James Pearson and Raphael Satter
LONDON/WASHINGTON (Reuters) – A global ransomware outbreak has crippled servers belonging to the Florida Supreme Court and several universities in the United States and Central Europe, according to a Reuters analysis of ransom messages posted online on affected servers.
The organizations are among more than 3,800 victims of a fast-spreading digital extortion campaign that locked down thousands of servers in Europe over the weekend, according to figures compiled by Ransomwhere, a platform that tracks digital extortion attempts and online ransom payments and whose figures are drawn from online scans.
Ransomware is among the most powerful scourges on the Internet. While this particular extortion campaign wasn’t sophisticated, it drew warnings from national cyber watchdogs in part because of the speed of its spread.
Ransomwhere did not name individual victims, but Reuters was able to identify some by searching Internet Protocol address data associated with the affected servers through widely used Internet scanning tools such as Shodan.
The extent of disruption to affected organizations, if any, is unclear.
Florida Supreme Court spokesman Paul Flemming told Reuters that the affected infrastructure was used to manage other elements of the Florida state court system and was separate from the Supreme Court’s main network.
“The network and data of the Florida Supreme Court are secure,” he said, adding that the integrity of the rest of the state court system was also unaffected.
A dozen universities contacted by Reuters, including the Georgia Institute of Technology in Atlanta, Rice University in Houston and higher education institutions in Hungary and Slovakia, did not immediately return messages seeking comment.
Reuters also contacted the hackers through the account advertised in their ransom messages, but received only a payment request in return. They did not answer additional questions.
Ransomwhere said cybercriminals appear to have extorted only $88,000, a modest amount by the standards of the multimillion-dollar ransoms regularly demanded by some hacking groups.
One cyber security expert said the outbreak – believed to have exploited a two-year-old vulnerability in VMware Inc’s software – was typical of automated attacks on servers and databases that hackers have been carrying out for years.
VMware has urged users to upgrade to the latest versions of its software.
“This is nothing unusual,” said Patrice Auffret, founder of French Internet scanning company Onyphe. “The difference is the scale.”
Also unusual is the highly visible nature of the outbreak, which began earlier this month. Because internet-facing servers were affected, researchers and tracking services like Ransomwhere or Onyphe could easily follow the criminals’ trail.
Digital security officials in Italy said Monday there was no evidence to suggest “aggression by a state or a hostile state-like entity.”
Samuli Kononen, an information security expert at Finland’s National Cyber Security Center, said the attack was likely carried out by a criminal group, although he added that it was not particularly sophisticated as many victims were able to rescue their data without paying a ransom.
“More experienced ransomware groups usually don’t make that kind of mistake,” he said.