Reports of government ransomware attacks are down, but looks are deceiving
A report earlier this month from the Ransomware Task Force, a group of roughly 60 tech-industry and public-sector cybersecurity experts who’ve been studying the titular threat, found that while organizations worldwide continue to suffer attacks, the clip of incidents affecting local government and health organizations in the United States looks to have slowed.
The task force, citing data compiled by Recorded Future intelligence analyst Allan Liska, said there had been 64 documented attacks on local governments, schools and hospitals so far in 2022, compared with about 150 over the same period a year prior. Yet incidents continue to be financially costly and operationally devastating — the City of Quincy, Illinois, in May paid $500,000 for a decryption key and is still sorting through damage to its services.
But why the overall ransomware tally has fallen off remains an open question.
“There may be fewer attacks,” Liska told StateScoop. “I have trouble believing that because every [incident response] person I know is still booked fully, mostly with ransomware.”
Cataloging ransomware incidents also continues to be meticulous work, depending on a combination of professional contacts, monitoring ransomware gangs’ extortion sites and scanning headlines from local news sources, which are often the first to report if a school, hospital or government office is experiencing a cyberattack.
Liska is also not the only ransomware tracker to notice the numbers are off in 2022.
“We’ve actually seen a decrease in the public sector,” said Brett Callow, an analyst at the antivirus firm Emsisoft who’s also followed ransomware incidents for several years.
Callow said that through the end of June, he’d counted 30 attacks on local governments and 35 on organizations in the education sector, compared with 53 and 59, respectively, over the first six months of 2021.
Like Recorded Future’s, Emsisoft’s numbers are based on a blend of public disclosures, leak sites and the company’s direct engagements with victim organizations.
But the leak sites, where ransomware actors threaten their victims with the publication of stolen data, aren’t as reliable a source as they once were, Liska said. Cybercriminals, he said, are starting to take longer to post their ill-gotten files, or are moving toward other extortion tactics, like directly contacting and threatening an organization’s customers, patients or students.
“We as an industry have become reliant on extortion sites,” Liska said.
These conditions heighten the importance of new requirements — at both the federal and state levels — that ransomware victims report their incidents to the relevant authorities quickly. While a new federal law signed in March put a 72-hour deadline on critical infrastructure operators to report attacks to the Department of Homeland Security, a growing number of states have created or are in the process of creating their own rules for local-government entities and other sectors, like water and sewer operators.
Still, it will take some time for reporting requirements to show a fuller picture of an evolving ransomware landscape.
“I do think part of that is the U.S. makes up a smaller percentage of total victims. The U.S. is bad enough at reporting and other countries are even worse,” Liska said. “I’ve been shouting that we need this for five years now. It’s good to see the progress. We’ll need those reporting requirements in place and hopefully that’ll continue to drive what we know about all of this and allow us to continue to improve.”