Dec 1, 2023 - Technology

Disruptive new wave of ransomware hits critical infrastructure


Illustration: Allie Carl/Axios

A wave of ransomware attacks targeting critical infrastructure in recent weeks is a stark reminder that the ransomware problem will continue to get worse before it slows down — despite the U.S. government's best efforts.

Why it matters: In the meantime, hackers will keep disrupting critical services at schools, hospitals, financial service institutions and more.

Driving the news: Several critical infrastructure organizations are responding to ransomware this week.

  • Some hospitals across the U.S. had to divert ambulances from their emergency rooms and cancel elective procedures throughout the week due to a ransomware attack.
  • The North Texas Municipal Water District is investigating a suspected ransomware attack this week.
  • Ransomware hit Fidelity National Financial, a real estate services company, last week — making it impossible for some customers to pay their mortgages for several days.
  • The Cybersecurity and Infrastructure Security Agency warned right before Thanksgiving that ransomware hackers are still exploiting a vulnerability in a popular Citrix product — months after a patch became available.

By the numbers: Ransomware targeting critical infrastructure appears to be up so far in 2023, Allan Liska, a ransomware expert at Recorded Future, told Axios.

  • So far this year, there have been 317 publicly reported ransomware attacks against health care entities, according to Liska's count. That's already surpassed the 245 total last year.
  • The same goes for schools: In 2023, Liska counted 243 publicly reported attacks so far, compared to last year's 189 total incidents.

What they're saying: "We are seeing an uptick and that is normal for this time of year," Liska said. "I think it's a bigger [post-Thanksgiving] uptick than we normally see."

The big picture: Many of the federal government's investments in the ransomware fight will take years to yield the results needed to contain the problem.

  • New cyber incident reporting laws — which will help officials track how many attacks there are — haven't gone into effect yet.
  • Cyber funding measures the Biden administration and Congress have implemented, such as a relatively new state and local cyber grant program, have only just started doling out the allocated dollars.
  • And law enforcement investigations often take years to collect enough evidence before they can make an arrest, Liska added.

Zoom in: Even when the federal government and the broader tech industry do start to offer new cybersecurity tools, affected organizations can be slow to adopt them.

  • For example, only 137 K-12 schools have signed up for a free program that started in August to help monitor their email security and provide safer internet browsing, per Politico. A total of 9,100 schools are eligible to participate.

Meanwhile, frustration is building across the country as more Americans experience the life-altering impacts of ransomware.

  • In this week's hospital cyberattack, at least one patient's open-heart surgery was canceled, and another patient had an annual cancer check postponed, according to CBS News.
  • Some facilities have been doing the bulk of their work on paper until networks are restored, per CNN.
  • "It's having real impacts on people's lives," Chester Wisniewski, global field CTO director at Sophos, told Axios. "People are getting angry and starting to demand answers from government."

Yes, but: Progress is still being made — even if it's slow.

Between the lines: Part of the problem is that no one knows exactly how big the ransomware crisis is — which makes it difficult for law enforcement and federal agencies to even know what they're up against, Wisniewski added.

  • Fearing consumer backlash and potential lawsuits, not all victims come forward and publicly share details about the ransomware attacks they've faced.
  • But this puts federal officials in a bind: The FBI can't go to lawmakers to ask for hundreds of additional cyber investigators if they can't back up the request with real numbers, Wisniewski said.

Be smart: While these investments slowly but surely pay off, companies and organizations can still practice basic cyber hygiene to help stymie attacks, including implementing multi-factor authentication, creating strong passwords and quickly patching security vulnerabilities.
