Ransomware is going down, if you count the number of attacks reported on news sites and to regulators.
Or, it’s going up, if you count the number of victims listed by ransomware gangs.
Or it was down in the first seven months of the year, but now it’s up …
The truth is, says an end-of-the-year analysis of numbers in the U.S. by researchers at Emsisoft, we don’t know what the truth is.
“Only a minority of ransomware attacks on private sector companies [in the U.S.] are publicly disclosed or reported to law enforcement,” says the report, “which results in a dearth of statistical information. The reality is that nobody knows for sure whether the number of attacks are flat or trending up or down.”
For that reason, the Emsisoft report focuses on only four sectors. By Emsisoft’s count, last year 105 local governments, 44 universities and colleges, 45 school districts operating 1,981 schools and 24 healthcare providers operating 289 hospitals were hit by ransomware. The numbers come from disclosure statements, press reports, the dark web, and verified third-party information feeds.
Missing are attacks on the technology, services, hospitality and retail sectors.
As in many countries around the world, U.S. organizations aren’t obliged to publicly report breaches of security controls.
“The fact that there seems not to have been any decrease in the number of incidents [in the U.S.] is concerning,” say Emsisoft researchers. Counter-ransomware initiatives have included executive orders from the White House, international summits, increased efforts to disrupt the ransomware ecosystem, and the creation by Congress of an interagency body, the Joint Ransomware Task Force (JRTF), to unify and strengthen efforts. “Yet, despite these initiatives, ransomware appears to be no less of a problem” so far, the report says.
The number of local governments hit increased from 2021, when there were 77 ransomware attacks on governments. However, the researchers point out the 2022 figures were dramatically affected by a single incident in Miller County, Arkansas, where one compromised mainframe spread malware to endpoints in 55 different counties. Data was stolen in at least 27 of the 105 incidents.
The 89 education sector organizations that were impacted by ransomware last year were one more than the 88 in 2021. However, there was a large difference in the total number of individual schools potentially affected. In 2021, the impacted districts had 1,043 schools between them but, in 2022, this almost doubled to 1,981 schools. Data was exfiltrated in at least 58 incidents.
The most significant incident of the year was the September attack on Los Angeles Unified School District which, with more than 1,300 schools and 500,000 students, is the second-largest district in the U.S. According to TechCrunch, some 500GB of data was copied and released.
At least three organizations paid a ransom demand, including the Glenn County Education Office, CA, which paid US$400,000.
The most significant healthcare-related incident of the year was the attack on CommonSpirit Health, which operates almost 150 hospitals across the U.S. The personal data of 623,774 patients was compromised.
The Emsisoft researchers note that the number of incidents does not provide a complete picture of the ransomware landscape, or necessarily indicate whether the government’s counter-ransomware initiatives are succeeding or failing. For example, a decrease in the level of disruption caused by attacks or in the amount paid in ransoms could be regarded as a win, even if the number of incidents had increased.
Implementing best practices can limit the scope of an attack by, for example, preventing lateral movement (see Ransomware Prevention Best Practices), they argue. An organization that detects and blocks an attack in its early stages may experience only a few encrypted endpoints, whereas one which does not may experience a catastrophic multi-week, organization-wide outage. “These are obviously very different events in terms of their scope and impact, but simply counting incidents does not distinguish between them. The best measure of the effectiveness of counter-ransomware initiatives would be whether the dollar losses resulting from incidents had increased or decreased but, unfortunately, that data is not available.”
Finally, the researchers say it’s time to stop calling this category of malware “ransomware,” because some attacks by ransomware groups involve data theft only, with no encryption.
“A better way of thinking about incidents is simply ‘data extortion events.’” “Encryption-based data extortion” and “exfiltration-based data extortion” are subcategories of data extortion events. “These descriptors may not be ideal replacements for ‘ransomware,’ but we are sure that somebody can come up with better alternatives,” said the researchers.
Another version of this argument was made by a threat analyst at last fall’s SecTor conference in Toronto.