
Ransomware Attacks Reached Unprecedented Numbers in 2019

1/15/20

By: Melissa Santalone

According to a study published by Emsisoft Malware Lab, an unparalleled number of ransomware attacks hit U.S. businesses and government agencies in 2019. In total, 113 state and municipal governments and agencies, 764 healthcare providers, and 89 universities, colleges, and school districts were targeted at a potential cost of more than $7.5 billion. In many instances, these attacks caused disruptions that placed lives at risk, such as when 911 services were interrupted, emergency patients had to be sent to other hospitals, and police were unable to run background checks or check criminal histories and active warrants.
The report analyzed the “why” behind the sharp increase in ransomware attacks in 2019 and concluded that organizations continue to have security weaknesses and attackers have developed better ways of exploiting those weaknesses, creating a “perfect storm.” Emsisoft referenced a 2019 University of Maryland, Baltimore County report, based on data from a national survey of cybersecurity in local governments, that found a lack of preparedness within the local governments and a lack of funding for cybersecurity. Many local governments do not even have mechanisms in place to detect or track cyberattacks, and even basic best practices are going unused. The report cited the city of Baltimore, which lost data after a ransomware attack because the data resided only on users’ individual systems, for which there was no backup mechanism.
It is clear that state and local governments, healthcare providers, and schools need to be better at preventing, detecting and recovering from ransomware and other cyberattacks.  The Emsisoft report recommends multiple actions that should be taken to make public entities more secure, including improved oversight, more guidance, better funding, and mandatory reporting requirements for ransomware and other cybersecurity incidents.  While there are numerous federal and state laws requiring entities to take protective measures to secure the data with which they are trusted, many organizations are failing to comply.  Emsisoft suggests that authorities should implement auditing systems and corrective measures for those entities that fail to meet minimum standards.  Further, the report argues, clear minimum standards must be adopted so organizations can make appropriate decisions about how best to protect themselves and can allocate their resources in better ways.  Because ransomware and other cyberattacks are not always required to be reported, it is also proposed that entities be legally required to do so in an effort to better pool information on such attacks to detect, prevent, and recover from them.
The Data Security, Privacy & Technology attorneys at Freeman Mathis & Gary, LLP are ready, willing, and able to assist entities with compliance with data security and privacy laws and preparing for attacks before they occur.  If you have any questions about detecting, preventing, or responding to ransomware or other cyberattacks, contact Melissa Santalone at msantalone@fmglaw.com or any other member of our Data Security, Privacy & Technology team.