The State of Ransomware in the US: Report and Statistics 2019

December 12th, 2019: This report was originally scheduled to be published on January 1st, 2020. We have, however, decided to release it immediately due to a recent incident in which a ransomware attack may have resulted in a municipal government’s data falling into the hands of cybercriminals. We believe this development elevates the ransomware threat to crisis level and that governments must act immediately to improve their security and mitigate risks. If they do not, it is likely that similar incidents will also result in the extremely sensitive information which governments hold being stolen and leaked.  We hope that releasing this report early will help kickstart discussions and enable solutions to be found sooner rather than later. Those solutions are desperately needed. The numbers contained in the report will be updated at the end of the year and, unfortunately, will almost certainly be greater than the numbers currently stated. 

Update – December 23rd, 2019: The Maze Group today published on the clear web 2GB of data stolen from the City of Pensacola. We repeat the warning made above: the threat level is now extreme and governments must act immediately to improve their preparedness and mitigate their risks.

Update – December 31st, 2019: The numbers in this report have been updated and now reflect the end of year totals. 

What happened?

In 2019, the U.S. was hit by an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 966 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion. The impacted organizations included:

The incidents were not simply expensive inconveniences; the disruption they caused put people’s health, safety and lives at risk.

“The fact that there were no confirmed ransomware-related deaths in 2019 is simply due to good luck, and that luck may not continue into 2020. Governments and the health and education sectors must do better.” — Fabian Wosar, CTO, Emsisoft.

Other effects of the incidents included:

This report examines the cost and the causes of the incidents, discusses the courses of action that should be taken and breaks down the numbers by sector.

What was the cost?

Due to the lack of publicly available data, it is not possible to accurately estimate the cost of these incidents. Perhaps the best indication of the potential cost comes from a statement made by Winnebago County’s Chief Information Officer, Gus Gentner, in September: “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover.”

We cannot comment on the accuracy of that statement but, if correct, the combined cost of 2019’s ransomware incidents could be in excess of $7.5 billion. While we believe this overstates the actual costs – a small school district’s recovery expenses are unlikely to run to seven figures – it nonetheless provides an indication of the enormous financial impact of these incidents.

It should be noted that these incidents also had a broader economic impact. For example, in some instances, companies were unable to obtain the necessary permits and documentation to carry out certain work, disrupting and delaying their operations. Estimating these costs is beyond the scope of this report.

Why did it happen?

Ransomware incidents increased sharply in 2019 due to organizations’ existing security weaknesses and the development of increasingly sophisticated attack mechanisms specifically designed to exploit those weaknesses. Combined, these factors created a near-perfect storm. In previous years, organizations with substandard security often escaped unpunished; in 2019, far more were made to pay the price, both figuratively and literally.

A report issued by the State Auditor of Mississippi in October 2019 stated there was a “disregard for cybersecurity in state government,” that “many state entities are operating like state and federal cybersecurity laws do not apply to them,” and identified problems including:

The report also stated that “Over half of the respondents were less than 75 percent compliant with the Enterprise Security Program.” The program establishes minimum security requirements and compliance is required by law.

It should be noted that only a minority of states conduct statewide audits and, despite the multiple serious deficiencies that Mississippi’s audit identified, it was nonetheless one of the states least affected by ransomware in 2019. This gives rise to an obvious question: would audits in other states reveal that their security is even worse?

A 2019 University of Maryland, Baltimore County research report based on data from a nationwide survey of cybersecurity in U.S. local governments stated that “Serious barriers to their practice of cybersecurity include a lack of cybersecurity preparedness within these governments and funding for it,” and that “Local governments as a whole do a poor job of managing their cybersecurity.” The issues identified included:

In some cases, governments failed to implement even the most basic of IT best practices. For example, Baltimore experienced data loss because data resided only on end-user systems for which there was no backup mechanism in place.

“Our research has shown that most American local governments do a poor job practicing cybersecurity. They must do better. And they can start by establishing a culture of cybersecurity throughout their organizations to best protect citizen information and maintain continuous service delivery.” — Donald F. Norris, PhD, Professor Emeritus, UMBC; Laura Mateczun, JD, PhD student in Public Policy, UMBC.

The fact that governments are failing to implement basic and well-established best practices, even when legally required to do so, can only be described as grossly negligent – especially as these entities know full well that they are likely to be targeted in the ongoing campaign of cyberattacks. There is no excuse for this. They need to do better. They must be made to do better.

Unless governments improve their cybersecurity posture, cyberattacks against them will continue to succeed.

What needs to be done?

There is no single silver bullet. Multiple initiatives are necessary in order to make public entities more secure and less susceptible to ransomware attacks and other security incidents.

Insights and observations

Breakdown by sector

State, municipal and other government agencies

At least 113 government entities were impacted by ransomware in 2019 with notable incidents including:

Education

There were at least 89 universities, colleges and school districts impacted, disrupting operations at up to 1,233 individual schools.

Healthcare

Healthcare organizations are under immense pressure to pay ransom demands as failure to comply could result in disruption that may endanger the lives of patients. The healthcare sector was the most popular target in 2019, with at least 764 providers being impacted by ransomware.

Conclusion

Like other businesses, criminal enterprises pursue strategies that have been proven to work. Given that ransomware attacks against governments, healthcare providers and educational institutions have indeed been proven to work, these sectors are likely to continue to be heavily targeted in 2020. Additionally, given the financial resources now available to bad actors and the significant profits that can be made, organizations in these sectors should expect that attacks will increase in both sophistication and frequency, possibly with the threat of the release of exfiltrated data being used as additional leverage to extort payment.

Payments are the fuel that drives ransomware. The only way to stop ransomware is to make it unprofitable, and that means the public sector must practice better cybersecurity so that ransoms need not be paid.

Governments must act, and they must act now.

“2020 need not be a repeat of 2019. Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly.” — Fabian Wosar, CTO, Emsisoft.

 

THANKS AND NOTES

We’d like to thank the academics, journalists, security researchers and other individuals who kindly shared information with us over the course of 2019. Without that information, we would not have been able to help as many ransomware victims as we did. We hope the information we were able to share with them was equally useful. 

This report is based on data from multiple sources, including press reports, and almost certainly understates the actual number of incidents. The report does not include data relating to attacks on private companies as these incidents are too infrequently disclosed to enable the production of meaningful statistics.

 

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.
