The 2023 State of Ransomware in the USA

In 2023, financially-motivated ransomware attacks once again targeted the U.S., causing widespread disruptions to critical services, compromising personal information, and potentially resulting in loss of life.

Throughout the year, ransomware affected a total of 2,207 U.S. hospitals, schools, and government entities, with numerous others suffering indirectly through attacks on their supply chains. Moreover, both directly and indirectly, thousands of private sector companies felt the impact of these attacks.

We believe the solution to the ransomware crisis, which has reached unprecedented levels, is a complete ban on ransom payments. In the following section, we’ll explain why we believe this measure is imperative.

The table below shows what was impacted in each of the last three years.

It’s important to understand that gathering statistics on ransomware incidents isn’t straightforward. Many incidents go unreported or undisclosed, which makes compiling accurate data difficult. Furthermore, organizations often use vague terms like “encryption events” instead of “ransomware attacks,” making it harder to track through search methods. While this report draws data from various sources, it’s likely that some incidents weren’t accounted for, meaning the true extent of the issue is probably underestimated.

Why We Need to Ban Ransom Payments

Let’s face the grim reality: ransomware has been linked to approximately one American death per month from 2016 to 2021, and it likely hasn’t stopped since. With each passing day that we don’t address this issue head-on, more lives are at risk. Not to mention the ongoing economic and societal havoc ransomware wreaks.

Governments worldwide have mobilized task forces and pledged not to give in to ransom demands. Law enforcement has been proactive in disrupting ransomware operations, seizing assets, and making arrests. Yet, despite these efforts, ransomware remains as pervasive as ever.

The most effective way for governments to tackle this menace swiftly is by banning ransom payments altogether. Ransomware thrives on profit; take away its profitability, and most attacks will grind to a halt. As security researcher Kevin Beaumont aptly puts it, banning payments is the key to dismantling this profit-driven enterprise.

He’s absolutely correct. Implementing a ban is the safer route to take. We’re faced with a choice: either put an end to ransom payments and consequently halt ransomware, or continue bearing the heavy toll it takes on human lives and finances while we scramble to devise alternative strategies.

Allan Liska, a threat intelligence analyst at Recorded Future, shares this sentiment.

Emsisoft’s threat analyst Brett Callow is also for the ban.

Up until this point, governments have shied away from implementing bans, likely because of the potential repercussions a ban could have on victims. These impacts were highlighted in a 2021 report by The Ransomware Task Force.

If a ban were to be implemented, we believe that malicious actors would swiftly adapt, shifting away from highly impactful encryption-based attacks to less disruptive forms of cybercrime. Attacking organizations incapable of paying wouldn’t make sense for them. Moreover, bad actors already target healthcare providers, local governments, and other custodians of critical infrastructure relentlessly, so it’s doubtful they’d have the motivation or resources to increase their attacks on them.

Another argument often raised against a ban, briefly mentioned in the Task Force’s report, is that some organizations would still break the law and pay the ransom. While this is likely true, it doesn’t negate the effectiveness of a ban. It wouldn’t need to halt all payments; it would just need to stop enough to render ransomware unprofitable. Given that most companies would comply with the law, this objective is achievable.

Sure, banning payments might pose short-term challenges for some victims. But not banning them leads to even more problems, affecting everyone in the long term. It ensures ongoing attacks on organizations, disruptions to essential services like hospitals and schools, substantial economic losses for the U.S., and most importantly, perpetuates the life-threatening risk posed by ransomware.

While other strategies are being explored, they’re unlikely to yield significant results in the short term. A ban stands out as the most immediate solution.

It’s worth noting that implementing a ban wouldn’t be unprecedented. In 2022, both North Carolina and Florida prohibited public sector entities from paying ransoms. To our knowledge, no entity in either state has suffered catastrophic data loss or unusually prolonged downtime due to the ban.

Regarding Hospitals

Ransomware poses a very real danger to human life. In medical emergencies, every moment counts. If ambulances have to be redirected from hospitals under ransomware attack, precious time is lost, increasing the risk of adverse outcomes. Patients might die or end up with permanent disabilities that could’ve been prevented with timely treatment.

But rerouted ambulances aren’t the only threat to patient safety. Delayed procedures, inaccessible medical records, and errors stemming from manual record-keeping can all jeopardize medical outcomes. For instance, in 2022, a 3-year-old patient reportedly received an “overdose” of opioid pain medication due to a hospital’s computer systems being offline. The extent of such incidents and their impact on patient care remains largely unknown.

Moreover, hospitals neighboring those under ransomware attack also face challenges. A study published in May 2023 revealed that nearby hospitals, burdened with additional patients, may struggle with resource limitations, affecting time-sensitive care such as acute stroke treatment. This suggests that targeted cyberattacks on hospitals can trigger disruptions across the entire community’s healthcare delivery system, akin to a regional disaster.

In 2023 alone, ransomware struck 46 hospital systems comprising a total of 141 hospitals. Of these, at least 32 had sensitive information, including protected health data, stolen.

One notable incident occurred in November, when Ardent Health Services, a health system spanning 30 hospitals across three states, fell victim to an attack. This led to ambulance rerouting in affected areas, further exacerbating the strain on emergency medical services.

The Effect on Kindergarten – High School

Let’s talk about K-12 schools. In 2023, ransomware hit hard, affecting over 108 K-12 districts, which is more than double the 45 impacted in 2022. It’s puzzling why this number surged so dramatically. These districts collectively comprised 1,899 schools, and data theft was reported in at least 77 of them.

One particularly alarming incident occurred at Minneapolis Public Schools, where the attack wreaked havoc across multiple schools within the district. The fallout? Nearly 200,000 stolen files made their way online. These files contained highly sensitive information, ranging from details of campus assaults and teacher misconduct cases to students’ psychological evaluations.

Impacted Universities and Post-Secondary Schools

Let’s dive into the impact on post-secondary schools. In 2023, ransomware incidents hit at least 72 post-secondary institutions, a notable increase from 44 in 2022 and just 26 in 2021. At least 60 out of 72 schools reported data breaches. Among those affected were prestigious institutions like the University of Hawaii, Southern Arkansas University, and Stanford.

Government Infiltration

In 2023, at least 95 government entities were hit by ransomware, representing a slight decrease from the 106 affected in 2022. While only 60 of these 95 have confirmed data theft based on public disclosures, it’s highly likely that most, if not all, suffered data breaches.

It’s worth noting that the drop in numbers is partly because the 2022 count included 55 government entities in Arkansas impacted by an attack on a shared solutions provider. Excluding this incident, the 2023 figures would represent a more than 50 percent increase over the previous year.

Among the affected governments were cities like Dallas, Modesto, and Oakland. San Bernardino County shelled out a hefty $1.1 million ransom, while the City of Lowell spent $1 million on credit protection for affected individuals.

In a particularly concerning incident, the U.S. Marshals Service fell victim to a ransomware attack in February, resulting in the theft of sensitive information related to ongoing investigations, third parties, and certain employees. Subsequently, data allegedly stolen from the USMS surfaced on a Russian-language cybercrime forum, highlighting the serious implications of such attacks.

The Private Sector

Gathering statistics on incidents involving the private sector is no walk in the park. Underreporting and deliberate attempts to obscure information make it a real challenge. Consequently, even fundamental questions like the total number of incidents and the percentage of victims who pay remain frustratingly elusive.

However, we do know that some major players took a hit in 2023. Household names such as Boeing, MGM Resorts, Caesars Entertainment, DISH Network, and Johnson Controls found themselves on the list of victims.

The Economic Impact

In the first half of the year, a staggering $449 million was paid out in ransoms, according to Chainalysis’ mid-year update, and 2023 seemed to be shaping up as the second most lucrative year on record for ransomware actors. The lion’s share of that ransom money likely came from U.S. organizations.

Beyond ransom payments, the fallout from ransomware attacks encompasses a range of costs: business interruptions, incident response, intellectual property losses, and a slew of post-breach expenses like regulatory filings and notifications. The lack of comprehensive data makes it uncertain, but the economic toll on the U.S. is likely to reach billions of dollars. For instance, MGM Resorts pegged the price tag of its September breach at $100 million, while Clorox’s August attack has already cost a whopping $356 million.

It’s worth noting that the financial repercussions of ransomware don’t just hit the targeted companies. Attacks on solution and service providers can disrupt their corporate clients and trigger broader ripple effects. Case in point: around 60 credit unions grappled with outages in December due to an attack on a tech provider, leaving customers locked out of their accounts.

Ransomware Payment Trends

In 2018, ransom payments were averaging around $5,000, but fast forward to 2023, and that figure has skyrocketed by a staggering 29,900 percent to approximately $1.5 million. This exponential surge played a pivotal role in the rampant rise of ransomware incidents. With ransomware actors now sitting on a whopping 29,900 percent increase in funds compared to before, they’ve got more resources to pump into expanding their operations, acquiring zero-day vulnerabilities, and infiltrating networks through purchasing and bribery. Consequently, they’re becoming increasingly difficult to thwart, and if ransom payments continue to soar, they’ll only become more formidable to combat.

It’s crucial to highlight that threat actors are resorting to more extreme tactics, driven by the hefty sums at stake, and are likely to escalate further. For instance, in December, reports surfaced of a malicious actor attempting to coerce a cancer hospital into paying a ransom by threatening to endanger its patients. This included threats of “swatting” – a dangerous practice where hoax calls to 911 prompt SWAT team-like responses at targeted addresses, resulting in injuries and fatalities. The potential for such situations to escalate underscores the urgent need for decisive action.

Lastly, it’s imperative for governments to delve into the factors that facilitated ransomware’s rapid transformation from a mere nuisance to a multi-billion dollar crisis. For instance, did cyber insurance play a role in driving the 29,900 percent surge in ransom demands, and if so, how could that have been mitigated? Extracting lessons from these developments can inform more effective legislative responses to future threats.

Protect Yourself Personally and Professionally from Ransomware

Protecting yourself from ransomware requires a proactive and comprehensive approach, both in your personal life and at work. Start by keeping all your software up to date, including operating systems and antivirus programs. Cybercriminals often exploit outdated software to launch ransomware attacks. Additionally, regularly back up your important data to an external drive or cloud storage. If hackers manage to breach the security of your system, you have the power to recover your files by restoring them from the backup. This proactive step ensures that you are not left vulnerable or at the mercy of the hackers’ intentions. It empowers you to quickly regain control of your digital assets and mitigate any potential damage resulting from the security breach. For more information, read this article, How to Protect Your Personal Identifiable Information.

On a professional level, it’s crucial to foster a culture of cybersecurity awareness. Conduct regular training sessions to educate employees about the dangers of phishing emails and the importance of strong, unique passwords. Encourage the use of two-factor authentication wherever possible to add an extra layer of security. Businesses should also implement a robust cybersecurity framework, including firewalls, endpoint protection, and secure backup solutions, to safeguard against potential attacks. You can read more about why Every Business Needs Cybersecurity Awareness Training.

Lastly, always be skeptical and cautious. Don’t click on links or download attachments from unknown sources. Learn about the 5 Ways to Spot and Prevent Scams. A simple thing to do is verify the authenticity of emails, especially those that request personal or financial information. At work, ensure there are clear protocols for handling suspicious emails and that there is an easy way for employees to report them. By taking these steps, you can significantly reduce your risk of falling victim to ransomware and keep your, and your company’s, digital life secure.

Intech-Hawaii Can Help You Fight Against Ransomware and Cybercriminals

At Intech-Hawaii, we’ve managed cybersecurity training and simulated phishing tests for our clients for a good while now. The modules in our training are fun and engaging. You can watch videos and play cybersecurity games (you read that right, games) all at your own speed. Who ever said learning had to be a drag? Our clients love it! They have shared how these modules boost their business’s security and arm their employees with skills they use in their personal lives. Curious about making your team cybersecurity savvy? We’re all ears and ready to chat. Drop us a line or call 808-596-9500 and our friendly pros will explore the best options with you.