Ransomware attacks on public sector persist in January

Many of the attacks disclosed or reported in January occurred against the public sector, including multiple school districts that were hit within days of one another.

Ransomware caused significant disruptions across the public sector last month, including five school districts and a housing authority that serves 19,000 low-income families and individuals.

TechTarget Editorial has tracked publicly disclosed ransomware attacks in the U.S. for the past year, documenting trends and threat activity patterns. Though the number of reported attacks and disclosures decreased slightly from previous months to a total of 21, several victims in January suffered both sensitive data leaks and prolonged downtimes.

LockBit, one of the more high-profile ransomware-as-a-service groups, claimed responsibility for two attacks last month. Vice Society, which notoriously targeted schools, instead hit one of the busiest rapid transit systems in the U.S.

On Jan. 6, San Francisco's Bay Area Rapid Transit was listed on the Vice Society public leak site, which is used to pressure victims into paying. However, The Record reported the attack did not affect any services or internal business systems.

Unfortunately, a LockBit attack on Jan. 2 against the Housing Authority of the City of Los Angeles (HACLA) did cause disruptions. The agency operates 6,300 units located throughout the city.

Emsisoft analyst Brett Callow posted a screenshot of the leak site to Twitter that revealed a Jan. 12 deadline to pay the ransom demand. As of Jan. 31, HACLA's website states it is still experiencing technical difficulties and systems are not fully restored.

LockBit was also behind an attack against Ohio's Circleville Municipal Court on Jan. 12. While The Record reported that a spokesperson for the court did not confirm whether ransomware was involved, LockBit claimed it stole 500 GB of data. As of Jan. 31, services on the court's website remained widely unavailable.

More schools, colleges attacked

Ransomware attacks against the education sector ramped up towards the end of the month with four reported incidents in the span of one week.

On Jan. 31, local news outlet The Inquirer and Mirror reported Nantucket Public Schools in Massachusetts were forced to close early due to compromised systems. Another report by Mass Live revealed all student and staff devices were shut down as a result.

One day prior, Tucson Unified School District, which serves 47,000 students, was forced offline after an attack by Royal ransomware, a group that Cybereason recently warned is on the rise. KOLD News reported the attack took down the Southern Arizona school district's internet and network services.

On Jan. 26, Stratford University sent out data breach notifications addressing an attack it suffered in October. An investigation, which concluded on Nov. 11, revealed names, phone numbers, addresses, passport numbers and Social Security numbers for both employees and students were among the stolen information.

Wawasee Community School Corporation, a district in Indiana with five schools, suffered an attack on Jan. 20 that affected all Windows-based computers, servers and systems, according to a report by Indiana's Ink Free News. The corporation contacted the Indiana Department of Education, the FBI and the Department of Homeland Security following the attack. A statement by superintendent Dr. Steve Troyer confirmed it caused "significant disruption to daily operations."

Earlier in the month, Des Moines Public Schools, the largest district in Iowa, announced it had canceled classes on Jan. 10 and taken its network offline after detecting "unusual activity." While the district did not confirm ransomware was involved, school officials told news outlets that the district was treating the incident as a ransomware attack.

Swansea Public School District, another Massachusetts-based institution, suffered a ransomware attack as well. Superintendent John Robidoux confirmed the attack in a Twitter post on Jan. 3, stating school was canceled due to a ransomware attack that shut down the network. School reopened two days later.

In a press release on Jan. 4, Robidoux said a preliminary investigation showed no student or staff data was stolen in the attack. He applauded Hub Technology, the school's cybersecurity company, for its rapid resolve.

Another commonality among reported January attacks was delayed disclosure. In addition to Stratford University's notification that took five months to issue, Calvary Albuquerque, a church located in New Mexico, also reported through data breach notifications an attack that occurred last March. Stolen information included Social Security numbers, passport numbers and taxpayer identification numbers.

More notably, Lutheran Social Services of Illinois took more than a year to disclose an attack. On Jan. 25, it sent data breach notifications regarding a ransomware attack that started in 2021. While potentially stolen information was redacted, the notification did state "personal information maintained on our systems was potentially accessed by an unauthorized party from December 31, 2021, to January 27, 2022." The organization is one of the largest statewide social service providers, according to its website.
