” Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, told me. “We are seeing [ransomware] attacks on hospitals and water treatment facilities, so they’re not leaving critical infrastructure alone by any means.”

The Howard University attack followed a slew of ransomware attacks against schools this year. If history is a guide, even more are coming. That’s because ransomware hackers often target their attacks to the beginning of the school year when they’ll be more disruptive and administrators are more likely to pay ransoms to return to learning.

Howard will resume in-person classes today but online and hybrid classes are still suspended, according to a notice. The school is working with law enforcement and unsure when its IT systems will be recovered from the attack.
