A new report documents the worrying rise in ransomware attacks on critical services in the US, as cybersecurity experts increasingly call for an international ban on victims making extortion payments to the hackers.
While major ransomware attacks on private companies like MGM Resorts dominated headlines in 2023, more schools, hospitals and local governments were also targeted by hackers.
A total of 2,207 hospitals, schools and governments in the U.S. were directly affected by ransomware during the year, according to a report from cybersecurity firm Emsisoft on Tuesday.
Citing research from the University of Minnesota School of Public Health, the report estimates that errors and delays caused by ransomware attacks on U.S. health systems likely result in about one person dying per month.
Ransomware gangs operate by infiltrating victim organizations and encrypting their IT infrastructure. In return for the encryption keys to restore access, they demand payments that can run into tens of millions of dollars.
The University of Kansas Health System-St. The Francis Campus in Topeka is among the hospitals that had to divert ambulances due to a ransomware attack in November
Often, victims quietly pay off hackers to avoid service disruptions and negative publicity.
But more and more experts are calling for new laws to ban such ransom payments, saying this is the only way to stop the attacks.
“Current anti-ransomware strategies consist of little more than building speed bumps and killing moles,” said Brett Callow, threat analyst at Emsisoft.
He added: “The reality is that we are not going to defend ourselves out of this situation, and we are not going to police our way out of this situation.”
“As long as ransomware payments remain legitimate, cybercriminals will do whatever it takes to collect them.”
“The only solution is to financially deter attacks by banning payment of claims entirely.” “At this point, a ban is the only approach that is likely to work.”
Among the most high-profile ransomware victims in 2023 was an attack on Ardent Health Services, a 30-hospital health system, in November that caused hospitals in three states to divert ambulances.
According to Emsisoft, a total of 46 hospital systems, including 141 hospitals, were affected by ransomware attacks last year. Information, including protected health information, was stolen in at least 32 of the 46 systems.
The attacks almost certainly cost lives due to disruptions in supplies, although the exact death toll is difficult to accurately quantify.
The University of Minnesota School of Public Health study found that ransomware attacks killed an estimated 42 to 67 Medicare patients between 2016 and 2021, or about one per month.
“The longer the ransomware problem remains unsolved, the more people it will kill,” the Emsisoft report said.
School systems were also attacked by ransomware last year, with notable victims including the Minneapolis Public Schools (see above).
Government agencies are also falling victim to ransomware at an alarming rate, with the cities of Dallas (above), Modesto and Oakland all hit in the past year
School systems were also attacked by ransomware last year, with notable victims including public schools in Minneapolis.
This attack disrupted classes at several schools in Minneapolis and resulted in nearly 200,000 stolen files being posted online, including extremely sensitive information such as reports of campus sexual assault and cases of teacher abuse.
Emsisoft estimates that at least 108 K-12 districts were affected by ransomware in 2023, more than double the number in 2022.
There were a total of 1,899 schools in the affected districts and at least 77 of the 107 had data stolen.
The report also estimates that at least 72 post-secondary schools were affected by ransomware last year, up from 44 in 2022, and that at least 60 of the 72 schools had data stolen.
The University of Hawaii, Southern Arkansas University and Stanford were among the colleges hit last year.
Government agencies are also falling victim to ransomware at an alarming rate, with the cities of Dallas, Modesto and Oakland being attacked last year.
California's San Bernardino County admitted paying a $1.1 million ransom to stop a ransomware attack, while another victim, the government of Lowell, Massachusetts, paid $1 million for issued credit protection for employees whose data was leaked.
In 2023, at least 95 government entities were affected, with at least 60 confirmed to have had data stolen.
While the number of government attacks decreased slightly compared to the 106 attacks recorded in 2022, Emsisoft notes that this is due to a service provider breach in 2022 that affected 55 Arkansas governments simultaneously, increasing the number this year .
The company noted that it is notoriously difficult to accurately track ransomware attacks, not least because victims often hide the fact that they have been attacked or describe the attack using obscure terms such as “encryption event.”
“The only viable mechanism for governments to quickly reduce ransomware volumes is to ban ransom payments,” the report argues.
“Ransomware is a for-profit company. If it becomes unprofitable, most attacks will quickly come to a halt.”