When a public community college in the state of Washington suffered a ransomware attack, the effects were catastrophic.
"They lost every server. Everything -- email, coursework, lectures -- everything was gone," said Steve Garcia, information security officer at Wenatchee Valley College (WVC) in Wenatchee, Wash., which is part of the same educational system as the targeted school. "It was pretty devastating."
The breach occurred several years ago when an IT employee logged in to a server from a home computer to perform routine weekend maintenance, according to Garcia. The employee then checked email and accidentally clicked on a phishing link that initiated the attack.
The malware infected and encrypted the backup server, requiring the college to rebuild its entire IT environment from scratch. The rebuilding process took months and caused student enrollment to plummet. "It was an eye-opener," Garcia said. "You read about it, you hear about it, but it's typically a private sector company, far away. It's different when it hits that close."
That college isn't alone. According to a 2023 global survey of 3,000 IT professionals by cybersecurity vendor Sophos, around two in three organizations suffered a ransomware incident in the previous 12 months. The education sector took the hardest hit, with about four in five of those organizations fielding attacks.
But experts cautioned that, while some organizations might be at higher risk of becoming ransomware targets than others, no single industry shoulders all, or even most, of the risk. To that point, ransomware attacks struck at least half of organizations across all industries represented in the Sophos survey. The takeaway: No one is safe.
That said, ransomware incidents in certain industries, such as critical infrastructure and healthcare, tend to garner the most attention. Incidents involving lower-profile targets -- local governments and small businesses, for example -- typically attract less notice, sometimes leading to the misperception they are not particularly attractive ransomware targets. Unfortunately, that's far from the case.
"Whether a 500-person company or a 50,000-person company, everybody's a target," said Chris Silva, analyst at Gartner. Why? Ransomware gangs are businesses. "What attackers really seem to be looking at is where they can expect the maximum financial impact," he explained. That might mean a single, massive attack on a natural gas pipeline or many attacks spread across dozens of smaller organizations.
Bearing all of that in mind, what follows are 13 of the top -- but by no means the only -- ransomware targets by sector, based on the Sophos survey and other data.
1. Education
The education sector had the highest ransomware attack rate as of 2023, according to Sophos' most recent "State of Ransomware" report. Eighty percent of elementary, middle and high schools and 79% of higher education institutions reported sustaining attacks in the year leading up to the survey. Additionally, lower education organizations were the most likely -- across all sectors -- to report losing business or revenue due to ransomware incidents.
In one recent example, the ransomware gang Vice Society struck the Los Angeles Unified School District, California's largest public school system. When the district refused to pay the ransom demand, the operators leaked 500 GB of stolen data on the dark web.
Higher education victims include the Savannah College of Art and Design in Savannah, Ga.; William Carey University in Hattiesburg, Miss.; and North Carolina Agricultural and Technical State University in Greensboro, N.C.
2. Construction and property
In early 2023, 71% of businesses dealing in construction and property told Sophos they had experienced recent ransomware attacks -- a 129% increase in two years. These organizations were also overwhelmingly likely to report losing business and revenue as a result of the incidents, second only to lower education.
Publicly traded real estate investment firm Marcus & Millichap disclosed in late 2021 that it had experienced a cybersecurity attack, which TechTarget found may have been the work of the BlackMatter ransomware gang.
3. Central and federal government
Seventy percent of central government organizations from around the globe told Sophos they had experienced ransomware attacks in the 12 months leading up to the survey.
In one example, the Conti gang waged a ransomware attack on the central government of Costa Rica, prompting the country's president to declare a national state of emergency. The government refused to pay the ransom, and the cybercriminals leaked nearly all the stolen data.
In another high-profile incident, Ireland's national health service fell victim to a ransomware attack that forced the government to shut down all hospital IT systems, seriously disrupting patient care.
4. Media, entertainment and leisure
Businesses in the media, entertainment and leisure sector remained among the top ransomware targets in 2023, with a 70% attack rate. In more than half of those incidents, the root cause was an exploited vulnerability, which Sophos analysts suggested points to particularly widespread security gaps.
According to Publishers Weekly, when Macmillan Publishers experienced a cyber attack involving "the encryption of certain files" -- almost certainly a ransomware incident -- it had to take all of its IT systems offline, halting book orders. Confirmed ransomware attacks have also hit Cox Media Group and Sinclair Broadcast Group, causing operational disruptions.
5. Local and state government
Local and state government organizations experienced a similar attack rate to central government agencies, with 69% getting hit in the months leading up to the 2023 Sophos survey.
In September 2022, for instance, a massive ransomware attack forced Suffolk County, N.Y., to take all its systems offline, seriously compromising emergency services and forcing county employees to work without the internet.
More recently, a May 2023 ransomware attack on the City of Dallas disrupted multiple services, including 911 emergency response, municipal courts, animal services and the police department website.
Notably, North Carolina and Florida have banned their state agencies and local governments from making ransom payments, a move other states have also considered.
6. Retail
The retail sector tied with local and state governments in the Sophos 2023 survey, with 69% reporting recent ransomware attacks. While that figure is high, it does represent an 8 percentage-point improvement over the sector's attack rate the previous year.
In one example of a ransomware attack on a retail company, Computer Weekly learned in 2021 that British retailer FatFace had paid the Conti ransomware gang $2 million to return company data.
Several months later, an unprecedented ransomware supply chain attack on software provider Kaseya ultimately infected as many as 1,500 businesses. Among them was Swedish grocery store chain Coop, which had to temporarily close the majority of its 800 retail stores in response. The retailer said the malware prevented many of its cash registers from working.
7. Energy and utilities infrastructure
Ransomware struck 67% of the oil, gas and utilities organizations that Sophos surveyed in 2023, a slight decline from the previous year. These attacks can cause particularly catastrophic damage and disruption, making the sector of perennial interest to cybercriminals.
"They are quite good at understanding where critical infrastructure pieces exist, how they can hit them and how they can use that to really put the heat on their victims," Gartner's Silva said.
One of the most infamous ransomware attacks to date happened when the DarkSide gang reportedly infiltrated Colonial Pipeline Co. via a legacy VPN account, shutting down operations and disrupting the U.S. East Coast's fuel supply for days. Although the ransomware operators successfully collected $4.4 million, the Department of Justice said it later recovered half of that payment using a private key.
8. Distribution and transport
Cybercriminals have long viewed organizations in the logistics sector as attractive ransomware targets. Almost a decade ago, for example, a still-infamous NotPetya attack cost Danish shipping giant Maersk up to $300 million in lost revenue.
As of 2023, two out of three distribution and transport companies told Sophos they had recently experienced ransomware incidents. In one such attack, ransomware hit German fuel logistics firm OilTanking, disrupting deliveries at around 200 gas stations.
9. Financial services
Sophos' "State of Ransomware 2023" report found good news and bad news for financial services: While the sector's attack rate increased year over year -- from 55% to 64% -- it still had a lower attack rate than many other sectors.
Ransomware's impact on the financial services sector has the potential to be widespread and catastrophic. New York's Department of Financial Services has warned that a major ransomware attack could cause "the next great financial crisis" by crippling key organizations and causing a loss of consumer confidence.
In March 2021, ransomware operators hit CNA Financial, one of the largest commercial insurers in the U.S. Bloomberg reported CNA paid a $40 million ransom demand, although the firm has not confirmed that figure.
10. Business, professional and legal services
Unit 42, Palo Alto Networks' threat research and consulting group, considers professional and legal services to be one of today's most-targeted sectors, second only to manufacturing. The researchers based their conclusion on data they found on ransomware leak sites, where criminals post victims' stolen data.
Unit 42 researchers speculated these companies -- which include accounting, advertising, consulting, engineering, marketing and law firms -- may make attractive ransomware targets for the following two reasons:
- They often rely on outdated and unpatched systems and software, making it easier for criminals to gain access to their networks.
- They cannot provide their products and services without functional IT, incentivizing them to pay ransoms quickly or experience significant business fallout.
In the Sophos 2023 survey, three in five business and professional services organizations said they had suffered ransomware attacks over the previous year.
In a major 2021 incident, ransomware operators accessed and encrypted files belonging to major law firm Campbell Conroy & O'Neil, including sensitive personal information such as Social Security numbers and financial data. The high-profile trial attorneys have represented numerous Fortune 500 companies, including Boeing, Chrysler, FedEx, Home Depot, Johnson & Johnson, Liberty Mutual and Marriott International.
11. Healthcare
Medical centers' high-stakes work and widespread security vulnerabilities make them a favorite target of cybercriminals, according to the Ransomware Task Force, a group of tech executives that makes recommendations to the White House. The good news: The percentage of healthcare organizations that told Sophos researchers they had recently experienced ransomware attacks fell from 66% in 2022 to 60% in 2023.
Still, the effects of ransomware incidents in this sector can be particularly disastrous. An attack on a hospital in Düsseldorf, Germany, forced healthcare workers to send a patient with a life-threatening condition to another hospital 20 miles away. The patient later died, with German prosecutors saying it might have been one of the first ransomware-related fatalities. Investigators opened a negligent homicide case but abandoned it when they couldn't prove the breach directly caused the woman's death.
Although officials haven't yet successfully held cybercriminals accountable for negative patient outcomes, research strongly suggests ransomware attacks have already contributed to unnecessary deaths.
12. Manufacturing and production
Sophos researchers found more than half of manufacturers had fielded recent ransomware attacks in the 12 months leading up to the survey. For instance, operators hit a number of big corporations in early 2023, including major produce company Dole. The attack affected the company's systems throughout North America, according to an email shared by one of Dole's Texas-based retail partners on Facebook.
In a particularly notorious example of an attack on this sector, the REvil ransomware gang brought operations to a total halt at beef manufacturer JBS USA, one of the United States' largest meat suppliers. Although the company said it was back up and running within four days, thanks to its backup servers, JBS USA later confirmed paying $11 million to the hackers to stop data exfiltration and leaks.
13. IT, technology and telecoms
One in two organizations in the IT, technology and telecommunications industries dealt with ransomware attacks between January 2022 and March 2023, Sophos researchers found. They attributed this relatively low attack rate to greater cyber-readiness and better cyber defenses. Organizations from this sector were also the only ones that saw their data encrypted in fewer than half of ransomware attacks. Across the other industries, malicious actors successfully encrypted data in more than two-thirds of attacks.
Recent ransomware targets in the IT, technology and telecoms sector include Taiwan-based PC manufacturer Acer, which received one of the largest ransom demands on record at the time -- $50 million -- from the REvil gang. Whether the company paid the ransom is unknown.
MSPs are also ransomware targets -- and not just the major players. For example, the owner of ITRMS, a small MSP based in Riverside, Calif., has described fielding multiple such attacks over the years, against both his own firm and his clients.
Everyone is a potential ransomware target
While research suggested organizations across these 13 industries are among the top ransomware targets, experts emphasized that no organization -- regardless of size or sector -- is immune.
That reality -- and memories of the attack on his nearby peer institution -- keep WVC's Garcia up at night. The information security officer said that, after learning of the ransomware incident at WVC's sister college, he immediately dropped everything he was working on to assess his own organization's network infrastructure and cybersecurity posture.
Garcia reviewed server access, application activity, data classification and retention policies, endpoint security and more. His team also deployed a new air-gapped backup system using technology from Veeam and ExaGrid, going over every account setting with a fine-toothed comb. "If our entire infrastructure is compromised, I want to know my backup data is going to be secure," he said.
His counterparts at other schools in the Washington community college system went through similar exercises after the attack, Garcia added, describing a sudden "flurry of awareness" in the region. He and other college security leaders even held a series of emergency meetings to share knowledge, brainstorm and engage in ransomware tabletop exercises.
Garcia said his goal is not to dodge a ransomware attack altogether, which experts and statistics suggest is next to impossible. Rather, it's to survive it.
"Maybe we lose half our servers and some specific subnets, and we're restoring from backup," he said. "But at least it's a survivable scenario, versus having everything gone, like what happened to that other community college."