Disruptive new wave of ransomware hits critical infrastructure
A wave of ransomware attacks targeting critical infrastructure in recent weeks is a stark reminder that the ransomware problem will continue to get worse before it slows down — despite the U.S. government's best efforts.
Why it matters: In the meantime, hackers will keep disrupting critical services at schools, hospitals, financial service institutions and more.
Driving the news: Several critical infrastructure organizations are responding to ransomware this week.
- Some hospitals across the U.S. had to divert ambulances from their emergency rooms and cancel elective procedures throughout the week due to a ransomware attack.
- The North Texas Municipal Water District is investigating a suspected ransomware attack this week.
- Ransomware hit Fidelity National Financial, a real estate services company, last week — making it impossible for some customers to pay their mortgages for several days.
- The Cybersecurity and Infrastructure Security Agency warned right before Thanksgiving that ransomware hackers are still exploiting a vulnerability in a popular Citrix product — months after a patch became available.
By the numbers: Ransomware targeting critical infrastructure appears to be up so far in 2023, Allan Liska, a ransomware expert at Recorded Future, told Axios.
- So far this year, there have been 317 publicly reported ransomware attacks against health care entities, according to Liska's count. That's already surpassed the 245 total last year.
- The same goes for schools: In 2023, Liska counted 243 publicly reported attacks so far, compared to last year's 189 total incidents.
What they're saying: "We are seeing an uptick and that is normal for this time of year," Liska said. "I think it's a bigger [post-Thanksgiving] uptick than we normally see."
The big picture: Many of the federal government's investments in the ransomware fight will take years to yield the results needed to contain the problem.
- New cyber incident reporting laws — which will help officials track how many attacks there are — haven't gone into effect yet.
- Cyber funding measures the Biden administration and Congress have implemented, such as a relatively new state and local cyber grant program, have only just started doling out the allocated dollars.
- And law enforcement investigations often take years to collect enough evidence before they can make an arrest, Liska added.
Zoom in: Even when the federal government and the broader tech industry do start to offer new cybersecurity tools, affected organizations can be slow to adopt them.
- For example, only 137 K-12 schools have signed up for a free program that started in August to help monitor their email security and provide safer internet browsing, per Politico. A total of 9,100 schools are eligible to participate.
Meanwhile, frustration is building across the country as more Americans experience the life-altering impacts of ransomware.
- In this week's hospital cyberattack, at least one patient's open-heart surgery was canceled, and another patient had an annual cancer check postponed, according to CBS News.
- Some facilities have been doing the bulk of their work on paper until networks are restored, per CNN.
- "It's having real impacts on people's lives," Chester Wisniewski, global field CTO director at Sophos, told Axios. "People are getting angry and starting to demand answers from government."
Yes, but: Progress is still being made — even if it's slow.
- International law enforcement has made several key arrests this years — including a handful on Tuesday.
- Lawmakers have established new cybersecurity positions in the federal government — including a cyber ambassador position and a national cyber director — and agencies have started improving their own internal security postures after a 2021 executive order.
Between the lines: Part of the problem is that no one knows exactly how big the ransomware crisis is — which makes it difficult for law enforcement and federal agencies to even know what they're up against, Wisniewski added.
- Not all victims come forward and publicly share details about the ransomware attacks they've faced out of fear of consumer backlash and potential lawsuits.
- But this puts federal officials in a bind: The FBI can't go to lawmakers to ask for hundreds of additional cyber investigators if they can't back up the request with real numbers, Wisniewski said.
Be smart: While these investments slowly but surely pay off, companies and organizations can still implement basic cyber hygiene to help stymie attacks — including implementing multi-factor authentication, creating strong passwords and quickly patching security vulnerabilities.