Ransomware remains a prevalent threat as threat actors use extortion tactics to pressure victim organizations to pay the ransom. They deny access to encrypted files, steal data, and threaten a data breach by posting on public ransomware leak sites or releasing the stolen data to regulators, clients, or patients. The NJCCIC continues to receive reports of ransomware incidents impacting New Jersey public sector organizations, including local governments and educational institutions, and private sector organizations, including healthcare, manufacturing, construction, and third-party vendors providing critical services and resources to organizations.

For the first half of 2024, ransomware incidents reported to the NJCCIC included Akira, Play, Qilin, INC, and Clop ransomware; however, LockBit 3.0 (Black) ransomware dominated the cyber threat landscape. Threat actors exploited vulnerabilities to infiltrate systems and networks by targeting organizations running a virtual private network (VPN) service, primarily lacking proper MFA implementation. Other reported points of entry were users clicking on phishing and malvertising links.

Once threat actors gained unauthorized access, they infiltrated the target organization, gained access to internal systems, and moved laterally to other critical systems. Once they exfiltrated data, they encrypted systems and servers, shutting down access to essential services and files containing personally identifiable information (PII) and financial information. Other impacted systems and information included emergency communications, transportation, human resources, employee records, payroll, and student information. Additionally, the ransomware incidents affected onsite backups; therefore, victim organizations had to resort to offsite backups, if available and viable for restoration.

Heading into the second half of 2024, the NJCCIC has received similar ransomware reports of LockBit 3.0 (Black) and Rhysida ransomware as threat actors continue targeting public sector organizations and phishing for PII and VPN credentials.

Recommendations

• Establish a comprehensive data backup plan that includes regularly performing scheduled backups, keeping an updated copy offline in a separate and secure location, and testing it regularly.
• Avoid clicking links, responding to, or otherwise acting on unsolicited emails.
• Keep systems up to date and apply patches after appropriate testing.
• Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
• Utilize network segmentation to isolate valuable assets and help prevent the spread of ransomware and malware.
• Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).
• Maintain robust and up-to-date endpoint detection tools on every endpoint.
• Consider leveraging behavior-based detection tools rather than signature-based tools.
• Report ransomware and other malicious cyber activity to the FBI’s IC3 and the NJCCIC.