Ransomware has grow to be a favourite assault technique for unhealthy actors, with reviews labeling it the best means for cybercriminals to monetize unlawful entry into networks. Information of ransomware assaults seems every day.
Extra troubling nonetheless are predictions that ransomware gangs have gotten more proficient at utilizing AI, and well-funded ones might quickly use agentic AI to launch much more subtle assaults at scale.
Such advances present how far the world has come from the primary ransomware assault again in 1989, when 1000’s of the World Well being Group’s AIDS Convention attendees returned residence to seek out floppy disks of their mailboxes that allegedly held a questionnaire concerning the chance of contracting HIV. However they did not discover any questions: The disks contained a program designed to encrypt the names of their pc information. In the event that they wished their information restored, they have been instructed to ship $189 to a Panamanian put up workplace field.
Quick-forward a couple of years to see the evolution of ransomware, enabled by the rise of the web, society’s shift to an interconnected digital world and the introduction of cryptocurrency. Malicious actors organized. Ransomware as a service (RaaS) emerged. Double and triple extortion assaults turned frequent.
Consequently, the variety of victims, the amount of cash demanded and the impression of profitable assaults have soared over time.
Information on the variety of ransomware assaults, estimated ransom funds and the whole prices incurred by victims varies from one report back to the subsequent. As a result of victims are typically reluctant to publicly share that they have been hit by ransomware, whether or not they paid a ransom or how a lot they spent to recuperate from such an incident, an correct estimate of the harm is troublesome to find out.
Research, nonetheless, do level to some troubling numbers. For instance, NCC Group counted 5,263 ransomware circumstances in 2024, noting in its “2024 Cyber Risk Monitor Report” that the tally is the best quantity in annual circumstances for the reason that cybersecurity software program and providers firm began monitoring ransomware exercise in 2021. In “The State of Ransomware 2024,” safety vendor Sophos estimated that 59% of organizations have been hit by some kind of ransomware incident within the prior 12 months.
Quantifying the largest assaults may be troublesome, however some stand out. The next is an inventory of 15 of probably the most impactful ransomware assaults thus far, ordered alphabetically.
1. Ascension
Sort of ransomware: Black Basta ransomware
Attacker: Reportedly Black Basta
Date: Might 8, 2024
Losses: $1.3 billion
Ascension, a St. Louis-based Catholic well being system, mentioned it had been hit by ransomware that disrupted its entry to digital well being data, telecommunications programs and a few essential operational programs, together with ones used for affected person care. Ascension was compelled to divert ambulances and shut pharmacies, whereas its clinicians reported that the incident affected their capability to take care of sufferers. Moreover, the assault uncovered the non-public data of 5.6 million people and value the nonprofit system a reported $1.3 billion. It’s unclear whether or not Ascension paid a ransom as a part of its remediation and restoration efforts.
2. Caesars and MGM casinos
Sort of ransomware: Assault on NCR Aloha POS platform
Attacker: ALPHV/BlackCat
Date: September 2023
Losses: Upward of $100 million
Caesars and MGM, two of the largest and most recognizable U.S. resort and on line casino chains, fell sufferer to ransomware assaults launched by the ALPHV/BlackCat group. The assaults on Caesars and MGM stemmed from a bigger assault on the NCR Aloha point-of-sale platform, which was extensively used within the hospitality trade. Each Caesars and MGM misplaced entry to their complete IT infrastructure, together with slot machines. In accordance with cybersecurity firm Kaspersky, Caesars paid a $15 million ransom, which was half the demanded quantity, whereas MGM didn’t pay a ransom, opting to revive its programs at a value of $10 million and struggling a lack of $100 million through the nine-day restoration time.
3. CDK International
Sort of ransomware: Not reported
Attacker: BlackSuit
Date: June 8, 2024
Losses: $1 billion-plus collectively along with a reported ransom cost of $25 million value of bitcoin
The assault on CDK International led to widespread system outages at 15,000 U.S. and Canadian auto dealerships, halting their capability to trace stock, schedule providers and course of gross sales. The preliminary assault, believed to return from the BlackSuit ransomware gang, was adopted by a second assault whereas CDK International was working to recuperate its programs. The assault value auto dealerships greater than $1 billion collectively, in accordance with an estimate from consulting agency Anderson Financial Group.
4. Change Healthcare/UnitedHealth Group
Sort of ransomware: Exploitation of a Citrix portal account
Attacker: ALPHV/BlackCat
Date: Feb. 21, 2024
Losses: Greater than $800 million in direct damages, together with a $22 million ransom, and estimated general prices of roughly $2.5 billion
ALPHV/BlackCat launched a profitable ransomware assault on Change Healthcare, a division of UnitedHealth Group. The attackers, who gained entry by exploiting a Citrix portal account that lacked multifactor authentication, spent 9 days stealing information as they moved undetected throughout the firm’s programs. They then hit the corporate with a ransomware assault that disrupted greater than 100 purposes, ensuing within the incapability for healthcare entities nationwide to course of digital funds and medical claims. The incident is the most important healthcare breach within the U.S. thus far, affecting greater than 100 million individuals. It value the corporate greater than $800 million in direct prices, together with a $22 million ransom cost made in cryptocurrency. Complete prices from the assault have been an estimated $2.5 billion to $3 billion.
5. Colonial Pipeline
Sort of ransomware: DarkSide RaaS
Attacker: DarkSide
Date: Might 7, 2021
Losses: $4.4 million (roughly $2.3 million was recovered)
The assault on Colonial Pipeline turned probably the most infamous ransomware assaults due to its impression on on a regular basis Individuals, with these residing in Southeast states abruptly going through fuel provide shortages.
Colonial Pipeline, proprietor of a pipeline system carrying gasoline from Texas to the Southeast, suffered a ransomware assault on the pc programs that managed the pipeline. DarkSide attackers accessed the programs by way of a compromised credential for a legacy VPN. Working with the FBI, the corporate paid a $4.4 million ransom inside hours of the assault. The impression lasted for days, nonetheless, as the corporate struggled to completely restore operations.
Federal and state officers, together with then-President Joe Biden, issued emergency declarations within the days after the assault to make sure gasoline might attain the affected area and restrict damages. The assault additionally led Biden to concern an govt order to enhance the nation’s cybersecurity.
The U.S. Division of Justice later introduced it had seized $2.3 million of the $4.4 million in bitcoin used to pay the ransom.
6. Costa Rica
Sort of ransomware: Conti
Attacker: Conti gang
Date: April 17, 2022
Losses: $30 million a day
The Conti ransomware gang launched a monthslong assault in opposition to Costa Rican authorities establishments. The preliminary assault on the Ministry of Finance used compromised credentials to put in malware. The Costa Rican Ministry of Science, Innovation, Know-how and Telecommunications and the Ministry of Labor and Social Safety have been later attacked. The federal government shut down a number of programs, leading to delayed authorities funds, slowed and halted commerce, and restricted providers.
Inside the first week of the assault, then-President Carlos Alvarado refused to pay the purported $10 million ransom. The Conti ransomware gang then leaked virtually all of the 672 GB of information it stole through the assaults. It took months earlier than programs have been restored — however not earlier than the nation’s newly elected president, Rodrigo Chaves Robles, declared a state of emergency.
7. Impresa
Sort of ransomware: Lapsus$
Attacker: Lapsus$
Date: Jan. 1, 2022
Losses: Not reported
Ransomware group Lapsus$ launched one of many world’s most conspicuous ransomware assaults when it struck Impresa, Portugal’s largest media conglomerate. The assault took down all its web sites, its weekly newspaper and its TV channels. Attackers additionally gained management of the corporate’s Twitter account and claimed it had entry to the corporate’s AWS account. In accordance with information reviews, Impresa confirmed the assault however mentioned no ransom demand was made.
Lapsus$, which had attacked Brazil’s Ministry of Well being in 2021, posted a ransom message that threatened to launch firm information. Portuguese authorities labeled the Impresa assault the most important cyberattack within the nation’s historical past.
8. JBS USA
Sort of ransomware: REvil RaaS
Attacker: REvil
Date: Might 30, 2021
Losses: $11 million ransom cost
Beef producer JBS USA Holdings Inc. paid an $11 million ransom in bitcoin to malicious actors after an assault compelled it to close down operations. IT staffers initially seen issues with among the firm’s servers, and shortly thereafter, the corporate obtained a message demanding a ransom. Pilgrim’s Pleasure Corp., a unit of JBS, was additionally affected by the assault. Operations have been restored inside days, however not earlier than JBS made the hefty cost.
9. Kronos
Sort of ransomware: Not reported
Attacker: Not reported
Date: Dec. 11, 2021
Losses: Along with a reported ransom cost, Kronos paid $6 million in 2023 to settle a class-action lawsuit filed by Kronos shoppers who alleged the corporate did not do sufficient to guard its programs.
Final Kronos Group, a workforce administration software program maker doing enterprise in additional than 100 nations, was hit by a ransomware assault on its non-public cloud. The incident affected clients across the globe, spawned yearslong ripple results and uncovered an earlier breach that magnified the impression.
The assault uncovered worker information for most of the firm’s enterprise shoppers. In consequence, these shoppers confronted interruptions, delays and errors in issuing paychecks to their staff.
The Kronos assault raised questions on vendor accountability and highlighted the significance of third-party threat administration, as organizations acknowledged that assaults on their enterprise companions might have an effect on them as properly.
10. Maersk
Sort of ransomware: NotPetya
Attacker: Russian-backed hackers suspected within the assault
Date: June 27, 2017
Losses: Roughly $300 million
Danish delivery large A.P. Moller-Maersk suffered roughly $300 million in losses after it was hit as a part of the worldwide NotPetya assaults. The malware, which exploited the EternalBlue Home windows vulnerability and unfold by way of a backdoor within the authentic monetary software program MeDoc, locked the corporate out of the programs it used to function delivery terminals everywhere in the world. As wiperware, NotPetya was designed to inflict most harm by not solely encrypting all information on contaminated computer systems but in addition fully wiping or rewriting them so they might not be recovered — even by way of decryption. It took Maersk two weeks to recuperate its pc operations.
11. Swissport
Sort of ransomware: BlackCat RaaS
Attacker: BlackCat
Date: Feb. 3, 2022
Losses:Â Air service disruptions; no monetary information reported
Swissport, a Swiss firm offering airport ground- and cargo-handling providers, introduced that its programs had been hit by a ransomware assault in 2022. The incident delayed a small variety of flights, however Swissport mentioned it had contained the incident inside 24 hours. Ransomware group BlackCat, nonetheless, quickly indicated it had not solely encrypted the corporate’s information but in addition had stolen 1.6 TB of Swissport information it was trying to promote in a traditional instance of a double extortion assault.
12. Synnovis/U.Ok. Nationwide Well being Service
Sort of ransomware: Not reported
Attacker: Qilin
Date: June 3, 2024
Losses: £33 million
Synnovis, a pathology and laboratory providers supplier to the U.Ok.’s Nationwide Well being Service (NHS), fell sufferer to a ransomware assault launched by the cybercriminal group Qilin. The assault encrypted Synnovis’ IT programs, creating important disruptions to affected person healthcare — specifically, cancelled and postponed procedures, blood transfusions, exams and outpatient appointments. It additionally compelled healthcare suppliers to revert to guide and paper-based programs to course of data. The assault uncovered the information of practically 1 million NHS sufferers, with the attackers stealing and ultimately leaking 400 GB value of delicate information when Synnovis didn’t pay the demanded $50 million ransom.
13. Travelex
Sort of ransomware: REvil RaaS
Attacker: REvil
Date: Dec. 31, 2019
Losses: $2.3 million ransom paid; firm compelled into administration in 2020 partly as a result of assault
On the time it was hit by the REvil ransomware gang, Travelex was the world’s largest overseas change bureau. Attackers focused a identified vulnerability in Pulse Safe VPN servers to infiltrate the corporate’s programs and encrypt 5 GB of information. They demanded a $6 million ransom, which was negotiated right down to $2.3 million.
The assault took down the corporate’s inner programs for practically two weeks. The monetary fallout was so extreme that it finally compelled the corporate into administration in 2020.
14. U.Ok. Nationwide Well being Service
Sort of ransomware: WannaCry
Attacker: Linked to North Korea
Date: Might 2017
Losses: £92 million (roughly $100 million)
Corporations around the globe felt the impression of the WannaCry ransomware assault, the primary ransomware to take advantage of the EternalBlue flaw in Home windows programs.
The U.Ok.’s NHS was probably the most distinguished WannaCry victims, with a number of hospitals, normal practitioners and pharmacies affected in England and Scotland. NHS amenities have been compelled to delay and divert medical providers.
15. Ukraine
Sort of ransomware: NotPetya
Attacker: Russia’s GRU navy spy company named as attacker, in accordance with the CIA
Date: June 27, 2017
Losses: Estimated at $10 billion globally
Whereas greater than 60 nations have been affected, the preliminary world NotPetya assaults in 2017 primarily focused victims in France, Germany and Ukraine, the latter of which sustained about 80% of the assaults, in accordance with researchers from cybersecurity software program firm ESET. The nation’s pc programs have been affected, in addition to networks operated by non-public firms and electrical utilities. The aforementioned Maersk ransomware assault was additionally a part of this collection of assaults.
Mary Ok. Pratt is an award-winning freelance journalist with a deal with protecting enterprise IT and cybersecurity administration.
