An investigation is underway in the case of a German hospital who fell victim to a ransomware attack making their computer systems inoperable to admit new patients. Ultimately, a woman facing a life-threatening condition died after being turned away and recommended to a more distant hospital, according to WIRED.

The party responsible for the attack is currently unknown but is facing possible charges of negligent manslaughter. The attack occurred in mid-September and encrypted around 30 different hospital servers and left detailed information on how to contact the attackers. When a patient in serious condition arrived, they were forced to turn the patient away and recommended her to a hospital about 20 miles away, which resulted in about an hour in treatment delay. The patient ultimately died.

It is believed the attackers were targeting a nearby university associated with the hospital but ended up encrypting the hospitals systems instead.

When authorities communicated with the attackers and informed them the attack had hit the hospital responsible for treating emergency patients, the ransom was reportedly withdrawn, and a decryption key was provided. After that communication, the attackers are no longer able to be reached.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Tom Loewy of the Quad-City Times reports that a Davenport man who was originally charged with two misdemeanors now faces a felony charge for the possession of a stolen handgun. Ray Watkins was arrested and charged with an aggravated misdemeanor of carrying weapons and possession of marijuana. The charges stem from police seeing Watkins in a Davenport park with a loaded gun. They conducted a traffic stop of Watkins’ vehicle where they found the marijuana on his lap and through a search of the vehicle found a loaded Smith & Wesson semi-automatic pistol under the driver seat.

Officers had determined that the gun found in the vehicle was reported stolen by the Indianapolis Metropolitan Police Department on September 10, 2019. The Davenport Police obtained a search warrant for Watkin’s phone and recovered evidence that led to the addition of the felony charge. Photo and video evidence on the phone showed the accused in possession of the firearm. Additionally, they found a video on the phone that displayed the gun on Watkin’s lap just 12 minutes before officers had made contact.

In this case, the possession of the stolen firearm is considered trafficking. Watkins is currently being held in jail on a $5,000 bond and the preliminary hearing is scheduled for Friday September 25, 2020.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Nikie Mayo of Greenville News reports that Belton mayor Tiffany Ownbey has been a victim of revenge porn, and that the State Law Enforcement Division (SLED) is conducting a computer forensic examination relating to the matter. If you are not familiar with it, revenge porn is the release of sexually explicit material without the consent of the party or parties involved with intent to cause harm to the individual(s) depicted in the acts. The Belton Police Chief, Robert Young passed the case off to SLED in June after Ownbey told him about the video. According to a spokesperson for SLED, the video was published on social media, though they did not say which of the various platforms. Spokesperson Thomas Crosby states “[we] continue to look into the situation, and we’re exhausting all forensics and investigative leads.”

Ownbey’s attorney, former 10^th Judicial Circuit Court Solicitor Druanne White, has said that a man had in the past secretly recorded the video of the intimate encounter with Ownbey and threatened to release the video if she broke up with the unnamed individual. Ownbey is the first woman to have been elected to the position of mayor in Belton, and White has stated “[after] Tiffany was elected Mayor, she began hearing rumors that the recording might be released.” Ownbey is currently waiting on SLED to finish their investigation before any further legal action is pursued in the matter.

“According to the Cyber Civil Rights Initiative, 46 states and the District of Columbia have specific laws against the distribution of sexually graphic images of individuals without consent” Mayo writes. South Carolina is one of the states not included and does not contain such a law. Ownbey has stated that she will work toward advocating for others who have been in situations like hers. A bill was introduced in 2019, but it has not advanced.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Baltimore ABC Affiliate WMAR recently reported on the story of a murder case in which Calum Thomas of Annapolis Maryland was found guilty and sentenced to 55 years in prison for second degree murder and related firearms charges. Digital forensic analysis of Thomas’s cell phone was instrumental in solving the case.

It all started back on January 2, 2017 when Anne Arundel County police were called to a report of shots fired in Annapolis. At the scene, they discovered the victim, Terry Crouse. Crouse had been shot multiple times and unfortunately was pronounced dead at the scene. Through the course of the investigation Mr. Crouse’s son was interviewed. He indicated to police that Thomas may have been involved because he believed Thomas was potentially angry about a debt Thomas thought Crouse’s son owed him.

On January 13, 2017, Maryland State Police pulled over a car Thomas was driving. In the car they located a firearm that fired the same type of ammunition used in the murder. Also found in the car was Thomas’s cell phone. The Digital Forensics Unit of the Anne Arundel County Police analyzed the phone. During the course of the analysis, investigators found browser history indicating the phone had been used to search for both the type of firearm and ammunition which ballistic examiners had already linked to the crime. With the assistance from the FBI, they were able to determine that the phone was connected to cell towers surrounding the crime scene around the time of the murder.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

According to NBC News, Hartford Public Schools in Connecticut was forced to postpone the first day of school after a ransomware attack made the district’s system inaccessible.

In an online message released to students, the district stated that ransomware was responsible for causing an outage of critical systems used by the school’s transportation company, making it impossible for students to return to school. Superintendent Dr. Leslie Torres-Rodriguez told NBC Connecticut that the school does not believe any personal information of students or staff was compromised, however, there will still be an investigation.

In the interview, Torres-Rodriguez stated “This is another example of how flexible we all have to be. We were ready and we were excited, and we still are, to receive our students and staff. This was something that was out of our control and we’re going to give it another try.”

The school will reopen its door officially on September 9^th, one day later than expected.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Back in 2016, Morgan Stanley closed two data centers and hired a vendor to remove old equipment from the buildings. Subsequently, Morgan Stanley learned that some of the machines still contained unencrypted client data and had not been fully wiped clean, according to Think Advisor.

Flash forward to 2020. Morgan Stanley is unable to locate the equipment and have deemed it “missing.” Additionally, back in 2019, Morgan Stanley had replaced multiple servers across various branch locations. A filed complaint alleges that the discarded servers contain unencrypted data and that Morgan Stanley had also deemed those servers missing.

The missing equipment is said to contain “everything unauthorized third parties need to illegally use Morgan Stanley’s current and former customers’ PII (personal identifying information) to steal their identities and to make fraudulent purchases, among other things.”

The complaint states that the customers whose personal information resides on the discarded equipment face a “lifetime risk” of identity theft and their information being sold on the dark web.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Matthew Ormseth of the Los Angeles Times reports that a visiting researcher at the University of California Los Angeles (UCLA) has been arrested and charged with destroying evidence. The FBI originally began investigating Guan Lei in July under suspicions that he had committed visa fraud and possibly shared software or technical data from UCLA to officials in the Chinese military. However, he is not currently charged with those crimes; instead he has been accused of destroying evidence. Agents had been staking out his apartment in Irvine, CA where they observed Lei pull a computer hard drive out of his sock and dispose of it in a trash bin.

The FBI interviewed Lei and Ormseth writes “[t]wo days after being interviewed, Guan tried to board a flight out of LAX to Xiamen, a city in southeast China.” Six days after the interview, the agents saw Lei dispose of the hard drive outside of his apartment. The hard drive was crushed according to an affidavit.

Agents returned to the Lei’s apartment five days later with a search warrant, with authorization to search Lei as well, however the agents were unable to locate him at that time. Ormseth writes that “Guan [Lei], who was doing laundry across the street, saw them arrive and walked briskly away, the affidavit said.” It is currently unclear what was recovered from the apartment with the search warrant, or if any data was salvageable from the hard drive agents recovered from the trash bin.

“Guan is the latest Chinese national studying at a U.S. University to be charged with a federal crime” Ormseth writes. According to the LA Times article, visiting scientists from Stanford, UC San Francisco, and UC Davis have also been arrested and detained. More information is likely to come in the following weeks.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

 
Scott Ferguson of Govinfosecurity.com reported that Sudhish Kasaba Ramesh, an ex-Cisco engineer, has pled guilty to causing $1.4 million in damages to the company. Ramesh has plead guilty to one charge of intentionally accessing a protected computer without authorization and recklessly causing damage. The breach did not cause any damage or compromise to customer data; however, there was damage to Cisco’s internal systems and other expenses Cisco occurred due to the access, estimated at $1.4 million.

The incident occurred in September of 2018 but criminal charges against Ramesh were made in July of 2020. Ramesh resigned from his position with Cisco in April of 2018, and it is alleged that Ramesh accessed Cisco’s systems where he executed malicious code from his own cloud platform. The malicious code then deleted 465 virtual machines that are used to support Cisco’s WebEx application. This caused around 16,000 WebEx accounts to be affected over a course of two weeks.

WebEx, if you are unfamiliar, is an application that allows for video conferencing, screen sharing, and other virtual collaboration tools. The disruption in the WebEx service caused Cisco to refund their clients who were affected, which is part of the calculation of the $1.4 million in damages. Ferguson notes “The court documents in the case do not mention how Ramesh maintained his access to Cisco’s cloud infrastructure after he left or what led the FBI to press criminal charges.”

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

As reported by ZDNet, the University of Utah recently paid out almost $500,000 to a ransomware group. While paying these types of groups is unfortunately not all that remarkable, the fact that they paid even after a relatively successful response by the University is rather remarkable.

Apparently the university was able to identify and halt the attack before 99.98% of their data had been encrypted. Of the data that was encrypted, just .02%, was unable to be recovered from backups. With almost no data loss, the university seemed to have avoided disaster. Then the ransomware group threatened to release documents stolen before the encryption began if a substantial payment wasn’t made. This is a backup maneuver that has become all too common in these types of ransomware attacks. In many cases, the ransomware groups will get two ransom payments, one for giving victims the decryption key and one for (supposedly) deleting the data.

Reportedly, after a review of the matter and consulting with their cyber insurance provider, it was agreed that a payment would be split between the cyber insurance and the university. A university spokesperson was quoted as describing the payment as “a proactive and preventive step to ensure information was not released on the internet”. One has to wonder how much faith anyone can have in the promise of the ransomware group which, of course, stole the data in the first place.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics

Phil Muncaster from Infosecurity Magazine reports that on August 6, the SANS Institute discovered that hundreds of emails from an internal account were forwarded to an unknown third party. SANS has stated that a regular review of email configuration settings revealed a forwarding rule that was flagged as suspicious. The emails that were forwarded contained information such as first and last names, work titles, company name, industry, address and more.

Muncaster writes “SANS Institutes confirmed to Infosecurity that the exposed data belonged to individuals that had registered for one of its virtual summits and ‘was intended for community outreach purposes.’” The investigation into the forwarding revealed that there were a total of 513 emails forwarded to the unknown email address and that a malicious Office 365 add-on was installed on the victim’s machine as part of the attack. The attack vector was a single phishing email that infected the victim’s machine allowing for the setup of the forwarding. SANS has since secured the account to prevent any other release of information. The SANS digital forensics team is looking into the attack to determine if any other information was compromised due to the breach. SANS has posted information on their website about the incident, and has stated that passwords and financial information were not disclosed in the incident.

Email: sensei@senseient.com   Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics