Healthcare and education remain common ransomware targets

Healthcare and education sectors accounted for most of the ransomware disclosures in August, a month that remained low for confirmed attacks compared with earlier this year.

TechTarget Editorial began compiling a ransomware database in January that tracks public reports and disclosure notifications for each month. While organizations don't always confirm that the attacks have involved ransomware, there are some key factors, including the mention of encrypted services.

Based on recent data, the slow summer of disclosures and confirmed attacks has continued. Last month's list included 17 organizations overall, with four entries likely to have been ransomware but not confirmed. Since June, entries have remained in the teens, which does not necessarily mean ransomware attacks are down, though public reporting and disclosures appear to be. Earlier this year, we tracked between 30 to 50 disclosures and reports per month.

Cybereason CISO Israel Barak told TechTarget Editorial that ransomware remains one of the top three threats observed in incident response cases. And when phishing or identity compromises occur, ransomware is the most prevalent endgame, he said.

Jamie Levy, director of R&D at Huntress, said the cybersecurity vendor has also observed that ransomware is up, though groups have steered away from high ransom demands to target small and medium-sized businesses.

In addition to the frequency of ransomware attacks, the database also highlights the often lengthy time spans between when an attack occurred and when it was disclosed. These gaps were particularly long for some of the healthcare ransomware attacks last month; for example, one organization, Valent U.S.A. LLC, was hit nearly one year ago, but it did not disclose the attack until August.

There were additional healthcare ransomware attacks disclosed in August. Practice Resources, LLC, a healthcare billing provider based in Syracuse, N.Y., disclosed an April attack that exposed the names, addresses, dates of treatment and health plan numbers, though private medical records and payment information were not accessed.

Similarly, a disclosure from Lamoille Health Partners warned patients that Social Security numbers, along with health insurance and medical treatment information, might have been compromised during a ransomware attack.

Another healthcare disclosure came from EmergeOrtho, an orthopedic practice in North Carolina with more than 45 offices. Though it referred to the ransomware attack as "sophisticated," the practice assured patients that no medical records, treatment information or financial information was compromised as a result of the incident.

As for educational institutions, one ransomware attack took down the Mansfield Independent School District in Texas. According to a local media report, the attack shut down the school district's website, email and phone systems. It also affected the visitor and volunteer management systems, which forced the suspension of campus visitors.

Sierra College in Rocklin, Calif., suffered a ransomware attack on Aug. 20, two days before the start of its fall semester. The community college was able to recover quickly due to security improvements implemented after a different ransomware attack in May 2021, according to a report by GovTech.

However, one of the most significant attacks on the education sector occurred against Whitworth University in Washington, which shut down the campus network for weeks just as the new school year was scheduled to start. Prominent ransomware gang LockBit claimed responsibility for the attack by posting about the university on its public leak site.

LockBit also struck Entrust, which was the most well-known victim for the month. Bleeping Computer first reported in July that the digital certificate vendor had been breached by an unnamed ransomware gang the previous month; Entrust sent security notification letters issued by CEO Todd Wilkinson that confirmed an unauthorized party had accessed its systems and stolen some files, though the notifications did not refer to any ransomware.

However, LockBit last month claimed responsibility for the attack and added Entrust on its data leak site. The ransomware gang began leaking data that allegedly belonged to Entrust before its dark web site went offline. Entrust has not confirmed that the incident involved ransomware, and the company did not respond to TechTarget Editorial's request for comment.