Ransomware: 2,300+ local governments, schools, healthcare providers impacted in 2021

An Emsisoft report found that more than 1,000 schools alone were disrupted by ransomware incidents.
Written by Jonathan Greig, Contributor

More than 2,300 local governments, schools, and healthcare organizations in the US were affected by ransomware attacks in 2021, according to a new report from security company Emsisoft. 

The company found that at least 77 state and municipal governments, 1,043 schools, and 1,203 healthcare providers were impacted by a ransomware incident last year. The attacks also led to 118 data breaches, exposing troves of sensitive information. 

Emsisoft noted that while the numbers are still high, the 77 local governments attacked represent a decrease compared to 2020 and 2019, both of which saw 113 governments hit.

In 2021, ransomware groups targeted smaller counties and towns instead of bigger cities like New Orleans, Baltimore, and Atlanta. Emsisoft theorized that this may have happened because larger cities invested more in cybersecurity following damaging attacks throughout 2019 and 2020. 

To calculate the cost of the damage caused by ransomware incidents, Emsisoft used the estimates from Winnebago County, Illinois CIO Gus Genter, who said in 2019 that the average ransomware incident costs $8.1 million and requires 287 days to recover. Based on those numbers, Emsisoft estimated that the 77 incidents in 2021 amounted to $623.7 million in losses.

In addition to the financial losses, at least one incident affected dispatch services. Nearly half of the 77 incidents led to data breaches.

For public educational organizations, there was a small uptick in attacks for 2021. In total, 88 organizations were hit with ransomware attacks, including 62 school districts and 26 colleges or universities. There were 84 attacks on the education sector in 2020. 

Of the 88 educational organizations attacked in 2021, 44 suffered data breaches involving the information of both students and employees.

While more districts were attacked in 2021, the number of individual schools affected was lower than in 2020. At least 1,043 schools were impacted in 2021 compared to 1,681 in 2020.

Last year also saw dozens of ransomware attacks on hospitals and healthcare institutions, with 68 healthcare providers reporting impacts from ransomware in 2021. In total, about 1,203 individual healthcare sites were affected. While more healthcare providers were attacked in 2020, only 560 individual sites were impacted. 

"The providers hit in 2021 included... Scripps Health, which operates 24 locations, including 5 hospitals," Emsisoft said. Scripps Health estimated its ransomware attack cost $112.7 million.

Emsisoft noted that while the overall numbers are still high, there are signs of progress. Headline-grabbing attacks on companies like Colonial Pipeline and global meat processor JBS seemed to have kicked the government response to ransomware into high gear. The Biden Administration initiated several efforts aimed at curbing ransomware activity, and the recent arrests of ransomware actors may indicate that some headway is being made internationally.

The Justice Department has been able to recover several ransom payments from ransomware gangs, and some groups have indicated a tacit fear of attacking certain government institutions due to offensive actions taken by US Cyber Command and other governments.

Emsisoft ransomware expert Brett Callow, who tracks ransomware incidents affecting public institutions, told ZDNet the US public sector has experienced a very similar number of incidents in each of the last three years, indicating the sector has not done enough to bolster its security despite knowing it is in the crosshairs.

"But they may be starting to change. As noted in the report, the size of victim organization seems to have decreased, possibly indicating that bigger organizations have used their bigger budgets to rectify their security shortcomings," Callow said.

"While that would obviously be a good thing, it would still mean that ways would need to be found to help smaller organizations get to where they need to be."
