On Sept. 6, two Utah-based newspapers reported that their company files had been encrypted and rendered inaccessible, delaying the publishing presses for 24 hours.
Days earlier, something similar happened at Savannah College of Art and Design (SCAD) in Georgia, this time leading to a breach of sensitive student and staff data.
In California, it was the Los Angeles Unified School District’s (LAUSD) turn to suffer “unusual activity,” which led to various systems becoming unavailable, including its email server.
And it’s not just American organizations that have been having network trouble. In the United Kingdom, an attack on National Health Service (NHS) supplier Advanced led to disruption in patient check-in and the 111 telephone service.
Meanwhile, airline TAP Air Portugal claimed it had resisted an attack on its systems despite some evidence to the contrary. In Greece, the threat group blamed for this incident reportedly breached gas transporter DESFA.
It’s not a big reveal to say that every one of these incidents was caused by ransomware across a range of strikingly everyday sectors—newspapers, education, healthcare, airlines, and energy.
Despite the disruptive nature of these attacks, the chances are most people won’t have heard about any of them, let alone the numerous other ransomware attacks that occurred during August 2022.
It’s as if the population has become so used to ransomware that they barely notice attacks. Even when they do, the details are quickly forgotten.
This shouldn’t be a surprise. Many organizations downplay incidents, rarely offering more than the most basic information the wider population could use to assess their longer-term consequences.
More often, organizations seem more interested in reassuring people about what didn’t happen than what did. For example, it’s become standard for commercial companies to tell customers that no credit card data was taken during an attack, even though this is probably not the biggest worry (card data is encrypted and direct losses from a breach would be reimbursed anyway).
This approach must seem reasonable, except that every organization says the same thing for fear of alarming people.
Was a ransom paid? Even public sector organizations seem reluctant to give a clear answer to that question.
The net effect is the opposite of the transparency some in the industry have been advocating, especially where payments were made.
The occasional exceptions to this rule stand out like beacons. Take, for example, the late 2020 ransomware attack on green energy company Volue, which resulted in regular updates on indicators of compromise (IoCs) and the vulnerabilities exploited. It even offered the contact details of the company’s senior management.
Or the Irish Health Service Executive (HSE), which suffered one of the biggest ransomware attacks of all time in May 2021. That led to a model 150-page teardown analysis published only months later.
Transparency shouldn’t be about alarming people. Instead, the focus should be on admitting that something went wrong, and how it’s being addressed. That, ultimately, is the biggest weakness of the current culture of evasion and secrecy—nobody is held accountable, which makes it more likely mistakes will keep happening.