Ransomware on the rise, hitting schools and healthcare

October ransomware disclosures and public reports tracked by TechTarget Editorial increased from previous months, with notable attacks on education and healthcare organizations.

The number of reported ransomware attacks rose slightly in October, with the education sector remaining a popular target for cybercriminals.

TechTarget Editorial has tracked ransomware attack disclosures and public reports in the U.S. since January and analyzed the data to determine trends as well as heightened activity. For the first time in months, the number of publicly disclosed U.S. ransomware incidents tracked by TechTarget Editorial surpassed the teens.

While the 20 victims included healthcare, transportation, IT and food manufacturers, attacks against the education sector persisted -- and in at least one case caused prolonged disruptions. Ransomware attacks on schools and higher education typically increase in late summer and early fall as classes resume.

California-based Hartnell College, which suffered an attack at the beginning of October, reported this week that its phone and internet systems continued to be affected. Hartnell had 2,000 devices connected to the school's network during the attack, including 300 laptops, which contributed to the prolonged downtime, according to local news coverage. As a result of the attack, Hartnell told KION 46 news channel it will implement new security measures, including two-factor authentication, a control vendors have been advising for years and one that has only grown more urgent.

Kenosha Unified School District (KUSD) also experienced extended disruptions from an attack back in September. What the Wisconsin K-12 district initially referred to as a "cybersecurity incident" was not confirmed as ransomware until Oct. 24, when The Record reported that a ransomware group claimed responsibility for the attack. The Snatch ransomware gang added KUSD, a school district with more than 19,000 students, to its public data leak site last month, according to the report. In a separate statement on KUSD's website, the district said an investigation with law enforcement is ongoing.

Another significant attack in October forced CommonSpirit Health, which encompasses 140 hospitals and more than 1,000 care sites in 21 states, to take its systems offline, including electronic health records and patient portals. The nonprofit Chicago-based hospital chain disclosed the ransomware attack in a statement posted to its website on Oct. 17. Under frequently asked questions, CommonSpirit said it's still investigating to determine if patient data was accessed.

In an advisory last month, the Cybersecurity and Infrastructure Security Agency warned that ransomware attacks against the healthcare sector are on the rise. The alert highlighted one group, known as the Daixin Team, that it says is "actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations."

For attacks on the public sector, Indianapolis news station WRTV reported a ransomware attack Oct. 6 against the federally funded Indianapolis Housing Agency, with a law enforcement investigation ongoing. According to multiple reports since, the attack delayed October rent payments, which affected low-income families, older adults and people with disabilities. The Indianapolis Star also stated that the attack was ongoing as of Oct. 26.

While investigations and additional factors can delay ransomware disclosures, appliance manufacturer Felix Storch Inc. didn't report an attack that occurred in 2020 until just last month. However, its data breach notification did provide specific attack details, including attribution to the PYSA ransomware group.

Felix Storch said PYSA sent two letters within two and a half hours demanding 10 bitcoin to decrypt the files, but the company said it did not respond to communications. In addition, Felix Storch said it did not learn that "personal information may have been accessed and exfiltrated" until August of this year, which prompted the breach notification letters.

As stated in prior ransomware roundups, the confirmed reports and disclosures in October collected by TechTarget Editorial likely represent only a portion of the actual ransomware activity that took place last month. Many data breach notification letters published by various state attorney general offices described security incidents that suggest a ransomware attack had occurred, but did not explicitly state that one took place.

TechTarget Editorial only includes notifications that either explicitly state that ransomware was involved or disclose that systems and data were encrypted by malicious actors. Similarly, the database does not include extortion attacks in which cybercriminals steal and threaten to leak data, but do not deploy actual ransomware on victims' systems.
