A new report documents the disturbing increase in ransomware attacks on critical services in the US, as cybersecurity experts increasingly call for an international ban on making extortion payments to the hackers.
While major ransomware attacks on private companies like MGM Resorts dominated headlines in 2023, an increasing number of schools, hospitals and local governments were also hit by hackers.
A total of 2,207 US hospitals, schools and governments were directly affected by ransomware during the year, according to a report released on Tuesday by cybersecurity company Emsisoft.
Citing research from the University of Minnesota's School of Public Health, the report estimates that errors and delays caused by ransomware attacks on U.S. health care systems are likely to kill about one person per month.
Ransomware gangs operate by infiltrating victim organizations and encrypting their IT infrastructure, demanding payments that can run into the tens of millions of dollars in exchange for the encryption keys to restore access.
The University of Kansas Health System-St. Francis Campus in Topeka is among the hospitals that had to divert ambulances due to a ransomware attack in November.
Often, victims quietly pay off hackers to avoid service disruptions and negative headlines.
But a growing chorus of experts are calling for new laws banning such ransom payments, saying it is the only way to end the attacks.
“Current counter-ransomware strategies amount to little more than building speed bumps and hitting moles,” said Brett Callow, a threat analyst at Emsisoft.
He added: “The reality is that we are not going to defend our way out of this situation, and we are not going to defend our way out of this situation.
“As long as ransomware payments remain legitimate, cybercriminals will do everything they can to collect them.
“The only solution is to financially discourage attacks by completely banning the payment of demands. At this point, a ban is the only approach that is likely to work.”
In 2023, high-profile ransomware victims included a November attack on Ardent Health Services, a 30-hospital health care system, which led to hospitals in three states diverting ambulances.
According to Emsisoft, a total of 46 hospital systems, including 141 hospitals, were hit by ransomware attacks last year. At least 32 of the 46 systems had information stolen, including protected health information.
The attacks almost certainly cost lives due to disruptions in healthcare, although the exact death toll is difficult to measure precisely.
The University of Minnesota School of Public Health study found that ransomware attacks killed an estimated 42 to 67 Medicare patients between 2016 and 2021, or about one per month.
“The longer the ransomware problem remains unsolved, the more people it will kill,” the Emsisoft report said.
School systems were also attacked by ransomware last year, with notable victims including Minneapolis Public Schools.
That attack disrupted education at multiple Minneapolis schools and resulted in nearly 200,000 stolen files being posted online, including highly sensitive information such as campus sexual assault reports and teacher abuse cases.
Emsisoft estimates that at least 108 K-12 districts were affected by ransomware in 2023, more than double the 45 affected in 2022.
The affected districts totaled 1,899 schools and at least 77 of the 107 had data stolen.
The report also estimates that at least 72 post-secondary schools were affected by ransomware last year, up from 44 in 2022, and at least 60 of the 72 schools had data stolen.
The University of Hawaii, Southern Arkansas University and Stanford were among the higher education institutions affected last year.
Government agencies are also falling victim to ransomware at an alarming rate, with the cities of Dallas, Modesto and Oakland all attacked last year.
California's San Bernardino County admitted it paid a $1.1 million ransom to end a ransomware attack, while another victim, the government of Lowell, Massachusetts, spent $1 million on credit protection for employees whose data was leaked.
In 2023, at least 95 government agencies were affected, and at least 60 were confirmed to have data stolen.
While the number of government attacks is down slightly from the 106 attacks recorded in 2022, Emsisoft notes that this is due to a 2022 service provider breach that simultaneously affected 55 governments in Arkansas, increasing the number that year.
The company noted that accurately tracking ransomware attacks is notoriously difficult, not least because victims often hide that they are being targeted, or describe the attack with obscure terms such as an “encryption event.”
“The only viable mechanism by which governments can quickly reduce ransomware volumes is to ban ransom payments,” the report states.
“Ransomware is a profit-driven business. If it is made unprofitable, most attacks will quickly stop.”