While the number of ransomware attacks disclosed and reported in December did not increase from the previous month, many victims were high-profile companies such as cloud service provider Rackspace.
For the past year, TechTarget Editorial has tracked ransomware incidents against U.S. organizations through public disclosures from the offices of state attorneys general and various media reports. There were 22 confirmed disclosures and public reports in December, compared with 25 in November; however, like past months, the number is likely higher due to ongoing security investigations.
The education and public sectors remained popular targets throughout the month, but perhaps the most damaging fallout resulted from an attack against Rackspace on Dec. 2. The attack struck the cloud provider's Hosted Exchange environment, forcing Rackspace to shut down the service and migrate customers to Microsoft 365.
Other major enterprises suffered attacks, according to reports and disclosures last month.
Chicago-based engineering firm Sargent & Lundy suffered a ransomware attack in October, which CNN confirmed in December. While the company, which has worked with the U.S. Department of Defense and Department of Energy, has not issued a statement, CNN said it obtained a memo that confirmed data belonging to multiple electric utilities was stolen during the intrusion.
Another significant attack occurred against Wabtec Corporation in June, but the rail and transportation technology company, which has 27,000 employees around the world, did not report it until Dec. 30. In a statement posted to its website, Wabtec confirmed stolen data was "posted to the threat actor's leak site." Affected information included medical records, health insurance information, financial account information, payment card information, and account usernames and passwords.
A December data breach notification by commercial roofing company CentiMark disclosed that it stopped a ransomware attack that occurred in August, but not before threat actors accessed some of its network. Potentially viewed or stolen information included names, dates of birth, Social Security numbers and driver's license numbers. Based in Pennsylvania, the company has more than 95 offices across the U.S., Canada and Mexico.
While details into ransomware attacks are often scarce or delayed, two incidents last month offered some insight into recovery efforts and costs.
On Dec. 1, Little Rock School District (LRSD) in Arkansas confirmed a network issue occurred on Nov. 11. Subsequently, Little Rock KATV reported that the school board voted to pay a $250,000 ransom demand to recover stolen data. However, it appears there was backlash over the district's transparency and how it handled the incident.
Greg Adams, LRSD board president, issued a statement to stakeholders on Dec. 15 to address the concerns, citing input from cybersecurity firms and legal teams. "Under the advice of these advisors, we were told to minimize the public messaging regarding the incident, as it could cause drastic and harmful actions by the Threat Actors," Adams wrote in the statement.
In addition, Mayor Lori Klein Quinn confirmed the City of Tomball, Texas, was hit by ransomware on Dec. 20, which resulted in an emergency city council meeting on Dec. 30. During the meeting, David Esquivel, city manager, was authorized to spend $50,000 for "recovery of city systems and data," according to a report by Community Impact. As of Jan. 1, Klein Quinn said the city did not have a date for when systems would be fully restored, and the city's network and online services remained down Wednesday.
Attacks on the education sector also continued last month.
Bristol Community College (BCC) in Massachusetts reported that ransomware encrypted its network on Dec. 23, and as of Wednesday, email and other online services remained unavailable. BCC recommended changing passwords on both professional and personal accounts.
Knox College in Illinois also experienced prolonged downtime following a ransomware attack on Nov. 26, which the Galesburg Register-Mail publicly disclosed on Dec. 2. In addition, NBC News reported that the threat actors sent ransom demand emails directly to students.