According to a Reuters analysis of ransom notes posted online to stricken servers, a global ransomware outbreak has scrambled servers belonging to Florida’s Supreme Court and several universities in the United States and Central Europe.
Those organizations are among more than 3,800 victims of a fast-spreading digital extortion campaign that locked up thousands of servers in Europe over the weekend, according to figures tallied by Ransomwhere, a crowdsourced platform that tracks digital extortion attempts and online ransom payments and whose figures are drawn from internet scans.
Ransomware is one of the internet’s most dangerous scourges. Although this extortion campaign was not sophisticated, it drew warnings from national cyber watchdogs due to the speed with which it spread.
Ransomwhere did not identify individual victims, but Reuters was able to identify some by using widely used internet scanning tools such as Shodan to look up internet protocol address data associated with the affected servers.
The extent, if any, of the disruption to the affected organizations was unclear.
According to Florida Supreme Court spokesman Paul Flemming, the affected infrastructure was used to administer other elements of the Florida state court system and was isolated from the Supreme Court’s main network.
“The network and data of the Florida Supreme Court are secure,” he said, adding that the integrity of the rest of the state court system was not jeopardized.
A dozen universities contacted by Reuters, including the Georgia Institute of Technology in Atlanta, Rice University in Houston, and universities in Hungary and Slovakia, did not respond to requests for comment.
Reuters also attempted to contact the hackers via an email address listed on their ransom notes, but received only a payment demand. They did not respond to any further questions.
According to Ransomwhere, the cybercriminals appear to have extorted only $88,000, a pittance in comparison to the multimillion-dollar ransoms routinely demanded by some hacking gangs.
According to one cybersecurity expert, the outbreak, which is believed to have exploited a two-year-old vulnerability in VMWare Inc software, was typical of automated attacks on servers and databases carried out by hackers for years.
VMWare has urged customers to update their software to the most recent versions.
“This is nothing out of the ordinary,” said Patrice Auffret, founder of the French internet scanning firm Onyphe. “The scale makes a difference.”
The outbreak’s high visibility, which began earlier this month, is also unusual. Researchers and tracking services such as Ransomwhere and Onyphe were able to easily follow the criminals’ trail because internet-facing servers were affected.
On Monday, Italy’s digital safety officials stated that there was no evidence of “aggression by a state or hostile state-like entity.”
According to Samuli Kononen, an information security specialist at the Finnish National Cyber Security Centre, the attack was most likely carried out by a criminal gang, but it was not particularly sophisticated because many victims were able to recover their data without paying a ransom.
“More experienced ransomware groups don’t typically make that kind of mistake,” he explained.