The State of Ransomware in the US: Report and Statistics 2023

"From 2016 to 2021, we estimate that ransomware attacks killed between 42 and 67 Medicare patients." (McGlave, Neprash, and Nikpay, University of Minnesota School of Public Health) [1]

In 2023, the US was once again battered by a barrage of financially-motivated ransomware attacks that denied Americans access to critical services, compromised their personal information, and probably killed some of them.

In total, 2,207 US hospitals, schools, and governments were directly impacted by ransomware over the course of the year, with many more being indirectly impacted via attacks on their supply chains. Additionally, thousands of private sector companies were either directly or indirectly impacted.

We believe that the only solution to the ransomware crisis, which is as bad as it has ever been, is to completely ban the payment of ransoms. We'll discuss why we believe this action is necessary in the next section.

The table below shows the number of organizations which were impacted in each of the last three years.

Hospital systems are comprised of multiple hospitals, and school districts of multiple schools. The total number of hospitals and schools impacted is explained in the sector-specific sections below.

Note that it is far from easy to compile statistical information in relation to ransomware incidents because only a minority of incidents are reported or disclosed. Additionally, even when incidents are disclosed, it is not uncommon for organizations to use obfuscatory language, for example referring to incidents as "encryption events" rather than "ransomware attacks", which makes search-based tracking challenging. While this report aggregates data from multiple sources, it is inevitable that some incidents will not have been counted and, consequently, the extent of the problem is almost certainly understated.

As already noted, ransomware is estimated to have killed about one American per month between 2016 and 2021, and it likely continues to do so. The longer the ransomware problem remains unfixed, the more people will be killed by it. And, of course, the economic harm and myriad of societal harms that ransomware causes will also continue for as long as the problem remains unfixed.

Governments have formed task forces and international coalitions, and pledged at the federal level not to pay ransoms [2], while law enforcement has disrupted operations across the ransomware ecosystem, dismantled botnets, seized crypto assets, and made arrests. But despite all of this, ransomware stubbornly remains as much of a problem as ever.

The only viable mechanism by which governments can quickly reduce ransomware volumes is to ban ransom payments. Ransomware is a profit-driven enterprise. If it is made unprofitable, most attacks will quickly stop. Security researcher Kevin Beaumont had this to say [3]:

"I mean it: ransomware payments to these groups need to be outlawed, internationally. We have to push through the short-term pain, because it is the safer option. Start planning for this, signal it loudly, and do it. This one needs firm leadership from the very top, as the lobbying against will be real. Civil society needs protection via firm leadership, not leadership by a small number of firms profiting from the status quo. This is a chance for world leaders to lead, when others haven't."

He is right. A ban is indeed the safer option. We can either stop ransom payments now and stop ransomware now, or we can continue to incur the human and financial costs while we attempt to come up with alternative strategies.

Allan Liska, a threat intelligence analyst at Recorded Future, agrees:

"I've resisted the idea of blanket bans on ransom payments for years, but I think that has to change. Ransomware is getting worse, not just in the number of attacks but in the aggressive nature of the attacks and the groups behind them. What we are doing simply isn't working. Yes, law enforcement has gotten better, but law enforcement cannot act fast enough and is powerless against recalcitrant states like Russia that refuse to cooperate. A ban on ransom payments will be painful and, if history is any guide, will likely lead to a short-term increase in ransomware attacks, but it seems like this is the only solution that has a chance of long-term success at this point. That is unfortunate, but it is the reality we face."

Brett Callow, a threat analyst with Emsisoft, is also a proponent of a ban:

"Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles. The reality is that we're not going to defend our way out of this situation, and we're not going to police our way out of it either. For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them. The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work."

Until now, governments have avoided introducing bans, probably due to the potential impact on victims, impacts which the Ransomware Task Force touched on in a 2021 report [4]:

"The challenge comes in determining how to make such a measure practical, as there remains a lack of organizational cybersecurity maturity across sectors, sizes of organization, and geographies. Ransomware attackers require little risk or effort to launch attacks, so a prohibition on ransom payments would not necessarily lead them to move into other areas. Rather, they would likely continue to mount attacks and test the resolve of both victim organizations and their regulatory authorities. To apply additional pressure, they would target organizations considered more essential to society, such as healthcare providers, local governments, and other custodians of critical infrastructure."

Were there to be a ban, we believe that bad actors would quickly pivot and move from high-impact encryption-based attacks to other less disruptive forms of cybercrime. It would really make no sense for them to expend time and effort attacking organizations which could not pay. Additionally, bad actors already do attack healthcare providers, local governments, and other custodians of critical infrastructure relentlessly, day in, day out, and it's far from certain that they would have either the incentive or the resources to attack them any more frequently.

Another reason that's often put forward to argue against a ban (and this is also briefly mentioned in the Task Force's report) is that some organizations would break the law and pay anyway. While that is likely correct, it doesn't mean that a ban would not be effective. A ban would not need to stop all payments; it would simply need to stop enough to ensure that ransomware ceased to be profitable and, as most companies would abide by the law, this would likely be achieved.

Yes, banning payments may cause problems in the short term for some victims, but not banning them causes even more problems, and it causes them long-term and for everybody. It ensures that organizations will continue to be attacked, that hospitals, schools, and government services will continue to be disrupted, that the US will continue to take a multibillion-dollar economic hit and, most significantly, that ransomware will continue to be a risk-to-life threat.

Of course, there are other mechanisms that could be tried, and which are currently being tried, but they are unlikely to have a significant impact on ransomware volumes in the short term. A ban really is the only quick solution.

It should be noted that a ban would not be without precedent. In 2022, both North Carolina and Florida banned public sector entities from paying demands [5]. As far as we are aware, no entity in either state has experienced catastrophic data loss as a result of the ban, and nor have any experienced unusually excessive downtime.

Ransomware is, without question, a risk-to-life threat. In medical emergencies, every second counts. If access to treatment is delayed because the ambulances need to be rerouted from ransomed hospitals, bad outcomes become more likely. Patients may die or be left with permanent disabilities that could have been avoided with speedier treatment.

Rerouted ambulances are not the only risk to patient safety. Delayed requisitions and tests, inaccessible electronic health records, and mistakes related to manual record keeping can also negatively impact medical outcomes. For example, in 2022, a 3-year-old patient was reportedly given a megadose of an opioid pain medication as a result of a hospital's computer systems being down [6]. The frequency of such incidents and their impact on patient care and medical outcomes is unknown.

Patient care can also be impacted at hospitals adjacent to ransomed facilities. A research paper published in May 2023 concluded that nearby hospitals which need to deal with the additional patients "may experience resource constraints affecting time-sensitive care for conditions such as acute stroke. These findings suggest that targeted hospital cyberattacks may be associated with disruptions of health care delivery at nontargeted hospitals within a community and should be considered a regional disaster." [7]

In 2023, 46 hospital systems with a total of 141 hospitals were impacted by ransomware, and at least 32 of the 46 had information, including protected health information, stolen.

Notable incidents included the November attack on Ardent Health Services, a 30-hospital health system, which resulted in hospitals in three states rerouting ambulances [8].

At least 108 K-12 districts were impacted by ransomware in 2023, more than double the 45 that were impacted in 2022. We have no explanation for this increase. The impacted districts had a total of 1,899 schools between them, and at least 77 of the 108 had data stolen.

Notable incidents included the attack on Minneapolis Public Schools, which disrupted learning at multiple of the district's schools and resulted in nearly 200,000 stolen files being posted online. The files included details of campus rape and teacher abuse cases, students' psychological reports, and other extremely sensitive information [9].

At least 72 post-secondary schools were impacted by ransomware, up from 44 in 2022 and 26 in 2021. At least 60 of the 72 had data stolen.

Impacted schools included the University of Hawaii, Southern Arkansas University, and Stanford.

At least 95 government entities were impacted in 2023, down from 106 in 2022. While only 60 of the 95 are known to have had data stolen based on public reporting, it is likely that most, if not all, did.

Note that the decrease is due to the fact that 2022's numbers include 55 governments in Arkansas which were affected by an attack on a shared solutions provider [10]. Were this incident to be disregarded for statistical purposes, the number of incidents in 2023 would represent more than a 50 percent increase over the previous year.

Impacted governments included the cities of Dallas, Modesto, and Oakland. San Bernardino County paid a $1.1 million ransom [11], while another victim, the City of Lowell, spent $1 million on credit protection for affected individuals [12].

The US Marshals Service experienced a ransomware attack in February, during which information pertaining to subjects of USMS investigations, third parties, and certain USMS employees was stolen [13]. Subsequently, data purportedly stolen from USMS was put up for sale on a Russian-language cybercrime forum [14].

Underreporting and intentional obfuscation make it challenging to produce statistics in relation to incidents involving the private sector. Because of this, even the most basic questions, such as the total number of incidents and the percentage of victims that pay, cannot be reliably answered.

That said, we do know that multiple household-name companies were impacted in 2023, with the list of victims including Boeing, MGM Resorts, Caesars Entertainment, DISH Network, and Johnson Controls.

According to Chainalysis' midyear update [15], $449 million in ransoms was paid in the first six months of the year, and 2023 was tracking to be the second most profitable year to date for ransomware actors. The bulk of that $449 million was likely paid by US organizations.

Other ransomware-related costs include business disruption, incident response, loss of intellectual property, and a plethora of other post-breach expenses, including regulatory filings and notifications.

While we have insufficient data to estimate the overall cost of ransomware to the US economy, it's safe to assume it runs to billions of dollars. For context, MGM Resorts estimated the cost of its September attack at $100 million [16], while the August attack on Clorox has cost $356 million so far [16].

It should be noted that the financial impacts of ransomware are not necessarily limited to the targeted companies. Attacks on solution and service providers, for example, can disrupt their corporate customers as well as have a ripple effect that is felt more broadly. In December, about 60 credit unions experienced outages as a result of an attack on a technology provider, reportedly leaving customers unable to access their accounts [17].

The MOVEit incident was an attack in which a ransomware operation, Cl0p, exploited a zero-day vulnerability to steal data via the widely-used MOVEit file transfer platform. The incident affected more than 2,600 organizations, mostly US-based, with many victims in the public and education sectors, and may have had a total cost of around $15 billion.

We decided not to count the affected organizations for the purpose of this report, as doing so would heavily skew the numbers. Also, the incident does not necessarily meet everybody's definition of ransomware, as no data was encrypted and not every affected organization received a ransom demand.

In 2018, ransom payments averaged $5,000 [18], but by 2023 that had increased by 29,900 percent to about $1.5 million [19]. This snowballing was key to the explosion in ransomware volumes. The more money ransomware actors have (and they now have 29,900 percent more than they previously did), the more they can invest in scaling their operations, purchasing zero-days, and buying and bribing their way into networks. This makes them harder to stop and, if payments continue to climb, they'll become even harder to stop.

It should be noted that the tactics used by threat actors have become more extreme and, because of the amount of money now on the line, will likely become even more extreme. For example, in December, a bad actor was reported to have attempted to pressure a cancer hospital into paying a ransom by threatening to swat its patients [20]. Swatting is the weaponization of the police: calling 911 with hoax reports of criminal activity in order to trigger a SWAT team-like response at target addresses. The practice has resulted in multiple injuries and deaths [21]. The potential for further escalation makes it even more critical that swift action be taken.

Finally, it is critical that governments work to understand the conditions which enabled ransomware to rapidly morph from a nuisance-level inconvenience to a multibillion-dollar crisis. For example, was cyber insurance a driver of the 29,900 percent increase in demands and, if so, how could that have been avoided? The lessons learned may enable more effective legislative responses to future threats.

[1] We tried to quantify how harmful hospital ransomware attacks are for patients. Here's what we found. httpswwwstatnewscom20231117hospitalransomwareattackpatientdeathsstudy

[2] US-led cybersecurity coalition vows to not pay hackers' ransom demands. httpstechcrunchcom20231031unitedstatescybersecuritycoalitiondenyransomdemands

[3] What it means: CitrixBleed ransomware group woes grow as over 60 credit unions, hospitals, financial services and more breached in US. httpsdoublepulsarcomwhatitmeanscitrixbleedransomgroupwoesgrowasover60creditunionshospitals47766a091d4f

[4] RTF Report: Combating Ransomware. httpssecurityandtechnologyorgwpcontentuploads202109ISTRansomwareTaskForceReportpdf

[5] An inside look into states' efforts to ban gov't ransomware payments. httpstherecordmediaaninsidelookintostateseffortstobangovtransomwarepayments

[6] 3-year-old given too much pain medication after cyberattack shut down MercyOne computers, parents say. httpswwwdesmoinesregistercomstorynewshealth20221013apparentransomwareattackmercyoneiowaaffectshospitalpatients69553280007

[7] Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US. httpspubmedncbinlmnihgov37155166

[8] Emergency rooms in at least 3 states diverting patients after ransomware attack. httpswwwnbcnewscomtechsecurityemergencyroomsleast3statesdivertingpatientsransomwareattackrcna126890

[9] Students' psychological reports, abuse allegations leaked by ransomware hackers. httpswwwnbcnewscomtechsecuritystudentspsychologicalreportsabuseallegationsleakedransomwarehacrcna79414

[10] Miller County offices impacted by cyber attack. httpswwwktbscomnewstexarkanamillercountyofficesimpactedbycyberattackarticle5e175af4679411ed96b853186a21f676html

[11] San Bernardino County pays $1.1 million to settle ransomware attack. httpsktlacomnewslocalnewssanbernardinocountypays11milliontosettleransomwareattack

[12] LifeLock protection to cost Lowell $1 million. httpswwwlowellsuncom20230525lifelockprotectiontocostlowell1million

[13] US Marshals Service suffers major security breach that compromises sensitive information, senior law enforcement officials say. httpswwwnbcnewscompoliticspoliticsnewsmajorusmarshalsservicehackcompromisessensitiveinforcna72581

[14] Hacker selling data allegedly stolen in US Marshals Service hack. httpswwwbleepingcomputercomnewssecurityhackersellingdataallegedlystoleninusmarshalsservicehack

[15] Hopewell credit union hit by ransomware attack, blocking customers' access to accounts. httpswwwwriccomnewstakingactionhopewellcreditunionhitbyransomwareattackblockingcustomersaccesstoaccounts

[16] Crypto Crime Midyear Update. httpswwwchainalysiscomblogcryptocrimemidyear2023updateransomwarescams

[17] MGM Resorts International 8-K. httpswwwsecgovixdocArchivesedgardata789570000119312523251667d461062d8khtm

[18] The Clorox Company's 2023 Cyberattack: Major Fallout, System Disruptions, Product Shortages. httpsthrivedxcomresourcesarticlecloroxcompanys2023cyberattackfallout

[19] Global Ransomware Marketplace Report. httpsstatic1squarespacecomstatic5ab16578e2ccd10898976178t5bc541a4419202fbc6ce34341539654309673CovewareGlobalRansomwareReportpdf

[20] The Path to Banning Ransomware Payments. httpswwwcenterforcybersecuritypolicyorginsightsandresearchthepathtobanningransomwarepayments

[21] Recent attacks on Fred Hutch and Integris: Is attempting to extort patients directly becoming the new normal? httpswwwdatabreachesnetrecentattacksonfredhutchandintegrisisattemptingtoextortpatientsdirectlybecomingthenewnormal

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents, and create analysis that helps decision-makers understand the threat landscape.