---
title: "Child Data Ransom, Hessen Encryption Report, Steganography RAT Deployment, Cybersecurity News [February 26, 2024] | DuoCircle"
description: "Child Data Ransom, Hessen Encryption Report, Steganography RAT Deployment - Cybersecurity News [February 26."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-10-of-2024/"
---

Quick Answer

Week ending February 26, 2024 covered: the Rhysida ransomware gang demanding $3.6 million (60 BTC) from Chicago's Lurie Children's Hospital after exfiltrating 600 GB and forcing a shutdown that delayed care, ultrasound, and CT results; the BlackCat/ALPHV ransomware attack on the Hessen Consumer Center in Germany, with data samples posted on the gang's extortion page; the UAC-0184 campaign delivering Remcos RAT to a Finnish entity operated by Ukraine using steganography (malicious code hidden in image pixels) and the IDAT modular loader with runtime-decrypted API calls; PayPal's patent application 'Super-Cookie Identification for Stolen Cookie Detection,' which scores LSO/UIDH cookie storage locations and encrypts retrieved values with public-key cryptography to detect fraudulent logins; and Apple's PQ3 post-quantum protocol for iMessage, a hybrid combining ECC with the Kyber algorithm and periodic post-quantum rekeying.

Child Data Ransom, Hessen Encryption Report, Steganography RAT Deployment, Cybersecurity News \[February 26, 2024\]


![cybersecurity news](https://media.mailhop.org/duocircle/images/2024/03/buy-smtp-3.jpg) 

We’re back again with the latest in [cybersecurity](/) news this week! Join us for a detailed look into the Rhysida ransomware and the Hessen attack to get updates on how you can **stay safe**. We’ll also share news of the new IDAT loader targeting the Ukrainian Armed Forces, PayPal’s new patent for browser cookie security, and Apple’s latest PQ3 encryption for iMessages. Stay tuned.

## Rhysida Ransomware Demands $3.6 Million Ransom for Encrypted Children’s Data

The [Rhysida ransomware gang](https://www.computerweekly.com/news/366561917/Rhysida-ransomware-gang-hits-hospital-holding-royal-familys-data) claimed they had breached Chicago’s Lurie **Children’s Hospital** at the beginning of February 2024.

_Following the attack, the hospital had to **take down its IT systems** and even postpone medical care for select individuals, as the breach impacted email, phone, MyChart, and on-premises Internet_. The breach also left ultrasound and CT scan results unavailable, and doctors had to resort to pen-and-paper prescriptions.

This week, Rhysida added Lurie Children’s Hospital to its extortion portal and claimed to hold 600 GB of [hospital data](https://www.usatoday.com/story/news/health/2024/02/18/health-data-breaches-hit-new-record-2023/72507651007/), which it is offering for **60 BTC** to a single buyer. The gang also set a deadline of 7 days, after which the data would be sold to multiple threat actors.

Lurie Children’s Hospital has not released an [update](https://twitter.com/LurieChildrens/status/1760777632155586866) since February 23, 2024, when it shared news of an **ongoing effort to restore** its IT systems. If you’re a patient, you should carry a printed insurance card for your appointments and your children’s medication bottles. 

Currently, some systems are online, but the health record systems and MyChart are still offline. So are [the payment systems](https://www.npr.org/2024/03/01/1235255804/pharmacies-ransomware-prescriptions-unitedhealth); the timeframe has been extended for as long as the **outage persists**.

## Hessen Consumer Center Reports Encryption of Its Systems by Ransomware

[![ransomware protection](https://media.mailhop.org/duocircle/images/2024/03/dkim-validation-4982.jpg)](https://media.mailhop.org/duocircle/images/2024/03/dkim-validation-4982.jpg)

The Hessen Consumer Center in Germany was the victim of a [ransomware attack](/data-privacy/8-most-nefarious-ransomware-attacks-from-2017-to-mid-2023/) that **shut down all IT systems** and disrupted their availability. 

_Hessen has over 6 million people, and its Consumer Center is a [non-profit](https://therecord.media/save-the-children-charity-cyberattack) that advises state residents regarding consumer law, finance, insurance, Internet, energy saving, healthcare, telephone, food, and more._

The organization shared an [announcement](https://www.verbraucherzentrale-hessen.de/pressemeldungen/verbraucherzentrale/hackerangriff-auf-verbraucherzentrale-hessen-92732) detailing how it suffered an attack on its IT infrastructure and how communication would be disrupted. Most things have been addressed, and the **website is fully operational**, but people still face trouble connecting to the organization. Little detail was shared about the ransomware attack, but the data of the citizens of Hessen might be at risk. 

The state’s data protection and IT security offices were investigating the incident when the [Blackcat ransomware gang](https://www.reuters.com/technology/cybersecurity/cyber-security-outage-change-healthcare-continues-sixth-straight-day-2024-02-26/) claimed responsibility and posted **data samples** on its dark web extortion page.

The occurrence of such attacks emphasizes the importance of implementing [ransomware protection](/resources/locky-ransomware) measures, which will assist in ensuring your continued security.

## IDAT Loader’s Latest Version Deploys Steganography to Deliver Remcos RAT

A **new hacker group** has been using [steganography](https://www.techtarget.com/searchsecurity/definition/steganography) to deliver the Remcos RAT (Remote Access Trojan) to an entity in Finland operated by Ukraine.

The threat actor group is being tracked as “UAC-0184” and has been carrying out attacks against the **Ukrainian Armed Forces** since 2023. Morphisec [spotted](https://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga) the group's latest activity and has shed light on its latest attack methods.

_Steganography is a **rare tactic** where threat actors encode malicious code into the pixels of images to avoid detection._ Because the payload chunks are small, the image is not obviously altered, though it may look distorted. The threat actors start the attack chain with a phishing email, posing as Ukrainian or Israeli Defense, and trick victims into opening short **file attachments** that start an infection chain.

The chain launches an executable that activates a [malware loader called “IDAT”](https://www.hivepro.com/threat-advisory/new-idat-loader-unleashes-infostealers-in-fake-browser-update-campaign/). It’s a modular loader with **code injection** and execution modules. Furthermore, to **avoid detection**, the [API (Application Programming Interface)](/email-security/working-with-apis-successfully/) calls are not written in plaintext but resolved at runtime with the help of a decryption key.

IDAT executes the Remcos RAT at the final stage, which the threat actors can use for **data exfiltration** and activity monitoring. You can find more details on Ukraine’s state [website](https://cert.gov.ua/article/6276988).

## PayPal Seeks Patent for Innovative Technique to Identify Pilfered Cookies

PayPal **filed a patent** this week for a new method that will identify when a [super-cookie](https://www.techtarget.com/searchsecurity/definition/supercookie#:~:text=A%20supercookie%20is%20a%20data,and%20times%20of%20those%20visits.) is stolen.

_If such an event is identified, it can help improve cookie-based authentication and limit account takeovers._ Super-cookies are [LSOs (Local Shared Objects)](https://en.wikipedia.org/wiki/Local%5Fshared%5Fobject) injected into the network as **UIDHs (Unique Identifier Headers)** instead of standard cookies stored locally.

The super-cookies allow **cross-site tracking** and can follow multiple browsers on the same system, collecting all browsing activity. They’re challenging to detect and wipe as they’re not local. Still, PayPal has identified a new method to calculate a [fraud risk score](https://www.fraud.com/post/fraud-risk-scoring#:~:text=Fraud%20risk%20scoring%20is%20an,transaction%20history%2C%20and%20network%20connections.) in its authentication mechanism to identify fraudulent logins on its platform.

Whenever a system gets an authentication request, it identifies the **cookie storage locations** and sorts them (based on the fraud risk they pose). Then, the system assesses the risk score by comparing expected values with those assigned and manages the authentication accordingly. Also, the cookie values retrieved are encrypted using [public key cryptography](https://www.ibm.com/docs/en/ztpf/1.1.0.15?topic=concepts-public-key-cryptography). 
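
The flow described above, as an added Python example that is not PayPal's code and not the patent's algorithm: the storage location names, weights, thresholds and sample values are all assumptions made for illustration, and the public-key encryption of retrieved values is left out.

```python
import hmac

# Assumed storage locations and assumed weights: how strongly a missing or
# wrong value in that location suggests the session cookie was copied to
# another device. None of these numbers come from the patent.
LOCATION_WEIGHT = {
    "http_cookie": 1,    # easily copied, so a match here proves little
    "local_storage": 2,
    "indexed_db": 3,
    "lso": 4,            # Local Shared Object, least likely to travel with a stolen cookie
}
STEP_UP_AT = 0.3         # assumed threshold: ask for a second factor
DENY_AT = 0.6            # assumed threshold: reject the login


def ranked_locations():
    """Storage locations sorted from most to least fraud-relevant."""
    return sorted(LOCATION_WEIGHT, key=LOCATION_WEIGHT.get, reverse=True)


def risk_score(expected, presented):
    """Compare expected and presented values; return (score in [0, 1], mismatches)."""
    total = 0
    mismatched = []
    for loc in ranked_locations():
        want = expected.get(loc)
        if want is None:
            continue  # nothing was ever set there, so it carries no signal
        total += LOCATION_WEIGHT[loc]
        got = presented.get(loc)
        # Constant-time comparison so the check does not leak how much matched.
        if got is None or not hmac.compare_digest(want.encode(), got.encode()):
            mismatched.append(loc)
    if total == 0:
        return 1.0, []  # no enrolled values at all: treat as an unknown device
    bad = sum(LOCATION_WEIGHT[loc] for loc in mismatched)
    return bad / total, mismatched


def decide(score):
    """Map a risk score to an authentication outcome."""
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


# Constructed sample values: what the server assigned to this device earlier.
EXPECTED = {
    "http_cookie": "c-7f3a",
    "local_storage": "ls-19bd",
    "indexed_db": "db-44e0",
    "lso": "lso-a2c9",
}
SAME_DEVICE = dict(EXPECTED)                      # every location still matches
STOLEN_COOKIE = {"http_cookie": "c-7f3a"}         # only the session cookie was copied
CLEARED_LSO = {k: v for k, v in EXPECTED.items() if k != "lso"}  # user wiped one store

if __name__ == "__main__":
    for name, presented in [("same device", SAME_DEVICE),
                            ("stolen cookie", STOLEN_COOKIE),
                            ("cleared LSO", CLEARED_LSO)]:
        score, bad = risk_score(EXPECTED, presented)
        print(f"{name}: score={score:.1f} mismatched={bad} -> {decide(score)}")
```

A replayed session cookie with none of the companion values scores high and is denied, while a legitimate user who cleared one store is pushed to step-up authentication rather than locked out.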

PayPal’s patent application, incorporating [phishing protection](/email/phishing-protection), has the potential to fortify [defenses against cyber threats](/phishing-protection/protecting-retail-businesses-from-cyber-attacks/). It was published **a few days ago**, but they filed it back in July 2022 under “[Super-Cookie Identification for Stolen Cookie Detection](https://www.documentcloud.org/documents/24439473-20240037279).”

## Apple Introduces PQ3 Quantum-Resistant Encryption to iMessage

Apple is adding the PQ3 protocol to iMessage to **defend its encryption** against [quantum attacks](https://coingape.com/everything-you-need-to-know-about-quantum-attacks/).

_PQ3 is a post-quantum cryptographic protocol that will enhance iMessage’s E2EE (end-to-end encryption)_. Quantum computing threatens messaging applications because it can crack algorithms instantly, and applications like [Signal](https://signal.org/) have also strengthened their offerings by adding **NIST-approved algorithms** for quantum-resistance.

[![Cryptography](https://media.mailhop.org/duocircle/images/2024/03/phishing-protection-1-1.jpg)](https://media.mailhop.org/duocircle/images/2024/03/phishing-protection-1-1.jpg)

Apple said PQ3 provides the strongest security of any at-scale messaging protocol in the world, but it has not replaced its pre-existing [ECC (Elliptic Curve Cryptography)](https://avinetworks.com/glossary/elliptic-curve-cryptography/). Instead, it has adopted a hybrid model combining both for robust defense. PQ3 uses the **Kyber algorithm** and has a periodic post-quantum rekeying mechanism, the first of its kind for messaging applications.

The [new algorithm](https://security.apple.com/blog/imessage-pq3/) will bring **high security** to its application and a large consumer base. It’s a significant development because it will set an industry standard for competitors to follow.


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

