In the summer of 2019, a public community college in the state of Washington suffered a catastrophic ransomware attack. "They lost every server. Everything -- email, coursework, lectures -- everything was gone," said Steve Garcia, information security officer at Wenatchee Valley College (WVC) in Wenatchee, Wash., which is part of the same educational system as the targeted school. "It was pretty devastating."
The breach occurred when an IT employee logged in to a server from a home computer to perform routine weekend maintenance and then checked email, accidentally clicking on a phishing link that initiated the attack, according to Garcia. The malware infected and then encrypted the backup server, requiring the college to rebuild its entire IT environment from scratch. The rebuilding process took months and caused student enrollment to plummet. "It was an eye-opener. You read about it, you hear about it, but it's typically a private sector company, far away. It's different when it hits that close," he said.
That school is not alone. Last year, one in three organizations around the world suffered a ransomware incident, according to a survey of 5,400 IT decision-makers by cybersecurity software vendor Sophos. The education and retail sectors took the hardest hits, with 44% of those organizations fielding attacks. But experts cautioned that, while some organizations might be at slightly higher risk of becoming ransomware targets than others, no single industry shoulders all, or even most, of the risk. To that point, the top 10 most targeted industries' incident rates all hovered within seven percentage points of the 37% cross-sector average. The takeaway: No organization is safe.
Forrester analyst Steve Turner said his own research suggested a relatively even distribution of ransom attacks across verticals. However, ransomware incidents in certain industries, such as critical infrastructure and healthcare, tend to result in the most headlines.
Turner pointed to the recent attack on Ireland's national healthcare system as an example. "That got media coverage because of the scale of the attack," he said. "That's the stuff that folks want to hear about and that kind of strikes the fear of God in them."
On the other hand, incidents involving lower-profile targets, such as local governments and small businesses, typically attract less attention, leading to the misperception that they are less attractive ransomware targets. Unfortunately, that's far from the case.
"Whether a 500-person company or a 50,000-person company, everybody's a target," said Chris Silva, analyst at Gartner. Why? Ransomware gangs are businesses. "What attackers really seem to be looking at is where they can expect the maximum financial impact," he explained. That might mean a single, massive attack on a natural gas pipeline or many attacks spread across dozens of small businesses.
Bearing all of that in mind, what follows are the 10 top -- but by no means the only -- ransomware targets in 2021 and beyond, based on the Sophos survey and other data.
1. Education
The education sector has become one of the top ransomware targets, with nearly 1,700 schools, colleges and universities hit in 2020, according to the Ransomware Task Force (RTF), a group of tech executives that makes recommendations to the White House. A joint report from the FBI, Cybersecurity and Infrastructure Security Agency, and Multi-State Information Sharing and Analysis Center found that 57% of all known ransomware incidents in August and September 2020 involved K-12 schools.
Cybercriminals continued to target educational institutions in 2021, with a March ransomware attack on New York's Buffalo Public Schools system halting in-person and virtual learning for 34,000 students for a week. On the higher education front, Howard University was forced to cancel two days of classes after discovering a ransomware attack over the 2021 Labor Day weekend.
2. Retail
Like educational organizations, almost half of all retail companies were ransomware targets in 2020, according to Sophos' survey results. And, of those retail organizations that had not been hit in the past year, 34% said they expect to suffer an attack in the future.
In April 2021, Computer Weekly learned that British retailer FatFace paid the Conti ransomware gang a $2 million ransom following a successful phishing campaign. Then, in July, an unprecedented supply chain attack on software provider Kaseya ultimately infected as many as 1,500 businesses. Among them was Swedish grocery store chain Coop, which had to close the majority of its 800 stores for three days to deal with the attack. The retailer said the malware prevented many of its cash registers from working.
3. Business, professional and legal services
Companies in the business, professional and legal services sector, which includes accounting, advertising, consulting, engineering, law and marketing firms, can make attractive ransomware targets. Many in this sector are in possession of highly sensitive data and may have the financial resources to pay large ransom demands. Small shops are also more likely to have outdated or lackluster cybersecurity strategies, making it relatively easy for criminals to gain access to their networks.
In February 2021, major law firm Campbell Conroy & O'Neil said ransomware operators had accessed and encrypted files that included sensitive personal information, such as Social Security numbers and financial data. The high-profile trial attorneys have represented numerous Fortune 500 companies, including Boeing, Chrysler, FedEx, Home Depot, Johnson & Johnson, Liberty Mutual and Marriott International.
Fortunately, other recent incidents in this sector, such as an attack in April 2021 on engineering firm Dennis Group and another in August 2021 on IT consulting firm Accenture, resulted in minimal fallout. Both organizations were able to fully restore their systems without engaging the hackers.
4. Central government
Sophos' global survey of 117 IT decision-makers from central government organizations found 40% of them had suffered a ransomware attack in the previous 12 months. As previously mentioned, Ireland's national health service fell victim to a ransomware attack in May 2021 that forced the government to shut down all hospital IT systems, seriously disrupting patient care. Two years earlier, an attack shut down a U.S. Coast Guard facility for almost three days.
5. IT
Unit 42, Palo Alto's threat research and consulting group, reported a 65% increase in ransomware incident response cases in the IT sector from 2019 to 2020. The researchers attributed this, in part, to the abrupt migration to remote work, with ransomware operators using pandemic-themed phishing content to prey on victims at an unusually vulnerable time.
In early 2021, ransomware gang REvil compromised Taiwan-based PC manufacturer Acer's network and made one of the largest ransom demands on record: $50 million. It's unknown if the company paid the ransom. Other recent ransomware targets in the IT sector have included Apple laptop manufacturer Quanta Computer, vehicle inspection technology provider Applus Technologies, backup storage vendor ExaGrid and software provider Kaseya.
6. Manufacturing
Threat researchers at Unit 42 also found that, in 2020, ransomware operators published stolen information from 45 manufacturing companies -- the most of any sector -- on leak sites, where criminals post data from victims who don't meet ransom deadlines. Sophos' survey suggested 36% of manufacturers fielded attacks that same year.
In May 2021, a REvil ransomware attack brought operations to a halt at beef manufacturer JBS USA, one of the United States' largest meat suppliers. Although the company said it was back up and running within four days thanks to its backup servers, JBS USA later confirmed paying $11 million to the hackers to prevent data exfiltration and leaks.
Sophos found in its 2021 survey that manufacturing and production companies are the best prepared to restore data from backups and, perhaps consequently, the least likely to pay ransoms.
7. Energy and utilities infrastructure
Organizations from the oil, gas and utilities sector conversely are the most likely to pay ransoms, Sophos found, a reality likely well known to cybercriminals. "They are quite good at understanding where critical infrastructure pieces exist, how they can hit them and how they can use that to really put the heat on their victims," Gartner's Silva said.
Perhaps the most infamous ransomware attack to date was discovered in May 2021. After reportedly infiltrating the Colonial Pipeline Co. via a legacy VPN account, the DarkSide gang shut down operations and disrupted the U.S. East Coast's fuel supply for days. Although the ransomware operators successfully collected $4.4 million, the Department of Justice said it later recovered half of that payment using a private key.
8. Healthcare
Medical centers' high-stakes work and widespread security vulnerabilities make them "a favorite target" of cybercriminals, according to RTF. Some gangs seem to have seen the COVID-19 pandemic, in particular, as a business opportunity, with hospitals more likely to bow to ransom demands while grappling with an unprecedented and deadly health crisis.
The federal Health Sector Cybersecurity Coordination Center, part of the Department of Health and Human Services, counted 82 separate ransomware incidents in the global healthcare sector in the first five months of 2021 alone. (Note: A single incident can impact numerous hospitals and clinics.) In its 2020 "State of Ransomware" report, cybersecurity software company Emsisoft said ransomware attacks affected at least 560 American healthcare facilities that year.
In September 2020, a ransomware attack on a hospital in Düsseldorf, Germany, forced healthcare workers to send a patient with a life-threatening condition to another hospital 20 miles away. The patient later died, with German prosecutors saying it might have been the first ransomware-related fatality. Investigators opened a negligent homicide case but abandoned it when they couldn't prove the breach directly caused the woman's death.
9. Local government
Just over a third of local government organizations, 34%, fell victim to a ransomware attack in 2020, Sophos researchers found. More alarming still, nearly one in four admitted they have no malware recovery plan in place. This sector is also the most likely to see its data encrypted in an attack.
A report from colocation, cloud and disaster recovery services provider Sungard Availability Services found that, in 2019 and 2020, only 11 states were not affected by a ransomware attack targeting a municipality. In Texas alone, local governments experienced 39 attacks.
10. Financial services
Ransomware's impact on the financial services sector has the potential to be widespread and catastrophic. New York's Department of Financial Services recently warned that a major ransomware attack could cause "the next great financial crisis" by crippling key organizations and causing a loss of consumer confidence.
Sophos surveyed 550 IT decision-makers from the financial sector and found 34% experienced a ransomware attack in 2020, near the cross-sector average of 37%. The good news, according to the research: 91% of financial services institutions said they have a malware incident recovery plan. The bad news: The average cost of a ransomware attack in this sector was $2.1 million.
In March 2021, ransomware operators hit CNA Financial, one of the largest commercial insurers in the U.S. Bloomberg reported that CNA paid a $40 million ransom demand, although the firm has not confirmed that figure. Network operations required almost two months to be fully restored.
Everyone is a potential ransomware target
While research suggested organizations across these 10 industries are among the top ransomware targets, experts emphasized that no organization -- regardless of size or sector -- is immune. That reality and memories of the attack on his nearby peer institution keep WVC's Garcia up at night.
The information security officer said that, after learning of the ransomware incident at WVC's sister college, he immediately dropped everything he was working on to assess his own organization's network infrastructure and cybersecurity posture. Garcia reviewed server access, application activity, data classification and retention policies, endpoint security and more. His team also deployed a new air-gapped backup system using technology from Veeam and ExaGrid, going over every account setting with a fine-toothed comb. "If our entire infrastructure is compromised, I want to know my backup data is going to be secure," he said.
His counterparts at other schools in the Washington community college system went through similar exercises after the attack, Garcia added, describing a sudden "flurry of awareness" in the region. He and other college security leaders even held a series of emergency meetings to share knowledge, brainstorm and engage in ransomware tabletop exercises.
Garcia said his goal is not to dodge a ransomware attack altogether, which experts and statistics suggest is next to impossible. Rather, it's to survive it. "Maybe we lose half our servers and some specific subnets, and we're restoring from backup," he said. "But at least it's a survivable scenario, versus having everything gone, like what happened to that other community college."