The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Ransomware threats barrel back after a slow Labor Day


with Aaron Schaffer

Ransomware may take a holiday, but it doesn’t last long.

The Labor Day weekend concluded without any cyber catastrophes. But once the long weekend’s festivities were over, cybercriminals hit with a one-two punch: 

  1. The REvil ransomware gang, which launched two of the most devastating attacks this year before disappearing in July, suddenly reemerged.
  2. Howard University in Washington D.C. was hit with a major ransomware attack, which forced the historically Black university to cancel classes and likely heralds a coming barrage of similar attacks against universities and K-12 institutions as the school year kicks off.

The stories offer a stark reminder that U.S. institutions remain highly vulnerable to ransomware

The Labor Day break was essentially an anomaly. Hackers frequently time attacks to holiday weekends when victims are less likely to notice an intrusion for two or three days. Holidays celebrated in the victim's country, but not where the hackers live, are particularly popular.

Blockbuster ransomware attacks disrupted Mother’s Day, the Fourth of July and Memorial Day weekends this year. Before Labor Day weekend, the White House took the rare step of urging industries to be on alert for ransomware attacks and warned the FBI and Cybersecurity and Infrastructure Security Agency (CISA) were monitoring for such attacks. 

REvil returned with a blog.

It relaunched the blog where it had posted stolen and often embarrassing data from hacking victims that refused to pay ransoms. 

The gang had disappeared shortly after conducing the most widespread ransomware attack to date, which affected more than 1,500 businesses linked to the software provider Kaseya during the Fourth of July weekend. Previously, REvil was responsible for a Memorial Day weekend ransomware attack against the meat processor JBS that threatened the U.S. meat supply and yielded an $11 million ransom. 

The reemergence essentially dashes hopes that REvil had permanently disbanded — either out of fear of retaliation from the U.S. government or under pressure from the Kremlin. REvil is believed to be based in Russia but not directly allied with the Russian government. President Biden pressed Russian President Vladimir Putin during a summit in June to crack down on such cybercriminal actors operating in Russian territory.

My personal opinion is they just took a break to rethink what they were doing, how they were doing it and to check their security,” Adam Meyers, vice president of intelligence at the cybersecurity firm CrowdStrike, told me. “They’re back to make money. This is a big business and there’s a lot of money to be made doing it.”

Indeed, cybersecurity researchers say they’ve seen no significant drop in the volume of ransomware attacks hitting U.S. businesses following either the Biden-Putin summit or REvil’s (now temporary) disappearance.

Since June, there have not been any attacks remotely as significant as Kaseya, JBS or the Colonial Pipeline attack, which struck on Mother’s Day weekend and sparked panic buying at gas stations in the southeastern United States. That may be because ransomware gangs are trying to keep their operations at a level that doesn’t spark blowback from the U.S. or Russian governments. Or it could just be a coincidence. 

“It’s hard to read much into the fact there haven’t been any pipeline-level attacks in recent weeks because those types of attacks are fairly few and far between,” Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, told me. “We are seeing [ransomware] attacks on hospitals and water treatment facilities, so they’re not leaving critical infrastructure alone by any means.”

The Howard University attack followed a slew of ransomware attacks against schools this year. 

If history is a guide, even more are coming. That’s because ransomware hackers often target their attacks to the beginning of the school year when they’ll be more disruptive and administrators are more likely to pay ransoms to return to learning. 

More details from Callow:

Howard will resume in-person classes today but online and hybrid classes are still suspended, according to a notice. The school is working with law enforcement and unsure when its IT systems will be recovered from the attack. 

The keys

Lawmakers introduced a bill to give CISA directors five-year terms.

The bipartisan bill would help shield CISA from partisan politics by making the director’s standard tenure longer than a single presidential term. It comes in the wake of former president Donald Trump firing CISA director Chris Krebs by tweet after Krebs defended the integrity of the 2020 election. 

“By creating five-year terms for CISA’s director, the CISA Leadership Act ensures that this critical agency is a step removed from the day-to-day politics of Washington,” said Rep. Jim Langevin (D-R.I.), a co-sponsor. The bill is also sponsored by other high-profile House lawmakers, including House Homeland Security Committee chairman Bennie G. Thompson (D-Miss.); Rep. John Katko (R-N.Y.), the top Republican on the committee; and the top Democrat and Republican on the committee’s cybersecurity panel.

German police bought NSO Group’s Pegasus spyware.

The country’s Federal Criminal Police Office bought a version of the spyware with some features turned off to conform with strict German privacy laws, government officials told parliament, according to the AFP.

NSO Group and its clients came under fire this year after The Washington Post, Die Zeit, Süddeutsche Zeitung and other news organizations reported that Pegasus was used to target human rights activists, journalists and business executives.

The White House outlined a three-year strategy to boost government cybersecurity.

The program, called “zero trust,” aims to ensure that everyone who accesses a computer system must verify that they are who they say they are. It also focuses on limiting access to computer systems to just what people need to do their jobs. It’s part of a broad-reaching cybersecurity executive order that President Biden issued in May.

Elements of the program include requiring government agencies to encrypt all computer traffic and retire outdated verification procedures such as overly complex password requirements. Here are more details from Politico’s Eric Geller

Chat room

Microsoft software continues to be exploited by hackers, who used a previously unknown vulnerability to create weaponized Microsoft Office documents. Such newly uncovered bugs are called “zero-days.” The New York Times's Nicole Perlroth:

Recorded Future's Allan Liska:

Reuters' Joseph Menn:

Global Cyberspace

New Zealand banks, post office hit by outages in apparent cyber attack (Reuters)

ProtonMail said Swiss court order left no choice but to log activist's IP address - CyberScoop (CyberScoop)


  • Massachusetts’ legislature holds a cybersecurity hearing today at 1 p.m.
  • National Cyber Director Chris Inglis discusses the United States’ cyber defenses at an event hosted by the Reagan Institute on Thursday at 10:30 a.m.
  • Rep. Lauren Underwood (D-Ill.), who previously chaired the House Homeland Security Committee’s cybersecurity subcommittee, discusses cybersecurity diversity and inclusion at an event hosted by The Aspen Institute on Thursday at noon.
  • Retired Adm. Michael S. Rogers, who led the National Security Agency and U.S. Cyber Command, speaks at a Heritage Foundation event on Thursday at noon.
  • Director of National Intelligence ​​Avril Haines; Gen. Paul Nakasone, who leads the NSA and U.S. Cyber Command; National Cyber Director Chris Inglis and others speak at the two-day Intelligence and National Security Summit, which begins Sept. 13.
  • Chris Krebs, the former Cybersecurity and Infrastructure Security Agency, keynotes the Insider Risk Summit on Sept. 14.

Secure log off