Healthcare Most Hit by Ransomware Last Year, FBI Finds
Bureau Warns Underreporting Remains Rife, Including by Critical Infrastructure
Healthcare and public health bore the brunt of ransomware attacks on critical infrastructure sectors launched during the last year, says the FBI.
The FBI's Internet Complaint Center last year received 870 complaints that "indicated organizations belonging to a critical infrastructure sector were victims of a ransomware attack," said David Scott, deputy assistant director of the FBI's Cyber Division, speaking at the Futurescot conference Monday in Glasgow, Scotland.
Critical manufacturing and the government, including schools, followed healthcare as the most-attacked sectors, IC3 data shows.
The top strain of observed ransomware was LockBit, followed by BlackCat and Hive, IC3 found.
"That's just a small portion of the overall ransomware attacks; there are obviously many, many more that didn't impact critical infrastructure," Scott said.
Two caveats are that many more attacks have hit organizations outside critical infrastructure and that the findings don't factor in unknown victims. "We only think that we know about 20% to 25% of the attacks that actually occur," Scott said. "If the victims aren't reporting, then there's only so much we can do to assist those victims."
Ransom Payments Decline
Based on known ransomware attacks, security researchers say the volume of such attacks seems to have remained constant in recent years. Ransomware incident response firm Coveware and cryptocurrency intelligence firm Chainalysis last month reported that blockchain analysis revealed a notable decline of 40% in the dollar volume of ransoms being paid to criminals.
Coveware ascribed the decline directly to the FBI, which has "subtly but effectively shifted strategy from pursuing just arrests to putting a focus on helping victims, and imposing costs to the economic levers that make cybercrime so profitable." Making a particular impact, Coveware says, is FBI agents quickly landing on-site to assist, including by helping senior executives and boards of directors understand their options.
Quick access by the private sector to a G-man isn't an accident. "We can put a cyber-trained FBI agent on nearly any doorstep in this country within one hour, and we can accomplish the same in more than 70 countries in one day through our network of legal attaches and cyber assistant legal attaches," Bryan A. Vorndran, assistant director of the FBI's Cyber Division, testified before the House Judiciary Committee last year.
Scott said this mandate very much persists, driving field offices to place agents on-site to help victims get back up and running as fast as possible. He added that the question of whether or not to pay a ransom remains a decision only the victim can make and that it's up to the victim whether or not they want to publicly say that the attack occurred.
Pushing Actionable Intelligence to Victims
Scott offered multiple examples of how the bureau was able to both alert victims and help them remediate attacks, thanks in no small part to working with domestic and international partners.
In August 2021, the FBI learned about an "imminent" attack on Boston Children's Hospital by an Iranian group - Scott declined to identify how - and its Boston field office sprang into action, using existing relationships inside the institution.
"We immediately notified the hospital and their IT staff and deployed personnel on-site, including our Cyber Action Team," Scott said. "Through joint efforts, we were able to successfully prevent the attack. A significant crisis was averted because of timely information sharing and the rapid deployment of experienced cyber personnel."
Ireland's national police force, the Garda Síochána, in July 2022 warned the FBI's legal attache in London that it had spotted an intrusion at a hospital in Omaha, Nebraska, that appeared to be precursor activity to ransomware. Scott said that alert immediately went to the FBI's 24/7 watch center in northern Virginia, which provided it to the hospital 37 minutes later.
"The hospital was able to take immediate action, and they did confirm that they had not been aware of this activity before. They did not realize this attack was about to occur," he said. "So the hospital was able to take this information, prevent any data exfiltration, prevent any ransomware deployment and prevent any impact on medical services for patients. All of that occurred in an hour to two hours total."
The FBI last fall responded after the Russian group Vice Society hit the Los Angeles Unified School District, days before 500,000 students across thousands of schools were meant to start the new school year. "Luckily, we were able to deploy our Cyber Action Team on-site, and we were able to get them back up and running prior to the first day of school occurring, so it didn't leave them without a single day of school," Scott said.