Ransomware gangs were busy in 2022, targeting the education sector right at the beginning of the new school year, forcing services offline at major hospitals, and hitting major enterprises such as cloud service providers and a prominent cybersecurity vendor.
Several government advisories were also issued last year, warning of significant threats posed by multiple ransomware groups. Hive was especially active and claimed responsibility for three attacks against the education sector in November and one in December, according to TechTarget Editorial's ransomware database.
Here are 10 of the biggest ransomware attacks of 2022 in chronological order.
1. San Francisco 49ers
Two days after being listed on BlackByte's public leak site, the San Francisco 49ers confirmed it suffered a ransomware attack in a statement to The Record on Feb. 13 -- Super Bowl Sunday. Law enforcement was contacted immediately, and the NFL team said it believed the attack was limited to its corporate network. Following an investigation with law enforcement that concluded on Aug. 9, the popular NFL franchise started sending out data breach notifications to affected customers. The attack was just one of several in February against major enterprises.
2. Glenn County Office of Education
The Glenn County Office of Education (GCOE) in California was one of many ransomware victims in the education sector last year. GCOE was struck by an attack on May 10 that limited network access. According to a DataBreaches.net report, GCOE paid a $400,000 ransom to the Quantum ransomware gang. In October, the office that serves eight school districts began sending out data breach notifications to current and former students as well as teachers whose data may have been stolen. Information included names and Social Security numbers.
3. Opus Interactive, Inc.
Hosting service provider Opus Interactive, Inc., also suffered a ransomware attack in May. On its interactive status page under May, the Oregon-based vendor said there was an "incident affecting its infrastructure" but that all its customers' workloads were restored successfully.
On May 13, Oregon Live reported that the Oregon Secretary of State's office was one of Opus's customers. Campaign finance records stored on Opus systems were subsequently moved ahead of Oregon's primary election. On May 25, Opus updated the incident status page to "resolved."
4. Cisco
Networking giant Cisco, which specializes in cybersecurity and incident response services with Cisco Talos, confirmed it was attacked by the Yanluowang ransomware gang on May 24 after threat actors gained access to an employee's credentials through a compromised personal Google account. Nick Biasini, global lead of outreach at Cisco Talos, detailed the attack in an August blog post that revealed a successful voice phishing campaign letting attackers bypass the multifactor authentication settings. However, Cisco apparently detected the intrusion before threat actors could deploy the ransomware. In a September update, Cisco confirmed stolen data posted to Yanluowang's public data leak site matched what Cisco had "already identified and disclosed."
5. Entrust Corporation
In early June, certificate authority giant Entrust Corporation, which provides authentication and identity management technology, was hit by LockBit ransomware. While no official statement was released, the attack was confirmed by BleepingComputer and security researcher Dominic Alvieri, who shared a letter Entrust president Todd Wilkinson sent to employees.
Wilkinson did not specify ransomware was involved but did confirm data was exfiltrated. In August, Entrust appeared on LockBit's public data leak site used to pressure victims into paying. Entrust customers include "some of the biggest companies in the world," according to its website, including Microsoft, VISA and VMware.
6. Macmillan Publishers
Later in June, a ransomware attack temporarily disabled Macmillan Publishers' ability to accept, process or ship orders. Publishers Weekly was the first to report the incident on June 28 after obtaining emails from Macmillan stating that a "security incident, which involves the encryption of certain files on our network" caused operations to remain closed. A separate report by BleepingComputer confirmed employees were unable to access their emails. Based in New York, Macmillan operates in over 70 countries with eight divisions in the U.S.
7. Los Angeles Unified School District
Ransomware ravaged many school districts and colleges last year. But one of the most significant attacks occurred days before the start of the new school year against Los Angeles Unified School District (LAUSD), the second largest public school system in the U.S. In a statement addressing its response to the Sept. 5 attack, LAUSD said it declined to pay a ransom, arguing that funds would be better spent on students and that it "never guarantees the full recovery of data."
The following month, Vice Society claimed responsibility for the attack through its public data leak site and later posted the stolen data on the dark web. With support from the White House, LAUSD was assisted by the Department of Education, the FBI and the Cybersecurity and Infrastructure Security Agency.
Vice Society has listed the 2nd largest school district in the US: #LAUSD. The same gang has hit at least 8 other US school districts and colleges/universities so far this year. 1/5 pic.twitter.com/DOSq839FDT -- Brett Callow (@BrettCallow), September 30, 2022
8. CommonSpirit Health
Following a ransomware attack on October 3, nonprofit Chicago-based hospital chain CommonSpirit Health forced its systems offline to contain the threat. That included electronic health records and patient portals used to schedule appointments. The attack was significant not only because it affected the healthcare sector, a popular target among ransomware actors, but also because of the scope. CommonSpirit encompasses 140 hospitals and more than 1,000 care sites in 21 states.
In an IT issue update on Dec. 1, the hospital chain confirmed the threat actors "gained access to certain files, including files that contained personal information." CommonSpirit Health also said the investigation is ongoing and that it sent data breach notifications to patients from the Franciscan Medical Group and Franciscan Health in Washington state.
9. Apprentice Information Systems
Thirty-one Arkansas counties were affected after Apprentice Information Systems suffered a ransomware attack in early November. On its website, the IT services and consulting vendor advertises its servers as "precisely suited to the government office environment." KARK was the first to report the attack, which forced county services offline, caused temporary office closures and disabled internet access altogether for at least three counties, while many other county governments experienced partial disruptions. In early December, some of the counties announced that most systems and services had been restored.
10. Rackspace Technology
Rackspace last month suffered one of the most high-profile ransomware attacks of 2022, which caused significant outages and disruptions for its Hosted Exchange services. Beginning Dec. 2, customers were unable to access their mail services in what the cloud service provider called a "security incident." Four days later, Rackspace confirmed the outages were caused by ransomware and began migrating its Hosted Exchange customers to Microsoft 365.
Later, Rackspace confirmed the ransomware attack was caused by the new exploit method called "OWASSRF." First discovered and documented by CrowdStrike, which provided incident response services for Rackspace, OWASSRF bypasses mitigations for ProxyNotShell vulnerabilities in Microsoft Exchange Server. In an update this week, Rackspace said Play threat actors accessed the Personal Storage Tables (PSTs) of 27 Hosted Exchange customers but added that CrowdStrike found no evidence that threat actors viewed, obtained or misused any of the data in the PSTs. Rackspace declined to comment on whether it received or paid a ransom.