State of Ransomware in the U.S.: 2019 Report for Q1 to Q3

In the first nine months of 2019, at least 621 government entities, healthcare service providers and school districts, colleges and universities were affected by ransomware. The attacks have caused massive disruption: municipal and emergency services have been interrupted, medical practices have permanently closed, ER patients have been diverted, property transactions halted, the collection of property taxes and water bills delayed, medical procedures canceled, schools closed and data lost.

State, city and county entities

At least 68 state, county and municipal entities have been impacted since the beginning of the year. Incidents include:

• Lake City: In June, Lake City fell victim to a Ryuk attack. The $460,000 ransom demand was covered by an insurance policy subject to a $10,000 deductible. The IT director was fired and is now suing the city. Not all data was recovered.
• Baltimore. In May, Baltimore became the second U.S city to be hit by a strain of ransomware called RobbinHood. The city refused to pay the  demand of $76,000. The attack caused widespread disruption to service delivery, with property transactions, and tax and water billing all being delayed. Recovery costs have been estimated at $18.2 million.
• New Bedford: In July, New Bedford received the largest ever publicly disclosed ransom demand – $5.3 million – after its systems were compromised. The city made a counteroffer of $400,000, which was rejected. Recovery costs are estimated at less than $1 million and will be covered by insurance.

Education

There were a total of at least 62 incidents involving school districts and other educational establishments, which potentially impacted operations at up to 1,051 individual schools, colleges and universities.

• Rockville Centre School District: RCSD, a district with seven schools, fell victim to a Ryuk attack in July. The ransom was paid by the school’s insurance carrier, which was able to negotiate a lower ransom payment, reducing the ransom demand from $176,000 to $88,000. RCSD was charged a $10,000 deductible.
• Louisiana public schools: In July, the school districts of three North Louisiana parishes, Sabine, Morehouse and Ouachita, were hit by ransomware. In response, Governor John Bel Edwards declared a state of emergency, which allowed state resources (such as cybersecurity experts from the Louisiana National Guard, Louisiana State Police, the Office of Technology Services and  others) to be made available to the impacted schools.
• Moses Lake School District: In July, Moses Lake School District, which encompasses 16 schools, was affected by a ransomware attack originating from an IP address in Moscow. The district refused to pay the $1 million ransom, instead choosing to rebuild their systems by restoring servers from offline backups that were four to five months old.

Healthcare

The healthcare sector continued to be a popular ransomware target. Cybercriminals understand that healthcare providers are often more inclined to pay the ransom as failure to do so may result in data loss that could potentially put lives at risk. From Q1 to Q3 there were a total of 491 ransomware attacks on healthcare providers, including:

• Park DuValle Community Health Center: In June, a ransomware attack resulted in ParkDuvalle Community Health Center being unable to access medical records, patient contact details and insurance information. For seven weeks, ParkDuvalle’s four clinics were unable to make appointments and staff were forced to resort to using a pen and paper system. ParkDuvalle eventually agreed to pay the $70,000 ransom.
• PerCSoft: In late August, PerCSoft, a cloud management service that provides backup solutions for dental practices in the U.S., was infected with a strain of ransomware called Sodinokibi. Approximately 400 dental offices were unable to access patient information. Several sources claim the ransom was paid, although the total amount was not specified.
• Campbell County Health: In September, Campbell County Health, Wyoming, suffered a ransomware attack that caused widespread disruption. Inpatient admissions were halted, surgeries were canceled and ER patients were redirected to other hospitals. Two other institutions connected to Campbell County Health were also affected by the attack.

Trends

• Attacks via MSPs on the rise: Cybercriminals are increasingly targeting software commonly used by MSPs and other third-party service providers. In such attacks, multiple customers of the MSP or service provider can be simultaneously hit, as was the case in the August incident in which 22 cities and towns in Texas were impacted.
• Ransom demands get bigger: The average ransom demand has continued to increase in 2019. Like other businesses, criminal enterprises seek to maximize their profits and charge as much as they can for their “services.” If one organization is willing to pay to $500,000, the next may be willing to pay $600,000.
• Cyber insurance: Insured entities may be more likely to pay demands which results in ransomware being more profitable than it otherwise would be which serves incentivize further attacks. See ProPublica’s report The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks.
• Email and Remote Desktop Protocol: Email and attachments and RDP continue to be the attack vectors of choice. The latter is vulnerable to ransomware via exploitation on unpatched systems, misconfigured security settings and brute force attacks on weak login credentials.

Financial Impact

Due to a lack of publicly available data, it is not possible to estimate the cost of these incidents. In Baltimore, costs were estimated at $18.2 million; in Albany, NY, which was able to restore its data from backups, at $300,000; while a relatively small healthcare services provider estimated its downtime costs at between $30,000 and $50,000 per day. If the costs in every case were to be similar to Albany’s, the total combined cost of all 621 incidents would be $186,300,000. But that could be a massive underestimate. Winnebago County’s Chief Information Officer, Gus Gentner, recently stated, “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover.” We cannot comment on the accuracy of that statement but, if correct, it would put the total cost at more than $5 billion.

It is important to note that not all of the costs will be directly attributable to the ransomware attack. In many cases, a portion will represent catch-up spending to compensate for underinvestment in IT during previous years.

Takeaway

“There is no reason to believe that attacks will become less frequent in the near future,” said Fabian Wosar, CTO at Emsisoft. “Organizations have a very simple choice to make: prepare now or pay later.”

Recovery options for impacted entities

In some cases, it may be possible to reduce recovery costs. For example, we have developed workarounds for two types of ransomware commonly used in attacks on public entities. These workarounds may, in some cases, either completely eliminate the need for a ransom to be paid or enable recovery for significantly less than the amount of the ransom demand.

Whether all affected entities were aware of these workarounds is not known.

Better private-public sector cooperation needed

Improving coordination and communication channels between the private sector and law enforcement agencies would help ensure that impacted entities are aware of the availability of potential solutions and workarounds which may help minimize recovery costs.

On a positive note, there have been steps in this direction – the DHS Cyber Hunt and Incident Response Teams Act, for example, which was recently passed by the U.S. Senate.

Notes

This report lists only publicly disclosed cases. As incidents are not centrally reported/recorded and data has been collected from press reports, the numbers contained in this report may be less than the actual total. This report does not include ransomware statistics relating to attacks on private companies as these incidents are too infrequently disclosed.