In 2021, following a series of high-profile incidents, the United States government appeared to have had enough, and decided to take ransomware seriously. Meetings were held, committees formed, and a general sense of urgency took shape around the threat. In 2022, we got to see how that would all play out – and, unfortunately, it was a case of same old, same old. The number of government, education and healthcare sector organizations impacted by ransomware this year was very similar to the number impacted in previous years.
When it comes to cybersecurity incidents, it has always been hard to get accurate statistical information. What data is available is based largely on publicly available reports, but not all incidents are made public, even in the public sector and, consequently, the true number of incidents in all sectors of the economy is and has always been higher than reported. While this report aggregates data from disclosure statements, press reports, the dark web, and third-party information feeds, some incidents will have escaped our attention and so all numbers should be considered to be minimums.
So what does the data that we do have actually show?
Ransomware continued to be a significant challenge for subnational governments and adjacent entities.
In 2022, 106 state or municipal governments or agencies were affected by ransomware. This is an increase from 2021, when there were 77 ransomware attacks on governments. However, it is important to note that this year’s figures were dramatically affected by a single incident in Miller County, AR, where one compromised mainframe spread malware to endpoints in 55 different counties.
Data was stolen in at least 27 of the 106 incidents (25 percent). However, if the 55-county incident in Arkansas is disregarded, that increases to 53 percent. In 2021, data was stolen in 36 of 77 incidents (47 percent).
Quincy, MA, paid a demand of $500,000 and is the only local government known to have paid a ransom in 2022. The highest ransom to become public knowledge was the $5 million demanded from Wheat Ridge, CO.
In total, 89 education sector organizations were impacted by ransomware, which is one more than the 88 which were impacted in 2021. However, there was a large difference in the total number of individual schools potentially affected. In 2021, the impacted districts had 1,043 schools between them but, in 2022, this almost doubled to 1,981 schools.
Breaking the numbers down, 45 school districts were impacted as were 44 colleges and universities. In 2021, 58 districts and 26 colleges and universities were impacted.
Data was exfiltrated in at least 58 incidents (65 percent) compared to in 44 incidents the previous year (50 percent).
The most significant incident of the year was the attack on Los Angeles Unified School District which, with more than 1,300 schools and 500,000 students, is the second largest district in the U.S.
At least three organizations paid a demand, including the Glenn County Education Office, CA, which paid $400,000.
In previous years, we tracked incidents across the healthcare sector; however, due to the volume of incidents and unclear disclosures, tracking this year was limited to hospitals only.
There were 25 incidents involving hospitals and multi-hospital health systems, potentially impacting patient care at up to 290 hospitals. Note that we cannot say how many of the hospitals in each health system were actually impacted as this information was not made public in every case.
The most significant incident of the year was the attack on CommonSpirit Health, which operates almost 150 hospitals.
Data including Protected Health Information (PHI) was exfiltrated in at least 17 cases (68 percent).
Damages were not limited to monetary losses. For example, the ransomware attack on CommonSpirit Health resulted in the personal data of 623,774 patients being compromised. In one of the affected hospitals, a computer system for calculating doses of medication was offline and, as a result, a 3-year-old patient was reported to have received a massive overdose of pain medicine. Other affected hospitals temporarily stopped scheduling surgeries or had to redirect ambulances to other hospitals.
The most significant concern in these incidents is, of course, the impact on medical outcomes. While the immediate disruption to critical services presents the most obvious risk to patients, outcomes may also be affected in the longer term as the effects of delayed procedures or treatments may not be apparent until weeks, months, or even years after the event.
Just looking at stroke patients should give a sense of what the harm might have been, he says — if people having a stroke don’t make it to a health facility that can handle the emergency quickly, they’re more likely to have a bad outcome. During a few days of the WannaCry attack, there were no stroke centers open in London. “The official line is that no one died. It strains credulity,” he says. “There’s such a palpable, visceral reluctance to admit that we’ve lost lives because of cybersecurity.” — Josh Corman, senior advisor to CISA, speaking to The Verge.
Only a minority of ransomware attacks on private sector companies are publicly disclosed or reported to law enforcement, which results in a dearth of statistical information. The reality is that nobody knows for sure whether the number of attacks is flat or trending up or down. It is for this reason that this report focuses on the government, education and health sectors. Incidents in these sectors are more likely to be made public, leading to more consistent data availability. And, of course, what’s happening in the public sector may provide some indication as to what’s happening in the private sector and overall ransomware activity levels.
So, what is happening? First, the numbers are very similar to previous years. For example, the number of state and local governments impacted by ransomware has remained surprisingly consistent since 2019.
The number of incidents involving the education sector has also remained surprisingly consistent.
Second, in previous years, major cities such as Baltimore and Atlanta fell victim to ransomware attacks but, in 2022, only smaller governments seem to have been impacted. This may indicate that larger governments are now making better use of their larger cybersecurity budgets, while smaller governments with smaller budgets remain vulnerable.
The fact that there seems not to have been any decrease in the number of incidents is concerning. Counter-ransomware initiatives have included executive orders, international summits, increased efforts to disrupt the ransomware ecosystem, and the creation by Congress of an interagency body, the Joint Ransomware Task Force (JRTF), to unify and strengthen efforts. Yet, despite these initiatives, ransomware appears to be no less of a problem.
That said, it should be noted that the number of incidents does not provide a complete picture of the ransomware landscape or necessarily indicate whether the government’s counter-ransomware initiatives are succeeding or failing. For example, a decrease in the level of disruption caused by attacks or in the amount paid in ransoms could be regarded as a win even if the number of incidents had increased. To further explain this point, consider that implementing best practices can limit the scope of an attack by, for example, preventing lateral movement (see Ransomware Prevention Best Practices). An organization which detects and blocks an attack in its early stages may experience only a few encrypted endpoints, whereas one which does not may experience a catastrophic multi-week, organization-wide outage. These are obviously very different events in terms of their scope and impact, but simply counting incidents does not distinguish between them. The best measure of the effectiveness of counter-ransomware initiatives would be whether the dollar losses resulting from incidents had increased or decreased but, unfortunately, that data is not available.
As we mentioned above, there will be some incidents that did not come to our attention. The question is: how many did we miss? While we obviously can’t answer that, we can point to a report by The Herald-Sun which stated:
In the first half of this year, two cities, two counties, two K-12 school districts, three colleges and one state agency in North Carolina were hit with ransomware.
Who got attacked isn’t fully clear — the state declined to release that information, citing security concerns — but what is known is that none of the hackers got paid to end their attack.
We had logged only one incident in North Carolina during the first six months of 2022, which raises the possibility that the real number of incidents could be considerably greater than stated in this report.
It should also be noted that this report only includes incidents involving attacks on infrastructure belonging to government, education and health sector organizations. It does not include attacks on private sector companies – such as payroll and other service and solution providers – which may have disrupted operations in these sectors. This means that more organizations will have been disrupted by ransomware than indicated by the numbers in this report.
Florida and North Carolina introduced legislation that prohibits public sector bodies from paying ransom demands. While the aims are admirable, the legislation may not deter attacks and could ultimately result in some government bodies permanently losing access to their data. For a prohibition on the payment of ransoms to be effective, it would likely need to be more wide-reaching than only the public sector in certain states. That said, it will be interesting to see what, if any, impact the legislation has.
Georgia introduced legislation allowing “certain information, data, and reports related to cybersecurity and cyber-attacks to be exempt from public disclosure and inspection.” This is concerning. While withholding certain facts may be necessary in the short-term in order to avoid exposing attacked entities to additional risk, further restricting the already limited amount of information that is publicly available could be counterproductive. To borrow a quote, “Information is power and, in cybersecurity, it’s the power to prevent other similar events.” — Algirde Pipikaite (World Economic Forum) and Marc Barrachin (S&P)
On a final note, we believe the time has come to retire the term “ransomware.” Historically, the word was used to describe the malicious software which is used to lock data so that a ransom can be demanded to unlock it. Early ransomware attacks were simple and mostly automated. However, today’s attacks are often complex, human-directed events in which data is exfiltrated and encryption, if it happens at all, is the very last step in the attack chain. To put it another way, attacks can be exfiltration-only, even when carried out by groups that usually encrypt data – and that means we have ransomwareless attacks by ransomware groups. This creates confusion as to what should and should not be counted as a “ransomware” attack for the purpose of statistics.
A better way of thinking about incidents is simply as “data extortion events.” “Encryption-based data extortion” and “exfiltration-based data extortion,” which are not mutually exclusive, are subcategories of that. These descriptors may not be ideal replacements for “ransomware,” but we are sure that somebody can come up with better alternatives.