Another banner year for cybercriminals
“In 2019, the U.S. was hit by an unprecedented and unrelenting barrage of ransomware attacks.
Those were the opening words of our last State of Ransomware report. Unfortunately, the barrage continued into 2020 with at least 2,354 US governments, healthcare facilities and schools being impacted. The impacted organizations included:
- 113 federal, state and municipal governments and agencies
- 560 healthcare facilities
- 1,681 schools, colleges and universities
The attacks caused significant, and sometimes life-threatening, disruption: ambulances carrying emergency patients had to be redirected, cancer treatments were delayed, lab test results were inaccessible, hospital employees were furloughed and 911 services were interrupted.
“The fact that there were no ransomware-related deaths in the US last year was simply due to good luck. Security needs to bolstered across the public sector before that luck runs out and lives are lost.” — Fabian Wosar, CTO, Emsisoft
As the year progressed, more and more groups started to exfiltrate data, using the threat of releasing the stolen information as additional leverage to extort payment. At the beginning of 2020, only the Maze group used this tactic. By the end of the year, at least 17 others had adopted it and were publishing stolen data on so-called leak sites.
A total of 58 public sector bodies are known to have had data stolen during 2020, but the actual number is almost certainly higher. Of those 58 cases, all but two occurred in the second half of the year. The data that was published included Protected Health Information (PHI), sensitive information related to school children, and police records related to ongoing investigations. In addition to these 58 cases, an unknown number of public sector organizations’ had data exposed as a result of ransomware attacks on vendors and other third-parties. For example, the May attack on cloud-based software vendor Blackbaud reportedly affected more than 170 organizations, many in the health and education sectors, and exposed records relating to more than 2.5 million individuals.
The private sector was hit hard too. Globally, more than 1,300 companies, many US-based, lost data including intellectual property and other sensitive information. Note, this is simply the number of companies which had data published on leak sites and takes no account of the companies which paid to prevent publication. Multiple companies in the US Defense Industrial Base sector also had data stolen, including a contractor which supports the Minuteman III nuclear missile program.
We believe it is probable that some data was sold to companies’ competitors or passed to other governments. A number of threat actors are known to auction data or to invite offers from interested third parties, while others may contract to other governments or even be in their direct employ.
Federal, state and municipal governments
At least 113 federal, state, county and municipal governments and agencies were impacted by ransomware in 2020 which, coincidentally, is the exact same number which were impacted in 2019. Given the many predictions that Covid-19 and remote working would result in organizations becoming less secure, this could be seen as a positive. However, the fact that governments have seemingly not improved their security and remain as vulnerable as ever is extremely concerning.
“In some sense, I suppose the numbers staying the same could be seen as a victory given how dependent we were on our networks and connectivity this year, though in general, it’s hard to feel that no progress can really be seen as a big victory. My hope is that everyone’s reliance on remote work and online connectivity during the pandemic will bring to bear more attention and resources for addressing these issues in the future.” — Josephine Wolff, Assistant Professor of Cybersecurity Policy, The Fletcher School, Tufts University
Notable incidents in 2020 included the attacks on the cities of Knoxville and Torrance, the Office of Court Administration of Texas, the Texas Department of Transportation and the 4th Judicial Court of Louisiana. Delaware County in Pennsylvania paid a $500,000 demand and Tillamook County Oregon paid a $300,000 demand. An October attack on Hall County in Georgia reportedly disabled a database used to verify voter signatures. The attack was carried out by DoppelPaymer, a group which is known to steal data.
Of the 60 incidents that occurred in Q1 and Q2, data was stolen and released in only one case; it was, however, stolen and released in 23 of the 53 incidents that occurred in Q3 and Q4.
The data that was exposed in these incidents was often extremely sensitive – payroll information, court documents, and information related to ongoing police investigations, for example.
The healthcare sector
The healthcare sector, which was already stretched and stressed by the pandemic, continued to be heavily targeted in 2020 with at least 560 facilities being impacted in 80 separate incidents (an attack on a health system can impact multiple facilities).
The most significant incident of the year was the attack on the Universal Health Services which operates around 400 hospitals and other healthcare facilities. Other significant incidents included the attacks on Boston Children’s Hospital, Crozer-Keystone Health System, University of Vermont Health Network, and Lake Region Healthcare.
The impact of the attacks was alarming: ambulances were rerouted, radiation treatments for cancer patients were delayed, medical records were rendered temporarily inaccessible and, in some cases, permanently lost, while hundreds of staff were furloughed as a result of the disruptions. The University of Vermont Health Network, which furloughed 300 staff, estimated the cost of the attack at $1.5 million per day.
PHI and other sensitive data was stolen in multiple incidents and published online in at least 12 incidents. The 12 incidents all occurred in the second half of the year.
The education sector
At least 1,681 schools, colleges and universities were impacted in 84 incidents (an attack on a school district can impact multiple schools). Of those 84 incidents, 26 involved colleges and universities while 58 involved school districts.
Some of the nation’s largest districts fell victim including Clark County Public Schools, Fairfax County Public Schools, and Baltimore County Public Schools. The higher education establishments to be impacted included UCSF, MSU and the University of Utah.
The attacks caused schools to cancel both in-class and virtual classes, disrupting learning during a year in which academic schedules had already been significantly disrupted. UCSF paid a $1.4 million ransom, the University of Utah paid just under $500,000 and Sheldon Independent School district paid just over $200,000.
The number of incidents in the education sector increased from eight to 31 between Q2 and Q3, a 388 percent jump. In 2019, incidents increased from five to 51 between Q2 and Q3, a 1020 percent jump. The most likely explanation for these back-to-back increases is that networks were compromised in Q2 but not encrypted until Q3 in order to avoid giving schools the summer months to recover. In other words, the cybercriminals intentionally delayed deploying ransomware until students had returned to school and districts would be under more pressure to pay in order to resolve incidents quickly. If this assumption is correct, it means a window of opportunity exists: if schools can detect and neutralize the initial compromise, they can avert the ransomware attack that would otherwise follow.
Information relating to both staff and students was stolen and published in at least 22 incidents, all but one of which occurred between Q3 and Q4. Some of the information was extremely sensitive – details of alleged sexual assaults by named students, for example.
What was the cost?
“Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover.” — Gus Genter, CIO, Winnebago County
This 2019 statement is probably the best indication of cost of ransomware attacks on governments. If correct, it would put the cost of the 2020’s 113 attacks governments at $915 million.
Previously, we attempted to estimate costs for the public sector as a whole but are unable to do so this year due to a lack of data and potential variance. It is, however, safe to assume that the total cost runs to multiple billions.
Looking forward and recommendations
Unless significant action is taken, we anticipate 2021 being another banner year for cybercriminals.
Attacks on the public sector accelerated in early 2019 and have remained at an elevated level ever since. Yet despite knowing the public sector is squarely in ransomware groups’ crosshairs, the statistics indicate that little, if any, progress has been in improving security across the sector as a whole. Put another way, attacks succeed at the same rate as ever because the public sector is as insecure as ever.
We anticipate there will be more cases of data theft in 2021 than there were in 2020 – likely, at least twice as many. Like legitimate businesses, criminal enterprises adopt strategies that are proven to work, and data theft has indeed been proven to work. Some organizations which were able use backups to recover from attacks still paid the ransom simply to prevent their data being published. This resulted in a greater percentage of attacks being monetized and, as a result, better ROI for the cybercriminals.
We also anticipate that cybercriminals will put stolen data to more use, using it to attack the individuals to which it relates in order to put additional pressure on the organizations from which it was stolen.
The ransomware problem will not be easy to solve – both academic studies and audits have repeatedly pointed to serious and deep-rooted shortcomings in public sector security – but solutions must nonetheless be found. Our 2019 report outlined a number of possible strategies while a 2018 report from Third Way discussed policy solutions that could help create a deterrent by closing what the organization described as a “stunning enforcement gap” (the effective enforcement rate for cybercrime in the US is estimated at only about 0.05%.)
“Information is power and, in cybersecurity, it’s the power to prevent other similar events.” — Algirde Pipikaite, World Economic Forum and Marc Barrachin, S&P
There is a dearth of available information in relation to ransomware incidents, and this represents a problematic intelligence gap. Public sector bodies are not typically required to disclose attacks and, as a result, nobody – including policymakers – knows exactly how many incidents there are. Nor is it known why attacks succeed, how many demands are paid, or the total cost of ransomware to the public sector. Without such information, policymakers cannot formulate an evidence-based response to the problem.
To provide an example of why data collection and sharing is important, consider the spike in education incidents that occurred between Q2 and Q3 in each of the last two years. This represents actionable intelligence. Knowing when schools are most likely to be attacked is the first step in stopping the attacks from succeeding.
To close the intelligence gap, it is critical that reporting requirements be introduced and that the data collected be shared. Cybercriminals learn from each others’ strategies and benefit from cooperation and information-sharing. The public and private sectors need to adopt an equally collaborative and data-driven approach.
In closing, we would point out that ransomware attacks can generally be fended off or, at least, their scope limited. While organizations can never completely eliminate the possibility of human error, they can design their networks in such a way that they do not collapse like houses of cards when those errors occur. To update and reuse a comment our CTO made in last year’s report:
“2021 need not be a repeat of 2020. Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly.” — Fabian Wosar, CTO, Emsisoft.
THANKS AND NOTES
We’d like to thank the academics, journalists, security researchers and other individuals who kindly shared information with us over the course of last year.
This report is based on data from multiple sources, including press reports, and almost certainly understates the actual number of incidents. The report does not include data relating to attacks on private companies as these incidents are too infrequently disclosed to allow for the production of meaningful statistics.