US MSP XenWerx became a victim of INC ransomware
XenWerx Initiatives, LLC serves small and midsize businesses, providing a full suite of services and products for virtualization initiatives. INC ransom group posted a demand for ransom on April 1 stating that they had hacked XenWerx and exfiltrated private and personal confidential data, client documents, budgets, payroll, taxes, IDs, financial information, etc. The attack vectors were most likely spear phishing, malicious scripts and RDP access via stolen credentials.
That’s not the first and will not be the last case in the U.S., where MSPs are being heavily attacked. Overall, Acronis threat intelligence shows a very high level of cyberthreats in the U.S., with 33.7% of users experiencing at least one malware detection during April and 19.6% trying to visit a malicious URL at least once.
Fluent Home Group in Canada was another victim of BlackBasta
The company offers home security technology, energy management, security automation and mobile products and associated installation services, enhancing the quality of life and protecting homes and families in a user-friendly manner. With revenue of around $70 million it was a good target for bad guys and the BlackBasta ransomware gang compromised them, which was announced on April 19. A phishing email most likely was the way BlackBasta got it and, as a result, Fluent Home Group lost around 600 GB of data.
While Canada has a relatively low threat level, according to Acronis threat intelligence, we are still talking about 14.4% of users experiencing at least one malware detection during April and 6% trying to visit a malicious URL at least once.
Japanese company Hoya hit by Hunters International ransomware
Hoya is a big company with revenue of more than 5 billion ISD in 2023 that specializes in optical instruments, medical equipment and electronic components. It operates globally, with 160 offices, subsidiaries in over 30 countries, and 43 laboratories. Hunters International compromised them — most likely through spear-phishing, that led to the ransomware payload. It was confirmed on April 3. As a result, their production was disrupted as well as order processing across several business divisions, leading to IT outages. The ransomware group demanded a $10 million ransom to prevent the release of an alleged 1.7 million stolen files totaling 2 TB.
Manufacturing companies in Japan are often hit by ransomware, and in April, Acronis threat intelligence recorded a steep rise in attacks compared to March: 16.7% of users experienced at least one malware detection during the month and 17.7% tried to visit a malicious URL at least once.
Australia’s OracleCMS became a victim of LockBit ransomware
OracleCMS’s services encompass call centers in Adelaide, Perth, Brisbane, Melbourne and Sydney. OracleCMS also provides services to industry leaders in various market sectors, such as BHP, South 32, Myer, Lion, AMP, 7-Eleven, Starbucks, etc. It was compromised by LockBit 3.0, which was confirmed on April 12. Available evidence suggests that the impacted data was limited to corporate information, contract details, invoices and triage process workflows.
In April, according to Acronis threat intelligence, 23.4% of users experienced at least one malware detection and 14.5% tried to visit a malicious URL at least once.