Critical Infrastructure Security , Fraud Management & Cybercrime , Healthcare

Healthcare Most Hit by Ransomware Last Year, FBI Finds

Bureau Warns Underreporting Remains Rife, Including by Critical Infrastructure
Healthcare Most Hit by Ransomware Last Year, FBI Finds

Healthcare and public health bore the brunt of ransomware attacks on critical infrastructure sectors launched during the last year, says the FBI.

See Also: The 2022 Aftermath of Ransomware on Healthcare

The FBI's Internet Complaint Center last year received 870 complaints that "indicated organizations belonging to a critical infrastructure sector were victims of a ransomware attack," said David Scott, deputy assistant director of the FBI's Cyber Division, speaking at the Futurescot conference Monday in Glasgow, Scotland.

Critical manufacturing and the government, including schools, followed healthcare as the most-attacked sectors, IC3 data shows.

The top strain of observed ransomware was LockBit, followed by BlackCat and Hive, IC3 found.

"That's just a small portion of the overall ransomware attacks; there are obviously many, many more that didn't impact critical infrastructure," Scott said.

Two caveats are that many more attacks have hit organizations outside critical infrastructure and that the findings don't factor in unknown victims. "We only think that we know about 20% to 25% of the attacks that actually occur," Scott said. "If the victims aren't reporting, then there's only so much we can do to assist those victims."

Ransom Payments Decline

Based on known ransomware attacks, security researchers say the volume of such attacks seems to have remained constant in recent years. Ransomware incident response firm Coveware and cryptocurrency intelligence firm Chainalysis last month reported that blockchain analysis revealed a notable decline of 40% in the dollar volume of ransoms being paid to criminals.

Coveware ascribed the decline directly to the FBI, which has "subtly but effectively shifted strategy from pursuing just arrests to putting a focus on helping victims, and imposing costs to the economic levers that make cybercrime so profitable." Making a particular impact, Coveware says, is FBI agents quickly landing on-site to assist, including by helping senior executives and boards of directors understand their options.

Quick access by the private sector to a G-man isn't an accident. "We can put a cyber-trained FBI agent on nearly any doorstep in this country within one hour, and we can accomplish the same in more than 70 countries in one day through our network of legal attaches and cyber assistant legal attaches," Bryan A. Vorndran, assistant director of the FBI's Cyber Division, testified before the House Judiciary Committee last year.

Scott said this mandate very much persists, driving field offices to place agents on-site to help victims get back up and running as fast as possible. He added that the question of whether or not to pay a ransom remains a decision only the victim can make and that it's up to the victim whether or not they want to publicly say that the attack occurred.

Pushing Actionable Intelligence to Victims

Scott offered multiple examples of how the bureau was able to both alert victims and help them remediate attacks, thanks in no small part to working with domestic and international partners.

In August 2021, the FBI learned about an "imminent" attack on Boston Children's Hospital by an Iranian group - he declined to identify how - and its Boston field office sprang into action, using existing relationships inside the institution.

"We immediately notified the hospital and their IT staff and deployed personnel on-site, including our Cyber Action Team," Scott said. "Through joint efforts, we were able to successfully prevent the attack. A significant crisis was averted because of timely information sharing and the rapid deployment of experienced cyber personnel."

Ireland's national police force, the Garda Síochána, in July 2022 warned the FBI's legal attache in London that it had spotted an intrusion at a hospital in Omaha, Nebraska, that appeared to be precursor activity to ransomware. He said that alert immediately went to the FBI's 24/7 watch center in northern Virginia, which provided it to the hospital 37 minutes later.

"The hospital was able to take immediate action, and they did confirm that they had not been aware of this activity before. They did not realize this attack was about to occur," he said. "So the hospital was able to take this information, prevent any data exfiltration, prevent any ransomware deployment and prevent any impact on medical services for patients. All of that occurred in an hour to two hours total."

The FBI last fall responded after the Russian group Vice Society hit the Los Angeles Unified School District, days before 500,000 students across thousands of schools were meant to start the new school year. "Luckily, we were able to deploy our Cyber Action Team on-site, and we were able to get them back up and running prior to the first day of school occurring, so it didn't leave them without a single day of school," Scott said.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.