Ransomware Attacks: Death Threats, Endangered Patients and Millions of Dollars in Damages

The actual number of attacks annually is much higher, as there are thousands of incidents in the private sector, while many organizations are indirectly impacted through the computer systems of their service providers.

“Unfortunately, the only change we’re really seeing is that these ransomware actors are getting bolder. They’re going after softer targets, like health care and public health sector organizations … the things that are most critical to our everyday lives,” said Gabriel Davis, chief of the Risk Intelligence and Operations Section at the Cybersecurity and Infrastructure Security Agency, or CISA.

Schools are vulnerable to ransomware because they often do not have enough resources for adequate protection, while they are attractive to criminals because they possess a large amount of sensitive information. At least 1,899 K-12 schools were attacked in the U.S. in 2023, per Emsisoft.

In an attack on Minneapolis Public Schools, not only was learning disrupted, but about 200,000 documents were stolen and posted online, including details on reports of sexual abuse of students, accusations of bad behavior by teachers, students’ psychological reports and Social Security numbers.

More Money, More Problems

Reuters reported that UnitedHealth Group, owner of Change Healthcare, paid $22 million to hackers in a bid to recover access to encrypted data and systems. Both sides declined to comment.

Payments to ransomware gangs have risen significantly over the last five years.

According to Emsisoft, the average ransom payment in 2023 was about $1.5 million, compared with 2018, when criminals were paid about $5,000. The only solution, they noted, is to completely ban the payments.

There is no consensus among experts and governments on a ban.

Brett Callow, Emsisoft’s threat analyst, told VOA a complete ban is doable: “It’s commonly said that a ban would push ransomware underground. The reality is that it’s already far underground, with only about 20% of organizations reporting incidents. Yes, a ban may cause problems for victims in the short term, but isn’t that preferable to ransomware causing problems for everyone in the long term?”

Cybersecurity expert Ivan Markovic told VOA it is recommended not to pay the ransom, “because once someone has been in your system, you must consider that everything has been compromised.”

“A total ban, the introduction of some laws, would be good on one hand, but there are some extreme cases that must enter public debates and have experts discuss them,” said Markovic, citing situations in which it is necessary to act quickly because people’s lives are at risk.

CISA is focused on preventing attacks and helping organizations recover from incidents.

“We’re not going to be able to prevent everything, unfortunately. However, when things do happen, we do want to minimize and consolidate the damage and the impact. And if we can do that and continue doing that year over year, but also reducing the exposure of these organizations and the vulnerable devices, we’re going to start to see very significant reduction in these attacks,” Davis told VOA.

Dino Jahic is a VOA News reporter. This article is published courtesy of the Voice of America (VOA).