Up to 1,981 schools, 290 hospitals, 105 local governments and 44 universities and colleges were hit with ransomware in the US alone during 2022, demonstrating how ransomware attacks remain a significant cyber threat to the public sector and civil society.
In total, 105 state and municipal government agencies disclosed that they were affected by ransomware attacks encrypting files and servers during 2022, an increase from 2021, when there were 77 reported attacks on government.
Researchers suggest that much of the rise in reported ransomware attacks against local governments can be linked to a single incident in Miller County, Arkansas, where one compromised mainframe resulted in malware being spread to endpoints in 55 different counties.
Data was stolen by cyber criminals in just over a quarter of the reported incidents -- although Emsisoft notes that if the incident in Arkansas is disregarded, over half the attacks involved data being stolen.
Of the local government agencies hit with ransomware in 2022, only one organization is known to have paid a ransom, which amounted to $500,000. The largest ransom demand made by attackers against a government entity was $5 million -- which wasn't paid.
However, the number of schools affected by attackers almost doubled in a year. In 2021, ransomware reached a combined total of 1,043 schools, while the number hit in 2022 was 1,981.
In total, 45 school districts were reported to have fallen victim to ransomware attacks, while 44 colleges and universities were also hit with ransomware attacks. Data was stolen in 65% of incidents against education in 2022, compared with 50% the previous year. According to Emsisoft, at least three victims paid a ransom demand for a decryption key, with one known to have cost $400,000.
Hospitals have long been a target for ransomware attacks because many cyber criminals view them as an easy target due to an unfortunate combination: hospitals need their systems to be operating to treat patients but many hospital networks still rely on old, often unsupported software.
The attacks continued in 2022, with 25 incidents against hospitals and multi-hospital health systems, impacting patient care at up to 290 hospitals, with data, including protected health information, stolen in 68% of the reported incidents.
"While the immediate disruption to critical services presents the most obvious risk to patients, outcomes may also be affected in the longer term as the effects of delayed procedures or treatments may not be apparent until weeks, months, or even years after the event," said the Emsisoft blog post.
Overall, the number of reported ransomware attacks during 2022 remained similar to the number of reported incidents in 2021.
However, the figures only account for the public sector, as the private sector doesn't have the same obligations to publicly disclose incidents, so it's difficult to get a real picture of the full extent of ransomware attacks and the disruption they cause.
"This means that more organizations will have been disrupted by ransomware than indicated by the numbers in this report," said researchers.
While ransomware remains a significant cyber threat, there are actions that organizations can take to help them avoid falling victim to attacks or to reduce the impact of an incident.