Ransomware Attacks on Critical Infrastructure Are Surging
FBI Says It Received Most Attack Reports From Healthcare, Critical Manufacturing
Cybercrime reports submitted by victims to the FBI's Internet Crime Complaint Center surged last year, and the total reported losses exceeded $12.5 billion. Investment fraud and business email compromise losses dominated, and ransomware attacks spared almost no critical infrastructure sector.
The latest Internet Crime Report from the FBI's Internet Crime Complaint Center says that in 2023, IC3 received a record-setting 880,418 complaints - a nearly 10% increase from the year before. Reported losses increased by about 22%, exceeding $12.5 billion in 2023.
Based on the quantity of reports filed, the top five most prevalent types of cybercrime last year involved phishing attacks, followed by personal data breaches, nonpayment or nondelivery of goods, extortion, and tech support. That ranking remains unchanged from recent years.
Losses were a different story. These were the types of crime that carried the biggest reported cumulative 2023 losses:
- Investment fraud was the costliest type of crime last year. Reported losses increased by 38% from 2022 to reach $4.57 billion, and individuals aged 30 to 49 years old were most affected.
- Business email compromise led to $2.9 billion worth of losses reported in 21,489 complaints.
- Tech and customer support scams produced $1.3 billion in losses - including in government impersonation scams. Over half of the complainants were over 60 years of age, and they reported nearly 60% of all losses.
The greatest number of complaints filed, as well as losses experienced, involved victims in California, followed by Texas, Florida and New York - America's four most populous states.
The IC3 report is notable both for what it highlights and what it doesn't capture. Take the January 2023 Hive infiltration and takedown spearheaded by Dutch, German and U.S. law enforcement agencies, in which the FBI reported that the group had deployed crypto-locking malware at 1,500 organizations and received at least $100 million in ransom payments since June 2021 (see: Co-Working for the Ransomware Age: How Hive Thrived).
"We found that only about 20% of Hive's victims reported to law enforcement," FBI Executive Assistant Director Timothy Langan wrote in an introduction to the new IC3 report. Hence however bad the latest IC3 cybercrime figures might look, "we know they are conservative," he said.
Ransomware Target: Critical Infrastructure
While Hive may be no more, ransomware has continued to cause widespread disruption. IC3 received 2,825 reports from ransomware victims, up 18% from the prior year. Combined losses totaled $60 million, increasing 74% from 2022.
For comparison, blockchain analytics firm Chainalysis has reported that, based on cryptocurrency flows, at least $1.1 billion flowed to ransomware groups' crypto wallets in 2023 - although not all paying victims were U.S.-based. This was nearly double what the company traced in 2022 (see: Record-Breaking Ransomware Profits Surpassed $1B in 2023).
However ransomware profits are measured, clearly, attackers who wield crypto-locking malware are seeing a payday. "Cybercriminals continue to adjust their tactics, and the FBI has observed emerging ransomware trends, such as the deployment of multiple ransomware variants against the same victim and the use of data-destruction tactics to increase pressure on victims to negotiate," the IC3 report says.
Especially under fire are critical services. Healthcare and public health agencies dominated, filing 249 reports to IC3 last year over ransomware attacks, followed by 218 reports from critical manufacturing and 156 from government facilities. Ransomware-wielding attackers are potentially targeting these sectors most because they perceive the victims as having a proclivity to pay, given the risk to life or essential business processes posed by their systems being disrupted.
Last year, IC3 received a ransomware report from at least one victim in all of the 16 critical infrastructure sectors - which include financial services, food and agriculture, energy and communications - except for two: dams and nuclear reactors, materials and waste.
The ransomware group tied to the largest number of successful attacks against critical infrastructure reported to IC3 last year was LockBit, followed by Alphv/BlackCat, Akira, Royal and Black Basta. Law enforcement recently disrupted Alphv/BlackCat, as well as LockBit, after which each group separately claimed to have rebooted before appearing to go dark.
The FBI, like its Western government law enforcement agency counterparts, continues to urge organizations to prepare their cybersecurity defenses and ensure they can wipe and restore systems in the event of a ransomware attack - so they never need to consider paying a ransom. The bureau also continues to warn that paying ransoms drives more attacks and validates the illicit business model for criminals and that paying never guarantees that a victim can get their files back.
FBI to Victims: Please Report Crime
Regardless of whether victims pay or not, the FBI urges them to always report the attack, as quickly as possible. "By reporting the incident, the FBI may be able to provide information on decryption, recover stolen data, possibly seize/recover ransom payments, and gain insight on adversary tactics," it said. "Ultimately, the information you provide will lead us to bring the perpetrators to justice."
Security experts continue to remind victims of the benefit of contacting law enforcement - such as the local FBI field office - early. They say researchers may have found and privately circulated weaknesses in a ransomware group's encryption scheme or other techniques that can be used to quietly and quickly decrypt a victim's files. In some cases, authorities do not disclose these workarounds because once they do, the ransomware group quickly fixes the flaws.
Quick reporting can also lead to the FBI recovering at least some losses or even ransoms paid. In 2018, the bureau launched IC3's Recovery Asset Team, which helps FBI field offices rapidly coordinate with banks to deliver a process called the Financial Fraud Kill Chain. Last year, RAT used this process on 3,008 incidents carrying potential losses of $758 million, and it successfully placed a hold on $538 million, or 71%, of at-risk funds.
Nearly 10% of those recovered assets trace to a single case involving "a critical infrastructure construction project entity" located in the New York area, IC3 said. The organization reported suffering a $50 million loss due to a BEC attack, after which RAT used the kill chain to successfully freeze nearly $45 million in an account. It then successfully pursued secondary wire transfers to freeze and recover $1 million more.