During 2020 – according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft – healthcare, education, and government entities were the main focus of ransomware threat groups with 2,354 attacks being registered.
Towards the end of 2019 ransomware was being extensively used in cyberattacks on the healthcare industry. The attacks dwindled in the first half of 2020 but rose considerably in the second half of the year. There was a major spike in attacks in September and the attacks continued to increase for the rest of the year.
113 ransomware attacks were recorded on federal, state, and municipal governments and agencies, 560 healthcare facilities were impacted by 80 separate attacks, and there were 1,681 attacks on schools, colleges, and university networks.
Due to these ransomware campaigns, great financial harm has been inflicted and, in some instances, there have been life-threatening consequences. Fabian Wosar, CTO of Emsisoft, said: “The fact that there were no ransomware-related deaths in the US last year was simply due to good luck. Security needs to be bolstered across the public sector before that luck runs out and lives are lost.”
Some examples include:
- An attack on Universal Health Services, a health system that manages over 400 hospitals and healthcare facilities in the United States. All of its offices and clinics were affected.
- Databases and networks at the University of Vermont Health Network, including its EHR system, were forced offline. A number of systems remained unusable for many weeks following the attack, costing up to $1.5m per day in additional expenses and lost revenue while it recovered.
A typical feature of these attacks is for threat actors to steal sensitive data before file encryption takes place. This is followed by threats being made that the private data will be sold if the ransom is not paid. Emsisoft revealed that only the Maze ransomware gang was stealing private data before file encryption at the beginning of 2020, but now up to 17 other threat groups are stealing data and publishing it on leak sites if the ransom is not transferred.
In a number of instances, payment of the ransom has not resulted in the illegally taken data being deleted. Many ransomware gangs, including Sodinokibi (REvil), Netwalker, and Mespinoza, are known to have leaked stolen data even after the victim paid the ransom.
Emsisoft says that, in the first six months of 2020, just a single attack – out of a total of 60 ransomware attacks on federal, state, county, and municipal governments and agencies – resulted in stolen data being made publicly available. However, in the second six months of the year, 23 out of the 53 attacks resulted in data being made available on leak sites. A minimum of 12 healthcare groups that were infected with ransomware had sensitive data stolen and leaked on the Internet.
In the report, Emsisoft said: “Unless significant action is taken, we anticipate 2021 being another banner year for cybercriminals”.