Ransomware continues to be a significant challenge for colleges and universities, school districts, and hospitals across the country, according to a new report.
The 2022 report, released Monday by digital security firm Emsisoft, determined 89 education sector organizations were impacted by ransomware. Broken down, hackers demanded ransoms from 44 universities and colleges, and 45 school districts that operate 1,981 schools. Comparatively, in 2021, 58 districts running 1,043 schools were impacted, as were 26 colleges and universities.
Most notable was a Sept. 2022 attack on the Los Angeles Unified School District, the second largest district in the U.S. which serves 1,300 schools and 500,000 students. Working closely with local law enforcement, the FBI, and the federal Cybersecurity and Infrastructure Security Agency (CISA), Superintendent Alberto Carvalho said he would not negotiate or pay a ransom. The hackers leaked stolen data the following day.
“Unfortunately, as expected, data was recently released by a criminal organization. In partnership with law enforcement, our experts are analyzing the full extent of this data release,” the district wrote in a statement. “Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate.”
The statement echoes sentiments from the FBI, which maintains organizations should not pay a ransom because it doesn’t guarantee they’ll get data back and it encourages more ransomware activities. At least three organizations paid a demand last year, including the Glenn County Education Office in Calif., which paid $400,000.
Also notable, just three days into the new year, Swansea (Mass.) Public Schools announced it canceled classes Wednesday due to a ransomware attack. The district has hired a cybersecurity provider to determine the extent of the attack on the district’s network. A study by NBC10 Boston investigators found that at least 10 Massachusetts communities that were victimized by ransomware gangs have paid their hackers to unlock their files.
Overall, the number of incidents involving the education sector has remained consistent over the last four years, highlighting the increased attention to the issue of cyber attacks by both public and private entities.
Nearly 300 Hospitals Impacted by Ransomware in 2022
In previous years, Emsisoft tracked incidents across the healthcare sector. However, due to the volume of incidents and unclear disclosures, tracking in 2022 was limited to only hospitals. Last year, there were 25 incidents involving hospitals and multi-hospital health systems, potentially impacting patient care at up to 290 hospitals, the report found.
Data including Protected Health Information (PHI) was stolen in at least 17 cases (68%). The most significant was an attack on CommonSpirit Health, which operates almost 150 hospitals in 21 states. The incident resulted in the personal data of 623,774 patients being compromised.
Patient safety was also compromised when a computer system for calculating doses of medication was offline. As a result, a three-year-old patient received an extreme overdose of pain medicine. Other affected hospitals temporarily stopped scheduling surgeries or had to redirect ambulances to other hospitals. The latter proved fatal in Germany in 2020 when a woman died after she was diverted to another hospital 20 miles away when a ransomware attack shut down the university-affiliated hospital where she was being admitted.
The report ends with a request to “retire” the term ransomware, which Emsisoft says could help provide more accurate insights into the number of organizations impacted by cyberattacks.
“Historically, the word was used to describe the malicious software which is used to lock data so that a ransom can be demanded to unlock it. Early ransomware attacks were simple and mostly automated. However, today’s attacks are often complex, human-directed events in which data is exfiltrated and encryption, if it happens at all, is the very last step in the attack chain,” reads the report. “To put it another way, attacks can be exfiltration-only, even when carried out by groups that usually encrypt data – and that means we have ransomewareless attacks by ransomware groups. This creates confusion as to what should and should not be counted as a ‘ransomware’ attack for the purpose of statistics.”
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!