The biggest ransomware attacks in recent history and the groups behind them

Ransomware payments exceeded 1 billion USD in 2023, and with attacks on the rise we go through some of the biggest in recent history.


Ransomware is a widespread form of malware in which the files on a device, server, or computer system are encrypted, and the actors behind it (often a hacker group or syndicate) demand a ransom to decrypt the data. And it's on the rise: according to ExpressVPN, ransomware payments exceeded 1 billion USD in 2023, the highest amount ever. In the age of generative AI, increasingly sophisticated encryption methods are expected to push this figure even higher.


Then there's the rise of Ransomware-as-a-Service (RaaS), which is effectively a marketplace for ransomware tools and services, powered by the anonymity of cryptocurrency, the payment method of choice for ransomware groups and hackers. This democratization of cyberattacks has opened the door to virtually anyone launching an attack on unsuspecting individuals, businesses, or government bodies.

In recent years, large-scale ransomware attacks have targeted the healthcare industry, network security companies, Windows users, oil pipelines, and even Costa Rica. Here's a breakdown of the most notable.

Colonial Pipeline Crippled by Ransomware (2021)


The Colonial Pipeline, the largest fuel pipeline system in the United States, carries up to 3 million barrels daily between Texas and New York. On May 7, 2021, the Colonial Pipeline's network was breached via an exposed VPN account, and around 100 GB of data was stolen alongside several computer systems being infected.

Seen as a direct attack on critical infrastructure, the White House declared a state of emergency, and the pipeline was shut down, affecting countless people and businesses, including airlines.

The DarkSide hacking group carried out this headline-grabbing ransomware attack. Even though federal agencies were quickly notified and brought in, Colonial Pipeline paid the nearly $5 million USD ransom (75 Bitcoin) for the decryption key to regain control over its network and systems. The Department of Justice recovered approximately $2.2 million from the attackers in the months following the attack.

Lazarus Group Causes Chaos for Windows Users and the UK Healthcare System (2017)


This one goes back a few years and is usually called the WannaCry ransomware attack. It was a global attack that targeted users and businesses by exploiting a Microsoft Windows security vulnerability, using an exploit believed to have been developed by the US National Security Agency (NSA).

With over 230,000 devices hit by the attack, it's estimated that this cyberattack caused $4 billion in losses and damages. High-profile victims like the UK's NHS healthcare system lost roughly £92 million when tens of thousands of appointments and surgeries were affected.

As in all ransomware attacks, the infected files were encrypted. The attack was carried out by the Lazarus Group, and the hackers demanded $300 worth of cryptocurrency for the decryption key, a figure that doubled after three days. If payment was not made, the affected files were deleted.

What made WannaCry particularly nasty was its self-propagating ability. It could spread through a network without any action by the user, which is how it went global, hitting finance, healthcare, logistics, and transportation organizations alike.

The Costa Rica Government Hacked (2022)


Over two months, the ransomware groups Conti and Hive attacked Costa Rica's public institutions, including the Ministries of Finance, Science, Technology, Telecommunications, Labor, and more. The initial attacks caused significant delays in public services for the financial sector, prompting the Costa Rican government to declare a national emergency.

With control over sensitive financial data and documentation for the country's citizens and businesses, including tax returns, the ransomware group Conti demanded $10 million USD in payment. The group was initially able to breach and install malware on a single device with compromised credentials, which then led to the theft of over 1 TB of data. The Costa Rican government refused to pay the ransom and labeled the group 'terrorists.'

Following this, the Hive Group demanded $5 million USD to restore data for its subsequent attack on the Costa Rican Social Security Fund. With the loss of critical financial systems, the Costa Rican government was estimated to have lost $30 million USD each day its systems were compromised. The governments of the United States, Israel, Spain, and tech giant Microsoft stepped in to provide assistance and restore services.

Lapsus$ Attacks Portuguese Media Conglomerate Impresa (2022)


Impresa is Portugal's largest media conglomerate, running major newspapers and TV stations nationwide. In 2022, the ransomware group Lapsus$ attacked the Portuguese newspaper Expresso, accessing its archives, sending Tweets from the paper's official account, and sending phishing emails to its subscribers.

From there, it gained access to Impresa's Amazon Web Services account, ultimately demanding millions for the data not to be leaked or sold. That data included digital archives of documents and videos, plus information relating to Impresa's many employees and customers.

Lapsus$ leaked what is described as "vast amounts of sensitive data," including the personal information of its employees, causing damages that are still being felt. Interestingly, after payment was not made, the ransomware group Lapsus$ stopped asking for money. According to Micael Pereira, a senior reporter at Expresso, the motivation for the initial attack remains a mystery.

Citrix Bleed Vulnerability Exploited by LockBit Group (2023)


Large companies and organizations running Citrix servers exposed to the publicly known Citrix Bleed vulnerability were hit by ransomware attacks from LockBit in 2023, one of the largest Ransomware-as-a-Service (RaaS) groups. The long list of those affected included one of the world's largest banks, the Commercial Bank of China (ICBC), logistics firm DP World, and one of the biggest names in aviation, Boeing.

The Citrix Bleed vulnerability is one of those rare flaws whose exploitation is almost impossible to detect. It abuses HTTP requests to keep server and network sessions open without credentials, bypassing authentication.

Even after the patch for the vulnerability was released, the LockBit group took advantage of publicly accessible Citrix servers that had not yet been updated and were still vulnerable. For logistics firm DP World, over 30,000 shipping containers were left stranded in Australia due to compromised systems. Paying the ransom to release the data was on the table for all involved; however, the hackers published Boeing's data before the company had time to pay.

GandCrab Ransomware Extorts Billions from Businesses and Individuals (2018-2019)


The unknown actors behind the highly successful GandCrab Ransomware-as-a-Service (RaaS) program were never caught. Those responsible shut the program down after earning over $2 billion USD in payments from its various victims. GandCrab is viewed as one of the most successful ransomware operations because it was licensed to multiple affiliates that then conducted the attacks, sharing the profits with the original developers.

Like most ransomware, it was spread primarily through phishing emails and exploit kits that don't require advanced networking or programming knowledge to use. Once an individual system was infected, GandCrab encrypted all of its files and displayed an on-screen prompt demanding a ransom in cryptocurrency to restore the files and control over the system. GandCrab attacks were carried out over a 15-month period beginning in January 2018, and at their peak accounted for up to half of the total global ransomware market.

Conclusion


Ransomware is big business, and some of the largest groups have their own HR departments and run far-reaching affiliate programs with what you'd call, for lack of a better term, 'customers.' With ransomware payments exceeding 1 billion USD last year, individuals, governments, and businesses shouldn't underestimate the importance of cybersecurity in 2024.

Even something as seemingly simple as keeping security and other software up to date can be the difference between having a system's data locked and held for ransom and avoiding the incident altogether. Industry experts and ethical hackers recommend that victims avoid paying the ransom, as there is no guarantee that data will be restored, and there are multiple cases where groups have demanded a further payment in exchange for not leaking or selling the stolen data.

Prevention through strong cybersecurity practices is always the best way to reduce the risk of a ransomware attack. If an attack does occur, you should first isolate the affected device, then update security credentials, and report the incident to law enforcement.


Kosta is a veteran gaming journalist who cut his teeth on well-respected Aussie publications like PC PowerPlay and HYPER back when articles were printed on paper. A lifelong gamer since the 8-bit Nintendo era, it was the CD-ROM-powered 90s that cemented his love for all things games and technology, from point-and-click adventure games to RTS games with full-motion video cut-scenes and FPS titles referred to as Doom clones, genres he still loves to this day. Kosta is also a musician, releasing dreamy electronic jams under the name Kbit.
