Ransomware remains one of the biggest cybersecurity threats facing businesses in every industry, and these attacks are costly. According to IBM, in the most extreme cases, cybercriminals have demanded $40 million and even up to $80 million in ransom payments from victims. Cybercriminals are also developing increasingly sophisticated attack methods, leveraging social engineering, vishing (a form of phishing), digital extortion, and triple extortion tactics employing DDoS. The increased use of vulnerable services such as remote desktop access has provided even more opportunities for hackers to gain access to sensitive data.
The average ransom payment is also on the rise, increasing 31% between Q2 and Q3 2022 to $233,817, and more attackers are threatening to release the stolen data to extort victims. Not all ransomware is financially motivated; some ransomware groups have political or moral aims and set out to destroy an organization's data rather than encrypt it and demand a ransom.
This changing landscape means that it's more important than ever for companies to be aware of the current state of ransomware, the types of ransomware attacks, how to recognize potential ransomware attacks, what to do to respond to an incident, and most importantly, how to protect the organization from ransomware.
Examples of Ransomware Attacks in 2021-2022
To gain some insight into recent ransomware attacks, we've curated this list of 50 ransomware examples spanning from December 2021 to December 2022, including:
- Axis Communications ransomware attack in February 2022 that disrupted services but was halted before the attack was complete
- Lapsus$ ransomware group attack on Impresa on January 1, 2022 that took websites offline and involved a Twitter account takeover
- Financially motivated Karakurt ransomware group attacks on Montreal tourism agency and Weldco-Beales Manufacturing
- Ransomware attack on Finalsite that took thousands of school websites offline
- Maryland Department of Health ransomware attack in December 2021 that had long-lasting impacts
- Conti ransomware attack on R.R. Donnelley that stole and leaked 2.5 GB of data
- AGCO ransomware attack in May 2022 that caused significant production disruption and slowed sales during a peak sales season
- Professional Finance Company ransomware attack that exposed 1.9 million patient records
- An attempted ransomware attack on Cisco by Lapsus$ using an Initial Access Broker and social engineering
- Ransomware attack on Practice Resources in April 2022 that impacted more than 940,000 patients
- ...and more
Keep reading to learn more about these and other ransomware attacks that targeted businesses of all sizes from December 2021 - December 2022.
50 Ransomware Examples from the Past Year
1. Ransomware group Lapsus$ leaks password hashes for Nvidia employees. In February 2022, Nvidia announced that it was investigating an incident that compromised its systems for two days. The Lapsus$ ransomware gang claimed responsibility for leaking password hashes for Nvidia's employees and threatened to leak 1TB of additional stolen data, such as source code and information related to RTX GPUs. Twitter: @verge
2. McDonald's has 500 GB of data stolen in a ransomware attack. Snatch, a Russia-linked hacker group, claimed to have stolen 500 GB of data from the McDonald's Corporation's Chicago headquarters. The group posted a demand on the dark web for an undisclosed amount. Twitter: @Audacy
3. Conti ransomware hacks and encrypts Costa Rica's government systems. The Conti ransomware operation gained access to the Costa Rican government's network in April 2022, conducting reconnaissance activity, exfiltrating 672GB of data, and executing the ransomware attack. Twitter: @BleepinComputer
4. Bernalillo County in New Mexico takes systems offline and closes county offices due to suspected ransomware attack. In January 2022, the New Mexico government discovered what it suspected was a ransomware attack, forcing the government to take affected systems offline, close most county buildings to the public, and put the detention center on lockdown. Twitter: @usnews, @TheRegister
5. Crawford County, Arkansas struggles to deal with Christmas ransomware attack. Crawford County in Arkansas experienced a ransomware attack around Christmas 2021, targeting the county's servers. Crawford County's technology provider immediately took the systems offline when the attack was discovered. In January 2022, the county was still experiencing the effects of the attack, which created challenges in day-to-day county operations. Twitter: @KNWAFOX24
6. Toyota Motor Corp. suspended the operation of 28 lines at 14 plants in Japan due to an attack targeting a supplier. A supplier of plastic parts and electronic components was hit by a ransomware attack in early 2022, forcing Toyota to suspend operations of 14 plants in Japan, accounting for approximately one-third of Toyota's global production and causing a loss in output of about 13,000 vehicles. Twitter: @Reuters
7. Insurance brokerage Aon Plc targeted by ransomware. The second-largest insurance brokerage in the world, Aon Plc, was hit by a ransomware attack in February 2022. The attack wasn't expected to have a significant impact on operations, although as a cyber insurance provider, the company holds a large volume of highly sensitive data, such as details of attack techniques that are not made public and the names of victims — meaning a breach exposing this data could have devastating consequences. Twitter: @ijournal
8. Axis Communications operations disrupted by a cyberattack. In February 2022, Axis Communications' cybersecurity systems detected a breach, prompting the company to shut down public-facing services worldwide to limit the potential impact. Days later, Axis shut down network access globally, disrupting employee and partner services. According to Axis, the attack involved social engineering and account takeovers, with the attackers successfully bypassing multi-factor authentication. Malware was found in the company's systems, but no servers appeared to be encrypted. A forensic investigation revealed that the attack was likely a ransomware attack that was discovered and halted in progress before it could encrypt files and complete. Twitter: @SecurityWeek, @AxisIPVideo
9. Indian airline SpiceJet Ltd. forced to cancel flights after ransomware attack. In May 2022, the low-cost airline based in India, SpiceJet Ltd., announced that some of its systems faced a ransomware attack impacting some of its flight operations. While the company said it was able to contain the attack, it resulted in unavailable booking systems, flight delays, and no way for customers to contact customer service. Twitter: @SiliconANGLE
10. Impresa victimized by a New Year ransomware attack. A few hours into January 1, 2022, the Portugal media giant Impresa was hit by a ransomware attack carried out by the Lapsus$ ransomware group. The attack targeted critical server infrastructure, and as a result, company websites, the website for its newspaper, and its TV channels were taken offline. Websites were replaced with a ransom note indicating that Lapsus$ had access to Impresa's Amazon Web Services account and demanding an undisclosed ransom. Additionally, one of the company's Twitter accounts was hacked and taken over, which was used to pressure Impresa into paying the ransom. Twitter: @cybernewsgroup
11. Montreal tourism agency hit by ransomware in late 2021. Montreal's tourism agency became another victim of the Karakurt hacking group, which had been targeting Canadian and American victim organizations in the preceding months. Karakurt is a financially motivated group that exfiltrates data and extorts victims, rather than encrypting data like many ransomware attacks, and threatens to release the stolen data unless the ransom demand is met. Twitter: @itworldca
12. Canadian heavy equipment manufacturer attacked by Karakurt ransomware. Weldco-Beales Manufacturing, a heavy equipment manufacturer based in Canada with regional sales offices in the U.S., confirmed that it was attacked by the Karakurt ransomware gang. The hackers left a trail on Weldco-Beales servers, a company spokesperson said, and also left a few voicemails demanding a ransom in an undisclosed amount of bitcoin. Twitter: @itworldca
13. Minnesota trucking company faces second ransomware attack. In December 2021, Minnesota trucking company, Bay & Bay Transportation, suffered another ransomware attack following a 2018 attack that crippled the company's systems. In the 2018 incident, the company was forced to pay the ransom. In 2021, Bay & Bay Transportation was better prepared, but the Conti ransomware group deployed malware to encrypt the company's data through a known vulnerability in a Microsoft Exchange server. However, Bay & Bay refused to pay the ransom as it now had systems in place, such as network segmentation, to recover its data in the event of an attack. Because Bay & Bay refused to pay the ransom, Conti released a small amount of stolen data, including potentially sensitive employee information, and threatened to release more. Bay & Bay planned to take the necessary precautions to prevent further damage to anyone impacted by the breach. Twitter: @FreightWaves
14. Ransomware attack forces thousands of schools offline. A web design, hosting, and content management company for schools, Finalsite, was targeted by a ransomware attack in early January 2022. The attack impacted 5,000 of Finalsite's 8,000 customers, resulting in websites being taken offline and email systems and registration forms being unavailable. Twitter: @TechCrunch
15. Telecom analytics company Subex and cybersecurity subsidiary Sectrio hit by ransomware. The RagnarLocker ransomware group claimed that it had successfully compromised both companies' systems, and unconfirmed reports indicated that RagnarLocker gained access to firewall settings, routers, VPNs, company passwords, employee personal documents, and other sensitive information, some of which it posted on the dark web. Experts speculated that the ransomware group was mocking the cybersecurity company Sectrio for its inability to secure its own network despite offering network security solutions to customers. Twitter: @iicsorg
16. Maryland Department of Health experiences long-term disruption due to ransomware recovery. The Maryland Department of Health discovered that it had been hit by ransomware in December 2021, resulting in system downtime and leaving employees with limited resources. Its COVID-19 surveillance data and Maryland's Medicaid benefits and healthcare licensing services were also disrupted. The recovery and the impacts of the attack were expected to continue for months. Twitter: @SecurityHIT
17. World's second-largest automotive supplier targeted by ransomware. In March 2022, Denso Corporation discovered that hackers accessed the network of a subsidiary, Denso Automotive Deutschland GmbH, which handles sales and engineering in Germany. To minimize the impacts, Denso Corporation disconnected the affected systems but stated that there would be no production disruptions and that all plants would remain operational. Twitter: @cpomagazine
18. Multinational defense contractor hit by Lorenz ransomware. Hensoldt disclosed a ransomware attack that infected part of its UK subsidiary's systems in early 2022, believed to be carried out by Lorenz ransomware operators. Aside from confirming that the attack impacted a small number of mobile devices in its UK subsidiary's systems, Hensoldt declined to provide further detail. Twitter: @IT_securitynews
19. UK school targeted in a ransomware attack. Durham Johnston School, located in Durham in the UK, suffered a ransomware attack. The attack was carried out by Vice-Society, which published personal information about students and teachers on the dark web. The National Crime Agency investigated the attack, under the lead of Durham County Council. Twitter: @TheNorthernEcho
20. Ransomware attacks leave two umbrella companies struggling to pay contractors. In January 2022, two umbrella companies in the UK, Brookson and Parasol, were attacked in separate ransomware attacks. Both companies proactively disabled some customer-facing systems to limit the spread of ransomware, leaving Brookson's website inaccessible for several days and Parasol's communication systems disrupted. This delayed many of the companies' contractors' payments, prompting many negative reviews on sites like TrustPilot. Twitter: @ComputerWeekly
21. Ransomware attack results in a data breach for Italian luxury fashion brand. Moncler, a luxury fashion brand in Italy, refused to pay the ransom demanded in a December 2021 ransomware attack. In response, the attackers published the stolen data on the dark web, including information about some former and current employees, business partners, suppliers, consultants, and customers. No payment data was stolen in the attack, which is believed to have been carried out by AlphV/BlackCat, a new ransomware-as-a-service operation launched in December 2021. Twitter: @techradar
22. R.R. Donnelley is hit by Conti ransomware in December 2021. In another December 2021 incident, the Fortune 500 integrated services firm R.R. Donnelley reported a system intrusion in which hackers successfully stole and leaked 2.5 GB of data. After identifying the attack, R.R. Donnelley isolated a portion of its IT environment to contain the intrusion, shut down its servers and systems, and initiated a forensic investigation. Twitter: @threatpost
23. Vice Society dumps data stolen in a school district ransomware attack. Griggsville-Perry School District in Illinois suffered a ransomware attack in January 2022, with attackers holding files hostage in exchange for a ransom. After two months, threat actors from Vice Society dumped more than 3,000 stolen files on its leak site, most of which didn't contain personal information. However, the dump did include some W-9 forms, contract information, disciplinary documentation containing students' names, and most concerning, 300 payment-related files from 2012-2015 containing employee names, payment information, and bank direct deposit information.
24. France's Ministry of Justice hit by Lockbit 2.0 ransomware. In January 2022, the French Ministry of Justice experienced a ransomware attack. The attackers used Lockbit 2.0 ransomware to carry out the attack, for which they claimed responsibility. The attackers threatened to publish the stolen data if the Ministry of Justice didn't pay the ransom. The amount of the demand was not disclosed. Twitter: @CyberSecInt
25. Ransomware attack on Massachusetts-based nonprofit affects 68,000 individuals. In September 2021, a four-day attack on Advocates, a nonprofit based in Massachusetts, resulted in the theft of personal and protected health information related to 68,000 individuals who have received services from the organization, as well as some employees. The information exfiltrated by the cyber attackers included names, Social Security numbers, dates of birth, identification numbers, health insurance information, and information on diagnoses and treatments. Twitter: @SCMagazine
26. Lactaid shortage driven by a ransomware attack. In March 2022, HD Hood Dairy, the company that makes Lactaid, was hit by what experts say was likely a ransomware attack. In response, the company took all of its plants offline in order to prevent further damage. While the plants have since been returned to operational status, the incident resulted in a shortage of Lactaid, making it difficult for some consumers to find the product on shelves. Twitter: @qz
27. Snap-on Tools targeted by Conti ransomware in separate attacks. In March 2022, the Conti ransomware group attacked Snap-on Tools, based in Wisconsin. The ransomware group stole 1 GB of data, including names, Social Security numbers, and employee identification information of franchisees and associates, and threatened to disclose the data if Snap-on refused to pay the ransom. A few weeks later, the stolen data was published on the Conti website but was later removed, which suggests that a ransom was paid following negotiations, according to Cybersecurity Insider. Twitter: @Cybersecinsider
28. Stormous ransomware steals 161 GB of Coca-Cola data. A Russia-linked hacking group behind Stormous ransomware claimed to have stolen 161 GB of data from Coca-Cola, which is believed to include commercial accounts, passwords, and financial information, in early 2022. The group offered the stolen data for sale on the dark web for just under 1.65 bitcoin, valued at about $64,000 at the time, in exchange for the return of the stolen data. Twitter: @InfosecurityMag
29. Ransomware attack on AGCO disrupts tractor sales. A ransomware attack targeting U.S. agricultural equipment manufacturer, AGCO, in May 2022 caused significant disruption to the company's production facilities and impacted sales during planting season, the busiest season of the year for agricultural equipment sales. The industry was already dealing with continued supply chain disruptions and labor strikes. As a result, dealers were unable to access AGCO's website to look up parts and place orders, potentially having downstream impacts on dealers' businesses and ultimately, their farming customers and farm production. Twitter: @Reuters
30. Campaign finance firm's web hosting provider hit by ransomware. Just one week before the state's primary election, Opus Interactive, the web hosting provider used by campaign finance firm C&E Systems, suffered a ransomware attack. The attack compromised C&E's database, which included account login credentials for the state campaign finance reporting system, ORESTAR. The Oregon Secretary of State required all 1,100 users to reset their passwords but assured Oregon residents that the Secretary of State was not hacked, noting that the attack on Opus Interactive did not expose any of its sensitive data or compromise any systems involved in election administration. Twitter: @SecurityWeek
31. Christus Health targeted by AvosLocker ransomware attack. Christus Health, a Texas-based, nonprofit health system, identified and blocked unauthorized activity on its systems in May 2022. AvosLocker, a Ransomware as a Service (RaaS) group, later claimed responsibility for the attack. Christus Health reported that it believed the attack had been effectively contained and that it didn't impact patient care or clinical operations. Twitter: @SecurityHIT
32. Ransomware attack on Palermo, Italy disrupts municipal services. The city of Palermo was targeted by a highly disruptive ransomware attack in June 2022 that affected the city's entire infrastructure, as well as all connected workstations. Residents and visitors were unable to contact the city through digital systems, acquire traffic zone cards to enter restricted areas, or access tickets to theaters and other events with online booking, to name a few of the ways the attack impacted the city's operations. Additionally, authorities were unable to enforce penalties for violations. The city took some systems offline to isolate them from the network but was ultimately attempting to reconstruct its systems from backups and preparing a private network that could connect to a small number of verified workstations. The Vice Society ransomware group claimed responsibility for the attack. Twitter: @cpomagazine
33. Ransomware attack disables city education office's internet-based services. In June 2022, Glenn County Office of Education in California was targeted by a ransomware attack that disrupted all of its internet-based services, such as emails, phones operating over the internet, and financial software. The Quantum ransomware gang claimed responsibility for the attack and demanded $1 million in ransom. The Glenn County Office of Education did eventually pay $400,000 to the hackers.
34. Baton Rouge General Hospital ransomware attack disrupts patient transportation. A ransomware attack targeting Baton Rouge General Hospital in June 2022 temporarily compromised its internal systems. The hackers forwarded a screenshot of the ransom message to a national media outlet. While the healthcare provider was able to take new patients, ambulances were unable to transport patients to any of its hospitals for several days following the attack. Twitter: @idstrong
35. Ransomware attack on debt collection agency exposes 1.9 million patient records. Professional Finance Company, a debt collection firm that works with healthcare providers, suffered a ransomware attack in February 2022 that exposed 1.9 million patient records across 657 healthcare providers, making it one of the largest attacks targeting medical information in 2022. The compromised data included names, birthdates, Social Security numbers, health insurance information, healthcare treatment information, and information on payments made to accounts. Twitter: @CNET
36. Lapsus$ uses social engineering in an attempted ransomware attack on Cisco. In May 2022, Cisco discovered that its systems had been breached by an Initial Access Broker (IAB), after which the Lapsus$ ransomware group initiated the attack. After gaining access to an employee's personal Google account, the attackers used voice phishing and social engineering to convince the user to accept MFA push notifications, thus enabling the threat actors to log into VPNs using the victim's identity. Attackers then compromised Cisco's systems, creating backdoor access points and deploying malware such as Cobalt Strike. An investigation showed that the tactics used were consistent with pre-ransomware activities. Twitter: @DarkReading
37. Ransomware attack impacts 96 healthcare practices and 380,000 records or more. A group of post-acute care companies called Avamere Health Services discovered that an unauthorized party accessed a third-party network and removed files and folders between January 19, 2022 and March 17, 2022. These records included names, driver's license numbers, state identification numbers, Social Security numbers, financial account numbers, and information on medical diagnoses, lab results, and medications. A total of 96 organizations and more than 380,000 individuals were affected by the attack. Twitter: @SecurityHIT
38. 940,000+ patients impacted by ransomware attack on healthcare billing vendor. Practice Resources, a billing and professional services company based out of Syracuse, New York, suffered a ransomware attack in April 2022. An investigation showed that the hackers may have exfiltrated clients' protected health information before encrypting the parts of the network targeted. This information included health plan numbers, medical record numbers, names, addresses, and treatment dates. This attack affected the records of 942,000 individuals across 28 Practice Resources clients. Twitter: @HIPAAJournal
39. LockBit ransomware group targets Orion Innovation. In August 2022, LockBit ransomware group claimed to have carried out an attack on Orion Innovation, which provides digital transformation solutions across industries such as telecom and media, financial services, healthcare and life sciences, sports and entertainment, and education. The attackers demanded an undisclosed ransom amount, giving Orion until September 1, 2022 to pay. Twitter: @TheTechOutlook
40. Ransomware attack impacts 75,000+ EmergeOrtho patients. Orthopedic healthcare services company EmergeOrtho detected and blocked a ransomware attack targeting some of its systems in May 2022. An investigation found that the hackers had gained access to files containing 75,200 patient records, including names, addresses, birthdates, Social Security numbers, information on financial accounts, and healthcare and treatment information. EmergeOrtho says there's no evidence that any of the accessed data was misused. However, the company is now facing a lawsuit brought by affected patients. Twitter: @BeckersSpine, @TriangleBIZJrnl
41. Hive ransomware group targets medical billing service. In August 2022, the Hive ransomware group targeted NCG Medical, a medical billing company based in Florida, claiming that it had encrypted NCG's files related to more than 50,000 patients. According to DataBreaches.net, "DataBreaches is still investigating the data that have been dumped so far but can see that it includes information on NCG's clients who are covered entities under HIPAA. The files also include records of insurance-coded submissions for named patients with information on their diagnoses. One small archive alone had almost 10,000 coded records on named patients."
42. 500 GB of data leaked in Los Angeles Unified School District ransomware attack. The Vice Society claimed responsibility for a ransomware attack on the Los Angeles Unified School District (LAUSD) that disrupted its email, applications, and computer systems in September 2022. In October, the Vice Society published the stolen data to its leak site on the dark web. The data contained personal identifying information such as passport details, Social Security numbers, and tax forms, as well as contracts and legal documents, financial reports, bank account information, health information, students' psychological assessments, and previous conviction reports. Twitter: @TechCrunch
43. Holiday Inn experiences significant disruptions as a result of ransomware attack. In September 2022, Holiday Inn suffered a ransomware attack that breached its IT infrastructure, shutting down the hotel's reservation booking portal and impacting bookings from third-party websites like Expedia.com. Estimates indicated that just half of customers who attempted to book reservations within the previous week had been successful, and multiple Holiday Inn locations were operating significantly under capacity in the wake of the attack. Twitter: @CaseGuards
44. Venus ransomware group targets remote desktop services. Venus ransomware kicked off a spree of attacks in August 2022 targeting remote desktop services. The attackers exploited unsecure access points to gain access to the networks, disabled services and stopped processes, then encrypted the files and issued a ransom note to the victims. Twitter: @Malwarebytes
45. Savannah College of Art and Design attacked by Avos Locker ransomware. In August, the Avos Locker ransomware group claimed that it had successfully attacked the Savannah College of Art and Design (SCAD) and stolen a significant amount of data. In this attack, the data was exfiltrated but not encrypted. The stolen data included 69,000 files; one file contained a spreadsheet with more than 60,000 records of both past and present SCAD students. Another file contained 15,000 records, mostly relating to minor student offenses, dating back to 2015. Twitter: @jgreigj
46. Hackers leverage compromised contractor account to attack Uber. In September 2022, a threat actor targeting Uber accessed and exfiltrated Slack messages, data from an invoice management tool, and Uber's HackerOne database. Uber's codebase was not altered and its services remained fully operational. Uber believes that a Lapsus$ ransomware group-affiliated threat actor is behind the attack. Twitter: @CyberSecDive
47. Patient information stolen in ransomware attack on emergency services provider. In May 2022, Empress EMS, an ambulance services provider based in New York, was targeted in a ransomware attack that exposed personal information related to 320,000 individuals. After gaining access to the company's network, the attackers stole sensitive patient information and deployed ransomware on the compromised systems. Twitter: @ITSecurityWire
48. Attackers demand $5 million to unlock Denver suburb's data. In late August 2022, the city of Wheat Ridge, a Denver, Colorado suburb, was attacked by a threat actor who demanded $5 million to restore access to the city's municipal systems. After discovering the attack, the city shut down its phone and email servers to evaluate the incident, resulting in the closure of the city hall to the public for over a week. Fortunately, Wheat Ridge had the adequate redundancies and resources necessary to recover from the incident and refused to pay the ransom. Twitter: @denverpost
49. 243,000 patients impacted by attack on Family Medical Center Services. In July 2022, a ransomware attack targeted Family Medical Center Services, a network of 74 primary care clinics in Texas. The attack compromised and potentially exposed data that included protected health information of up to 233,948 patients. Twitter: @SCMagazine
50. Ransomware attack follows leak of online retailer's data. Esquimal, an online retailer based in Mexico, leaked 77,000 records containing personally identifiable information on an open server, or about 9.2 GB of sensitive data, as well as plaintext credentials for the retailer's support email. The open server also contained 33 employees' emails, names, and passwords, although this data was hashed to prevent unauthorized access. A malicious actor noticed the open server and accessed it, issuing a ransom demand for EUR3,000. Twitter: @CyberNews
From attempted ransomware attacks to successful attacks on city and state government entities, healthcare organizations, school districts and many others, these ransomware examples showcase the variety of ransomware techniques, targets, motivations, and impacts. Understanding the various forms ransomware may take and what potentially motivates attackers will help you bolster your organization's security posture against ransomware and other threats.