Despite federal efforts, Emsisoft data finds that ransomware ‘appears to be no less of a problem’


Data from cybersecurity company Emsisoft disclosed that the number of government, education, and healthcare sector organizations across the U.S. impacted by ransomware in 2022 was ‘very similar to the number impacted in previous years.’ The firm revealed that ransomware affected 105 local governments, 44 universities and colleges, 45 school districts operating 1,981 schools, and 25 healthcare providers operating 290 hospitals.

“When it comes to cybersecurity incidents, it has always been hard to get accurate statistical information,” researchers from Emsisoft Malware Lab wrote in a blog post on Monday. “What data is available is based largely on publicly available reports, but not all incidents are made public, even in the public sector and, consequently, the true number of incidents in all sectors of the economy is and has always been higher than reported. While this report aggregates data from disclosure statements, press reports, the dark web, and third-party information feeds, some incidents will have escaped our attention and so all numbers should be considered to be minimums,” they added.

The researchers also pointed out that the fact that there seems not to have been any decrease in the number of incidents is concerning. “Counter-ransomware initiatives have included executive orders, international summits, increased efforts to disrupt the ransomware ecosystem, and the creation by Congress of an interagency body, the Joint Ransomware Task Force (JRTF), to unify and strengthen efforts. Yet, despite these initiatives, ransomware appears to be no less of a problem,” they added. 

“It should be noted that the number of incidents does not provide a complete picture of the ransomware landscape or necessarily indicate whether the government’s counter-ransomware initiatives are succeeding or failing,” the researchers said. “For example, a decrease in the level of disruption caused by attacks or in the amount paid in ransoms could be regarded as a win even if the number of incidents had increased,” they added.

The researchers highlighted that only a minority of ransomware attacks on private sector companies are publicly disclosed or reported to law enforcement, which results in a dearth of statistical information. 

“The reality is that nobody knows for sure whether the number of attacks are flat or trending up or down,” according to Emsisoft data. “It is for this reason that this report focuses on the government, education, and health sectors. Incidents in these sectors are more likely to be made public, leading to more consistent data availability. And, of course, what’s happening in the public sector may provide some indication as to what’s happening in the private sector and overall ransomware activity levels,” they added.

The Emsisoft data comes at a time when Mario Greco, chief executive at insurer Zurich, warned in a recent Financial Times article that cyber attacks, rather than natural catastrophes, will become ‘uninsurable’ as the disruption from hacks continues to grow. “Insurance executives have been increasingly vocal in recent years about systemic risks, such as pandemics and climate change, that test the sector’s ability to provide coverage. For the second year in a row, natural catastrophe-related claims are expected to top $100bn,” Greco added.

Ransomware continued to be a significant challenge for subnational governments and adjacent entities, according to Emsisoft. “In 2022, 105 state or municipal governments or agencies were affected by ransomware. This is an increase from 2021 when there were 77 ransomware attacks on governments. However, it is important to note that this year’s figures were dramatically affected by a single incident in Miller County, AK, where one compromised mainframe spread malware to endpoints in 55 different counties,” the post added.

“Data was stolen in at least 27 of the 105 incidents (26 percent). However, if the 55-county incident in Arkansas is disregarded, that increases to 54 percent. In 2021, data was stolen in 36 of 77 incidents (47 percent),” according to the researchers. Additionally, “Quincy, MA., paid a demand of $500,000 and is the only local government known to have paid a ransom in 2022. The highest ransom to become public knowledge was the $5 million demanded from Wheat Ridge, CO,” they added.

Emsisoft identified that there were 25 incidents involving hospitals and multi-hospital health systems, potentially impacting patient care at up to 290 hospitals. “Note that we cannot say how many of the hospitals in each health system were actually impacted as this information was not made public in every case,” they added.

The most significant incident of the year was the attack on CommonSpirit Health, which operates almost 150 hospitals. Data, including protected health information (PHI), was exfiltrated in at least 17 cases (68 percent). Furthermore, damages were not limited to monetary losses.

The Emsisoft researchers cited the instance of the ransomware attack on CommonSpirit Health that resulted in the personal data of 623,774 patients being compromised. “In one of the affected hospitals, a computer system for calculating doses of medication was offline and, as a result, a 3-year-old patient was reported to have received a massive overdose of pain medicine. Other affected hospitals temporarily stopped scheduling surgeries or had to redirect ambulances to other hospitals,” the researchers added.

Emsisoft also pointed out that the most significant concern in these incidents is, of course, the impact on medical outcomes. “While the immediate disruption to critical services presents the most obvious risk to patients, outcomes may also be affected in the longer term as the effects of delayed procedures or treatments may not be apparent until weeks, months, or even years after the event,” they added.

The Emsisoft post also said that it believes the time has come to retire the term ‘ransomware.’ Historically, the word was used to describe the malicious software which is used to lock data so that a ransom can be demanded to unlock it. Early ransomware attacks were simple and mostly automated. However, today’s attacks are often complex, human-directed events in which data is exfiltrated, and encryption, if it happens at all, is the very last step in the attack chain. 

“To put it another way, attacks can be exfiltration-only, even when carried out by groups that usually encrypt data – and that means we have ransomwareless attacks by ransomware groups,” according to the researchers. “This creates confusion as to what should and should not be counted as a ‘ransomware’ attack for the purpose of statistics.”

Last October, the U.S. administration said that it was working towards securing cyberspace and strengthening American critical infrastructure. Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging threats, confirmed that the communications, water, and healthcare sectors are looking at new cybersecurity standards.
