The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) says it received 649 complaints of ransomware attacks targeting critical infrastructure organizations in 2021.
Ransomware attacks hit 14 out of 16 critical infrastructure sectors last year, with healthcare and public health impacted the most, the IC3 notes in its 2021 Internet Crime Report (PDF).
The IC3 received a total of 148 complaints of ransomware attacks on the healthcare sector, far more than the number of reported hits on the next most targeted sectors, namely financial services (89) and information technology (74).
[ Read: US Charges Russian Hackers Over Triton, Havex Cyberattacks on Energy Sector ]
At 65 complaints, critical manufacturing was also a popular target for ransomware operators, with government facilities rounding up top five with 60 reported attacks.
Of the top three ransomware families targeting critical infrastructure, Conti mostly focused on critical manufacturing, commercial facilities, and food and agriculture; LockBit frequently hit government, healthcare, and financial organizations; while REvil/Sodinokibi targeted financial services, IT, and healthcare and public health sectors.
In a joint advisory in February, the US, UK, and Australia warned of an increase in the sophistication of ransomware attacks, and also pointed out that ransomware operators increasingly rely on cybercriminal ‘services-for-hire’ in operations.
[ READ: Ransomware, Malware-as-a-Service Dominate Threat Landscape ]
Overall in 2021, the IC3 received 3,729 complaints of ransomware attacks, with adjusted losses in excess of $49.2 million. However, these represent only a fraction of the estimated losses of more than $6.9 billion caused by the reported cybercrime last year.
The IC3 received close to 850,000 complaints related to internet cybercrime in 2021, up roughly 50,000 from 2020 (when estimated losses topped $4.2 billion) and nearly double compared to 2019 (when estimated losses reached $3.5 billion).
Phishing remained the top cybercrime type reported last year, accounting for roughly 324,000 of the received complaints, followed by non-payment/non-delivery, personal data breach, and identity theft. Extortion was the fifth most common crime type, at roughly 39,000 complaints.
A total of 19,954 Business Email Compromise (BEC)/ Email Account Compromise (EAC) complaints were received in 2021, with adjusted losses close to $2.4 billion, roughly on par with 2020 (19,369 complaints and adjusted losses of $1.8 billion).
In 2021, the IC3 received the majority of internet crime complaints from victims in the US (more than 466,000 reports) and in the UK (more than 300,000 complaints).
Related: U.S. Security Vendors Launch Critical Infrastructure Defense Project