FBI: At Least 148 Healthcare Organizations Suffered Ransomware Attacks in 2021

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) has released its 2021 Internet Crime Report, which reveals there were at least 649 ransomware attacks on critical infrastructure organizations from June 2021 to December 2021.

14 of the 16 critical infrastructure sectors reported at least one ransomware attack, although the healthcare and public health sector was the worst affected, accounting for 148 of those attacks, followed by financial services with 89 attacks, and the information technology sector with 74.

The Conti ransomware gang was the most active in 2021 with 87 reported attacks on critical infrastructure organizations, followed LockBit ransomware (58), and the now-disbanded REvil/Sodinokibi ransomware operation (51). The Conti gang favored targets in critical manufacturing, commercial facilities, and the food and agriculture sectors, LockBit most frequently attacked healthcare and public health, government facilities, and financial services, and REvil targeted healthcare and public health, financial services, and the information technology sectors.

Ransomware gangs use a variety of methods to gain access to victim networks; however, the most common attack vectors in 2021 were phishing emails, Remote Desktop Protocol (RDP) exploitation, and the exploitation of software vulnerabilities. While 2021 saw several major ransomware operations shut down, others have taken their place. IC3 anticipates 2022 will see an increase in ransomware attacks on critical infrastructure.

IC3 said there was an unprecedented increase in cyberattacks and malicious cyber activity in 2021 targeting a wide range of business sectors and individuals. A record number of complaints were submitted to IC3 by the American public in 2021, increasing by 7% from 2020 to 847,376 complaints. Across those complaints there were reported losses of more than $6.9 billion – a 64.29% increase from the $4.2 billion in losses reported in 2020.

Losses to Cybercrime over the Past 5 Years. Source IC3

Phishing – including vishing, smishing, and harming – was the most prevalent type of cybercrime in 2021, with 323,972 complaints about phishing incidents reported to IC3 in 2021, up 34% from 2020. Nonpayment/non-delivery crimes were the second most reported incidents, which claimed 82,478 victims.

19,954 complaints were received about business email compromise (BEC)/email account compromise (EAC) scams in 2021, which ranked top for victim losses with adjusted losses of almost $2.4 billion in 2021 – a 28% increase from 2020. IC3 said BEC attacks have become much more sophisticated. While they used to involve compromised email accounts that were used to request W2 forms or fraudulent wire transfers, scammers have exploited the increased reliance on telework and virtual communications platforms.

A compromised email account of an employer or financial director is often used to request employees participate in virtual meeting platforms. “In those meetings, the fraudster would insert a still picture of the CEO with no audio, or a “deep fake” audio through which fraudsters, acting as business executives, would then claim their audio/video was not working properly,” explained IC3.

More than $44 million was lost to phishing scams in 2021, and the 3,729 reported ransomware attacks involved losses of at least $49 million. Losses to ransomware are difficult to determine. The $49 million does not include associated costs such as remediation, only reported ransom payments, and ransom payments are not always reported to IC3.

IC3 reported on the successes of its Recovery Asset Team (RAT) in freezing funds for victims of cybercrime. “In 2021, the IC3’s RAT initiated the Financial Fraud Kill Chain on 1,726 BEC complaints involving domestic to domestic transactions with potential losses of $443,448,237. A monetary hold was placed on approximately $329 million, which represents a 74% success rate.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.