Hospitals, Schools Get a Crucial Break From Ransomware Attacks

After a year of what felt like nonstop cyberattacks on the most vulnerable targets, healthcare and government organizations started 2021 with ransomware incidents at their lowest point in more than a year.

There were just two ransomware attacks on healthcare organizations in January, a fourfold decrease from the monthly average in 2020. State and local governments reported four ransomware incidents in January—that compares to 14 attacks in December of last year and 15 attacks from one year prior.

The Record will be tracking these incidents across several sectors throughout the year, based on an analysis from Recorded Future that uses data from government agencies, news reports, hacking forums, and other sources.


Allan Liska, a ransomware expert at Recorded Future who is involved in the analysis, said it’s not yet clear if the decrease in attacks is a temporary respite or perhaps a more permanent trend.

One explanation that could spell long-term relief for hospitals, municipalities, and other potential targets is that there has been a coordinated crackdown on ransomware groups. In January, the Justice Department launched a global effort to disrupt operators of the NetWalker ransomware by bringing criminal charges against one individual, disabling dark web resources, and seizing nearly $500,000 in ransomware payments. In February, French and Ukranian law enforcement arrested individuals allegedly tied to the Egregor ransomware-as-a-service operation. Additionally, last month Europol announced an “international coordinated action” to disrupt and take control of the Emotet botnet—Emotet can be used to deliver ransomware or other malware to an infected device.

“There has been an unusual amount of law enforcement action at the beginning of 2021, and for the most part we don’t know what all the ransomware actors are thinking about all these takedowns,” said Liksa. However, there are some signs that it’s had a chilling effect, Liska said: Smaller groups like Fonix and Ziggy have seemed to shut down recently, suggesting that some operators may be getting nervous about law enforcement actions.

“It’s like me saying I’m retiring from the NBA—they’re small and not going after the big targets, but when you see these players dropping out it means it’s a narrower field we have to worry about,” he said.

On the other hand, the drop in attacks could also be a temporary blip. January and February have traditionally been slow months for ransomware attacks against certain industries. In 2019, for example, only about 10% of ransomware attacks against the healthcare sector occurred during those months, and that percentage was only slightly higher in 2020.

Additionally, the “U-shaped” ransomware trend in 2020 suggests that ransomware attacks increase as students start physically going back to school—that could spell trouble for local governments in 2021 as vaccinations make it easier to go back to in-person operations.

“I think what we'll see is that the number will go up as the year progresses—I hope it doesn't happen, but i think we'll see a big, big spike in the fall when everyone starts going back to school en masse,” said Liska. “That's one of those predictions I really hope I'm wrong about.”

The Record by Recorded Future allows outside organizations to share and distribute graphs from this ongoing project with proper attribution.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Adam Janofsky

Adam Janofsky

is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.