When a public community college in the state of Washington suffered a ransomware attack several years ago, the effects were catastrophic. "They lost every server. Everything -- email, coursework, lectures -- everything was gone," said Steve Garcia, information security officer at Wenatchee Valley College, or WVC, in Wenatchee, Wash., which is part of the same educational system as the targeted school. "It was pretty devastating."
The breach occurred when an IT employee logged in to a server from a home computer to perform routine weekend maintenance and then checked email, accidentally clicking on a phishing link that initiated the attack, according to Garcia. The malware infected and then encrypted the backup server, requiring the college to rebuild its entire IT environment from scratch. The rebuilding process took months and caused student enrollment to plummet. "It was an eye-opener. You read about it, you hear about it, but it's typically a private sector company, far away. It's different when it hits that close," he said.
That school isn't alone. According to a 2022 global survey of 5,600 IT professionals by cybersecurity vendor Sophos, around two in three organizations suffered a ransomware incident in the previous 12 months, up 78% over the previous year. The media, entertainment and leisure sector took the hardest hit, with about four in five of those organizations fielding attacks. But experts cautioned that, while some organizations might be at slightly higher risk of becoming ransomware targets than others, no single industry shoulders all, or even most, of the risk. To that point, in each of 14 industries represented in the Sophos survey -- plus a catch-all "other" category -- ransomware attacks struck more than half of organizations. The takeaway: No one is safe.
That said, ransomware incidents in certain industries, such as critical infrastructure and healthcare, tend to result in the most headlines. Incidents involving lower-profile targets, such as local governments and small businesses, typically attract less attention, sometimes leading to the misperception they are not particularly attractive ransomware targets. Unfortunately, that's far from the case.
Chris SilvaAnalyst, Gartner
"Whether a 500-person company or a 50,000-person company, everybody's a target," said Chris Silva, analyst at Gartner. Why? Ransomware gangs are businesses. "What attackers really seem to be looking at is where they can expect the maximum financial impact," he explained. That might mean a single, massive attack on a natural gas pipeline or many attacks spread across dozens of smaller organizations.
Bearing all of that in mind, what follows are 10 of the top -- but by no means the only -- ransomware targets by sector, based on the Sophos survey and other data.
1. Media, entertainment and leisure
In Sophos' 2022 report, the media, entertainment and leisure sector skyrocketed to the top of the ransomware targets list, up 147% over the previous year. Nearly four in five organizations (79%) in this industry reported dealing with ransomware incidents in the previous 12 months.
In June 2022, for example, Publishers Weekly reported Macmillan Publishers had experienced a cyber attack involving "the encryption of certain files" -- almost certainly a ransomware incident -- that prompted it to take all of its IT systems offline, halting book orders. And, the previous year, confirmed ransomware attacks hit Cox Media Group and Sinclair Broadcast Group, causing operational disruptions.
Just behind media, entertainment and leisure, 77% of retail companies reported suffering ransomware attacks in the year leading up to the 2022 Sophos survey, and roughly half of those said they paid the ransoms.
In one such example, Computer Weekly learned that British retailer FatFace sent the Conti ransomware gang a $2 million ransom following a successful phishing campaign in early 2021.
Several months later, an unprecedented ransomware supply chain attack on software provider Kaseya ultimately infected as many as 1,500 businesses. Among them was Swedish grocery store chain Coop, which had to close the majority of its 800 retail stores for three days to deal with the attack. The retailer said the malware prevented many of its cash registers from working.
3. Energy and utilities infrastructure
Ransomware struck three in four oil, gas and utilities organizations Sophos surveyed. This sector is also among the top three industries most likely to pay ransomware demands, the researchers found -- a reality of which cybercriminals are likely well aware.
"They are quite good at understanding where critical infrastructure pieces exist, how they can hit them and how they can use that to really put the heat on their victims," Gartner's Silva said.
One of the most infamous ransomware attacks to date happened when the DarkSide gang reportedly infiltrated Colonial Pipeline Co. via a legacy VPN account, shutting down operations and disrupting the U.S. East Coast's fuel supply for days. Although the ransomware operators successfully collected $4.4 million, the Department of Justice said it later recovered half of that payment using a private key.
4. Distribution and transport
Cybercriminals have long viewed organizations in the logistics sector as attractive ransomware targets. Back in 2016, for example, an infamous NotPetya attack cost Danish shipping giant Maersk up to $300 million in lost revenue.
Six years later, 74% of distribution and transport companies told Sophos they'd recently experienced ransomware incidents. In one such attack, ransomware hit German fuel logistics firm OilTanking in 2022, disrupting deliveries at around 200 gas stations.
Unfortunately, in Sophos' survey, distribution and transport organizations also reported seeing the lowest percentage of data restoration after ransom payments. On average, these companies said ransomware operators restored just 50% of their data.
5. Business, professional and legal services
Unit 42, Palo Alto Networks' threat research and consulting group, considers professional and legal services today's most-targeted sector. The researchers based their conclusion on data they found on ransomware leak sites, where criminals post victims' stolen data.
Unit 42 researchers speculated these companies -- which include accounting, advertising, consulting, engineering, marketing and law firms -- may make attractive ransomware targets for the following two reasons:
- They often rely on outdated and unpatched systems and software, making it easier for criminals to gain access to their networks.
- They cannot provide their products and services without functional IT, incentivizing them to pay ransoms quickly or experience significant business fallout.
In the Sophos survey, business and professional services came in fifth on the list of most-targeted sectors, with 74% of such organizations saying they had suffered ransomware attacks in the previous year.
In one example, ransomware operators accessed and encrypted files belonging to major law firm Campbell Conroy & O'Neil, including sensitive personal information, such as Social Security numbers and financial data. The high-profile trial attorneys have represented numerous Fortune 500 companies, including Boeing, Chrysler, FedEx, Home Depot, Johnson & Johnson, Liberty Mutual and Marriott International.
Fortunately, some other recent incidents in this sector, such as an attack on engineering firm Dennis Group and another on IT consulting firm Accenture, resulted in minimal fallout. Both organizations were able to fully restore their systems from backups without engaging the hackers.
Medical centers' high stakes work and widespread security vulnerabilities make them "a favorite target" of cybercriminals, according to the Ransomware Task Force, a group of tech executives that makes recommendations to the White House.
Some gangs seem to have seen the COVID-19 pandemic, in particular, as a business opportunity, with hospitals more likely to bow to ransom demands while grappling with an unprecedented and deadly health crisis.
Even as the pandemic eases, however, attacks on medical institutions continue to accelerate. The percentage of healthcare organizations that told Sophos they had recently experienced ransomware attacks rose from 34% in 2021 to 66% in 2022. And the healthcare sector was the most likely to meet ransom demands, Sophos found, with 61% paying their attackers.
The effects of ransomware incidents in this sector can be particularly disastrous. An attack on a hospital in Düsseldorf, Germany, forced healthcare workers to send a patient with a life-threatening condition to another hospital 20 miles away. The patient later died, with German prosecutors saying it might have been the first ransomware-related fatality. Investigators opened a negligent homicide case but abandoned it when they couldn't prove the breach directly caused the woman's death.
7. Higher education
The education sector has become a top ransomware target in recent years, with colleges and universities sustaining particularly frequent blows. In Sophos' 2022 survey, 64% of higher education institutions said they had experienced ransomware attacks over the previous 12 months. They also had one of the slowest recovery rates, with around two in five taking more than a month to get back to normal.
Savannah College of Art and Design in Savannah, Ga.; William Carey University in Hattiesburg, Miss.; and North Carolina Agricultural and Technical State University in Greensboro, N.C., all reportedly fell victim to ransomware attacks in 2022. The previous year, according to research from antimalware vendor Emsisoft, 88 attacks disrupted operations across more than 1,000 schools, colleges and universities. Howard University in Washington, D.C., for example, had to cancel two days of classes while it responded to a ransomware attack over Labor Day weekend of that year.
8. Construction and property
In Unit 42's list of the most-targeted sectors, construction came in second to professional and legal services. Sophos found construction and property businesses had an attack rate of 63%, placing it eighth in its "State of Ransomware 2022" ranking.
Publicly traded real estate investment firm Marcus & Millichap disclosed in late 2021 that it had experienced a cybersecurity attack, which TechTarget found may have been the work of the BlackMatter ransomware gang. Bird Construction, a major construction company that has landed numerous military and government contracts in Canada, fell victim to a Maze ransomware attack in 2020, according to reporting from the CBC. The cybercriminals claimed to have stolen 60 GB of data.
9. IT, technology and telecoms
Sixty-one percent of organizations in the IT, technology and telecommunications sector dealt with ransomware attacks in the months between January 2021 and February 2022, Sophos found. One of these was Taiwan-based PC manufacturer Acer, which received one of the largest ransom demands on record at the time -- $50 million -- from the ransomware gang REvil. It's unknown if the company paid the ransom.
Other recent ransomware targets in the IT sector have included Apple laptop manufacturer Quanta Computer, vehicle inspection technology provider Applus Technologies, backup storage vendor ExaGrid and software provider Kaseya.
MSPs are also frequent ransomware targets -- and not just the largest players. For example, the owner of ITRMS, a small MSP based in Riverside, Calif., has described fielding multiple such attacks over the years.
10. Central and federal government
In 2022, 60% of central government organizations from around the globe told Sophos they had sustained recent ransomware attacks, up 50% over the previous year. Together with higher education institutions, these groups took the longest to recover -- around two in five hadn't returned to normal operations within a month of an attack.
The Conti gang waged a ransomware attack on the central government of Costa Rica in April 2022, prompting the country's president to declare a national state of emergency. The government refused to pay the ransom, and the cybercriminals leaked nearly all of the stolen data. In another high-profile incident, Ireland's national health service fell victim to a ransomware attack in May 2021 that forced the government to shut down all hospital IT systems, seriously disrupting patient care.
11. Local and state government
Local and state government organizations experienced a similar attack rate to central government agencies -- 58% -- but the year-over-year increase was significantly higher, at 71%. More than 2,800 ransomware incidents affected state, local, tribal and territorial governments between January 2017 and March 2021, according to the Multi State Information Sharing and Analysis Center, part of the Center for Internet Security.
In September 2022, a massive ransomware attack forced Suffolk County, N.Y., to take all its systems offline, seriously compromising emergency services and forcing county employees to work without the internet. The incident caused months-long, far-reaching disruption.
That same year, North Carolina and Florida became the first states to ban state agencies and local governments from making ransom payments, a move several other states are also considering.
12. Lower education
Of the lower education institutions Sophos surveyed in early 2022, 56% said they had experienced ransomware attacks in the previous 12 months.
Later that year, the ransomware gang Vice Society struck the Los Angeles Unified School District, California's largest public school system, in a now-infamous attack. After the district refused to pay the ransom demand, the operators leaked 500 GB of stolen data on the dark web. In another such incident, New York's Buffalo Public Schools system was forced to halt in-person and virtual learning for 34,000 students for several days in March 2021.
According to Emsisoft researchers, in at least half of the education sector's 2021 ransomware incidents, hackers stole sensitive employee and student data, some of which they released online.
13. Manufacturing and production
The Sophos' survey found 55% of manufacturers fielded attacks in the months leading up to the 2022 survey. This sector had the highest average ransom payment: $2.04 million. In better news, however, manufacturing and production also saw the fastest recovery rates, which Sophos attributed to strong ransomware incident response and recovery planning.
In one notorious example of an attack on this sector, REvil ransomware brought operations to a halt at beef manufacturer JBS USA, one of the United States' largest meat suppliers. Although the company said it was back up and running within four days thanks to its backup servers, JBS USA later confirmed paying $11 million to the hackers to prevent data exfiltration and leaks.
14. Financial services
Sophos' "State of Ransomware 2022" report found good news and bad news for financial services: While the sector's attack rate increased year over year, it also had one of the lowest attack rates compared with other sectors. Fifty-five percent of these organizations reported experiencing recent ransomware attacks, while the cross-sector average attack rate was 66%. The financial services industry also had one of the fastest recovery rates, second only to manufacturing.
Ransomware's impact on the financial services sector has the potential to be widespread and catastrophic, however. New York's Department of Financial Services has warned that a major ransomware attack could cause "the next great financial crisis" by crippling key organizations and causing a loss of consumer confidence.
In March 2021, ransomware operators hit CNA Financial, one of the largest commercial insurers in the U.S. Bloomberg reported CNA paid a $40 million ransom demand, although the firm has not confirmed that figure.
Everyone is a potential ransomware target
While research suggested organizations across these 14 industries are among the top ransomware targets, experts emphasized that no organization -- regardless of size or sector -- is immune. That reality, and memories of the attack on his nearby peer institution, keep WVC's Garcia up at night.
The information security officer said that, after learning of the ransomware incident at WVC's sister college, he immediately dropped everything he was working on to assess his own organization's network infrastructure and cybersecurity posture.
Garcia reviewed server access, application activity, data classification and retention policies, endpoint security and more. His team also deployed a new air-gapped backup system using technology from Veeam and ExaGrid, going over every account setting with a fine-toothed comb. "If our entire infrastructure is compromised, I want to know my backup data is going to be secure," he said.
His counterparts at other schools in the Washington community college system went through similar exercises after the attack, Garcia added, describing a sudden "flurry of awareness" in the region. He and other college security leaders even held a series of emergency meetings to share knowledge, brainstorm and engage in ransomware tabletop exercises.
Garcia said his goal is not to dodge a ransomware attack altogether, which experts and statistics suggest is next to impossible. Rather, it's to survive it.
"Maybe we lose half our servers and some specific subnets, and we're restoring from backup," he said. "But at least it's a survivable scenario, versus having everything gone, like what happened to that other community college."