According to the Sophos State of Ransomware Report 2024, while most industries reported a decline in ransomware attacks, healthcare and manufacturing stood out as notable exceptions.
State and local governments reported a drop in ransomware occurrences from 69% of respondents to 34%. Retail businesses experienced a drop of 60% of organizations having reported being hit by ransomware, down to 45% year over year. Other market segments that reported drops include business and professional services. However, a few verticals bucked that trend.
IT, technology, and telecoms witnessed the number of organizations impacted by ransomware rise from 50% to 55%, and financial services barely edged up from 64% to 65%.
Healthcare and manufacturing see rise in attacks
However, with only 56% having been hit by ransomware in the previous year and 65% reporting a ransomware attack this year, manufacturing and production sustained a significant increase. Healthcare also experienced a dramatic increase from 60% reporting being hit by ransomware in the 2023 report to 67% this year.
This year has also witnessed several devastating attacks on healthcare organizations. Earlier this month, the news broke that several Ascension network hospitals were forced to shut down their systems and revert to manual charts and care delivery processes. According to the Detroit Free Press, medical staff reported losing access to medical records and the ability to place orders.
As SC Magazine's Steve Zurier reported in Cybersecurity incident impacts operations at Ascension hospitals:
Ascension, which operates 142 hospitals and 40 senior care facilities nationwide in 19 states and the District of Columbia, is the largest nonprofit and Catholic health system in the United States, with revenues of $28.3 billion in 2023. The nonprofit said in a May 9 statement that it detected unusual activity on "select technology network systems" on May 8 that is believed to be caused by an [unspecified] cybersecurity incident.
"At this time, we continue to investigate the situation," said the Ascension statement. "Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible. There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption."
The Ascension attack followed the historic UnitedHealth ransomware attack that affected that company's core services, such as pharmacy, payments, and medical claims processing for well over two months after the attack.
While Change Healthcare finally recovered its primary functions, support functions are still being restored. The Change Healthcare attack, and now the Ascension incident, are proving to be clarion calls for increased regulatory control and direction over healthcare cybersecurity.
Paying the price
According to the Sophos State of Ransomware 2024 Report, healthcare organizations often pay more than the initial ransomware demand in these attacks. Due to their inability to recover quickly and the criticality of the services they're delivering, they frequently end up paying about 111% of the initial ransom demand. Only the education sector paid more, with lower education paying 115% and higher education paying 122% of the initial demand.
By comparison, businesses and professionals pay 74% of the initial ransom demand.
Healthcare has been hit so hard that, according to the SC Magazine story, Minimum US hospital cybersecurity standards mulled, the Biden administration is considering establishing minimum US hospital cybersecurity standards. As reported by BNN Bloomberg, the US Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger disclosed the Biden administration's plans.
Plans include providing free cybersecurity training to the smallest of US hospitals. The proposed new rule is expected in the upcoming weeks.
While free cybersecurity training and minimum security standards for hospitals could prove to be a step in the right direction, many experts worry that smaller healthcare providers need budgetary help to get the people and the security technologies they need to keep their systems secure.
The Sophos State of Ransomware 2024 Report is based on a survey of 5,000 IT and cybersecurity leaders across 14 countries in the Americas, EMEA, and Asia Pacific. All respondents represented organizations with between 100 and 5,000 employees, and the survey was conducted between January and February 2024 regarding their ransomware experiences within the previous year.
