Ransomware attacks are big business. By the end of 2021, it is estimated that a business will be targeted by a ransomware attack every 11 seconds, causing up to $20 billion in damage. Ransomware attacks are not just a concern for organizations such as businesses, governments, and healthcare providers – they also affect customers and employees, whose data is often the collateral damage of these types of attacks.
Ransomware attacks are those which use malware to encrypt the data and files of targets. They differ from extortion campaigns, which use distributed denial of service (DDoS) attacks to overwhelm targets with traffic and promise to stop the onslaught only in exchange for payment.
While some organizations choose to pay ransomware demands, it is generally not recommended as there is no guarantee that access to infected systems will be restored and by paying up, victims further incentivize these forms of cyberattack. Many companies don’t disclose ransomware attacks or, if they do, won’t reveal the attackers’ demands.
Here, we review some of the most notable ransomware attacks of 2020, from January through to December.
Hackers started the year with an attack on foreign exchange company Travelex, forcing the company to turn off all computer systems and rely on pen and paper. The company had to take down its websites in 30 countries as a result.
A ransomware gang called Sodinokibi (also known as REvil) was behind the attack, demanding $6 million from Travelex. The gang claimed to have accessed the company’s computer network six months previously, enabling it to download 5GB of sensitive customer data – including dates of birth and credit card numbers. The gang said that if Travelex paid the ransom, they would delete the data but if not, the ransom would double every two days. After seven days, they said they would sell the data to other cybercriminals.
Travelex reportedly paid the gang $2.3 million in Bitcoin and restored its online systems after two weeks offline. In August 2020, the company announced it was going into administration (the UK equivalent of going into Chapter 11), blaming a combination of the ransomware attack and the impact of the Covid-19 pandemic.
On Valentine’s Day, a cyber-attack crippled some business operations at INA Group, Croatia’s biggest oil company and largest gas station chain. The attack was a ransomware infection that encrypted some of the company’s back-end servers.
While the attack did not affect the company’s ability to provide gas to customers, it did impact its ability to issue invoices, register loyalty card use, issue new mobile vouchers, and allow customers to pay certain bills.
The attack was reportedly caused by an infection of the Clop ransomware strain. Security researchers regard the Clop gang as “big game ransomware,” a term that refers to criminal groups who target companies to infect their networks, encrypt data, and demand extremely large ransoms.
In March, it was revealed that California-based Communications & Power Industries (CPI), a major electronics manufacturer, had been hit by a ransomware attack.
The company makes components for military devices and equipment and counts the US Department of Defense amongst its clients. The ransomware attack took place when a domain admin at the company clicked on a malicious link that triggered file-encrypting malware. Because thousands of computers on the network were on the same, unsegmented domain, the ransomware quickly spread to every CPI office, including its on-site backups.
The company reportedly paid $500,000 in response to the attack. It is not known what kind of ransomware was involved.
In April, it was reported that Portuguese energy giant Energias de Portugal (EDP) had fallen victim to an attack. Cybercriminals using the Ragnar Locker ransomware encrypted the company’s systems and demanded a ransom of nearly $10 million.
The attackers claimed to have stolen over 10TB of sensitive company data, which they threatened to leak unless the ransom was paid. The hackers posted screengrabs of some sensitive data on a leak site that purported to show proof of possession. The data supposedly included confidential information about billing, contracts, transactions, clients, and partners.
EDP confirmed that an attack had taken place but said there was no evidence that sensitive customer data had been compromised. However, on the basis that theft of customer data could come to light in the future, the company offered customers a year of Experian identity protection at no cost.
In May, Grubman Shire Meiselas & Sacks, a New York-based law firm with a host of celebrity clients including Madonna, Elton John, and Robert De Niro, was a victim of REvil ransomware.
Cyberattackers claimed to have used the REvil (Sodinokibi) ransomware to steal personal data, including client contracts, telephone numbers, email addresses, personal correspondence, and non-disclosure agreements. The attackers threatened to release the data in nine staggered releases unless ransoms totaling $21 million were paid. This demand was doubled to $42 million when the law firm refused to pay.
Celebrities affected by the attack reportedly included Bruce Springsteen, Lady Gaga, Nicki Minaj, Mariah Carey, and Mary J. Blige. The law firm said it would not negotiate with the attackers and called in the FBI to investigate.
In June, automotive giant Honda suffered a Snake (also known as Ekans) ransomware attack which targeted its offices in the US, Europe, and Japan. Once the attack was discovered, Honda put production on hold in certain locations to deal with disruption in its computer network. Hackers used ransomware to access and encrypt a Honda internal server and demanded a ransom in exchange for the decryption key. Honda later said that the attackers had not presented any evidence of loss of personally identifiable information.
In July, French telecommunications company and Europe’s fourth largest mobile operator Orange fell victim to Nefilim ransomware. The company’s business services division was breached, and on July 15th Orange was added to the Nefilim dark web leak site, which lists corporate victims and their leaked data. Samples of data that the Nefilim group say were exfiltrated from Orange customers were included in a 339MB archive.
Nefilim is a relatively new ransomware operator, discovered in 2020. Orange said that the data of about 20 enterprise-level customers within its business services division was affected.
In August, it was disclosed that the University of Utah had paid a $457,000 ransom to cybercriminals to prevent them from releasing confidential files stolen during a ransomware attack. The attack encrypted servers in the university’s College of Social and Behavioral Science. As part of the attack, the criminals stole unencrypted data before encrypting computers.
Because the stolen data contained student and employee information, the university decided to pay the ransom to avoid it being leaked. It also advised all students and employees within the affected College to monitor their credit history for fraudulent activity and to change any passwords they use online.
In September, K-Electric, the sole power distributor in Karachi, Pakistan, was reportedly the target of a Netwalker ransomware attack. This led to a disruption of the power company’s billing and online services.
The ransomware operators demanded that K-Electric pay $3.85 million, warning that if it was not paid within seven days, the demand would increase to $7.7 million. Netwalker released an 8.5GB archive of files allegedly stolen during the attack, including financial data and customer details.
Netwalker had previously targeted Argentina’s immigration offices, various US government agencies, and the University of California San Francisco (which paid over $1 million in ransom).
K-Electric acknowledged that a cyber incident had taken place but said that all critical customer services were fully functional.
In October, hackers broke into the servers of the Press Trust of India (PTI) news agency, crippling its services for hours. A company spokesperson described the incident as a massive ransomware attack, which disrupted operations and the delivery of news to subscribers across India.
The ransomware was identified as LockBit, malicious software designed to block user access to computer systems in exchange for a ransom payment.
In November, the cyberinfrastructure of the Brazilian Superior Court of Justice suffered a massive ransomware attack, which forced its website to go offline.
The ransomware attackers claimed that the Court’s entire database had been encrypted and that any attempts to restore it would be in vain. The hackers left a ransom note asking the Court to contact them via a ProtonMail email address. The hackers also attempted to attack various other websites related to the Brazilian government.
In December, GenRx Pharmacy, an Arizona-based healthcare organization, warned hundreds of thousands of patients over a potential data breach following a ransomware attack earlier in the year. The company said that malicious hackers were able to remove a number of files, including healthcare information the pharmacy used to process and ship prescribed products to patients.
The latest ransomware attacks are becoming more selective about who to target and how much to demand. Kaspersky’s Anti-Ransomware Tool offers protection for both home and business. As with any cybersecurity threat, the key to protection is vigilance.