As investigations into a massive, coordinated ransomware attack against local governments in Texas continues, 13 new victims of ransomware attacks have been publicly identified. Most of them are school districts, thought the victims also include an Indiana county, a hospice in California, and a newspaper in Watertown, New York.
The ransomware involved in the Texas attacks, which hit 22 local-level government entities, has not yet been identified. Multiple sources have suggested that the Texas attacker gained access through a managed service provider that the local governments all had in common, but that has not been confirmed by state officials.
In the case of this latest batch of attacks, Ryuk ransomware has been identified as the malware used on at least three occasions. The victims, based on data collected by the threat research group at cloud security firm Armor, include:
- Lake County, Indiana
- Rockville Center School District in Rockville Center, New York
- Moses Lake School District in Moses Lake, Washington (the attack apparently occured in July but was only reported as ransomware this month
- Mineola Public Schools in Mineola, New York
- The Stevens Institute of Technology in Hoboken, New Jersey
- New Kent County Public Schools in New Kent, Virginia
- Nampa Idaho School District, Nampa, Idaho
- Middletown School District, Middletown, Connecticut
- Wolcott Public Schools, Wolcott, Connecticut
- Wallingford School District, Wallingford, Connecticut
- New Haven Public Schools, New Haven, Connecticut
- The Watertown Daily Times in Watertown, New York
- Hospice of San Joaquin, San Joaquin, California
Pay after pay
According to a report in Newsday, the Rockville Center School District initially received a ransom demand of $176,000. The district’s insurance company negotiated with the ransomware operator, reducing the payout to $88,000. The school district paid a deductible of $10,000.
There’s no word on whether other victims have paid the ransom yet.
As new attacks become public, it’s worth remembering the fallout from such attacks can add up quickly in terms of dollars and require a lengthy recovery period. The leadership of Baltimore City—hit by a ransomware attack in May—recently announced that $6 million of the money needed to cover the city’s more than $10 million ransomware cleanup operation would be pulled from funds earmarked for upkeep of city parks and public facilities. So far, the RobbinHood ransomware cost the city over $8 million in lost revenue and interest on deferred revenue.
Baltimore is also now considering a contract for a $20 million “cyber liability” insurance plan. A vote on the proposed $835,000 contract was deferred until next week.
Add it up
This brings the total known, publicly reported ransomware attacks this year alone to 149, 30 of which have involved educational institutions. As Ars reported in May, school districts are a particularly easy target for ransomware operators because of their low budget for information technology and limited security resources. According to Armor’s data, schools have become the second-largest pool of ransomware victims—slightly behind local governments and closely followed by healthcare organizations.
But these numbers only include publicly reported incidents. Just this week, for instance, CNN reported Percsoft and Digital Dental Record, two companies that handle online services in the dental industry, told roughly 400 customers that the software they use to connect to individual offices had been infected with ransomware earlier in the week. Dental administrators told CNN they couldn’t access basic information such as patient charts, X-ray data, or payment services. Digital Dental provided a statement saying 100 of the affected practices had been restored this week.
As this incident emphasizes, many ransomware attacks initially go unreported, particularly those against small and mid-sized companies who largely turn to insurers to help them pay off attackers quietly. That distinction may help explain why, in its 2018 Internet crime report, the FBI reported a total of 1,493 ransomware cases last year.
“Just like municipalities, which rely on critical systems to manage records and revenue in a community, school districts host data and systems critical to their community and its students,” said Chris Hinkley, head of Armor’s Threat Resistance Unit security team. “Thus, hackers know that schools cannot afford to shut down, that budgets are typically stretched thin, and that they often have few security protections in place, all aspects which make them a viable target.”
Again, outside of Rockville, there is no word yet whether any of the other new public organizations targeted have cyber insurance or plans to pay ransoms. The payouts ransomware operators have recently received from similar targets—such as Rockville Center School District’s $88,000 payment, Riviera City, Florida’s $600,000 ransom and Lake City, Florida’s $500,000 ransom—”have signaled to the hackers that impacting entire communities can be very lucrative,” Hinkley noted.