Geeks for your information


The State of Ransomware in the US: Report and Statistics 2020 - harlan4096 - 21 January 21

Quote:
Another banner year for cybercriminals

“In 2019, the U.S. was hit by an unprecedented and unrelenting barrage of ransomware attacks.”

Those were the opening words of our last State of Ransomware report. Unfortunately, the barrage continued into 2020 with at least 2,354 US governments, healthcare facilities and schools being impacted.

The impacted organizations included:
  • 113 federal, state and municipal governments and agencies
  • 560 healthcare facilities
  • 1,681 schools, colleges and universities

The attacks caused significant, and sometimes life-threatening, disruption: ambulances carrying emergency patients had to be redirected, cancer treatments were delayed, lab test results were inaccessible, hospital employees were furloughed and 911 services were interrupted.

“The fact that there were no ransomware-related deaths in the US last year was simply due to good luck. Security needs to be bolstered across the public sector before that luck runs out and lives are lost.” — Fabian Wosar, CTO, Emsisoft

As the year progressed, more and more groups started to exfiltrate data, using the threat of releasing the stolen information as additional leverage to extort payment. At the beginning of 2020, only the Maze group used this tactic. By the end of the year, at least 17 others had adopted it and were publishing stolen data on so-called leak sites.

A total of 58 public sector bodies are known to have had data stolen during 2020, but the actual number is almost certainly higher. Of those 58 cases, all but two occurred in the second half of the year. The data that was published included Protected Health Information (PHI), sensitive information related to school children, and police records related to ongoing investigations. In addition to these 58 cases, an unknown number of public sector organizations had data exposed as a result of ransomware attacks on vendors and other third parties. For example, the May attack on cloud-based software vendor Blackbaud reportedly affected more than 170 organizations, many in the health and education sectors, and exposed records relating to more than 2.5 million individuals.

The private sector was hit hard too. Globally, more than 1,300 companies, many US-based, lost data including intellectual property and other sensitive information. Note, this is simply the number of companies which had data published on leak sites and takes no account of the companies which paid to prevent publication. Multiple companies in the US Defense Industrial Base sector also had data stolen, including a contractor which supports the Minuteman III nuclear missile program. 

We believe it is probable that some data was sold to companies’ competitors or passed to other governments. A number of threat actors are known to auction data or to invite offers from interested third parties, while others may contract to other governments or even be in their direct employ.

Federal, state and municipal governments

At least 113 federal, state, county and municipal governments and agencies were impacted by ransomware in 2020 which, coincidentally, is the exact same number which were impacted in 2019. Given the many predictions that Covid-19 and remote working would result in organizations becoming less secure, this could be seen as a positive. However, the fact that governments have seemingly not improved their security and remain as vulnerable as ever is extremely concerning.

“In some sense, I suppose the numbers staying the same could be seen as a victory given how dependent we were on our networks and connectivity this year, though in general, it’s hard to feel that no progress can really be seen as a big victory. My hope is that everyone’s reliance on remote work and online connectivity during the pandemic will bring to bear more attention and resources for addressing these issues in the future.” — Josephine Wolff, Assistant Professor of Cybersecurity Policy, The Fletcher School, Tufts University

Notable incidents in 2020 included the attacks on the cities of Knoxville and Torrance, the Office of Court Administration of Texas, the Texas Department of Transportation and the 4th Judicial Court of Louisiana. Delaware County in Pennsylvania paid a $500,000 demand and Tillamook County, Oregon paid a $300,000 demand. An October attack on Hall County in Georgia reportedly disabled a database used to verify voter signatures. The attack was carried out by DoppelPaymer, a group which is known to steal data.

Of the 60 incidents that occurred in Q1 and Q2, data was stolen and released in only one case; it was, however, stolen and released in 23 of the 53 incidents that occurred in Q3 and Q4.

The data that was exposed in these incidents was often extremely sensitive – payroll information, court documents, and information related to ongoing police investigations, for example.

The healthcare sector

The healthcare sector, which was already stretched and stressed by the pandemic, continued to be heavily targeted in 2020 with at least 560 facilities being impacted in 80 separate incidents (an attack on a health system can impact multiple facilities).

The most significant incident of the year was the attack on Universal Health Services, which operates around 400 hospitals and other healthcare facilities.

Other significant incidents included the attacks on Boston Children’s Hospital, Crozer-Keystone Health System, University of Vermont Health Network, and Lake Region Healthcare.

The impact of the attacks was alarming: ambulances were rerouted, radiation treatments for cancer patients were delayed, medical records were rendered temporarily inaccessible and, in some cases, permanently lost, while hundreds of staff were furloughed as a result of the disruptions. The University of Vermont Health Network, which furloughed 300 staff, estimated the cost of the attack at $1.5 million per day.

PHI and other sensitive data was stolen in multiple incidents and published online in at least 12 incidents. The 12 incidents all occurred in the second half of the year.

The education sector

At least 1,681 schools, colleges and universities were impacted in 84 incidents (an attack on a school district can impact multiple schools). Of those 84 incidents, 26 involved colleges and universities while 58 involved school districts.

Some of the nation’s largest districts fell victim including Clark County Public Schools, Fairfax County Public Schools, and Baltimore County Public Schools. The higher education establishments to be impacted included UCSF, MSU and the University of Utah.

The attacks caused schools to cancel both in-class and virtual classes, disrupting learning during a year in which academic schedules had already been significantly disrupted. UCSF paid a $1.4 million ransom, the University of Utah paid just under $500,000 and Sheldon Independent School District paid just over $200,000.

The number of incidents in the education sector increased from eight to 31 between Q2 and Q3, a 388 percent jump. In 2019, incidents increased from five to 51 between Q2 and Q3, a 1020 percent jump. The most likely explanation for these back-to-back increases is that networks were compromised in Q2 but not encrypted until Q3 in order to avoid giving schools the summer months to recover. In other words, the cybercriminals intentionally delayed deploying ransomware until students had returned to school and districts would be under more pressure to pay in order to resolve incidents quickly. If this assumption is correct, it means a window of opportunity exists: if schools can detect and neutralize the initial compromise, they can avert the ransomware attack that would otherwise follow.

Information relating to both staff and students was stolen and published in at least 22 incidents, all but one of which occurred between Q3 and Q4. Some of the information was extremely sensitive – details of alleged sexual assaults by named students, for example.

What was the cost?

“Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover.” — Gus Genter, CIO, Winnebago County

This 2019 statement is probably the best indication of the cost of ransomware attacks on governments. If correct, it would put the cost of 2020’s 113 attacks on governments at $915 million.

Previously, we attempted to estimate costs for the public sector as a whole but are unable to do so this year due to a lack of data and potential variance. It is, however, safe to assume that the total cost runs to multiple billions.
...