Ransomware inundated the threat landscape throughout 2023 as ruthless extortion tactics increased and new trends such as dual ransomware attacks made it even more difficult for victim organizations to recover.
Cybersecurity companies reported historic highs for the number of ransomware attacks both month by month and year over year. The threat evolved away from encrypting data to attackers relying solely on data extortion threats to pressure victims into paying, which might have contributed to the surge; TechTarget Editorial only tracks attacks that involved ransomware deployment or attempted deployment. Unfortunately, but not surprisingly, the healthcare sector saw a significant number of ransomware attacks, accounting for four out of the 10 victim organizations on this year's list.
While ransomware gangs dominated the landscape, law enforcement had some wins of its own. Earlier this month, the Department of Justice announced that the FBI seized several websites that belonged to the Alphv/BlackCat ransomware gang and developed decryption tools to help victims recover. As one of the most active threat groups in 2023, BlackCat was behind several attacks featured in this list. Infosec experts say the coordinated takedown could be effective in slowing the group's operations, but a rebrand might be imminent.
Below is a list of 10 of the most notable and damaging ransomware attacks on U.S. organizations in 2023, in chronological order.
Lehigh Valley Health Network
On Feb. 22, Lehigh Valley Health Network (LVHN) CEO Brian Nester disclosed that the Pennsylvania-based organization suffered a ransomware attack on Feb. 6. LVHN initiated an investigation and contacted law enforcement after detecting the unusual activity. Nester confirmed that the attack affected a computer system LVHN uses for "patient images for radiation oncology treatment and other sensitive information."
Unlike many ransomware disclosures, Nester revealed that the BlackCat ransomware group was behind the attack and shed light on the ransom demand. "BlackCat demanded a ransom payment, but LVHN refused to pay this criminal enterprise," he said in the statement.
After LVHN refused to pay, BlackCat operators leaked nude photos of cancer patients in March to increase the pressure. The group's response was one of many examples in 2023 of increasingly callous extortion tactics taken against victim organizations.
Days later, LVHN began sending out data breach notifications. According to the notifications, BlackCat operators acquired sensitive information including names, addresses, phone numbers, medical record numbers, treatment and diagnosis information, and health insurance information, but that wasn't the worst of it.
The notification confirmed that the affected data included sensitive patient images.
"The information for a limited number of individuals include clinical images of patients during treatment," LVHN wrote in the data breach notification.
U.S. Marshals Service
In a statement to NBC News on Feb. 27, Drew Wade, public affairs chief for the U.S. Marshals Service (USMS), confirmed that the government agency suffered a ransomware attack on Feb. 17. Unnamed attackers gained access to sensitive law enforcement data including personally identifiable information on subjects of USMS investigations and some employees, though reports confirmed they did not access the Witness Protection Program.
The ransomware attack only affected one system, which USMS forced offline, according to Wade. However, disruptions continued for at least three months. In May, CNN reported that USMS was continuing to recover from the ransomware attack. While an agency spokesperson told CNN that "critical tools" were restored 30 days after the breach, full restoration was ongoing.
Dish Network
American satellite television provider Dish Network suffered a ransomware attack on Feb. 23 that caused network outages and also affected data for more than 290,000 individuals, mainly employees. Dish filed an 8-K form with the U.S. Securities and Exchange Commission on Feb. 28 that revealed it only took the company four days to determine that data had been acquired by the unnamed threat actor.
No ransomware group claimed responsibility for the attack on public data leak sites. However, a Dish data breach notification published in May indicated that the company paid a ransom.
"We are not aware of any misuse of your information, and we have received confirmation that the extracted data has been deleted," Dish wrote in the data breach notification. The company declined to comment further.
Western Digital
On April 3, data storage vendor Western Digital disclosed that it became aware of a cyberattack on March 26. Subsequently, Western Digital implemented its incident response protocols, restored affected services and contacted law enforcement. Attack fallout included data theft and business disruption as customers were unable to access several services including SanDisk and My Cloud.
BlackCat, one of the most prolific ransomware groups of 2023, claimed responsibility for the attack by leaking alleged stolen data on its public data leak site on April 28. Following a trend of increasingly aggressive extortion tactics, the leaked data included alleged footage taken from a Western Digital video conference meeting.
In an update on May 5, Western Digital confirmed that it was aware of the publicly leaked data and that an investigation into the claims was ongoing.
City of Dallas, Texas
The city of Dallas was attacked by the Royal ransomware gang on May 3, causing significant network outages and forcing Dallas courts to close through May 31. More information came to light after the report "The City of Dallas Ransomware Incident: May 2023" was released in September. The report revealed that Royal operators gained initial access by stealing service account credentials. With that access, the attackers maintained persistence in the victim environment for one month before deploying ransomware. Systems and services restoration started May 9 and was completed June 13.
Following the disruptive attack, the Dallas City Council approved an $8.5 million mitigation and recovery budget. Expenses included external cybersecurity professional services, identity theft and fraud protection services, and breach notification services.
Prospect Medical Holdings
One of the most damaging ransomware attacks of 2023 occurred against California-based Prospect Medical Holdings, which consists of 16 hospitals, 11,000 affiliated physicians and 18,000 employees. News of the attack began on Aug. 3 when Prospect Medical's Rhode Island affiliate, CharterCare Health Partners, announced that its systems were down and the disruptions affected inpatient and outpatient operations.
In a statement on its website the following day, Prospect Medical confirmed that a recent data security incident caused the business disruptions, which continued through Sept. 12, when systems were finally restored.
The Rhysida ransomware gang claimed responsibility for the attack in late August, and Prospect Medical issued a data breach notification on Sept. 29. It revealed that the attackers had access to Prospect Medical's systems from July 31 through Aug. 3. Affected information included names, addresses, dates of birth, diagnoses, lab results, medications, other treatment information and health insurance information. In some cases, attackers might have also accessed Social Security numbers, driver's license numbers and financial information. Rhysida operators put the stolen data up for sale on a dark web marketplace, though it's unclear if anyone purchased the data.
MGM Resorts
Las Vegas casino giant MGM Resorts suffered prolonged disruptions and significant attack fallout from the now-notorious ransomware attack this summer. On Sept. 12, MGM confirmed that it suffered a cyberattack that forced it to shut down some systems and contact law enforcement. The incident began on Sept. 10, and guests reported problems with room key access, hotel amenities and the gaming floor.
It was later revealed that BlackCat operators gained access to MGM through a previous social engineering attack that targeted the company's identity and access management vendor, Okta. Another Okta customer, Caesars Entertainment, was also affected by a similar attack, but did not experience severe disruptions like MGM.
MGM CEO Bill Hornbuckle revealed additional information in an update and 8-K filing on Oct. 5. Hornbuckle confirmed that attackers obtained personal information that belonged to customers who engaged with the casino prior to March 2019. MGM notified a limited number of customers whose Social Security and passport numbers were also affected.
The most alarming aspect of the 8-K form was how much the ransomware attack cost the casino. MGM reported $100 million in losses that stemmed from business disruptions. That amount did not include a one-time expense of less than $10 million that MGM paid for technology consulting services, legal fees and the expenses of other third-party advisers. However, MGM was confident that the losses would be covered under its cyber insurance policy.
Boeing
After the LockBit ransomware gang listed Boeing on its public data leak site, which gangs commonly use to pressure victims into paying a ransom, the aerospace giant started investigating a potential cyberattack in coordination with law enforcement.
LockBit listed Boeing on Oct. 27 and threatened to leak alleged stolen data if a ransom wasn't paid by Nov. 2. Boeing was removed from the site on Nov. 2, but only temporarily. On Nov. 10, LockBit relisted Boeing and released sensitive data, but its motives remain unclear.
In a statement to TechTarget Editorial on Nov. 13, a Boeing spokesperson confirmed that a recent cybersecurity incident affected its parts and distribution business, but said the threat did not pose a risk to airline safety. The spokesperson acknowledged LockBit's claims and said the company notified potentially affected individuals.
Henry Schein
Healthcare giant Henry Schein suffered two attacks within a one-month timespan from BlackCat, a ransomware group that terrorized victim organizations throughout 2023. The first attack against the New York-based dental and medical supplier occurred on Oct. 14 and the second on Nov. 22.
In a statement on Oct. 15, Henry Schein confirmed that a "portion of its manufacturing and distribution businesses experienced a cybersecurity incident." The healthcare supplier proactively forced systems offline, which caused business disruptions.
On Nov. 13, Henry Schein issued a data breach notification to customers and suppliers revealing that bank account and credit card information might have been compromised. Just as the company was restoring systems, BlackCat struck again. On Nov. 22, Henry Schein disclosed that certain applications, including its e-commerce platform, were unavailable.
"Henry Schein has identified the cause of the occurrence. The threat actor from the previously disclosed cyber incident has claimed responsibility," the company wrote in the update.
By Nov. 27, Henry Schein's U.S. e-commerce platform was restored, and Canada and Europe were expected to follow shortly. Dual ransomware attacks were a trend that CISA warned enterprises about in September. Infosec experts suspect the trend could be a response to increasingly successful ransomware negotiations that afford victims lower payment amounts.
Ardent Health Services
Ardent Health Services in Tennessee was attacked on Thanksgiving Day. The company proactively forced systems offline, which affected access to its corporate servers, the internet and clinical programs. One month later, many services remain down.
Due to the outages, multiple Ardent-owned hospitals were forced to divert ambulances, including UT Health East Texas, Lovelace Health System in New Mexico and Hackensack Meridian Pascack Valley Medical Center in New Jersey. Nonemergency procedures were temporarily paused through mid-December.
In an update on Dec. 19, Ardent said it's continuing to restore its medical record platform and other clinical systems. Ardent instructed patients to contact providers by phone as restoration continues. An investigation remains ongoing, and no ransomware group has yet claimed responsibility for the devastating attack.
"We sincerely regret the frustration this incident has caused many patients," Ardent wrote in the cybersecurity incident update.
MyChart patient portal access was restored on Dec. 21, but Ardent said, "At this time, we do not have a firm timeline for restoring all systems."
Arielle Waldman is a Boston-based reporter covering enterprise security news.