Cyber Alert! – [CanSSOC Advisory] – Incident – Partner Institution Reporting Ransomware

TLP: Amber (Sharing within McMaster Only)
Threat Assessment*: High

What Happened?
On April 23rd, 2024, CanSSOC advised that a partner institution recently reported a ransomware incident, tentatively identified as RansomHub. The RansomHub ransomware gang has recently attacked health care providers, engaged in double extortion and leaked records online [2]. The attackers potentially leveraged a desktop support tool such as AnyDesk for the attack. As CanSSOC explained, there are limited details they can share about the incident at this time.

Who is Impacted?
• Ransomware Incident at a Partner Institution
When did it Happen?
• April 23rd, 2024
Actions to Take
Recommendations:
• Ensure that all systems are up to date and running the latest security patches.
• Use advanced endpoint detection and response anti-virus such as Cortex XDR.
• Review the McMaster Ransomware Playbook [3] on the McMaster IT Cyber Alerts Team.
• Remind the McMaster community to be vigilant about “remote access” computer scams [1].
Where can I learn more?
References:
1. https://uts.mcmaster.ca/mcmaster-it-notice-beware-remote-access-computer-scams/
2. https://techcrunch.com/2024/04/15/change-healthcare-stolen-patient-data-ransomhub-leak/
3. https://mcmasteru365.sharepoint.com/:b:/r/sites/McMasterIT/Shared%20Documents/Cyber%20Alerts/Incident%20Response%20Planning%20Guideline/Incident%20Response%20Plan%20Appendix%20B%20Ransomware%20Playbook.pdf?csf=1&web=1&e=DeR6mn
4. https://www.cyber.gc.ca/en/guidance/ransomware

Resources and Support
• Need IT Support?
o Contact UTS quickly and easily with Live Chat!
• Familiarize yourself with Phishing Scams and take the training so you don’t take the bait!
o https://informationsecurity.mcmaster.ca/phishing/
• Report all suspicious messages to is-spam@mcmaster.ca
• Join the McMaster IT Team on Microsoft Teams!

*For CanSSOC advisories, the Threat Assessment has the following 4 scores: LOW, MEDIUM, HIGH, SEVERE/CRITICAL. For other advisories, the threat assessment is based on the severity of the highest CVSS score, or based on the available information at the time of the advisory. For TLP protocol, please see https://www.first.org/tlp/

