Emsisoft has published the state of ransomware report for 2022, providing a synopsis of ransomware attacks that occurred in the US last year. The report categorizes the attacks by the areas they affected — local government, education, and healthcare. Overall, 106 local governments, 44 universities, 1,981 schools, and 290 hospitals faced ransomware attacks. Information in the report came from various sources, including the dark web, press reports, third-party feeds, and disclosure statements.
Despite the US government’s best efforts and awareness campaigns since 2019, the ransomware attack figures have remained mostly the same in the years following. The report acknowledged its estimations don’t consider the attacks repelled by government efforts. Since accurate ransomware data collection can be tricky, the report indicated that its findings should be treated as minimum figures.
“When it comes to cybersecurity incidents, it has always been hard to get accurate statistical information. What data is available is based largely on publicly available reports, but not all incidents are made public, even in the public sector and, consequently, the true number of incidents in all sectors of the economy is and has always been higher than reported,” read the official blog.
Emsisoft State of Ransomware Report: Local Governments
Cyberattacks targeting local governments have jumped from 77 in 2021 to 105 in 2022. However, the 2022 figure also includes the cyberattack in Miller County, Arkansas. In this incident, a single piece of malware spread to 55 different counties.
A single large-scale incident like that can tip the scales and warp estimations. For example, if you exclude the Arkansas incident, cybercriminals stole data in about 54% of the cases. If you include the incident, the number is down to about 26%.
Only one local government paid ransom to cybercriminals this year: Quincy, Massachusetts, paid USD 500,000 in ransom to retrieve stolen files. The highest ransom demanded from a local government in 2022 was USD 5 million, in Wheat Ridge, Colorado.
The following year-by-year comparison shows that the incident figures have remained quite consistent since 2019:
- 2019 — 113
- 2020 — 113
- 2021 — 77
- 2022 — 105
On Christmas, an attack in North Carolina left 6 local governments locked out of their online records. As a result, they couldn’t access wills, birth certificates, death certificates, marriage licenses, and other documentation. They were forced to use pen and paper, bringing their operational efficiency to a standstill.
Emsisoft State of Ransomware Report: Education
The attack on the Los Angeles Unified School District, affecting 1,300 schools and 500,000 students, was the most significant of 2022. The total number of education institutions targeted doubled from the previous year: 1,043 to 1,981. This figure includes 45 school districts and 44 colleges. In these attacks, cybercriminals extracted data in 65% of incidents, up from 50% in the previous year.
Of all the educational institutions targeted, at least three paid the ransom. This includes the USD 400,000 ransom that the Glenn County Education Office in California paid. Like the figures for local government attacks, the attacks on educational institutions have also remained stable since 2019:
- 2019 — 89
- 2020 — 84
- 2021 — 88
- 2022 — 89
Attacks on educational institutions carry other costs as well. These attacks bring university operations to a halt and delay module progression. Activities like test marking, accessing online lectures, and submitting assignments are all disrupted as a consequence of ransomware attacks.
Such costs are unbearable for institutions. Avoiding them also requires proper awareness among both teachers and students about how ransomware attacks happen. Students are susceptible to clicking on malware and Trojans, which can lead to ransomware. In response to the recent breaches, Berkeley has recommended cybersecurity training for all its students and professors.
Emsisoft State of Ransomware Report: Healthcare
The healthcare sector, with its vast, sensitive information collections, remains a favorite target of cybercrime gangs. Administrators in healthcare can’t afford the information leaking out, which forces them to give in to the criminals’ demands. The Emsisoft report revealed that the number of cyberattacks in the healthcare sector is huge. Yet, the industry lacks transparent reporting.
Emsisoft reported 24 healthcare ransomware incidents in 2022, potentially affecting 289 hospitals. In 71% of the cases, cybercriminals exfiltrated Protected Health Information (PHI) and other data. Due to a lack of disclosure, Emsisoft couldn’t ascertain the extent of its reported breaches. However, the most significant cybersecurity incident concerning healthcare in 2022 was the attack on CommonSpirit Health — which operates 150 hospitals.
More recently, a Hive ransomware attack on the Lake Charles Memorial Health System (LCMHS) in Louisiana affected over 270,000 patient records. Leaked information from the Hive attack included patient names, addresses, dates of birth, medical record or patient identification numbers, health insurance information, payment information, and/or limited clinical information regarding care received at LCMH.
In a recent and unexpected turn, LockBit apologized to the SickKids Hospital in Toronto and even offered the decryptor to the hospital after its affiliates held the hospital’s technology for ransom. The group said the attack on the hospital violated its terms of service. However, apologies are rare, and it’s better to be safe than sorry.
Recommendations, Remedies, and Safeguards
The report focuses on public sector breaches because of the lack of transparency in private organizations, in particular around disclosing information related to ransomware or other breaches. Yet, private companies that suppress information related to ransomware and breaches still need to bolster their defenses. This is especially the case since cyberattacks have increased in complexity and extent.
All commercial entities should implement the most highly recommended cybersecurity practices to protect against and mitigate cyberattack aftershocks. These measures include multifactor authentication across all services, regular and automated patching, high-quality antivirus and malware detection tools, and employee awareness campaigns. Penetration testing is also an excellent way to find weaknesses in any network.
While commercial entities can choose to pay the ransom to get their data back, the public sector may no longer have this choice: Florida and North Carolina have introduced legislation preventing public sector entities from paying ransomware demands. But private entities could face severe penalties for neglecting proper security measures and failing to protect user information on their servers.
Ransomware is here to stay, despite public and private organizations’ best efforts to curb it. In fact, ransomware attacks are growing in sophistication. To counter the new ransomware attacks and to spread awareness about them, Emsisoft first recommends calling them by names that more accurately describe the nature of these attacks. Suggested terms include “data extortion events,” “encryption-based data extortion,” and “exfiltration-based data extortion.”
Among the report’s blind spots are the success of government efforts and details about the severity of incidents, such as the spread of lateral infection. Regardless, the fact remains that information is key when it comes to ensuring protection against ransomware. In light of all this, Georgia’s legislation to allow public entities to suppress reporting of cybercrime incidents is alarming.
This could set quite a worrying precedent, as the cybersecurity industry benefits from quick communication regarding the most recent cybercrime breaches. With more sophisticated threats on the horizon, companies can benefit from information sharing and updated defense mechanisms.