Getty Images

Ransomware ravaged schools and cities in May

The public sector took the brunt of ransomware in May, while another damaging attack against a healthcare company disrupted patient access to pharmacy services.

Ransomware caused significant disruptions across the public sector in May, forcing school closures and hindering one city's emergency services.

The widespread threat continued last month following several vendors' reports of record high ransomware activity levels for 2023. Despite recent law enforcement efforts to disrupt the LockBit ransomware gang, the prolific group claimed responsibility for many of the attacks in May that affected schools, cities and healthcare organizations.

Ransomware gangs heavily targeted the education sector last month. Several U.S. cities, hospitals and a public library also reported attacks that caused significant disruptions and led to data breaches involving highly sensitive information.

Two such attacks occurred during Memorial Day weekend. Ransomware gangs commonly target victim organizations during holidays when businesses are understaffed.

The Seattle Public Library disclosed it suffered a ransomware attack on May 25 that affected computer access, its online catalog, e-book services and Wi-Fi network. The library, which has 27 locations across the state, forced systems offline because of the attack and contacted law enforcement.

In a series of updates beginning on May 28, the library said the attack occurred just one day before planned server maintenance that required a system shutdown. As of June 3, all locations are open but online services, including account access and Wi-Fi, remain down.

"At this time, we do not have an estimated time for restoring impacted services," the Seattle Public Library wrote in an update.

Center Line Public Schools in Michigan also experienced a ransomware attack on May 25. C & G Newspapers reported that Center Line was forced to cancel classes the following Tuesday because of the attack that affected the school's Wi-Fi, internet, security cameras and educational software. Center Line told the news outlet that students were still able to use Chromebooks, and classes resumed on May 28. An investigation to determine whether a data breach occurred remains ongoing.

On May 15, another Michigan-based school also suffered a ransomware attack. Fox 17 reported that students and staff at Rockford Public Schools discovered ransom notes in printers on the morning of the attack. Attackers threatened to leak stolen data if the school did not pay the undisclosed ransom demand. Fox 17 said the attackers claimed to "not be a politically motivated group" and promised to provide a decryptor once the ransom was paid. It also warned the school not to engage law enforcement.

Superintendent Steve Matthews told the news outlet that the attack shut down access to computers, internet and phones across all district buildings, which includes 15 schools with more than 7,000 students. Classes continued, but students and staff were forced to revert to pen and paper as systems remained down.

The City of Richland in Washington was also hit by ransomware on May 15. Richland officials disclosed the attack in a Facebook post on May 17. The city warned citizens that the attack potentially exposed sensitive personal information of residents, including names, addresses and contact details. Additionally, the attack disrupted emergency services.

"We want to inform you that we have confirmed that there has been a data breach incident affecting our servers and systems at Benton County Emergency Services (BCES) and the City of Richland (City)," City of Richland wrote on Facebook.

Richland provided more updates to its website. As of May 31, the city said systems were restored and Richland citizens should have access to most services and be able to make utility payments. However, the city was still in the process of upgrading its building and permitting software, which it anticipated would be operational by June 3. An investigation into the attack remained ongoing.

LockBit threat continues

LockBit was behind an attack against the Union Township School District in New Jersey on May 11. RLS Media reported that the district's superintendent Gerry Benaquista said the school officials forced systems offline because of the ransomware attack. Benaquista added that it caused significant network disruptions, but no school closures were reported. The notorious ransomware gang claimed responsibility for the attack on its dark web leak site.

On May 3, Ewing Marion Kauffman School in Kansas City suffered an attack by LockBit as well. The charter school issued a statement to Fox 4 that revealed threat actors posted stolen data on its public data leak site, used to pressure victim organizations to pay. In addition to a data breach, Ewing was forced to cancel classes following the attack. The school added that it was working with law enforcement during an ongoing investigation.

On May 5, the City of Wichita disclosed it suffered an attack that allowed threat actors to gain unauthorized system access between May 3 and May 4. City officials posted a series of updates to its website that revealed threat actors exfiltrated sensitive data including law enforcement incident and traffic information that contained Social Security numbers, driver's license numbers, card numbers and payment card information. LockBit posted Wichita to its public data leak site with a May 15 payment deadline.

Wichita officials forced systems offline to contain the threat, which disrupted resident access to city services. On May 30, the city reported some systems were restored but the rest would be rolled out in stages. As of June 6, a cyber security incident message still pops up when accessing the city's website.

Attack disrupts patient healthcare

One of May's most damaging attacks occurred against Missouri-based Ascension on May 8. The health system disclosed the attack on May 9 and cited disruptions to its electronic health record (EHR) systems as well as some phone systems, patient portals and other systems used to order tests, procedures and medications.

An attack against UnitedHealth Group's Change Healthcare in February highlighted how dire ransomware can be for healthcare organizations. Like the attack on Change Healthcare, Ascension's pharmacy and prescription operations were also affected.

"Patients should bring their appointment notes on their systems and a list of current medications and prescription numbers or the prescription bottles so their care team can call in medication needs to pharmacies," Ascension wrote in the update.

On June 5, the healthcare system said it restored EHR services for Florida, Alabama, Austin, Tennessee and Maryland locations. Ascension also said it expects all EHR services to be restored by June 14.

On May 6, Trego County Lemke Memorial Hospital in Kansas faced a ransomware attack. Media outlet Hays Post disclosed the attack on May 21. The hospital told the outlet it was working to restore systems and that an investigation remained ongoing. Trego has not released an official statement and no ransomware gang has claimed responsibility.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.

Next Steps

Ransomware hits CDK Global, public sector targets in June

Dig Deeper on Data security and privacy