Are ransomware attacks in the US rising or falling? Why it’s hard to tell | Informatic direction

Ransomware is down, if you count the number of attacks reported to news sites and regulators.

Or it is up, if you count the number of victims listed by ransomware gangs.

Or it was down in the first seven months of the year, but now it’s up…

The truth, says a year-end analysis of US data by Emsisoft researchers, is that we don’t know what the truth is.

“Only a minority of ransomware attacks against private sector companies [in the United States] are publicly disclosed or reported to law enforcement,” the report states, “resulting in a dearth of statistical information. The reality is that no one knows for sure if the number of attacks is stable or trending up or down.”

For this reason, Emsisoft’s report focuses on just four sectors. According to Emsisoft’s tally, 105 local governments, 44 universities and colleges, 45 school districts operating 1,981 schools, and 24 healthcare providers operating 289 hospitals were affected by ransomware last year. The figures come from disclosure statements, news articles, the dark web and verified third-party news feeds.

Missing are the attacks on the technology, service, hospitality and retail sectors.

As in many countries around the world, U.S. organizations are not required to publicly report violations of security controls.

“The fact that there does not appear to have been a decrease in the number of incidents [in the United States] is concerning,” say the Emsisoft researchers. Anti-ransomware initiatives have included White House executive orders, international summits, increased efforts to disrupt the ransomware ecosystem, and the creation by Congress of an interagency body, the Joint Ransomware Task Force (JRTF), to unify and strengthen efforts. “Yet, despite these initiatives, ransomware so far does not appear to be less of a problem,” the report said.

The number of local governments affected increased from 2021, when 77 ransomware attacks were launched against governments. However, the researchers point out that the 2022 numbers were significantly affected by a single incident in Miller County, Arkansas, where a compromised mainframe spread malware to endpoints in 55 different counties. Data was stolen in at least 27 of the 105 incidents.

The 89 education sector organizations hit by ransomware last year were just one more than the 88 in 2021. However, there was a big difference in the total number of individual schools potentially affected. In 2021, the affected districts had 1,043 schools between them but, in 2022, that figure nearly doubled to 1,981 schools. Data was exfiltrated in at least 58 incidents.

The most significant incident of the year was the September attack on the Los Angeles Unified School District, which, with more than 1,300 schools and 500,000 students, is the second largest district in the United States. According to TechCrunch, some 500 GB of data was copied and released.

At least three organizations paid a ransom, including the Glenn County Education Office, CA, which paid US$400,000.

The most significant healthcare incident of the year was the attack on CommonSpirit Health, which operates nearly 150 hospitals across the United States. The personal data of 623,774 patients was compromised.

Emsisoft researchers note that the number of incidents does not provide a complete picture of the ransomware landscape, nor does it necessarily indicate whether government anti-ransomware initiatives are succeeding or failing. For example, a decrease in the level of disruption caused by attacks or the amount paid in ransoms could be considered a victory, even if the number of incidents had increased.

Implementing best practices can limit the scope of an attack (for example, by preventing lateral movement), they argue. An organization that detects and blocks an attack in its early stages may encounter only a few encrypted endpoints, while another may experience a catastrophic, weeks-long organization-wide outage. “These are obviously very different events in terms of scale and impact, but just counting the incidents doesn’t tell them apart. The best measure of the effectiveness of anti-ransomware initiatives would be whether dollar losses from incidents have increased or decreased, but, unfortunately, this data is not available.”

Finally, researchers say it’s time to stop calling this class of malware “ransomware” because some attacks are nothing more than data theft by ransomware groups.

“A better way to look at these incidents would simply be ‘data theft events.’ ‘Encryption-based data theft’ and ‘exfiltration-based data theft’ are subcategories of data theft events. These descriptors may not be ideal substitutes for ‘ransomware’ but we’re sure someone can come up with better alternatives,” the researchers said.

Another version of this argument was offered by a threat analyst at last fall’s SecTor conference in Toronto.

The original article is available at IT World Canada, a sister publication of Informatic direction.

French adaptation and translation by Renaud Larue-Langlois.
