Ransomware attacks affected more than 2,300 U.S. government entities, health care facilities and schools in 2020, according to security software company Emsisoft.
Ransomware is malicious software that requires payment from its victims in exchange for restoring access to systems or data held hostage by the cyberattackers. Emsisoft’s report did not analyze private sector cyberattacks because the company said such attacks were too infrequently disclosed to provide an accurate portrayal of the threats.
“The fact that there were no ransomware-related deaths in the U.S. last year was simply due to good luck,” said Fabian Wosar, Emsisoft chief technology officer, in the report. “Security needs to be bolstered across the public sector before that luck runs out and lives are lost.”
The 113 ransomware attacks observed by Emsisoft on federal, state and local government entities cost an estimated $915 million in total. As a result, Emsisoft is advocating that government entities make changes quickly or risk turning 2021 into a “banner year for cybercriminals.”
“We anticipate there will be more cases of data theft in 2021 than there were in 2020 — likely, at least twice as many,” Emsisoft said in the report. “Like legitimate businesses, criminal enterprises adopt strategies that are proven to work, and data theft has indeed been proven to work.”
Emsisoft’s report said part of the problem is that public sector victims of ransomware are not required to disclose the attacks, which makes it difficult for policymakers to know precisely how many incidents there are, how many demands are paid and what the full cost of the cyberattacks is.
“2021 need not be a repeat of 2020,” Mr. Wosar said in the report. “Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly.”
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.