“From 2016 to 2021, we estimate that ransomware attacks killed between 42 and 67 Medicare patients.” — McGlave, Neprash, and Nikpay; University of Minnesota School of Public Health1
In 2023, the U.S. was once again battered by a barrage of financially-motivated ransomware attacks that denied Americans access to critical services, compromised their personal information, and probably killed some of them.
In total, 2,207 U.S. hospitals, schools and governments were directly impacted by ransomware over the course of the year, with many more being indirectly impacted via attacks on their supply chains. Additionally, thousands of private sector companies were either directly or indirectly impacted.
We believe that the only solution to the ransomware crisis – which is as bad as it has ever been – is to completely ban the payment of ransoms. We’ll discuss why we believe this action is necessary in the next section.
The table below shows the number of organizations which were impacted in each of the last three years.
2021 | 2022 | 2023 | |
Hospital systems* | 27 | 25 | 46 |
K-12 school districts* | 62 | 45 | 108 |
Post-secondary schools | 26 | 44 | 72 |
Governments | 77 | 106 | 95 |
Totals | 192 | 220 | 321 |
*Hospital systems are compromised of multiple hospitals and school districts of multiple schools. The total number of hospitals and schools impacted is explained in the sector-specific sections below.
Note that it is far from easy to compile statistical information in relation to ransomware incidents because only a minority of incidents are reported or disclosed. Additionally, even when incidents are disclosed, it is not uncommon for organizations to use obfuscatory language – for example, referring to incidents as “encryption events” rather than “ransomware attacks” – which makes search-based tracking challenging. While this report aggregates data from multiple sources, it is inevitable that some incidents will not have been counted and, consequently, the extent of the problem is almost certainly understated.
Why ransom payments should be banned
As already noted, ransomware is estimated to have killed about one American per month between 2016 and 2021, and it likely continues to do so. The longer the ransomware problem remains unfixed, the more people will be killed by it. And, of course, the economic harm and myriad of societal harms that ransomware causes will also continue for as long as the problem remains unfixed.
Governments have formed task forces, international coalitions, and pledged at the federal level not to pay ransoms,2 while law enforcement has disrupted operations across the ransomware ecosystem, dismantled botnets, seized crypto assets, and made arrests. But despite all of this, ransomware stubbornly remains as much of a problem as ever.
The only viable mechanism by which governments can quickly reduce ransomware volumes is to ban ransom payments. Ransomware is a profit-driven enterprise. If it is made unprofitable, most attacks will quickly stop. Security researcher Kevin Beaumont had this to say.3
“I mean it — ransomware payments to these groups need to be outlawed, internationally. We have to push through the short-term pain because it is the safer option. Start planning for this, signal it loudly, and do it. This one needs firm leadership from the very top, as the lobbying against will be real. Civil society needs protection via firm leadership, not leadership by a small number of firms profiting from the status quo. This is a chance for world leaders to lead when others haven’t.”
He is right. A ban is indeed the safer option. We can either stop ransom payments now, and stop ransomware now, or we can continue to incur the human and financial costs while we attempt to come up with alternative strategies.
Allan Liska, a threat intelligence analyst at Recorded Future, agrees.
“I’ve resisted the idea of blanket bans on ransom payments for years, but I think that has to change. Ransomware is getting worse, not just in the number of attacks but in the aggressive nature of the attacks and the groups behind them. What we are doing simply isn’t working. Yes, law enforcement has gotten better, but law enforcement cannot act fast enough and is powerless against recalcitrant states, like Russia, that refuse to cooperate. A ban on ransom payments will be painful and, if history is any guide, will likely lead to a short term increase in ransomware attacks, but it seems like this is the only solution that has a chance of long term success at this point. That is unfortunate, but it is the reality we face.”
Brett Callow, a threat analyst with Emsisoft, is also a proponent of a ban.
“Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles. The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either. For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them. The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.
Until now, governments have avoided introducing bans, probably due to the potential impact on victims – impacts which The Ransomware Task Force touched on in a 2021 report.4
“The challenge comes in determining how to make such a measure practical, as there remains a lack of organizational cybersecurity maturity across sectors, sizes of organization, and geographies. Ransomware attackers require little risk or effort to launch attacks, so a prohibition on ransom payments would not necessarily lead them to move into other areas. Rather, they would likely continue to mount attacks and test the resolve of both victim organizations and their regulatory authorities. To apply additional pressure, they would target organizations considered more essential to society, such as healthcare providers, local governments, and other custodians of critical infrastructure.”
Were there to be a ban, we believe that bad actors would quickly pivot and move from high impact encryption-based attacks to other less disruptive forms of cybercrime. It would really make no sense for them to expend time and effort attacking organizations which could not pay. Additionally, bad actors already do attack healthcare providers, local governments, and other custodians of critical infrastructure – relentlessly, day in, day out – and it’s far from certain that they would have either the incentive or the resources to attack them any more frequently.
Another reason that’s often put forward to argue against a ban – and this is also briefly mentioned in the Task Force’s report – is that some organizations would break the law and pay anyway. While that is likely correct, it doesn’t mean that a ban would not be effective. A ban would not need to stop all payments, it would simply need to stop enough to ensure that ransomware ceased to be profitable and, as most companies would abide by the law, this would likely be achieved.
Yes, banning payments may cause problems in the short-term for some victims, but not banning them causes even more problems, and it causes them long-term and for everybody. It ensures that organizations will continue to be attacked, that hospitals, schools and government services will continue to be disrupted, that the U.S. will continue to take a multi-billion dollar economic hit, and, most significantly, that ransomware will continue to be a risk-to-life threat.
Of course, there are other mechanisms that could be tried – and which are currently being tried – but they are unlikely to have a significant impact on ransomware volumes in the short-term. A ban really is the only quick solution.
It should be noted that a ban would not be without precedent. In 2022, both North Carolina and Florida banned public sector entities from paying demands.5 As far as we are aware, no entity in either state has experienced catastrophic data loss as a result of the ban, and nor have any experienced unusually excessive downtime.
Hospitals
Ransomware is without question a risk-to-life threat. In medical emergencies, every second counts. If access to treatment is delayed because the ambulances need to be rerouted from ransomed hospitals, bad outcomes become more likely. Patients may die or be left with permanent disabilities that could have been avoided with speedier treatment.
Rerouted ambulances are not the only risk to patient safety. Delayed requisitions and tests, inaccessible electronic health records, and mistakes related to manual record keeping can also negatively impact medical outcomes. For example, in 2022, a 3-year-old patient was reportedly given a “megadose” of an opioid pain medication as a result of a hospital’s computer systems being down.6 The frequency of such incidents and their impact on patient care and medical outcomes is unknown.
Patient care can also be impacted at hospitals adjacent to ransomed facilities. A research paper published in May 2023 concluded that nearby hospitals which need to deal with the additional patients may experience “resource constraints affecting time-sensitive care for conditions such as acute stroke. These findings suggest that targeted hospital cyberattacks may be associated with disruptions of health care delivery at nontargeted hospitals within a community and should be considered a regional disaster.”7
In 2023, 46 hospital systems with a total of 141 hospitals were impacted by ransomware, and at least 32 of the 46 had information, including protected health information, stolen.
Notable incidents included the November attack on Ardent Health Services – a 30-hospital health system – which resulted in hospitals in three states rerouting ambulances.8
K-12 schools
At least 108 K-12 districts were impacted by ransomware in 2023, more than double the 45 that were impacted in 2022. We have no explanation for this increase. The impacted districts had a total of 1,899 schools between them and at least 77 of the 108 had data stolen.
Notable incidents included the attack on Minneapolis Public Schools which disrupted learning at multiple of the district’s schools and resulted in nearly 200,000 stolen files being posted online. The files included details of campus rape and teacher abuse cases, students’ psychological reports, and other extremely sensitive information.9
Post-secondary schools
At least 72 post-secondary schools were impacted by ransomware, up from 44 in 2022, and 26 in 2021. At least 60 of the 72 had data stolen.
Impacted schools included the University of Hawaii, Southern Arkansas University, and Stanford.
Governments
At least 95 government entities were impacted in 2023, down from 106 in 2022. While only 60 of the 95 are known to have had data stolen based on public reporting, it is likely that most, if not all, did.
Note that the decrease is due to the fact that 2022’s numbers include 55 governments in Arkansas which were affected by an attack on a shared solutions provider.10 Were this incident to be disregarded for statistical purposes, the number of incidents in 2023 would represent more than a 50 percent increase over the previous year.
Impacted governments included the cities of Dallas, Modesto, and Oakland. San Bernardino County paid a $1.1 million ransom11 while another victim, the City of Lowell, spent $1 million on credit protection for affected individuals.12
The U.S Marshals Service experienced a ransomware attack in February during which “information pertaining to subjects of USMS investigations, third parties, and certain USMS employees” was stolen.13 Subsequently, data purportedly stolen from USMS was put up for sale on a Russian-language cybercrime forum.14
The private sector
Underreporting and intentional obfuscation make it challenging to produce statistics in relation to incidents involving the private sector. Because of this, even the most basic questions – such as the total number of incidents and the percentage of victims that pay – cannot be reliably answered.
That said, we do know that multiple household-name companies were impacted in 2023 with the list of victims including Boeing, MGM Resorts, Caesars Entertainment, DISH network, and Johnson Controls.
The economic impact
According to Chainalysis’ mid-year update,15 $449 million in ransoms was paid in the first six months of the year, and 2023 was tracking to be the second most profitable year to date for ransomware actors. The bulk of that $449 million was likely paid by U.S. organizations.
Other ransomware-related costs include business disruption, incident response, loss of intellectual property, and a plethora of other post-breach expenses including regulatory filings and notifications.
While we have insufficient data to estimate the overall cost of ransomware to the U.S. economy, it’s safe to assume it runs to billions of dollars. For context, MGM Resorts estimated the cost of its September attack at $100 million,16 while the August attack on Clorox has cost $356 million so far.16
It should be noted that the financial impacts of ransomware are not necessarily limited to the targeted companies. Attacks on solution and service providers, for example, can disrupt their corporate customers as well as have a ripple effect that is felt more broadly. In December, about 60 credit unions experienced outages as a result of an attack on a technology provider, reportedly leaving customers unable to access their accounts.17
MOVEit
The MOVEit incident was an attack in which a ransomware operation – Cl0p – exploited a zero day vulnerability to steal data via the widely-used MOVEit file transfer platform. The incident affected more than 2,600 organizations – mostly U.S.-based with many victims in the public and education sectors – and may have had a total cost of around $15 billion.
We decided to not to count the affected organizations for the purpose of this report as doing so would heavily skew the numbers. Also, the incident does not necessarily meet everybody’s definition of “ransomware” as no data was encrypted and not every affected organization received a ransom demand.
Wrapping up
In 2018, ransom payments averaged $5,000,18 but by 2023 that had increased by 29,900 percent to about $1.5 million.19 This snowballing was key to the explosion in ransomware volumes. The more money ransomware actors have – and they now have 29,900 percent more than they previously did – the more they can invest in scaling their operations, purchasing zero days, and buying and bribing their way into networks. This makes them harder to stop and, if payments continue to climb, they’ll become even harder to stop.
It should be noted that the tactics used by threat actors have become more extreme and, because of the amount of money now on the line, will likely become even more extreme. For example, in December a bad actor was reported to have attempted to pressure a cancer hospital into paying a ransom by threatening to swat its patients.20 Swatting is the weaponization of the police: calling 911 with hoax reports of criminal activity in order to trigger a SWAT team-like response at target addresses. The practice has resulted in multiple injuries and deaths.21 The potential for further escalation makes it even more critical that swift action be taken.
Finally, it is critical that governments work to understand the conditions which enabled ransomware to rapidly morph from a nuisance-level inconvenience to a multi-billion dollar crisis. For example, was cyber insurance a driver of the 29,900 percent increase in demands and, if so, how could that have been avoided? The lessons learned may enable more effective legislative responses to future threats.
References
1We tried to quantify how harmful hospital ransomware attacks are for patients. Here’s what we found https://www.statnews.com/2023/11/17/hospital-ransomware-attack-patient-deaths-study/
2US-led cybersecurity coalition vows to not pay hackers’ ransom demands https://techcrunch.com/2023/10/31/united-states-cybersecurity-coalition-deny-ransom-demands
3What it means — CitrixBleed ransomware group woes grow as over 60 credit unions, hospitals, financial services and more breached in US https://doublepulsar.com/what-it-means-citrixbleed-ransom-group-woes-grow-as-over-60-credit-unions-hospitals-47766a091d4f
4RTF Report: Combating Ransomware https://securityandtechnology.org/wp-content/uploads/2021/09/IST-Ransomware-Task-Force-Report.pdf
5An inside look into states’ efforts to ban gov’t ransomware payments https://therecord.media/an-inside-look-into-states-efforts-to-ban-govt-ransomware-payments
63-year-old given too much pain medication after cyberattack shut down MercyOne computers, parents say https://www.desmoinesregister.com/story/news/health/2022/10/13/apparent-ransomware-attack-mercyone-iowa-affects-hospital-patients/69553280007/
7Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US https://pubmed.ncbi.nlm.nih.gov/37155166/
8Emergency rooms in at least 3 states diverting patients after ransomware attack https://www.nbcnews.com/tech/security/emergency-rooms-least-3-states-diverting-patients-ransomware-attack-rcna126890
9Students’ psychological reports, abuse allegations leaked by ransomware hackers https://www.nbcnews.com/tech/security/students-psychological-reports-abuse-allegations-leaked-ransomware-hac-rcna79414
10Miller County offices impacted by cyber attack https://www.ktbs.com/news/texarkana/miller-county-offices-impacted-by-cyber-attack/article_5e175af4-6794-11ed-96b8-53186a21f676.html
11San Bernardino County pays $1.1 million to settle ransomware attack https://ktla.com/news/local-news/san-bernardino-county-pays-1-1-million-to-settle-ransomware-attack/
12LifeLock protection to cost Lowell $1 million https://www.lowellsun.com/2023/05/25/lifelock-protection-to-cost-lowell-1-million/
13U.S. Marshals Service suffers ‘major’ security breach that compromises sensitive information, senior law enforcement officials say https://www.nbcnews.com/politics/politics-news/major-us-marshals-service-hack-compromises-sensitive-info-rcna72581
14Hacker selling data allegedly stolen in US Marshals Service hack https://www.bleepingcomputer.com/news/security/hacker-selling-data-allegedly-stolen-in-us-marshals-service-hack/
15Hopewell credit union hit by ransomware attack, blocking customers’ access to accounts https://www.wric.com/news/taking-action/hopewell-credit-union-hit-by-ransomware-attack-blocking-customers-access-to-accounts/
16Crypto Crime Mid-year Update https://www.chainalysis.com/blog/crypto-crime-midyear-2023-update-ransomware-scams/
17MGMG Resorts International 8-K https://www.sec.gov/ix?doc=/Archives/edgar/data/789570/000119312523251667/d461062d8k.htm
18The Clorox Company’s 2023 Cyberattack: Major Fallout, System Disruptions & Product Shortages https://thrivedx.com/resources/article/clorox-companys-2023-cyberattack-fallout
19Global Ransomware Marketplace Report https://static1.squarespace.com/static/5ab16578e2ccd10898976178/t/5bc541a4419202fbc6ce3434/1539654309673/Coveware+Global+Ransomware+Report.pdf
20The Path to Banning Ransomware Payments https://www.centerforcybersecuritypolicy.org/insights-and-research/the-path-to-banning-ransomware-payments
21Recent attacks on Fred Hutch and Integris: Is attempting to extort patients directly becoming the “new normal?” https://www.databreaches.net/recent-attacks-on-fred-hutch-and-integris-is-attempting-to-extort-patients-directly-becoming-the-new-normal/