In 2022, ransomware affected hundreds of organizations across all sectors.
Since the start of 2022, ransomware attacks have impacted more than 200 large organizations in public sectors such as government, education, and healthcare.
Data collected from reports, disclosure statements, leaks on the dark web, and third-party intelligence show that threat actors stole data in about half of these ransomware attacks.
Ransomware attacks struck the U.S. hard, hitting 105 counties, 44 universities and colleges, 45 school districts, and 24 healthcare providers. Emsisoft, a cybersecurity company, stated that the statistics listed for the sectors affected by ransomware are underestimates and do not include all victims.
The numbers in the end-of-the-year report on the state of ransomware in the United States should be considered conservative, because they cannot be used to form an accurate trend. Ransomware incidents affecting public-sector organizations are more likely to be disclosed, which allows for more consistent data. Many researchers state that, for this reason, the information could serve as a hint of ransomware activity in the private sector of the U.S.
Attack Tactics, Techniques & Procedures:
- Data Manipulation (T1565)
- Data Destruction (T1485)
- System Shutdown/Reboot (T1529)
Resource Development (TA0042)
- Compromise Accounts (T1586)
- Stage Capabilities (T1608)
- Compromise Infrastructure (T1584)
Credential Access (TA0006)
- Exploitation for Credential Access (T1212)
Initial Access (TA0001)
- Valid Accounts (T1078)
- Trusted Relationships (T1566)
- Phishing (T1566)
- Exploitation of Public Facing Application (T1190)
- Gather Victim Identity Information (T1589)
- Phishing for Information (T1598)
- Exfiltration Over C2 Channel (T1041)
Privilege Escalation (TA0004)
- Exploitation for Privilege Escalation (T1068)
- Valid Accounts (T1078)
Defense Evasion (TA0005)
- Masquerading (T1036)
Affected Assets and Organizational Impact:
2022 was a rough year for both the public and private sectors in the United States. Hundreds of schools, universities, healthcare organizations, and counties were hit by ransomware. Some attacks resulted in millions of dollars lost, thousands of customers and employees having their private information leaked, and, in some sad cases, universities being forced to shut down.
2022 saw growth over 2021: ransomware attacks on local governments grew from 77 to 105. Emsisoft also noted that the only one to pay a ransom was Quincy, MA, which led to them losing $500,000. Ransomware hit 89 organizations in the education sector, including school districts and universities.
In total, 44 universities and colleges and 45 school districts were affected, and in at least 58 of those attacks the threat actors stole data. Although the total number of ransomware attacks in this sector is less than 100, the number of potentially impacted organizations is more than 2,000, since the affected school districts operate 1,981 schools.
One of the most significant targets in 2022 was the Los Angeles Unified School District, an attack claimed by the Vice Society ransomware gang. Only three education organizations paid a ransom to hackers, one of which was the Glenn County Office of Education.
They paid $4000,000 to the Quantum ransomware group. Lastly, 290 hospitals were potentially affected by ransomware. For the healthcare sector, it is difficult to track the number of victims affected because there are too many unclear disclosures. Even though the number is small, the impact is more significant. The most notable organization attacked was CommonSpirit Health.
Mitigation and Response:
Some ransomware attacks were still ongoing, unclassified, or unreported at the time the data was compiled. Emsisoft’s report provides valuable insight into ransomware activity in the U.S. and shows how it compares to statistics from previous years.
Companies can protect themselves from ransomware by implementing a combination of technical and administrative controls. Technical controls include regularly updating software and operating systems, using endpoint protection software, and backing up important data.
Administrative controls include developing an incident response plan, educating employees on how to recognize and avoid phishing emails and other social engineering tactics, and implementing access controls to limit who can access sensitive information. Additionally, it is important for companies to have a disaster recovery plan in place in case a ransomware attack does occur to minimize the damage caused by the attack.