Ransomware outbreak scrambles Florida Supreme Court servers

A global ransomware outbreak has scrambled servers belonging to Florida's Supreme Court and several universities in the United States and central Europe, according to a Reuters analysis of ransom notes posted online to stricken servers.

More than 3,800 organizations are among the victims of a fast-spreading digital extortion campaign that locked up thousands of servers in Europe over the weekend, according to figures tallied by Ransomwhere, a crowdsourced platform that tracks digital extortion attempts and online ransom payments, and whose figures are drawn from internet scans.

Ransomware is one of the most potent scourges on the internet. The extortion campaign was not sophisticated, but it drew warnings from national cyber watchdogs in part because of the speed of its spread.

Ransomwhere did not name individual victims, but Reuters was able to identify some by looking up Internet protocol address data tied to the affected servers via widely used internet scanning tools such as Shodan.

The extent of the disruption to the affected organizations was not known.

Florida Supreme Court spokesman Paul Flemming told Reuters that the affected infrastructure had been used to administer other elements of the Florida state court system, and that it was segregated from the Supreme Court's main network.

He said that the Florida Supreme Court's network and data are secure and that the rest of the state court system is not affected.

A dozen universities contacted by Reuters, including the Georgia Institute of Technology in Atlanta, Rice University in Houston and institutions of higher learning in Hungary and Slovakia, did not immediately return messages seeking comment.

Reuters contacted the hackers via an account advertised on their ransom notes, but received only a payment demand in return. They did not respond to additional questions.

Ransomwhere said the cybercriminals seem to have extorted only $88,000, a modest haul by the standard of multimillion-dollar ransoms demanded by some hacking gangs.

One cybersecurity expert said that the outbreak, thought to have exploited a two-year-old vulnerability in VMware Inc software, was typical of automated attacks on servers and databases that have been carried out by hackers for years.

VMware has urged customers to upgrade to the latest versions of its software.

"This is nothing unusual," said Patrice Auffret, founder of French internet scanning company Onyphe. "The scale is the difference."

The highly visible nature of the outbreak, which began earlier this month, is also unusual. Because internet-facing servers were affected, researchers and tracking services like Ransomwhere or Onyphe could easily follow the criminals' trail.

Digital safety officials in Italy said there was no evidence that a state or a hostile state-like entity was behind the attack. Samuli Kononen, an information security specialist at the Finnish National Cyber Security Centre, said the attack was likely carried out by a criminal gang, although he said it was not particularly sophisticated as many victims had managed to salvage their data without paying a ransom.

He said that experienced ransomware groups usually don't make that kind of mistake.