More than 2,300 local governments, schools, and healthcare organizations in the US were affected by ransomware attacks in 2021, according to a new report[1] from security company Emsisoft.
The company found that at least 77 state and municipal governments, 1,043 schools, and 1,203 healthcare providers were impacted by a ransomware incident last year. The attacks also led to 118 data breaches, exposing troves of sensitive information.
Emsisoft noted that while the numbers are still high, the 77 local governments attacked represents a decrease compared to 2020 and 2019, both of which saw 113 governments hit.
In 2021, ransomware groups targeted smaller counties and towns instead of bigger cities like New Orleans[2], Baltimore[3], and Atlanta[4]. Emsisoft theorized that this may have happened because larger cities invested more in cybersecurity following damaging attacks throughout 2019 and 2020.
In order to calculate the cost of the damage caused by ransomware incidents, Emsisoft used the estimates from Winnebago County, Illinois CIO Gus Genter, who said in 2019[5] that the average ransomware incident costs $8.1 million and requires 287 days to recover. Based off those numbers, Emsisoft estimated that the 77 incidents in 2021 amounted to $623.7 million in losses.
In addition to the financial losses, at least one incident involved dispatch services[6] that were affected. Nearly half of the 77 incidents led to data breaches.
For public educational organizations, there was a small uptick in attacks for 2021. In total, 88 organizations were hit with ransomware attacks, including 62 school districts and 26 colleges or universities. There were 84 attacks on the education sector in 2020.
Of the 88 educational organizations attacked in 2021, 44 led to data breaches involving the information of both students and