Despite increased awareness among organizations about cybersecurity, ransomware attacks are going up. Cyber extortionists are targeting organizations and governments with impunity, holding their data hostage and demanding ransom in the range of millions of dollars.
Such is the severity that global ransomware damages are expected to cross $30 billion by 2023. And as per the latest Cost of a Data Breach Report by IBM, data breach costs have surged 13% from 2020 to 2022, with the average data breach cost reaching a record high in 2022 at $4.35 million USD.
To help you learn more about ransomware attacks—how they happen, what they look like, and how (or whether) companies are able to recover afterwards, here is a survey of some recent examples of real-life ransomware attacks.
But first, let’s take a look at the state of the ransomware “industry.”
Ransomware by the numbers
Detailed research on ransomware trends by cybersecurity company NordLocker on 5,212 companies between January 2020 and July 2022 reveals that:
- The collective revenue of targeted companies was $4.15 trillion.
- The USA was the number one country most affected by ransomware.
- The top five industries most impacted by ransomware were manufacturing, construction, transportation, IT, and healthcare.
- More than 12 million employees were affected.
- Organizations with annual revenue between $10 and $25 million USD are targeted more by ransomware, but that does not mean smaller companies are safe.
Ransomware gangs are creating havoc, forcing governments to take action. One case in point is the notorious Conti ransomware gang, responsible for several high-profile attacks over the past two years.
Given the seriousness of the situation, the U.S. Department of State went so far as to offer a $15 million reward for information identifying co-conspirators of the Conti ransomware gang and for information about any individual planning or attempting to take part in a Conti ransomware attack.
The effects of ransomware are significant irrespective of the size of a business, says Kenneth Henao, founder and president of BCA IT. After all, paying the ransom isn’t the only thing business owners have to worry about.
“It’s the cost of downtime, the damage to their reputation, and the costly penalties and fines for non-compliance that often hurt a business the most,” said Henao. “In some cases, the losses can be so damaging that small businesses, in particular, might not be able to recover from the attack.”
4 cautionary examples of ransomware attacks
Ransomware attacks can come in many types, shapes, and sizes—and they can target just about anybody, from a single individual to the largest corporations. (Of course, the bigger the company, the more money the criminals are able to try extorting.) Some of the biggest and most high-profile ransomware attacks in recent memory have been the attacks on Colonial Pipeline, Travelex, Nvidia, and the government of Costa Rica.
Colonial Pipeline attack caused a gas shortage
Ransom demanded: $5 million
On May 7, 2021, Colonial Pipeline was hit by a ransomware attack that crippled the pipeline’s IT systems for days. Fearing that the malware would spread to the operational technology network that controls pipeline operations, the company decided to shut down the entire pipeline of 5,500 miles in an effort to prevent further damage.
But doing so created chaos and panic. Worried about a gas shortage, East Coast residents started panic-buying gasoline, with some hoarding it in plastic bags. Long lines were reported at many outlets, gas prices shot up, and even the airline industry was affected.
The Russian-based DarkSide gang behind the attack gained access to the network through a compromised virtual private network (VPN) password and asked for a ransom of $5 million. Given the escalating situation and the panic all around, Colonial Pipeline agreed to pay. Fortunately, U.S. law enforcement agents later managed to recover $2.3 million of the ransom in Bitcoin.
Following the attack, and the SolarWinds and Microsoft Exchange incidents before it, the Biden administration issued an executive order that includes requiring software bills of materials (SBOMs), sharing threat information between the government and the private sector, and implementing strong cybersecurity standards across the federal government, among other measures intended to curb the threat of ransomware attacks.
Travelex forced to close following ransomware attack
Ransom demanded: £4.6 million ($5.53 million USD)
In January 2020, a ransomware gang called Sodinokibi (also known as REvil) attacked travel insurance brand Travelex, demanding £4.6 million ($5.53 million USD) in ransom money. The gang claimed to have downloaded sensitive customer data that included customers’ birth dates, credit card numbers, and national insurance numbers. The attack forced the company to suspend its websites for over two weeks across 30 countries in an effort to prevent further compromise of personal data.
As a result, the company had to resort to manual methods to serve its customers, causing great inconvenience to online customers. Not only individual customers but also banks like Barclays, Sainsbury’s, RBS, and HSBC were affected, as Travelex was their travel-money supplier.
After about two weeks of disruption and finally paying $2.3 million in Bitcoin, Travelex managed to restore its online services. Nevertheless, COVID-19 and the ransomware attack took their toll, and the company went bankrupt in August 2020.
Nvidia chip data stolen and employee passwords leaked
No monetary ransom demanded
On Feb. 25, 2022, Nvidia, the largest microchip company in the world, was attacked by the ransomware group LAPSUS$, which stole proprietary information and employee personal data totaling 1TB and began leaking it online.
In an atypical move, the group didn’t demand any ransom money but instead wanted Nvidia to disable the Lite Hash Rate (LHR) feature that limits the performance of its GPUs—specifically, preventing users from using them for cryptocurrency mining. The group also wanted the company to open-source its GPU drivers for Linux, Windows, and Mac devices.
Although a relatively new entrant, the LAPSUS$ group shot to fame by targeting big companies like Impresa (Portugal’s largest media channel), Brazilian telecommunications company Claro, Brazil’s Ministry of Health, Microsoft, Samsung, and Okta.
To compromise its victims, the group uses a variety of techniques, including the Redline password-stealing malware to obtain confidential information, paying company insiders for credential access, social engineering, and SIM swapping.
What’s interesting is that most of the masterminds behind the LAPSUS$ group are teenagers. The group is lying low after the U.K. police arrested seven people aged 16 to 21 in April 2022 for alleged connections to the LAPSUS$ group. However, how long this lasts is open to speculation.
Costa Rican government forced to declare state of emergency
Ransom demanded: $20 million
Early in April 2022, the government of Costa Rica became the victim of the Russian-based Conti gang. The gang started by attacking eight government institutions and demanded an initial ransom amount of $10 million. It was later increased to $20 million after the government refused to pay up. When no ransom money was paid, the group uploaded some 850GB of files to its website.
The attack crippled the government, as the finance and tax ministries were targeted and had to shutter operations for several hours. Automatic payment services were halted, workers were not paid on time, foreign trade was slowed, and common citizens could not access online services.
The situation was so dire that newly elected President Rodrigo Chaves had to declare a state of emergency. Considering that it was the first time a country declared a national emergency in response to a ransomware attack, this incident received a lot of media coverage.
Future of ransomware attacks
Unfortunately, ransomware attacks are not stopping anytime soon. Rather, we are going to see increasingly sophisticated forms of ransomware attacks. In fact, in its latest Emerging Risks Monitor Report, Gartner lists “new ransomware models” as the top concern facing executives.
“We’re especially seeing ransomware as a service (RaaS) becoming more common,” said Henao.
Similar to other as-a-service models, RaaS is a subscription-based model that enables hackers to buy already-built ransomware tools to orchestrate attacks.
“Fully aware of how profitable ransom attacks are, cybercriminals are selling their ransomware kits through the dark web to attackers who might not have the necessary technical skills to launch ransomware attacks themselves,” said Henao.
This makes RaaS all the more dangerous because even hackers with limited skills can now launch attacks.
In addition to RaaS, double extortion ransomware and triple extortion ransomware are the newer forms of ransomware cybercriminals are using. In a double extortion attack, criminals enter the victim’s network, move laterally, encrypt the data, and then demand a ransom. In triple extortion, the ransom is directed not only toward the company but also its customers. Together, these techniques, along with RaaS, have the capability to bring an organization to its knees.
How to prevent ransomware attacks
While preventing attacks completely is not possible, following best practices helps. This includes regularly backing up data, patching vulnerabilities, allowlisting applications, limiting user access to your network and systems, and keeping employees educated on the latest threats and prevention measures.
Be sure to read our complete guide to ransomware protection, backup, and recovery for a full list of tips and strategies.
While Steve Tcherchian, chief product officer at XYPRO Technology, admits that there is currently no technology that can completely block ransomware, he recommends the following approach to prevent ransomware attacks:
- Keep all software, including operating systems and applications, up to date and patched to reduce the risk of vulnerabilities.
- Regularly back up important data to an offsite location to ensure it can be recovered during a ransomware attack.
- Implement network segmentation to limit the ransomware spread within the network and contain the damage caused by an attack.
- Provide regular training to employees to educate them on the dangers of phishing attacks and other types of social engineering tactics used by ransomware gangs.
- Use advanced threat protection technologies, such as next-generation antivirus (NGAV) and endpoint detection and response (EDR), to detect and prevent ransomware attacks.
- Disable Remote Desktop Protocol (RDP) if it’s not needed to reduce the risk of unauthorized system access.
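Several of the controls above can be verified rather than assumed. The following read-only audit script is an added example for this article, not code from the author or from any of the vendors quoted; it checks a Windows host for the RDP, firewall, endpoint-protection, patch-currency and local-administrator points in the list using standard Windows cmdlets and registry keys. The 30-day patch window, the 7-day signature age and the limit of three local administrators are assumed policy values, not figures from the article.

```powershell
# Added example (not from the original article): read-only audit of common
# ransomware-hardening controls on a single Windows host. Run in an elevated
# PowerShell session. Thresholds below are assumed policy values.

$PatchWindowDays   = 30   # assumed: flag hosts with no update installed in this window
$MaxSignatureAge   = 7    # assumed: flag AV signatures older than this many days
$MaxLocalAdmins    = 3    # assumed: flag hosts with more local administrators than this

$findings = @()

# 1. Remote Desktop: fDenyTSConnections = 1 means inbound RDP connections are refused.
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                        -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($null -eq $rdp -or $rdp.fDenyTSConnections -ne 1) {
    $findings += 'RDP is enabled; disable it if not required (fDenyTSConnections should be 1).'
}

# 2. Windows Firewall: the built-in "Remote Desktop" rule group should be disabled when RDP is unused.
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' }
if ($rdpRules) {
    $findings += "Windows Firewall still allows Remote Desktop ($(@($rdpRules).Count) rule(s) enabled)."
}

# 3. Endpoint protection: Microsoft Defender real-time protection and signature freshness.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($null -eq $mp) {
    $findings += 'Microsoft Defender status unavailable; confirm an AV/EDR agent is running.'
} else {
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings += 'Defender real-time protection is off.'
    }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAge) {
        $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old."
    }
}

# 4. Patching: most recent installed hotfix must fall inside the assumed window.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($null -eq $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$PatchWindowDays)) {
    $findings += "No update installed in the last $PatchWindowDays days; review patch status."
}

# 5. Access control: a large local Administrators group widens the blast radius of one stolen credential.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins -and @($admins).Count -gt $MaxLocalAdmins) {
    $findings += "Local Administrators group has $(@($admins).Count) members; review against the access control plan."
}

# Report. Exit code 1 when anything was flagged so the script can feed a scheduled job or RMM check.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no findings for the checks above."
    exit 0
} else {
    Write-Output "$env:COMPUTERNAME: $($findings.Count) finding(s):"
    $findings | ForEach-Object { Write-Output " - $_" }
    exit 1
}
```

The script only reads state and never changes it; each finding maps to one item in the list above, so the output can be handed straight to whoever owns that control. It does not verify that offsite backups exist or restore correctly, which has to be tested from the backup system itself.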
In the words of Ali Allage, CEO of BlueSteel Cybersecurity: “It’s all about doing the fundamentals consistently before you jump too far into the deep end of complication. Fundamentals are: basic access control plan (who, what, where, and why), device management (antivirus, backups, remote wiping), classifying the data you hold as sensitive and non-sensitive, incident response plan (if something were to happen, who would you call, and how will you handle it?), and backing up everything.”
Bottom line: Combating ransomware attacks
These examples show that ransomware has the potential to cause massive damage to organizations, bring down critical institutions, and compromise national security. With ransomware gangs becoming more sophisticated by the day, it can be difficult to anticipate their moves and be one step ahead of them. Although there is no panacea, adopting a clear action plan to combat ransomware helps. Knowing what to do in the event of an attack—and acting quickly and purposefully when it happens—can mean the difference between a setback and a disaster.
To help keep yourself protected from ransomware attacks, be sure to review our ransomware strategies and solution guides: