Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Critical Infrastructure Ransomware Attack Tracker Reaches 2,000 Incidents

Temple University’s Critical Infrastructure Ransomware Attacks (CIRA) database now contains over 2,000 entries.

Ransomware tracker

Roughly 2,000 ransomware attacks were launched over the past decade against critical infrastructure organizations in the United States and other countries, according to data collected as part of a project maintained at Temple University in Philadelphia.

SecurityWeek first wrote about the project in 2020, when it covered more than 680 ransomware attacks targeting critical infrastructure. By February 2022, the number of entries exceeded 1,100, and it has now reached just over 2,000.

The project is maintained by Aunshul Rege, professor in the Department of Criminal Justice at Temple University, and Rachel Bleiman, PhD candidate and graduate research assistant.

The Critical Infrastructure Ransomware Attacks (CIRA) database currently covers more than 2,000 attacks documented since 2013, and includes nearly 300 entries for incidents that came to light in 2024. 

It contains information such as name of the victim, date of the incident, country or US state, targeted critical infrastructure sector, name of the attacking threat group, duration of the incident, MITRE ATT&CK mapping, and — if known — the amount of money that was demanded by the attacker and the ransom paid by the victim.

The data shows that the three most targeted critical infrastructure sectors/subsectors from two years ago remain popular today: government facilities, healthcare and public health, and education facilities. The least targeted continue to be nuclear reactors, materials and waste; defense industrial base; chemical; and water and wastewater. 

While it’s often difficult to find information on ransom payments made by victims, the CIRA data shows an increase in larger ransom demands compared to two years ago. 

“More than USD 5 million went up from a frequency count of 49 to 70. The ransom amount of USD 1 million went up from 45 to 71. The ransom amount of USD 5 million or less went up from 30 to 45,” Rege and Bleiman explained. 

Advertisement. Scroll to continue reading.

The database is available for free upon request. To date it has been requested more than 1,500 times, mainly by researchers and other members of the cybersecurity industry (61%), as well as students, government entities, educators, and reporters. 

The CIRA data has been cited in several reports and research papers over the past years. According to Rege and Bleiman, it has been shared at training sessions or listed as a useful resource by several entities. 

Members of the cybersecurity industry have used it for a wide range of purposes, including research and training of internal teams, education and awareness, incident response planning, threat assessment and modeling, trend analysis, and risk analysis.

In the government sector, it has been useful for developing training classes and exercise scenarios for staff and operators, identifying trends and patterns, assessing incident response efforts, detection and defense strategies, obtaining funding and resources for staff, and developing risk assessment policies.

As for the future of the project, Rege and Bleiman told SecurityWeek that they are considering making several changes and improvements. These include expanding MITRE ATT&CK data (adding threat group ID), capturing the individual phases/types of extortion, and enhancing and expanding the coverage of incidents outside of the Western world (currently only 11% of the entries are from other parts of the globe).

The maintainers of the project are also considering running an annual OSINT challenge around the dataset in an effort to obtain information that may be more difficult to collect.  

“This contributes to creating a more complete dataset with relevant source information. Additionally, it may help identify new variables, such as points of entry, recovery costs and leaked data bidding costs,” Rege explained. “This event would make the CIRA dataset truly community-driven and a fun event/challenge.”

“It would be lovely if we could secure a good set of judges/advisory board members to check for the quality of submissions. So if anyone is interested in this event, please reach out to help plan the event!” Rege noted.

Related: IT Giant Atos Responds to Ransomware Group’s Data Theft Claims

Related: New York Hospital Says Ransomware Attack Data Breach Impacts 670,000

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.