More than 200 U.S. institutions hit with ransomware in 2022: report

More than 200 local governments, schools and hospitals in the U.S. were affected by ransomware in 2022, according to research conducted by cybersecurity firm Emsisoft.

The annual “State of Ransomware in the US” report found that 105 local governments; 44 universities and colleges; 45 school districts; and 25 healthcare providers operating 290 hospitals dealt with ransomware attacks last year.

These figures are based only on public reports, and Emsisoft noted that they are likely significant undercounts of how many entities were actually affected by ransomware in 2022.

The 105 state or municipal governments or agencies affected by ransomware marked a steep increase from the 77 such attacks seen in 2021. At least 27 of the incidents involved data theft, and the only confirmed ransom payment was made by the government of Quincy, Massachusetts, which paid $500,000 to resolve a May ransomware incident. 

The highest ransom demand was the $5 million issued to Wheat Ridge, Colorado, which refused to pay

The researchers explained that in past years, major cities like Baltimore and Atlanta suffered ransomware attacks but that in 2022 gangs made a point of going after poorly-resourced local governments across the U.S., targeting small governments in New JerseyColoradoOregonNew York and several other states.  

“This may indicate that larger governments are now making better use of their larger cybersecurity budgets, while smaller governments with smaller budgets remain vulnerable,” the researchers said. 

“The fact that there seems not to have been any decrease in the number of incidents is concerning. Counter-ransomware initiatives have included executive orders, international summits, increased efforts to disrupt the ransomware ecosystem, and the creation by Congress of an interagency body, the Joint Ransomware Task Force (JRTF), to unify and strengthen efforts.”


The education sector held steady at 89 ransomware attacks, just one more than what was seen in 2021. 

While fewer school districts were targeted in 2022, the impact of attacks was greater considering that larger school districts were affected. In 2022, 1,981 individual schools were impacted by ransomware, compared to 1,043 schools the year before.

That trend was highlighted by the headline-grabbing attack on the Los Angeles Unified School District, the second largest in the country. Emsisoft experts said at least three education organizations paid a ransom, including one district in California that paid $400,000

Attacks on the healthcare industry are more difficult to calculate because several hospitals are part of larger systems that may have been affected. In 2022, 25 hospitals or hospital systems were attacked with ransomware, affecting 290 individual hospitals. 

The incidents had wide-ranging effects, including the forced re-routing of ambulances and alleged overdoses due to malfunctioning computer systems. 

Personal data was exfiltrated in nearly 70% of the healthcare attacks, resembling both government and education sector attacks. 

Troubling trends

Deep Instinct’s Mark Vaitzman said the key to getting a payment from a victim in 2022 was through stealing data and not necessarily encrypting it.

Most companies today implement advanced backup solutions, making data leakage much more damaging and sensitive. 

“The threat actors manage leak sites for these purposes and even publish the chat with the victim in some cases (Lockbit is doing that very often). I believe this trend is very profitable and will continue to grow in popularity in 2023 as well,” he said. 

Allan Liska, a ransomware expert at cybersecurity company Recorded Future, told The Record that one alarming trend seen in 2022 was the prevalence of governments and militaries that are now incorporating ransomware into their attack methodology. 

“We've seen what appear to be government-backed ransomware attacks from Russia, China, Iran and North Korea. Now, North Korea has always used ransomware attacks, dating back to 2017 but they seem to have really stepped up their attacks this year, making them even more dangerous as an adversary,” he said. 

Liska added that Recorded Future has tracked more than 50 national governments or national government agencies that have been hit by ransomware in 2022, including devastating attacks on Costa Rica and Albania

The continued tenor of ransomware incidents in 2022 was due largely to the fact that groups don’t fear any repercussions from carrying out these attacks, Liska explained. 

“So, these groups feel they can carry out ransomware attacks against national governments with impunity. Even if it is unlikely that the ransomware group will get paid, the credibility built by taking out a national government helps bolster these groups,” he said. 

Several experts, including Huntress’ John Hammond and (ISC)² CISO Jon France, noted that attacks by the now-defunct Conti ransomware group stood out in 2022 as particularly damaging and targeted.

But Hammond added that Hive and LockBit’s activities raised a lot of eyebrows as well. 

“Hive continued its attacks on healthcare and industrial targets, predominantly in the U.S. and U.K. and encrypts data extremely quickly,” he said. “LockBit also made headlines with attacks on smaller targets, but also had its own data leak from a disgruntled developer. This is just one in a series of many insider risks we’ll likely continue to see from threat groups.”

He noted that he continues to be surprised by the sophistication and organization of ransomware groups. In his company’s surveys of the dark web, they continue to come across new malware marketplaces, threat actors tools for sale, and even so-called cybercriminal universities.

Cybercriminals are offering courses on credit card fraud, wifi-hacking, phishing and more, educating their workforce to create the next generation of attackers.

Emsisoft threat analyst Brett Callow told The Record that although they know the number of incidents was similar in 2022 to the year before, it is still unclear whether those incidents caused more or less in dollar losses than in previous years, nor how many organizations found it necessary to pay the ransom.

Those numbers, he said, would be the best measure of how well government policies and counter-ransomware efforts are working. 

“The bottom line is that more data is needed in order to be able to work out whether we’re really making headway in tackling the ransomware problem,” Callow said.

As is, we can’t say whether things are getting better or worse.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.