Top Ransomware Attacks

Ransomware attacks are big business. By the end of 2021, it is estimated that a business will be targeted by a ransomware attack every 11 seconds, causing up to $20 billion in damage. Ransomware attacks are not just a concern for organizations such as businesses, governments, and healthcare providers – they also affect customers and employees, whose data is often the collateral damage of these types of attacks.

Ransomware attacks are those which use malware to encrypt the data and files of targets. They differ from extortion campaigns, which use distributed denial of service (DDoS) to overwhelm targets with traffic with the promise of stopping their onslaught in exchange for payment.

While some organizations choose to pay ransomware demands, it is generally not recommended as there is no guarantee that access to infected systems will be restored and by paying up, victims further incentivize these forms of cyberattack. Many companies don’t disclose ransomware attacks or, if they do, won’t reveal the attackers’ demands.

Here, we review some of the most recent ransomware attacks 2020, from January through to December.

Ransomware attacks in January 2020

1. Travelex ransomware attack

Hackers started the year with an attack on foreign exchange company Travelex, forcing the company to turn off all computer systems and rely on pen and paper. The company had to take down its websites in 30 countries as a result.

A ransomware gang called Sodinokibi (also known as REvil) was behind the attack, demanding $6 million from Travelex. The gang claimed to have accessed the company’s computer network six months previously, enabling it to download 5GB of sensitive customer data – including dates of birth and credit card numbers. The gang said that if Travelex paid the ransom, they would delete the data but if not, the ransom would double every two days. After seven days, they said they would sell the data to other cybercriminals.

Travelex reportedly paid the gang $2.3 million in Bitcoin and restored its online systems after two weeks offline. In August 2020, the company announced it was going into administration (the UK equivalent of going into Chapter 11), blaming a combination of the ransomware attack and the impact of the Covid-19 pandemic.

Other notable attacks this month included:

• Students at the Pittsburgh Unified School District of Pennsylvania were left without internet access after a ransomware attack disabled the district’s network systems during the festive break.
• Patients at a medical practice in Miramar, Florida received ransom demands from a cybercriminal threatening to release their private medical records unless a ransom was paid.

Ransomware attacks in February 2020

2. INA Group ransomware attack

On Valentine’s Day, a cyber-attack crippled some business operations at INA Group, Croatia’s biggest oil company and largest gas station chain. The attack was a ransomware infection that infected and then encrypted some of the company’s back-end servers.

While the attack did not affect the company’s ability to provide gas to customers, it did impact its ability to issue invoices, register loyalty card use, issue new mobile vouchers, and allow customers to pay certain bills.

The attack was reportedly caused by an infection of the Clop ransomware strain. Security researchers regard the Clop gang as “big game ransomware,” a term that refers to criminal groups who target companies to infect their networks, encrypt data, and demand extremely large ransoms.

Other notable attacks this month included:

• NRC Health, a healthcare company that works with 75% of the 200 largest hospitals in the US, received an attack. In response, the company shut down its systems, including client-facing portals, to mitigate the data breach. Data stored by the company includes staff salaries and reimbursement information from programs such as Medicare.

Ransomware attacks in March 2020

3. Communications & Power Industries ransomware attack

In March, it was revealed that California-based Communications & Power Industries (CPI), a major electronics manufacturer, had been hit by a ransomware attack.

The company makes components for military devices and equipment and counts the US Department of Defense amongst its clients. The ransomware attack took place when a domain admin at the company clicked on a malicious link that triggered file-encrypting malware. Because thousands of computers on the network were on the same, unsegmented domain, the ransomware quickly spread to every CPI office, including its on-site backups.

The company reportedly paid $500,000 in response to the attack. It is not known what kind of ransomware was involved.

Other notable attacks this month included:

• In the UK, London-based Hammersmith Medical Centre was attacked by the Maze ransomware group. The Medical Centre performs early clinical trials for drugs and vaccines. The attack came only days after the Maze group promised not to attack medical research organizations during the Covid-19 pandemic. After the Centre declined to pay the ransom, the group published the personal details of thousands of former patients. The Centre’s director, Malcolm Boyce, was quoted in the media saying he would rather go out of business than pay the ransom.

Ransomware attacks in April 2020

4. Energias de Portugal ransomware attack

In April, it was reported that Portuguese energy giant Energias de Portugal (EDP) had fallen victim to an attack. Cybercriminals using the Ragnar Locker ransomware encrypted the company’s systems and demanded a ransom of nearly $10 million.

The attackers claimed to have stolen over 10TB of sensitive company data, which they threatened to leak unless the ransom was paid. The hackers posted screengrabs of some sensitive data on a leak site that purported to show proof of possession. The data supposedly included confidential information about billing, contracts, transactions, clients, and partners.

EDP confirmed that an attack had taken place but said there was no evidence that sensitive customer data had been compromised. However, on the basis that theft of customer data could come to light in the future, the company offered customers a year of Experian identity protection at no cost.

Other notable attacks this month included:

• Cognizant, a Fortune 500 company that provides IT services to companies across various industries, disclosed that they were the target of a ransomware attack. The attack affected their internal systems and involved the deletion of their internal directory, disrupting services to their customers. In their Q2 2020 results reportat the end of July, Cognizant said that revenue across their business segments was down 3.4% to $4 billion. This was due, in part, to the April ransomware attack.

Ransomware attacks in May 2020

5. Grubman Shire Meiselas & Sacks ransomware attack

In May, Grubman Shire Meiselas & Sacks, a New York-based law firm with a host of celebrity clients including Madonna, Elton John, and Robert DeNiro, was a victim of REVil ransomware. 

Cyberattackers claimed to have used the REvil or Sodinokobi ransomware to steal personal data, including client contracts, telephone numbers, email addresses, personal correspondence, and non-disclosure agreements. The attackers threatened to release the data in nine staggered releases unless ransoms totaling $21 million were paid. This demand was doubled to $42 million when the law firm refused to pay.

Celebrities affected by the attack reportedly included Bruce Springsteen, Lady Gaga, Nicki Minaj, Mariah Carey, and Mary J. Blige. The law firm said it would not negotiate with the attackers and called in the FBI to investigate.

Other notable attacks this month included:

• Michigan State University was hit with the NetWalker ransomware. NetWalker, also known as Mailto, is a ransomware strain that made its criminal debut in August 2019. In their demand, the ransomware operators said the university had one week to pay a ransom in exchange for access to their encrypted files. Otherwise, the attackers said they would leak the personal and banking-related data of MSU students. The university opted not to pay the ransom, saying that they were heeding the advice of law enforcement.

Ransomware attacks in June 2020

6. Honda ransomware attack

In June, automotive giant Honda suffered a Snake (also known as Ekans) ransomware attack which targeted its offices in the US, Europe, and Japan. Once the attack was discovered, Honda put production on hold in certain locations to deal with disruption in its computer network. Hackers used ransomware to access and encrypt a Honda internal server and demand ransom in exchange for giving the encryption key. Honda later said that the attackers had not presented any evidence of loss of personally identifiable information.

Other notable attacks this month included:

• Columbia College Chicago was targeted by the NetWalker ransomware gang, who threatened to sell students’ data on the dark webif no payment was made within six days. The College acknowledged that some users’ personal information was accessed in the attack, but it is unclear if they decided to pay the ransom or negotiate with the attackers.

Ransomware attacks in July 2020

7. Orange ransomware attack

In July, French telecommunications company and Europe’s fourth largest mobile operator Orange fell victim to Nefilim ransomware. The company’s business services division was breached, and Orange was added to the Nefilim dark web site which details corporate leaks on July 15^th. Samples of data that the Nefilim group say were exfiltrated from Orange customers were included in a 339MB archive.

Nefilim is a relatively new ransomware operator, discovered in 2020. Orange said that the data of about 20 enterprise-level customers within its business services division was affected.

Other notable attacks this month included:

• The city of Lafayette in Colorado announced in Augustthat they paid $45,000 to ransomware operators after their devices and data became encrypted via ransomware. The payment was made to receive a decryption key after the city could not restore systems from their backups. They chose to pay the ransom to minimize lengthy service outages for residents. Although they did not specify the type of ransomware involved, the city’s disclosure about the outage said that the ransomware disabled the city’s network systems. This impacted everything from online payment systems to email and phone services. It is believed the cause of the attack was a phishing scam or potential brute force attack.

Ransomware attacks in August 2020

8. University of Utah ransomware attack

In August, it was disclosed that the University of Utah had paid a $457,000 ransom to cybercriminals to prevent them from releasing confidential files stolen during a ransomware attack. The attack encrypted servers in the university’s College of Social and Behavioral Science Department. As part of the attack, the criminals stole unencrypted data before encrypting computers.

Because the stolen data contained student and employee information, the university decided to pay the ransom to avoid it being leaked. It also advised all students and employees within the affected College to monitor their credit history for fraudulent activity and to change any passwords they use online.

Other notable attacks this month included:

• R1 RCM Inc.was hit by a ransomware attack. The company, formerly Accretive Health Inc., is one of the biggest medical debt collection companies in the US. They contract with more than 750 US healthcare organizations and handle the personal and health-related data of tens of millions of patients. R1 RCM Inc. chose not to disclose details about the compromise, including which systems or data may have been affected. However, it was reported that the attack used the Defray ransomware – which is a type of targeted ransomware typically spread via phishing emails.

Ransomware attacks in September 2020

9. K-Electric ransomware attack

In September, K-Electric, the sole power distributor in Karachi, Pakistan was reportedly the target of a Netwalker ransomware attack. This led to a disruption of the power company’s billing and online services.

The ransomware operators demanded that K-Electric pay $3.85 million, warning that if it was not paid within seven days, the demand would increase to $7.7 million. Netwalker released an 8.5GB archive of files allegedly stolen during the attack, including financial data and customer details.

Netwalker had previously targeted Argentina’s immigration offices, various US government agencies, and the University of California San Francisco (which paid over $1 million in ransom).

K-Electric acknowledged that a cyber incident had taken place but said that all critical customer services were fully functional.

Other notable attacks this month included:

• The fourth District Court of Louisiana had its website breached, and sensitive documents were published online following a ransomware attack. The agent for the attack was Conti, a relatively new ransomware strain. Documents published by the hackers on their darknet website related to witnesses, jurors, and defendants in ongoing cases.

Ransomware attacks in October 2020

10. Press Trust of India ransomware attack

In October, hackers broke into the servers of the Press Trust of India (PTI) news agency, crippling its services for hours. A company spokesperson described the incident as a massive ransomware attack, which disrupted operations and the delivery of news to subscribers across India.

The ransomware was identified as LockBit, malicious software designed to block user access to computer systems in exchange for a ransom payment.

Other notable attacks this month included:

• Software AG, one of the world’s largest software companies, suffered an attack from the Clop ransomware gang who demanded more than $20 million. After negotiations failed, the gang published screenshots of the company’s data on the dark web, showing employee passport and ID scans, employee emails, financial documents, and directories from the company’s internal network.

Ransomware attacks in November 2020

11. The Brazilian Superior Court of Justice ransomware attack

In November, the cyberinfrastructure of the Brazilian Superior Court of Justice suffered a massive ransomware attack, which forced its website to go offline.

The ransomware attackers claimed that the Court’s entire database had been encrypted and that any attempts to restore it would be in vain. The hackers left a ransom note asking the Court to contact them via a proton mail email address. The hackers also attempted to attack various other websites related to the Brazilian government.

Other notable attacks this month included:

• Manchester United Football Club made headlines when it was revealed that they had suffered a cyberattack. Later confirmed to be ransomware, the club disclosed that although the attack was sophisticated, they had extensive protocols and procedures in place for such an event, which meant they were prepared. They maintain their cyber-defenses identified the attack and shut down affected systems to contain the damage and protect data.

Ransomware attacks in December 2020

12. GenRx Pharmacy ransomware attack

In December, GenRx Pharmacy, an Arizona-based healthcare organization, warned hundreds of thousands of patients over a potential data breach following a ransomware attack earlier in the year. The company said that malicious hackers were able to remove a number of files, including healthcare information the pharmacy used to process and ship prescribed products to patients.

Other notable attacks this month included:

• Home appliance giant Whirlpool suffered a ransomware attack by the Netfilim gang, who stole data before encrypting their devices. The hackers later published the stolen data, which included documents relating to employee benefits, medical information requests, and background checks.

The latest ransomware attacks are becoming more selective about who to target and how much to demand. Kaspersky’s Anti-Ransomware Tool offers protection for both home and business. As with any cybersecurity threat, the key to protection is vigilance.

Related Articles:

• What Are the Different Types of Ransomware?
• Worst Ransomware Attacks
• How to Prevent Ransomware Attacks
• Data Theft and Data Loss