Emsisoft has published the state of ransomware report for 2022, providing a synopsis of ransomware attacks that occurred in the US last year. The report categorizes the attacks by the areas they affected — local government, education, and healthcare. Overall, 106 local governments, 44 universities, 1,981 schools, and 290 hospitals faced ransomware attacks. Information in the report came from various sources, including the dark web, press reports, third-party feeds, and disclosure statements. 

Despite the US government’s best efforts and awareness campaigns since 2019, the ransomware attack figures have remained mostly the same in the years following. The report acknowledged its estimations don’t consider the attacks repelled by government efforts. Since accurate ransomware data collection can be tricky, the report indicated that its findings are on the minimum-range side. 

“When it comes to cybersecurity incidents, it has always been hard to get accurate statistical information. What data is available is based largely on publicly available reports, but not all incidents are made public, even in the public sector and, consequently, the true number of incidents in all sectors of the economy is and has always been higher than reported,” read the official blog.

Emsisoft State of Ransomware Report: Local Governments

Cyberattacks targeting local governments have jumped from 77 in 2021 to 105 in 2022. However, the figures for this year also include the cyberattack in Miller County, Arkansas. In this incident, a single malware spread to 55 different counties.

A single large-scale incident like that can tip the scales and warp estimations. For example, if you exclude the Arkansas incident, cybercriminals stole data in about 54% of the cases. If you include the incident, the number is down to about 26%. 

Only one local government paid ransom to cybercriminals this year: Quincy of Massachusetts paid  USD 500,000 in ransom to retrieve stolen files. Five million dollars was the highest local government ransom demanded in 2022 in Wheat Ridge, Colorado. 

The following year-by-year comparison shows that the incident figures have remained quite consistent since 2019: 

• 2019 — 113
• 2020 — 113
• 2021 — 77
• 2022 — 105

On Christmas, an attack in North Carolina left 6 local governments locked out of their online records. As a result, they couldn’t access wills, birth certificates, death certificates, marriage licenses, and other documentation. They were forced to use pen and paper, bringing their operational efficiency to a standstill. 

Emsisoft State of Ransomware Report: Education

The attack on the Los Angeles Unified School District, affecting 1,300 schools and 500,000 students, was the most significant of 2022. The total number of education institutions targeted doubled from the previous year: 1,043 to 1,981. This figure includes 45 school districts and 44 colleges. In these attacks, cybercriminals extracted data in 65% of incidents, up from 50% in the previous year. 

Out of all the attacks targeting educational institutions, at least three paid the ransom. This includes the USD 400,000 ransom Glenn County Education Office in California paid. Like the figures of local government attacks, the attacks on educational institutions have also remained stable since 2019:

• 2019 — 89
• 2020 — 84
• 2021 — 88
• 2022 — 89

Attacks on educational institutions carry other costs as well. These attacks bring university operations to a halt and delay module progression. Activities like test markings, accessing online lectures, and submitting assignments are all consequences of ransomware attacks. 

Such costs are unbearable for institutions. They would also require proper awareness among both teachers and students about how ransomware attacks happen. Students are susceptible to clicking on malware and Trojans, which can lead to ransomware. In response to the recent breaches, Berkeley has recommended cybersecurity training for all its students and professors. 

Emsisoft State of Ransomware Report: Healthcare

The healthcare sector, with its vast, sensitive information collections, remains a favorite target of cybercrime gangs. Administrators in healthcare can’t afford the information leaking out, which forces them to give in to the criminals’ demands. The Emsisoft report revealed that the number of cyberattacks in the healthcare sector is huge. Yet, the industry lacks transparent reporting. 

Emsisoft reported 24 healthcare ransomware incidents in 2022, potentially affecting 289 hospitals. In 71% of the cases, cybercriminals exfiltrated Protected Health Information (PHI) and other data. Due to a lack of disclosure, Emsisoft couldn’t ascertain the extent of its reported breaches. However, the most significant cybersecurity incident concerning healthcare in 2022 was the attack on CommonSpirit Health — which operates 150 hospitals. 

More recently, a Hive ransomware attack on the Lake Charles Memorial Health System (LCMHS) in Louisiana affected over 270,000 patient records. Leaked information from the Hive attack included patient names, addresses, dates of birth, medical record or patient identification numbers, health insurance information, payment information, and/or limited clinical information regarding care received at LCMH. 

In an unexpected event recently, LockBit apologized to the SickKids Hospital in Toronto and even offered the decryptor to the hospital after its affiliates held the hospital’s technology for ransom. The group said the attack on the hospital violated its terms of service. However, apologies are rare, and it’s better to be safe than sorry. 

Recommendations, Remedies, and Safeguards

The report focuses on public sector breaches because of the lack of transparency in private organizations. In particular, the lack of transparency around disclosing information related to ransomware or other breaches. Yet, private companies that suppress information related to ransomware and breaches still need to bolster their defenses. This is especially the case since cyberattacks have increased in complexity and extent. 

All commercial entities should implement the most highly recommended cybersecurity practices to protect against and mitigate cyberattack aftershocks. These measures include multifactor authentication across all services, regular and automated patching, high-quality antivirus and malware detection tools, and employee awareness campaigns. Penetration testing is also an excellent way to find weaknesses in any network. 

While commercial entities can choose to pay the ransom to get their data back, the public sector may no longer have this choice: Florida and North Carolina have introduced legislation preventing public sector entities from paying ransomware demands. But private entities could face severe penalties for neglecting proper security measures and failing to protect user information on their servers. 

Future Implications 

Ransomware is here to stay, despite public and private organizations’ best efforts to curb it. In fact, ransomware attacks are growing in sophistication. To counter the new ransomware attacks and to spread awareness about them, Emsisoft first recommends calling them by names that more accurately describe the nature of these attacks. Suggested terms include “data extortion events,” “encryption-based data extortion,” and “exfiltration-based data extortion.” 

Among the report’s blindspots are the success of government efforts and details about the severity of incidents, such as the spread of lateral infection. Regardless, the fact remains that information is key when it comes to ensuring protection against ransomware. In light of all this, Georgia’s legislation to allow public entities to suppress reporting of cybercrime incidents is alarming. 

This could set quite a worrying precedent, as the cybersecurity industry benefits from quick communication regarding the most recent cybercrime breaches. With more sophisticated threats on the horizon, companies can benefit from information sharing and updated defense mechanisms. 

The post Emsisoft State of Ransomware Report for 2022 Reveals No Reduction in Attacks appeared first on TechGenix.

After LockBit encrypted information in an attack on the Hospital for Sick Children (SickKids) in Toronto on Dec.18, it has tendered an apology and a free decryptor to the hospital. LockBit has come out against the attack, calling it a violation of its terms of service by an affiliate, and said it doesn’t target institutions where a compromise “could lead to death.” By Jan. 1, SickKids had restored 60% of its operations.

The hospital was forced to declare “System Failure” under its code “Grey”. Despite disrupting hospital phone lines and web pages, the breach didn’t affect patient care. Attempting to ease privacy concerns from such attacks, the hospital claimed the cybercriminals didn’t steal any sensitive patient information — a rarity in such cases.

The decryptor, which includes Linux/VMware ESXi, suggests that the attack could only encrypt virtual machines on the hospital’s network, and no Windows machines were compromised.

LockBit’s Ransomware-as-a-Service Model

LockBit operates a ransomware-as-a-Service (Raas) model. This enables it to lend the software to affiliates whose job is to use the software to penetrate networks and perform operations. At the same time, LockBit itself only has to maintain the encryptors, decryptors, and websites. These affiliates pocket 20-25% of the profits on each extortion.

Once the cybercriminals encrypt a server, they hold it for ransom, refusing to decrypt it unless the victims make the payment. Mostly, a payment results in server and file decryption. Cybercrime groups run on commercial principles, so they have to keep up their end of the bargain.

LockBit, under its terms, forbids encrypting medical data. Nonetheless, it delayed the release of the decryptor in this case. Yet, the same terms and conditions haven’t stopped its affiliates from breaching hospitals in the past. In August, LockBit affiliates compromised the Center Hospitalier Sud Francilien (CHSF) in France and demanded $10 million in ransom. The group leaked staff and patient data online when the hospital failed to meet its demands.

It seems as if these terms and conditions allow LockBit to keep its distance from affiliates in case its vigilante reputation is at stake. It could plead deniability and sever relations with the affiliate if the attack doesn’t go down well. By lending its ransomware, it can just stay back and lurk in the shadows. 

The ransomware it has developed is automated and easy to use. Once it infects a single host on a network, the virus spreads to other hosts on autopilot. It also automatically completes post-exploitation procedures, such as the escalation of privileges. 

LockBit Protection — Staying Safe in the World of Ransomware

According to Blackberry, LockBit is one of the most active ransomware strains worldwide. With its ransom demands averaging at about $85,000 per victim, it’s safe to assume that the group mainly targets small to medium-sized enterprises. However, it has also compromised large federal and commercial organizations, demanding ransoms in the millions of dollars. 

Blackberry research explained how LockBit works: “LockBit seeks initial access to target networks primarily through purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. Second-stage LockBit establishes control of a victim’s system, collects network information, and achieves primary goals such as stealing and encrypting data.”

Knowing these patterns, network administrators can devise their defense mechanisms. Above all, a well-rounded cybersecurity strategy that offers robust protection can thwart any cybercrime group, including LockBit. Networks need high-quality antivirus protection as well as sensitive malware detection systems. Bear in mind that not every security product is made equal — some are far better than others at detecting and preventing infections. 

Better still, network administrators should encourage the use of multifactor authentication across as many services as possible. These vastly reduce the risks of network penetration. For employees, administrators should lay down clear guidelines for changing passwords. Further, they should use automatic patch management that can routinely identify and patch vulnerabilities as they arise. Lastly, reduce user privileges on the network to a functional bare minimum. 

The Continual Critical Infrastructure Threat

As highlighted earlier, hospitals continue to be soft targets for cybercriminals. On Christmas, cyberattacks hit the administrative registrars of six counties in North Carolina. As a result of the attack, processing and access to wills, birth certificates, death certificates, marriage licenses, and other governmental procedures have slowed down or halted completely. Local governments have been reduced to using pen and paper, causing operational efficiency to nosedive. 

LockBit was also busy on Christmas launching an attack on the Port of Lisbon Administration (APL). The Port of Lisbon is a key European port, serving a variety of ships from various countries arriving at its harbors. Currently, the APL website (http://portodelisboa.pt) is offline. LockBit added the APL to its ransomware website on Dec. 29. While the port is operational, the cybercrime gang claims to have accessed financial reports, audits, budgets, contracts, cargo information, ship logs, crew details, customer PII (personally identifiable information), port documentation, email correspondence, and more.

In Canada, a cyberattack on Dec. 27 shut down the Canadian Copper Mountain Mining Corporation (CMMC) in British Columbia, though no details have been disclosed yet. CMMC is an 18,000-acre estate, producing 100 million pounds of copper on average per year. 

Hospitals Are an Ongoing Target for Ransomware Operations

Despite the odd compassionate turn in tendering an apology and offering decryption, LockBit and other cybercrime groups like it continue to target hospitals. Recently, a Hive ransomware attack exposed 270,000 patient records at Lake Charles Memorial Hospital. 

In another incident, an attack on CommonSpirit Health — a chain of over 150 hospitals — exposed over 600,000 patients’ data. Hospitals are easy targets and contain vast repositories of patient information. From 24 healthcare exploits in 2022, cybercriminals obtained Protected Health Information (PHI) in over 71% of the cases. Poor data protection procedures coupled with sensitive data and many avenues for exploitation make healthcare systems extremely vulnerable and sensitive targets. 

The post LockBit Apologizes, Gives Decryptor to SickKids Hospital in Toronto appeared first on TechGenix.