Many reports point to continued increases in ransomware attacks and payments. In 2021, companies in the USA paid $227,266,604¹ in ransomware payments. By mid-year 2022, companies in the USA already paid $136,151,195 in ransomware payments. That is a 17% increase in payments from the prior year!
On average, businesses paid $1.5 million to recover from a ransomware attack and it took, on average, one month to fully recover. These amounts should be deeply disturbing for small and medium-sized organizations (SMOs) who lack the financial and technical resources to respond to a ransomware attack.
A new threat emerged in 2022 – Double Extortion Ransomware. Hackers learnt that organizations with effective back & recovery processes didn’t elect to pay the ransom. With double extortion ransomware, hackers also steal protected data to force the organization to pay the ransom.
In 2023, Hackers will continue to increase focus on financially motivated attacks, i.e. ransomware. There are multiple ways that a hacker could target a ransomware attack. While you can’t defend against all of them, there are a few common ones that you can recognize early. Some simply start with a phishing email to trick your employee to click a malicious link or download files with malware. Other times they take advantage of misconfigured systems or a zero-day vulnerability that you have not fixed.
¹According to Mid-year Update: 2022 SonicWall Cyber Threat Report.
Hackers aren’t discriminating against their targets, they attack businesses of all sizes and types. Companies in Michigan and neighboring states saw attacks across the board, including:
- Hospitals: While Michigan Medicine took the lead on headlines from their data breach from a phishing attack, there were others including Trinity Health System who suffered a ransomware attack and Wright & Filippis, a provider of prosthetics and orthotics.
- Schools & Colleges: Some districts in Michigan were closed for a few days from cyberattacks while others paid ransom payments to the hackers. In December 2022, Hope College in Holland, MI was sued and is facing potential class action lawsuit from the cyber incident.
- Law Firms: In the American Bar Association’s 2022 Technology Survey to its members, 27% confirmed they had a cybersecurity breach. Law firms in Michigan were also a target.
- Restaurants: Even restaurants and bars have experienced cyberattacks. In November 2022, over 10 restaurants using Cincinnati’s Facebook & Instagram accounts were hacked, credit/debit cards on file were used to buy ad-credits, and inappropriate content was published to ban accounts for life. It created mass chaos for these restaurants as they rely heavily on social media to reach out to their customers about events and deals, especially during the holiday season.
- Manufacturers: Cyberattacks occurred on the US subsidiary of a Japanese plastics manufacturer, Sumitomo Bakelite North America, headquartered in Michigan.
- Not-for-Profit: In October, MiTCON, a company that supports non-profit organizations in the Midland area, suffered from a ransomware attack.
- Local Airports: In October, a number of airports suffered a Denial-of-Service (DOS) attack. These include Chicago O’Hare, Phoenix, LaGaurdia, St. Louis, Georgia, Orland, Colorado, Los Angeles, and Des Moines. None of the Michigan airports reported any cyber incidents in 2022.
- Local Government: Both Webster Township and Allegan County experienced ransomware attacks in 2022.
The list above is a small sample of reported attacks. There was no pause in January 2023 and SMOs continue to experience cyber attacks.
2022 continued the upward trend in cyberattacks and the average cost per data breach. IBM surveyed over 500 organizations and reported that the average cost of a data breach increased to $4.35 million in 2022. For small and medium-sized organizations (SMO), a different data point is more important—average cost per record from a data breach:
The average cost per record breach increased in 2022 to $164. An SMO that lost 10,000 records, will incur $1,640,000 in related expenses: