Cyber Incident Victim: Florida Supreme Court
Date: Feb 2023
Location: United States of America
Summary
A global ransomware outbreak impacted the Florida Supreme Court's administrative infrastructure and multiple universities across the U.S. and Central Europe, exploiting a known vulnerability in VMware software. The attack affected over 3,800 victims, though disruptions were limited as the court's primary network remained secure and segregated. Cybercriminals demanded ransoms but secured only $88,000, with experts noting the operation's lack of sophistication as many victims recovered data without paying. National cybersecurity agencies attributed the incident to criminal actors rather than state-sponsored activity, highlighting its automated nature and broad visibility due to targeting internet-exposed servers.
Description
In early February 2023, a widespread ransomware outbreak affected Florida’s Supreme Court and multiple universities across the United States and Central Europe. The incident, first publicly reported on February 7, exploited a two-year-old vulnerability in VMware software, enabling attackers to rapidly compromise internet-facing servers. Over 3,800 victims were identified globally through ransom notes posted on infected systems, with the attack’s speed prompting alerts from national cybersecurity agencies. Reuters confirmed victims by analyzing server IP addresses linked to the ransomware notes using scanning tools like Shodan. Florida Supreme Court spokesman Paul Flemming acknowledged the compromise of ancillary infrastructure supporting the broader state court system but emphasized segregation from the Court’s primary network, asserting no breach of core judicial data or operations. Affected universities included the Georgia Institute of Technology, Rice University, and institutions in Hungary and Slovakia, though none provided immediate comment on disruptions. The attackers, contacted via a payment portal listed in their notes, demanded ransoms but did not respond to Reuters’ inquiries. Ransomwhere, a ransomware tracking platform, estimated the hackers collected only $88,000, significantly below typical ransomware gang demands.

The attack’s impact on organizational operations remained unclear, though its scale drew attention due to the visibility of compromised servers. Cybersecurity experts characterized the campaign as unsophisticated, citing its reliance on automated exploitation of known vulnerabilities rather than novel techniques. Patrice Auffret of Onyphe noted the incident’s distinction lay in its breadth, not its methodology. VMware had previously advised customers to update affected software, a mitigation step many victims likely implemented post-incident. Finnish cybersecurity official Samuli Kononen observed the attackers’ operational flaws, including victims recovering data without paying ransoms—a rarity among more established ransomware groups. Italian digital safety officials ruled out state-sponsored involvement, attributing the campaign to criminal actors. Despite the disruption to targeted servers, Florida’s court system reported no degradation of core functions, maintaining continuity in judicial services. The limited financial gain for attackers and the absence of widespread operational paralysis suggested a contained incident, though it underscored persistent risks associated with unpatched infrastructure.
