Last month saw a wave of ransomware attacks that disrupted several municipalities across the United States, leaving some struggling to fully restore their systems. According to TechTarget Editorial's ransomware database for 2023, which compiles data breach notifications filed with state attorney general offices, public disclosures and media reports, 28 confirmed attacks and disclosures were recorded in May, compared to 29 the previous month. Although the healthcare and education sectors remained heavily targeted, municipalities faced prolonged disruptions, and one local government even had to declare a public emergency.
Among the municipalities affected was Curry County, Oregon, which disclosed an attack by the Royal ransomware group on April 26 that affected all of its departments. The county had to declare a local public emergency due to the sustained disruptions, with recovery efforts continuing as of June 1, more than one month after the attack. The county's Board of Commissioners committed all remaining unallocated American Rescue Plan funds toward addressing the situation, emphasising the need to restore essential services and rebuild the technological infrastructure to enhance security and efficiency for all.
The Royal ransomware group also targeted the City of Dallas on May 3, causing prolonged disruptions to online payments, municipal courts, emergency response and other key services. The city government confirmed receiving a ransom demand but did not report the attack vector or the number of devices affected. The authorities have continued to explore all options to remediate the incident, while declining to share specific details that could impede the criminal investigation or expose vulnerabilities that attackers could exploit. Despite the ongoing investigation, there is so far no evidence of a data leak.
However, the Royal ransomware group is known for aggressive extortion tactics, as shown by another attack in May against Clarke County Hospital in Iowa. In that incident, the operators actively leaked data on their public leak site, which included an alleged video of a patient collapsing.
As of now, the City of Dallas has restored 90% of its systems, and the authorities are continuing to work on enhancing security and bringing operations back to normal. They have also been working with cybersecurity experts on additional measures to further strengthen their security posture, including deploying additional software, implementing additional controls, and completely rebuilding impacted systems in a new, secure environment.
Ransomware attacks also caused significant data leaks in the healthcare sector. This is evident from the April attack against Point32Health, which may have affected more than two million patients, according to a disclosure by Harvard Pilgrim Health Care. Similarly, Managed Care of North America Inc. reported to the Office of the Maine Attorney General that nearly nine million patients had their data breached. The LockBit ransomware gang is responsible for that attack, which dates back to March of this year.
Education was not spared either: Rochester Public Schools (RPS) in Minnesota experienced a network disruption on April 6 caused by a ransomware attack. RPS assured the public that no student data was affected, but the attackers gained access to some employee data. The attack forced the school system to shut down its internet connection and cancel classes for two days. As of May 4, the school system was still working with a third party to fully restore all systems and was still investigating the attack.
Ransomware attacks continue to be a significant threat to public services, healthcare and education, causing widespread disruption and potential data breaches. Cybercrime gangs have proven adept at adapting their tactics, making it imperative for organisations to prioritise their security posture and implement robust cybersecurity measures. This is necessary to detect, prevent and respond quickly to potential threats in order to protect their systems and data.