Yet another banner year for cybercriminals
Predictably, 2021 was largely a replay of the previous two years, with the US public sector again experiencing a barrage of financially-motivated ransomware attacks. The attacks impacted a total of 2,323 local governments, schools and healthcare providers.
- 77 state and municipal governments and agencies.
- 1,043 schools.
- 1,203 healthcare providers.
The attacks were disruptive, costly and were the cause of at least 118 data breaches, most of which resulted in sensitive information being posted online.
State and municipal governments and agencies
As noted above, 77 local governments and agencies were impacted by ransomware in 2021. While it is hard to see this as a win, the fact is that it is an improvement on the 113 governments which were hit in both 2019 and 2020.
Additionally, while major cities such as Baltimore and Atlanta had been hit in previous years, that was not the case in 2021 and the victims were generally smaller municipalities and counties. This could be an indication that larger governments have used their larger budgets wisely and shored-up their defences.
The cost of these incidents is difficult to calculate. Perhaps the best estimate of the potential cost comes from Gus Genter, the CIO of Winnebago County, who in 2019 stated, “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover.” Using that same figure puts the cost of 2021’s year 77 incidents at $623,700,000.
Genter’s statistics also suggest that the incidents would have caused a total of 22,099 days of disruption – and, in some cases, that disruption was significant and even life threatening. For example, dispatch services were impacted in at least one case.
At least 36 of the 77 incidents resulted in data breaches, including incidents involving police departments and a state attorney general, and saw extremely sensitive information being released online.
A total of 88 education sector organizations were impacted by ransomware in 2021: 62 school districts and the campuses of 26 colleges and universities. The attacks disrupted learning at 1,043 individual schools.
The numbers were almost identical in 2020: 84 incidents impacting 58 districts, and 26 colleges and universities. The number of schools impacted was, however, significantly greater at 1,681. This means that the average number of schools impacted by each incident decreased from 20 in 2020 to only 12 in 2021 – perhaps signalling that, as with governments, larger organizations are using their larger budgets wisely.
While the cost of these incidents is impossible to estimate, it is undoubtedly significant. Baltimore County Public Schools, for example, spent more than $8.1 million on recovery after an attack at the end of 2019.
Data was stolen in at least 44 of the 88 incidents, resulting in sensitive information relating to both employees and students being released online.
At least 68 healthcare providers were impacted by ransomware in 2021, including multiple hospitals and multi-hospital health systems. The impacted organizations operated a total of 1,203 sites between them.
In 2020, 80 providers operating 560 sites were impacted.
The providers hit in 2021 included Sanford Health which operates more than 600 locations, including 46 hospitals, and Scripps Health which operates 24 locations, including 5 hospitals.
The cost of the incidents will be significant. Scripps Health, for example, put the cost of its attack at $112.7 million.
While last year’s numbers are not significantly different to 2020’s, there is nonetheless reason to be hopeful.
The May attacks on Colonial Pipeline and JBS – which is responsible for around 20% of the global meat supply – seemed to finally focus governments’ attention on the ransomware problem and there has since been multiple initiatives and actions aimed at both bolstering security domestically and at putting more risk in the risk-reward ratio. Ransom payments have been recovered, gangs have been disrupted and arrests have been made. Perhaps most significantly, Russia arrested multiple members of REvil, one of the most active operations, in January 2022 at the request of the US, possibly indicating that the country may now be less of a safe haven for cybercriminals.
While it is too early to say what impact these actions will have, they are certainly a step in the right direction. Ransomware became so much of a problem because the cybercriminals were able to operate with almost complete impunity. That is finally starting to change.
Finally, it’s worth noting that the numbers are minimums, as not all incidents will have been counted. Some incidents will not have been disclosed, others will have been referred to in the press as “cyberattacks” rather than “ransomware attacks,” and others will simply have been missed. The numbers also do not take account of attacks on third party service and solution providers which impacted the public sector. The attack on payroll provider Kronos, for example, resulted in multiple public sector organizations needing to scramble to put alternative solutions in place in order to pay their employees.