Ransomware incidents have increased in frequency over the past several years, to the point where this method has become the weapon of choice for many bad actors, who can now launch attacks through ransomware service providers that resemble legitimate technology outfits. Verizon reports a dramatic surge in the attack method in 2022 — a quarter of all breaches for the year included ransomware. Meanwhile, as Sophos reports in its “State of Ransomware 2022” report, ransomware impacted 66% of organizations in 2021, an increase of nearly 80% over the prior year.
Let’s take a look at 8 prominent ransomware attacks that illustrate the ways modern cyber criminals are approaching ransomware. These attacks also show how damaging ransomware can be to not only corporate organizations, but also to the general public when personal data and entities like municipal infrastructure organizations are targeted.
The aptly named WannaCry ransomware attack had thousands of security teams near tears when it swept across the globe, hitting more than 200,000 computers across 150 countries. The attack involved a demand for crypto funds ($300 in Bitcoin) in exchange for decryption. The ransomware infiltrated systems through a now-closed Microsoft Windows exploit. WannaCry hit targets big and small, from medium size businesses to institutions like the National Health Service in the UK and FedEx.
NotPetya made headlines not only because of its massive reach, which included systems across the globe, but because it was at the center of a conflict between geopolitical adversaries Ukraine and Russia. The infections were first discovered in Ukraine, delivered through a popular accounting software package. Ukraine pinned the origin on Russia, which denied the claim, and a months-long dispute played out in the global media. Ultimately, the attack caused $10 billion in damage globally and impacted companies like Merck, Maersk, and FedEx — notably, the motive for this attack was to disrupt Ukraine’s infrastructure rather than to collect ransoms.
Ryuk, another large-scale ransomware attack, centered on large organizations with big pockets that could meet demands that sometimes exceeded $1 million per target. In addition to victims like the media giant Tribune Publishing, entities like the city of Pensacola, Florida and the San Francisco Municipal Transportation Agency (SFMTA) were hit. Attacks on organizations responsible for public safety, transportation and municipal functions have been on the increase in recent years.
REvil is an example of ransomware-as-a-service (RaaS). Similar to software-as-a-service (SaaS) models, RaaS is a subscription-based model in which bad actors simply request and pay for attacks from a service provider who carries them out. In this case, attackers used REvil against large enterprises, including JBS (a global food and beverage conglomerate), CD Projekt RED (a gaming company) and tech giant Acer. Ransoms often topped $1 million. In early 2022, Russian authorities reported they had dismantled the REvil ransomware “gang” and had jailed several of its key members.
Another RaaS, DoppelPaymer, is still an active ransomware threat, typically wielded against large organizations with $1 million+ ransom demands. In addition to commercial entities like computer manufacturer ASUS, DoppelPaymer has been used in attacks targeting municipalities like Augusta, Georgia and energy giant ConocoPhillips.
San Francisco 49ers
The San Francisco 49ers suffered a ransomware attack on its corporate network in Feb. 2022 (on Super Bowl Sunday); the resulting data breach was made public online via the dark web leak site of BlackByte, a RaaS provider. Such public leaks have become more common in recent years. In this case, BlackByte lists victim organizations on its site in an effort to publicly shame them into paying its ransom demands.
Glenn County Office of Education
A large California school district, Glenn County was the target of a ransomware attack on its Office of Education in June 2022 that disrupted network access to key systems and databases. The district paid a $400,000 ransom to the Quantum ransomware gang for decryption and notified teachers and current and former students about the breach, which exposed names and Social Security numbers.
In late 2022, Rackspace Technology, a cloud computing company, fell victim to a significant ransomware attack. Rackspace’s mail service clients lost access to their accounts hosted on Microsoft Hosted Exchange. The company later confirmed that the ransomware attack was carried out via “OWASSRF,” an exploit method that bypasses the ProxyNotShell vulnerability mitigations in Microsoft Exchange Server.
From WannaCry to ransomware-as-a-service attacks on entities like public school systems, it’s clear that ransomware has become a clear and present danger to organizations around the world. A proactive approach to preventing and reducing the negative impact of ransomware attacks must incorporate holistic network oversight, comprehensive cybersecurity prevention policies, investment in modern technology solutions and a focus on employee training.