Critical components of U.S. infrastructure, including hospitals and power plants, are increasingly connected to the internet and are at risk of exploitation from cybercriminals lurking in the world's darkest corners.
And one specific kind of malware attack has leaders in the private and public sectors sounding the alarm over the last two years: ransomware.
Twingate collected data from the FBI's 2021 Internet Crime Report to show which infrastructure sectors were most often targeted by ransomware attacks. 2021 was the first year in which the FBI's Internet Crime Complaint Center began tracking ransomware incidents in sectors considered critical infrastructure.
The FBI's Internet Crime Complaint Center received 649 reports of ransomware incidents targeting critical infrastructure in 2021. In a memo in the latest report, FBI Deputy Director Paul Abbate described the increase in cyberattacks seen last year—not only in infrastructure sectors but overall—as "unprecedented."
The FBI defines critical infrastructure as assets or systems that "are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on our security, national economy, public health or safety."
Dozens of attacks last year were leveled at government entities, leading the National Association of State Chief Information Officers to name ransomware its top cybersecurity concern in 2021.
But the frequency of ransomware incidents was even more pronounced in the health care, financial services, and information technology sectors, which saw the most recorded attacks of any other infrastructure sector last year, according to the FBI. The military and defense sector reported the fewest incidents, with just one ransomware attack in 2021.
And these culprits aren't always lone wolf operations seeking the biggest payout. Most ransomware attacks can be linked to state actors who would harbor more motives than financial gain in sponsoring ransomware attacks. Crypto-tracking company Chainalysis reported that most ransomware payments eventually went to Russian-linked hackers.
The FBI recommends updating operating systems and software, implementing training on phishing, securing remote access points, and making an offline backup of all data to protect against ransomware attacks. Large businesses may also want to contract with a cybersecurity consulting or insurance firm.
Most subject matter experts, the FBI included, recommend against paying ransoms because doing so does not guarantee the deletion of stolen data and could potentially encourage more of the same illegal behavior.
- Ransomware incidents: 17
In 2021, the Government Accountability Office published a report recommending the federal Cybersecurity and Infrastructure Security Agency visit with communications industry stakeholders to develop a plan for how it can best support their cybersecurity. The industry includes wireless calling and internet service providers as well as broadcasters. "Its incapacitation or destruction could have a debilitating impact on the safety and security of our nation," the GAO warned.
Just a month before the report's publication, TV conglomerate Sinclair Broadcast Group was targeted by a ransomware attack that disrupted news reporting and took stations around the country off the air for a time.
- Ransomware incidents: 31
The Colonial Pipeline suffered a security breach in 2021, garnering a full-throated response from the highest levels of the U.S. government. The attackers were a criminal organization believed to be linked to the Russian government. The pipeline, which carries gas and jet fuel from Texas to much of the eastern U.S., was completely shut down within an hour of receiving the ransom note.
The unprecedented pause in operations caused fuel shortages, panic, and a run on gas stations across Atlantic states, illustrating the potentially severe consequences of an even larger attack on U.S. energy infrastructures like oil pipelines and refineries. The company reportedly paid out $5 million to the attackers, allowing fuel to flow again but not without generating some controversy for encouraging the hackers. The U.S. Department of Justice later recovered a portion of the ransom payment from the perpetrators.
- Ransomware incidents: 38
Only 3 in 5 public transit agencies had a plan to deal with a cyberattack, according to a 2020 study published by the Mineta Transportation Institute at San José State University.
An August 2020 ransomware attack on Philadelphia's Southeastern Pennsylvania Transportation Authority created operational troubles for the transportation provider months after the security breach. Shortly after, the New York Metropolitan Transportation Authority, the largest public transit agency in the country, made public that it, too, had experienced a cyberattack.
Private companies can also be targeted. Forward Air, a $1.6 billion-a-year Tennessee-based logistics company, disclosed in 2021 that a ransomware breach cost the company $7.5 million.
- Ransomware incidents: 52
Cybercriminals struck two major U.S. farming organizations in late 2021, leading the FBI to issue an industrywide warning about ransomware attacks—especially those coinciding around critical seasons for the industry.
The 60-member farming cooperative in Iowa called New Cooperative, which manages a portion of the country's corn production, was struck. The other victim was a co-op called Crystal Valley, based in Minnesota, which serves 2,500 farmers, according to a local news report. Neither attack had a considerable impact on U.S. food supplies but served as a cautionary tale for other small-time agricultural organizations that may be vulnerable.
In 2021, this sector was most frequently a victim of attacks utilizing the Conti ransomware variant, the most common variant the IC3 tracks. The method uses Microsoft Word documents to gain remote access to the victim's system, allowing the attacker to deploy ransomware. Attackers that lean on this method to breach networks have reportedly demanded as much as $25 million in ransom, according to the FBI.
- Ransomware incidents: 56
Commercial facilities include theme parks, stadiums, office buildings, conference centers, and hotels. In general, commercial facilities entail places that draw large crowds for entertainment, shopping, or business purposes.
In 2021, Oregon-based venue operator McMenamins was the victim of a ransomware attack that compromised more than two decades' worth of employee data including sensitive details like Social Security numbers. In another scenario outside of the U.S., a Scandinavian hotel chain suffered a ransomware hack that locked guests out of their rooms and hindered the hotel from managing reservations, including checking guests in and out of their rooms as well as creating new room keys.
- Ransomware incidents: 60
Reports of ransomware attacks leveled at government organizations, including first responders and schools, have been increasing since at least 2019. These incidents now represent a sizable share of those reported to the IC3.
The D.C. Police Department suffered a ransomware attack in 2021 in which the hackers published alleged internal documents and threatened to make more public if it didn't pay a ransom. A ransomware attack on a private human resources software provider also affected the government of Prince George's County last year, forcing the county to track pay for government employees manually. As more government agencies lean on private sector software, they will continue to rely on those vendors to maintain secure networks that keep them safe.
Laws exist in every state requiring businesses to report security breaches to consumers. Many state governments have laws similar to this for affected government agencies. The states without such laws include Mississippi, Oregon, Utah, South Dakota, New Mexico, and Wyoming, according to the National Conference of State Legislatures.
In 2022, the Los Angeles Unified School District has already dealt with a ransomware attack, and federal officials, including the FBI, have warned that attacks on schools may increase.
- Ransomware incidents: 65
As supply chains worldwide adjust to the shifting COVID-19 pandemic environment and consumer demand, manufacturers have become an obvious target for criminals looking to leverage a ransom payment.
Honeywell, a Fortune 100 aerospace and tech manufacturer, based out of North Carolina, revealed it suffered a malware attack in March 2021 that disrupted some of its computer systems. The company gave very little public detail about the intrusion, using the term malware generally and not specifying whether the attack method included holding data or access to computer systems ransom.
Industry publication CyberScoop has noted that a stigma lingers in the manufacturing sectors of Europe and the U.S., dissuading companies from speaking when they are attacked. This means the industry and experts have less-than-ideal insight into whether criminals are successfully—and quietly—extracting millions in revenues from critical manufacturing firms.
- Ransomware incidents: 74
Companies and contractors operating in the information technology sector can often be a vector to other industries for which they provide services.
A ransomware attack against Synnex in 2021 drew concern not only for infrastructure security and clients' business interest but for American democracy; this was due to the company's relationship with the Republican National Committee and the attacker's alleged connection with Russia.
- Ransomware incidents: 89
Financial services providers such as banks, insurance firms, and other organizations that generate income from providing loans and credit were the second-most affected sector of critical U.S. infrastructure in 2021. Central banks are known for having some of the most substantial security measures of any other private entity. Financial tech startups, however, have boomed in recent years thanks to a flood of venture capital, fueling innovative ways for consumers to take out loans or handle digital banking.
The U.S. Treasury Department found that the sums of money paid to ransomware schemes by financial services firms based in the U.S. began skyrocketing in the first half of 2021. Through its Financial Crimes Enforcement Network, the department identified around $600 million in payments made to criminals, more than the amount paid for all of 2020.
- Ransomware incidents: 148
Health care and public health institutions were the most-targeted organizations for ransomware attacks in 2021. They've become a common target due to the troves of sensitive patient data health care providers collect.
In the best-case scenario, these attacks can expose email addresses and personal information like phone numbers. In the worst, Social Security numbers and other sensitive data can be leaked onto the dark web. In 2021, the first death linked to a ransomware attack was recorded at a Mobile, Alabama, medical center. The facility was forced to shut down, preventing staff from using potentially lifesaving medical equipment on a baby, alleged a lawsuit from the mother.
The Department of Justice this year made an example of three Iranian nationals, charging them with conducting ransomware attacks against critical infrastructure, including health care centers, since 2020.
This story originally appeared on Twingate and was produced and distributed in partnership with Stacker Studio.