In the summer of 2019, a public community college in the state of Washington suffered a catastrophic ransomware attack. "They lost every server. Everything -- email, coursework, lectures -- everything was gone," said Steve Garcia, information security officer at Wenatchee Valley College (WVC) in Wenatchee, Wash., which is part of the same educational system as the targeted school. "It was pretty devastating."
The breach occurred when an IT employee logged in to a server from a home computer to perform routine weekend maintenance and then checked email, accidentally clicking on a phishing link that initiated the attack, according to Garcia. The malware infected and then encrypted the backup server, requiring the college to rebuild its entire IT environment from scratch. The rebuilding process took months and caused student enrollment to plummet. "It was an eye-opener. You read about it, you hear about it, but it's typically a private sector company, far away. It's different when it hits that close," he said.
That school isn't alone. According to a 2021 survey of 5,400 IT decision-makers by cybersecurity vendor Sophos, one in three organizations had suffered a ransomware incident over the previous 12 months. The education and retail sectors took the hardest hits, with 44% of those organizations fielding attacks. But experts cautioned that, while some organizations might be at slightly higher risk of becoming ransomware targets than others, no single industry shoulders all, or even most, of the risk. To that point, the top 10 most targeted industries' incident rates all hovered within seven percentage points of the 37% cross-sector average. The takeaway: No organization is safe.
Forrester analyst Steve Turner said his own research suggested a relatively even distribution of ransom attacks across verticals. However, ransomware incidents in certain industries, such as critical infrastructure and healthcare, tend to result in the most headlines.
Turner pointed to the recent attack on Ireland's national healthcare system as an example. "That got media coverage because of the scale of the attack," he said. "That's the stuff that folks want to hear about and that kind of strikes the fear of God in them."
On the other hand, incidents involving lower-profile targets, such as local governments and small businesses, typically attract less attention, leading to the misperception that they are less attractive ransomware targets. Unfortunately, that's far from the case.
"Whether a 500-person company or a 50,000-person company, everybody's a target," said Chris Silva, analyst at Gartner. Why? Ransomware gangs are businesses. "What attackers really seem to be looking at is where they can expect the maximum financial impact," he explained. That might mean a single, massive attack on a natural gas pipeline or many attacks spread across dozens of small businesses.
Bearing all of that in mind, what follows are the 10 top -- but by no means the only -- ransomware targets, based on the Sophos survey and other data.
1. Education
The education sector has become one of the top ransomware targets in recent years. In 2021 alone, 88 attacks disrupted operations across more than 1,000 schools, colleges and universities, according to 2022 research from antimalware vendor Emsisoft.
In one such incident, New York's Buffalo Public Schools system was forced to halt in-person and virtual learning for 34,000 students for a week in March 2021. On the higher education front, Howard University had to cancel two days of classes after discovering a ransomware attack over the 2021 Labor Day weekend.
Emsisoft reported that in at least half of the education sector's 2021 ransomware incidents, hackers stole sensitive employee and student data, some of which they released online.
2. Retail
Along with educational organizations, almost half of all retail companies were ransomware targets in 2020, according to Sophos' survey results. And, of those retail organizations that had not been hit in the past year, 34% said they expect to suffer an attack in the future.
In April 2021, Computer Weekly learned that British retailer FatFace paid the Conti ransomware gang a $2 million ransom following a successful phishing campaign. Then, in July, an unprecedented supply chain attack on software provider Kaseya ultimately infected as many as 1,500 businesses. Among them was Swedish grocery store chain Coop, which had to close the majority of its 800 stores for three days to deal with the attack. The retailer said the malware prevented many of its cash registers from working.
3. Business, professional and legal services
Companies in the business, professional and legal services sector, which includes accounting, advertising, consulting, engineering, marketing and law firms, can make attractive ransomware targets. Many in this sector are in possession of highly sensitive data and may have the financial resources to pay large ransomware demands. Small shops are also more likely to have outdated or lackluster cybersecurity strategies, making it relatively easy for criminals to gain access to their networks.
In February 2021, major law firm Campbell Conroy & O'Neil said ransomware operators had accessed and encrypted files that included sensitive personal information, such as Social Security numbers and financial data. The high-profile trial attorneys have represented numerous Fortune 500 companies, including Boeing, Chrysler, FedEx, Home Depot, Johnson & Johnson, Liberty Mutual and Marriott International.
Fortunately, other recent incidents in this sector, such as an attack in April 2021 on engineering firm Dennis Group and another in August 2021 on IT consulting firm Accenture, resulted in minimal fallout. Both organizations were able to fully restore their systems without engaging the hackers.
4. Central government
Sophos' global survey of 117 IT decision-makers from central government organizations found 40% of them had suffered a ransomware attack in the preceding 12 months. As previously mentioned, Ireland's national health service fell victim to a ransomware attack in May 2021 that forced the government to shut down all hospital IT systems, seriously disrupting patient care. Two years earlier, an attack shut down a U.S. Coast Guard facility for almost three days.
5. IT
Unit 42, Palo Alto's threat research and consulting group, reported a 65% increase in ransomware incident response cases in the IT sector between 2019 and 2020. The researchers attributed this, in part, to the abrupt migration to remote work, with ransomware operators using pandemic-themed phishing content to prey on victims at an unusually vulnerable time.
In early 2021, ransomware gang REvil compromised Taiwan-based PC manufacturer Acer's network and made one of the largest ransom demands on record: $50 million. It's unknown if the company paid the ransom. Other recent ransomware targets in the IT sector have included Apple laptop manufacturer Quanta Computer, vehicle inspection technology provider Applus Technologies, backup storage vendor ExaGrid and software provider Kaseya.
6. Manufacturing
Threat researchers at Unit 42 also found that, in 2020, ransomware operators published stolen information from 45 manufacturing companies -- the most of any sector -- on leak sites, where criminals post data from victims who don't meet ransom deadlines. Sophos' survey suggested 36% of manufacturers fielded attacks that same year.
In May 2021, a REvil ransomware attack brought operations to a halt at beef manufacturer JBS USA, one of the United States' largest meat suppliers. Although the company said it was back up and running within four days thanks to its backup servers, JBS USA later confirmed paying $11 million to the hackers to prevent data exfiltration and leaks.
Sophos found in its 2021 survey that manufacturing and production companies are the best prepared to restore data from backups and, perhaps consequently, the least likely to pay ransoms.
7. Energy and utilities infrastructure
Organizations from the oil, gas and utilities sector conversely are the most likely to pay ransomware demands, Sophos found, a reality likely well known to cybercriminals. "They are quite good at understanding where critical infrastructure pieces exist, how they can hit them and how they can use that to really put the heat on their victims," Gartner's Silva said.
Perhaps the most infamous ransomware attack to date was discovered in May 2021. After reportedly infiltrating the Colonial Pipeline Co. via a legacy VPN account, the DarkSide gang shut down operations and disrupted the U.S. East Coast's fuel supply for days. Although the ransomware operators successfully collected $4.4 million, the Department of Justice said it later recovered half of that payment using a private key.
8. Healthcare
Medical centers' high-stakes work and widespread security vulnerabilities make them "a favorite target" of cybercriminals, according to the Ransomware Task Force, a group of tech executives that makes recommendations to the White House. Some gangs seem to have seen the COVID-19 pandemic, in particular, as a business opportunity, with hospitals more likely to bow to ransom demands while grappling with an unprecedented and deadly health crisis.
Ransomware attacks affected more than 1,200 American healthcare facilities in 2021, according to the Emsisoft report. The federal Health Sector Cybersecurity Coordination Center, part of the Department of Health and Human Services, counted 82 separate ransomware incidents in the global healthcare sector in the first five months of the year alone. (Note: A single incident can impact numerous hospitals and clinics.)
A recent ransomware attack on a hospital in Düsseldorf, Germany, forced healthcare workers to send a patient with a life-threatening condition to another hospital 20 miles away. The patient later died, with German prosecutors saying it might have been the first ransomware-related fatality. Investigators opened a negligent homicide case but abandoned it when they couldn't prove the breach directly caused the woman's death.
9. Local government
In slightly better news, Emsisoft also found that ransomware struck at least 77 local governments and agencies in the U.S. in 2021. While still considerable, that number is down from the previous two years, which each saw 113 such attacks. In fact, a report from colocation, cloud and disaster recovery services provider Sungard Availability Services found that just 11 states were not affected by a ransomware attack targeting a municipality in 2019 and 2020. In Texas alone, local governments experienced 39 attacks during that period.
In 2021, ransomware gangs seem to have shifted their attention from major cities such as Atlanta to smaller towns and counties, according to the Emsisoft researchers. They theorized this may be because larger local governments have improved security measures and are less vulnerable to attacks.
Alarmingly, however, nearly one in four local government organizations admitted to having no malware recovery plan in place in the 2021 Sophos survey. This sector is also the most likely to see data encrypted in an attack and the second most likely to pay ransom demands.
10. Financial services
Ransomware's impact on the financial services sector has the potential to be widespread and catastrophic. New York's Department of Financial Services recently warned that a major ransomware attack could cause "the next great financial crisis" by crippling key organizations and causing a loss of consumer confidence.
Unfortunately, attacks in this sector appear to be skyrocketing. Financial institutions reported 635 incidents of ransomware-related activity to the Treasury Department in the first half of 2021 alone -- 30% more than in all of 2020. Payments were also up, with incidents in that six-month period totaling $590 million, 42% higher than in all of the previous year.
In March 2021, ransomware operators hit CNA Financial, one of the largest commercial insurers in the U.S. Bloomberg reported that CNA paid a $40 million ransom demand, although the firm has not confirmed that figure. Network operations required almost two months to be fully restored.
Everyone is a potential ransomware target
While research suggested organizations across these 10 industries are among the top ransomware targets, experts emphasized that no organization -- regardless of size or sector -- is immune. That reality and memories of the attack on his nearby peer institution keep WVC's Garcia up at night.
The information security officer said that, after learning of the ransomware incident at WVC's sister college, he immediately dropped everything he was working on to assess his own organization's network infrastructure and cybersecurity posture. Garcia reviewed server access, application activity, data classification and retention policies, endpoint security and more. His team also deployed a new air-gapped backup system using technology from Veeam and ExaGrid, going over every account setting with a fine-toothed comb. "If our entire infrastructure is compromised, I want to know my backup data is going to be secure," he said.
His counterparts at other schools in the Washington community college system went through similar exercises after the attack, Garcia added, describing a sudden "flurry of awareness" in the region. He and other college security leaders even held a series of emergency meetings to share knowledge, brainstorm and engage in ransomware tabletop exercises.
Garcia said his goal is not to dodge a ransomware attack altogether, which experts and statistics suggest is next to impossible. Rather, it's to survive it. "Maybe we lose half our servers and some specific subnets, and we're restoring from backup," he said. "But at least it's a survivable scenario, versus having everything gone, like what happened to that other community college."