According to statistics from Emsisoft, at least 621 organizations in the US, including state and local governments, school districts, health care services and other entities, have been hit with ransomware during the first nine months of 2019. Emsisoft breaks the attacks down by sector and also notes trends, including a growing focus on attacking managed service providers (MSPs), which allows attackers to hit multiple customers; increasing ransom demands; and organizations with cyber insurance choosing to pay the ransom rather than restore systems on their own. This is criminal success by any measure. Of course, safe backups can take the money out of it. Businesses can expect these attacks to increase until the profitability goes out of them.
Emsisoft's report states that in the first nine months of 2019, at least 621 government entities, healthcare service providers and school districts, colleges and universities were affected by ransomware. The attacks have caused massive disruption: municipal and emergency services have been interrupted, medical practices have permanently closed, ER patients have been diverted, property transactions halted, the collection of property taxes and water bills delayed, medical procedures canceled, schools closed and data lost.
Note that the healthcare sector continued to be a popular ransomware target. Cybercriminals understand that healthcare providers are often more inclined to pay the ransom as failure to do so may result in data loss that could potentially put lives at risk. From Q1 to Q3 there were a total of 491 ransomware attacks on healthcare providers, including:
- Park DuValle Community Health Center: In June, a ransomware attack resulted in Park DuValle Community Health Center being unable to access medical records, patient contact details and insurance information. For seven weeks, Park DuValle’s four clinics were unable to make appointments and staff were forced to resort to using a pen and paper system. Park DuValle eventually agreed to pay the $70,000 ransom.
- PerCSoft: In late August, PerCSoft, a cloud management service that provides backup solutions for dental practices in the U.S., was infected with a strain of ransomware called Sodinokibi. Approximately 400 dental offices were unable to access patient information. Several sources claim the ransom was paid, although the total amount was not specified.
- Campbell County Health: In September, Campbell County Health, Wyoming, suffered a ransomware attack that caused widespread disruption. Inpatient admissions were halted, surgeries were canceled and ER patients were redirected to other hospitals. Two other institutions connected to Campbell County Health were also affected by the attack.
Other trends to note
- Attacks via MSPs on the rise: Emsisoft reports that cybercriminals are increasingly targeting software commonly used by MSPs and other third-party service providers. In such attacks, multiple customers of the MSP or service provider can be simultaneously hit, as was the case in the August incident in which 22 cities and towns in Texas were impacted.
- Ransom demands get bigger: The average ransom demand has continued to increase in 2019. Like other businesses, criminal enterprises seek to maximize their profits and charge as much as they can for their “services.” If one organization is willing to pay $500,000, the next may be willing to pay $600,000.
- Cyber insurance: Insured entities may be more likely to pay demands, which makes ransomware more profitable than it otherwise would be and serves to incentivize further attacks.
- Email and Remote Desktop Protocol: Email (including attachments) and RDP continue to be the attack vectors of choice. RDP is exposed to ransomware through exploitation of unpatched systems, misconfigured security settings and brute-force attacks on weak login credentials.
Due to a lack of publicly available data, it is not possible to estimate the cost of these incidents. In Baltimore, costs were estimated at $18.2 million; in Albany, NY, which was able to restore its data from backups, at $300,000; while a relatively small healthcare services provider estimated its downtime costs at between $30,000 and $50,000 per day. If the costs in every case were to be similar to Albany’s, the total combined cost of all 621 incidents would be $186,300,000. But that could be a massive underestimate. Winnebago County’s Chief Information Officer, Gus Gentner, recently stated, “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover.” We cannot comment on the accuracy of that statement but, if correct, it would put the total cost at more than $5 billion.
It is important to note that not all of the costs will be directly attributable to the ransomware attack. In many cases, a portion will represent catch-up spending to compensate for underinvestment in IT during previous years.
The key takeaway for readers is to be careful about the viability of your backups. Ransomware is an expensive problem, and companies are making a mistake if they ignore the risks.