Disruptive new wave of ransomware hits critical infrastructure

Illustration: Allie Carl/Axios
A wave of ransomware attacks targeting critical infrastructure in recent weeks is a stark reminder that the ransomware problem will continue to get worse before it slows down — despite the U.S. government's best efforts.
Why it matters: In the meantime, hackers will keep disrupting critical services at schools, hospitals, financial service institutions and more.
Driving the news: Several critical infrastructure organizations are responding to ransomware this week.
- Some hospitals across the U.S. had to divert ambulances from their emergency rooms and cancel elective procedures throughout the week due to a ransomware attack.
- The North Texas Municipal Water District is investigating a suspected ransomware attack this week.
- Ransomware hit Fidelity National Financial, a real estate services company, last week — making it impossible for some customers to pay their mortgages for several days.
- The Cybersecurity and Infrastructure Security Agency warned right before Thanksgiving that ransomware hackers are still exploiting a vulnerability in a popular Citrix product — months after a patch became available.
By the numbers: Ransomware targeting critical infrastructure appears to be up so far in 2023, Allan Liska, a ransomware expert at Recorded Future, told Axios.
- So far this year, there have been 317 publicly reported ransomware attacks against health care entities, according to Liska's count. That's already surpassed the 245 total last year.
- The same goes for schools: In 2023, Liska counted 243 publicly reported attacks so far, compared to last year's 189 total incidents.
What they're saying: "We are seeing an uptick and that is normal for this time of year," Liska said. "I think it's a bigger [post-Thanksgiving] uptick than we normally see."
The big picture: Many of the federal government's investments in the ransomware fight will take years to yield the results needed to contain the problem.
- New cyber incident reporting laws — which will help officials track how many attacks there are — haven't gone into effect yet.
- Cyber funding measures the Biden administration and Congress have implemented, such as a relatively new state and local cyber grant program, have only just started doling out the allocated dollars.
- And law enforcement investigations often take years to collect enough evidence before they can make an arrest, Liska added.
Zoom in: Even when the federal government and the broader tech industry do start to offer new cybersecurity tools, affected organizations can be slow to adopt them.
- For example, only 137 K-12 schools have signed up for a free program that started in August to help monitor their email security and provide safer internet browsing, per Politico. A total of 9,100 schools are eligible to participate.
Meanwhile, frustration is building across the country as more Americans experience the life-altering impacts of ransomware.
- In this week's hospital cyberattack, at least one patient's open-heart surgery was canceled, and another patient had an annual cancer check postponed, according to CBS News.
- Some facilities have been doing the bulk of their work on paper until networks are restored, per CNN.
- "It's having real impacts on people's lives," Chester Wisniewski, global field CTO director at Sophos, told Axios. "People are getting angry and starting to demand answers from government."
Yes, but: Progress is still being made — even if it's slow.
- International law enforcement has made several key arrests this year — including a handful on Tuesday.
- Lawmakers have established new cybersecurity positions in the federal government — including a cyber ambassador position and a national cyber director — and agencies have started improving their own internal security postures after a 2021 executive order.
Between the lines: Part of the problem is that no one knows exactly how big the ransomware crisis is — which makes it difficult for law enforcement and federal agencies to even know what they're up against, Wisniewski added.
- Not all victims come forward and publicly share details about the ransomware attacks they've faced out of fear of consumer backlash and potential lawsuits.
- But this puts federal officials in a bind: The FBI can't go to lawmakers to ask for hundreds of additional cyber investigators if they can't back up the request with real numbers, Wisniewski said.
Be smart: While these investments slowly but surely pay off, companies and organizations can still implement basic cyber hygiene to help stymie attacks — including implementing multi-factor authentication, creating strong passwords and quickly patching security vulnerabilities.
