June represented a new low for disclosed ransomware attacks in the U.S. this year, which have been steadily declining since the end of March.
SearchSecurity has tracked this decline in a database of public reports and disclosures, as well as a series of articles covering the most notable ransomware attacks for each month. According to the data gathered, the number of reported ransomware attacks in the U.S. hit its peak in January and its low in June. Comparing just January to June, there was more than a 300% decrease in the number of reported attacks.
According to an NCC Group report, ransomware attacks are also down worldwide, falling 18% from April to May. The cybersecurity company said the decrease may stem from the apparent closure of Conti, a Russian ransomware group. Conti was breached by an anonymous security researcher known as "Conti Leaks" on Twitter, who leaked the group's source code, documents and private communications.
However, the drop in attacks does not mean that ransomware has ceased in the U.S., as several public and private entities continue to suffer attacks. Experts also suggested that while there has been a dip following Russia's invasion of Ukraine and resulting sanctions, nation-state threat groups and Russian ransomware operations could be targeting the U.S. and other Western allies.
During a recent panel discussion for the U.S. Chamber of Commerce, Mike Herrington, section chief of the FBI's cyber division, said that increased sanctions on Russia could lead to an increased pressure to respond with cyber attacks on U.S. targets. Conti has already shown its willingness to respond to with threats against critical infrastructure and repeated attacks on U.S. entities.
Attacks on public services
The trend of attacks on public entities continued at the start of the month, with the Cape Cod Regional Transit Authority (CCRTA) announcing an attack following Memorial Day weekend.
The CCRTA announced that service remained mostly unaffected by the attack, with most of their services able to be coordinated manually. According to Tom Cahir, administrator of the CCRTA, critical systems were recovered within a couple days of the attack and backup restoration was expected to be complete by the end of the month.
The same day, the city of Alexandria, La., confirmed it was investigating an attack after the city was claimed as a victim by the BlackCat ransomware group. SearchSecurity attempted to contact the city about the status of the attack and potential recovery, but the city government did not respond.
Ellsworth, Kan., was another municipal government that was hit last month. According to the city's press release, the attack occurred on June 2, causing the city to take down its systems.
The city said that no services for the public were affected by the ransomware attack, but some internal operations were limited.
In addition, the Tenafly public school district in New Jersey confirmed a ransomware attack that forced the school to cancel final exams. The attack that took down the school's computer systems also prevented access to Google classroom and email systems heavily used by the teachers and students.
Higher education also faced ransomware attacks this month as Napa Valley College had its network taken down for weeks following an attack on June 10, according to the Napa Valley Register. On July 6, the college announced that the recovery effort was ongoing, and the school's main website was still only intermittently available. However, Napa Valley College did say that no personal information seemed to be at risk and that most systems had backups in place.
The private sector also disclosed several ransomware attacks this month. The Montrose Environmental Group in Little Rock, Ark., disclosed a ransomware attack on June 14 that disrupted servers and computers within one of its lab networks. At the time, Montrose said it did not believe that any other systems were impacted or that any personal information was stolen. The company did not respond to requests for comment.
The same day as the Montrose incident, the Allison Inn and Spa, a luxury resort in Newberg, Ore., confirmed an apparent ransomware attack. Threat actors reportedly exposed the personal information of employees and ledgers of guests from the hotel and threatened to release further information on 1,500 employees and over 2,000 reservations.
The month closed with Nichirin, a Japanese car parts manufacturer, disclosing a ransomware attack on the company's U.S. subsidiary. Nichirin said that manufacturing and shipping operations were adjusted to maintain business after its systems were taken down.
Other organizations in the private sector disclosed ransomware attacks in June that occurred in prior months. At least five private organizations disclosed attacks to state attorneys general over the month, ranging from local seafood distributors to national job placement companies.
The largest attack affected 81,455 victims when Qualified Temporary Services Inc. was hit, according to Maine's Attorney General Office. The attack occurred in 2021 but was not disclosed until last month.