Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?



University Project Tracks Ransomware Attacks on Critical Infrastructure

A team at Temple University in Philadelphia has been tracking worldwide ransomware attacks on critical infrastructure, and anyone can request access to the data.

A team at Temple University in Philadelphia has been tracking worldwide ransomware attacks on critical infrastructure, and anyone can request access to the data.

Work on this project, described as a repository of critical infrastructure ransomware attacks (CIRWA), started in September 2019. As of August 2020, the database includes over 680 records of ransomware attacks documented since November 2013.

The repository, offered for free as a Microsoft Excel file, stores information on incidents described by the media and cybersecurity companies.

The information includes the name of the targeted organization, the year the attack was launched, the date when the attack started, location of the targeted organization, the targeted sector, duration of the attack, the ransomware family that was used, the ransom amount, the payment method, whether the amount was paid, how much was paid, the source of the information, and related incidents. Based on the type of ransomware that was used, there are also links to the MITRE ATT&CK framework.

An analysis of the data currently shows that government facilities were the most targeted type of critical infrastructure — followed at a distance by education and healthcare — and Maze was the most common ransomware strain. It’s worth noting that the project tracks incidents affecting critical infrastructure as defined by the U.S. Department of Homeland Security.

The most commonly observed duration of a ransomware attack is one week or less, and the most commonly demanded ransom amount is $50,000 or less, but there are 13 known incidents where the attackers demanded more than $5 million.

Ransomware attacks on critical infrastructure

Ransomware attacks on critical infrastructure – click on the image for the full summary

Aunshul Rege, associate professor in the Department of Criminal Justice at Temple University, leads the project, which is funded by her National Science Foundation (NSF) CAREER award. One of the main contributors to the project is her graduate student, Rachel Bleiman, a PhD student in the university’s Criminal Justice program.

“We started with the goal of just providing a dataset based on open-source information on disclosed CIRW incidents,” Rege told SecurityWeek. “My team and I struggled to find datasets that are free/no strings attached in the [critical infrastructure] space, which could be used by researchers/educators (like myself) and also by students.”

She added, “This dataset was driven by the need to contribute to the education/academic space to help educators and students. My team and I were collecting data for my NSF CAREER grant anyway, so we decided to rehash it in a structured way to share with the academic community. We started the CIRW dataset in Sep 2019 with 162 incidents. Today we have 687 incidents!”

Learn more about critical infrastructure threats at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

According to Rege, a lot of people have found the data useful. She says it has so far been requested by educators in higher education for class projects, research and publications; undergrad students for course projects; grad students for dissertation literature review; government representatives for ICS training classes, raising awareness, and assessing internal responses to critical infrastructure ransomware attacks; researchers for trends and patterns in TTPs across ransomware strains, comparing the data to their own internal datasets, and threat modeling and intelligence; and representatives of the private sector for training, threat intelligence, risk and statistical analysis, raising awareness, and overviewing current trends.

Anyone can request the data for free and Rege says they have approved nearly all the requests they’ve received to date.

“We do get some [requests] that are from personal email addresses (gmail, protonmail, etc), which we follow up on. Two other reasons why we want to keep track of who is using the dataset is so that we can (i) get feedback and (ii) potentially develop collaborative research projects,” Rege explained.

The maintainers of the project have been making improvements based on the feedback they have received from the community, such as mapping attacks to the MITRE ATT&CK framework.

Related: Seven Ransomware Families Target Industrial Software

Related: Honda Ransomware Confirms Findings of Industrial Honeypot Research

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.