The Ransomware Task Force, a group of about 60 cybersecurity experts from the tech sector and the public sector, published a report earlier this month that found that while organizations around the world continue to experience attacks, the rate of incidents affecting local governments and healthcare organizations in the United States appears to have slowed.

The task force reported 64 documented attacks on municipal governments, schools, and hospitals so far in 2022, compared with around 150 during the same period a year earlier, according to statistics collated by Recorded Future intelligence analyst Allan Liska. However, incidents still cost money and have a detrimental effect on operations; for example, the City of Quincy, Illinois, spent $500,000 in May to purchase a decryption key and is still assessing the extent of the damage to its services.

But it’s still unclear why the total number of ransomware incidents has decreased.

Liska told StateScoop that there might be fewer attacks. “Everyone I know who works in incident response is still completely scheduled, primarily with ransomware, so I find it difficult to believe that.”

Ransomware attacks are meticulously recorded by monitoring ransomware gangs’ extortion sites, keeping an eye on their websites, and reading the headlines of local news sources, which are frequently the first to announce when a school, hospital, or government office is under attack.

The 2022 figures look off, and Liska is not the only ransomware tracker to have noticed.

According to Brett Callow, an expert at the antivirus company Emsisoft who has been tracking ransomware attacks for years, “we’ve actually seen a drop in the public sector.”

Callow said that through the end of June he had recorded 30 attacks on local governments and 35 against educational institutions, as opposed to 53 and 59, respectively, during the first half of 2021.

Like Recorded Future’s, Emsisoft’s figures are based on a combination of open disclosures, leak sites, and the company’s direct interactions with victim groups.

However, Liska claimed that the leak sites, where ransomware perpetrators threaten their victims with the publishing of stolen data, are no longer trustworthy sources. He claimed that cybercriminals are beginning to delay the posting of their stolen data or shift to other forms of extortion, such as directly contacting and threatening clients, patients, or pupils.

According to Liska, “as an industry, we have become dependent on extortion sites.”

These circumstances highlight the significance of recent rules mandating that ransomware victims promptly disclose their incidents to the appropriate authorities at both the federal and state levels. While a new federal law signed in March gave operators of critical infrastructure 72 hours to report attacks to the Department of Homeland Security, an increasing number of states have already established their own regulations for local governments and other sectors, such as water and sewer operators, or are in the process of doing so.

It will take time, though, for reporting obligations to paint a more complete picture of the changing ransomware situation.

“I do believe that the United States accounts for a lesser proportion of all victims. Other nations are even poorer at reporting than the United States,” according to Liska. “I’ve been screaming for five years that we need this. Good to observe the development. Having those reporting criteria in place will be necessary for us to, hopefully, continue to learn more about everything and advance.”