What was the biggest ransomware attack?

Ransomware attacks, where cybercriminals encrypt an organization’s files and demand payment to unlock them, have been rapidly escalating in recent years. These attacks can be highly disruptive and costly for businesses and government agencies. So what has been the biggest and most damaging ransomware attack to date?

The WannaCry Attack

One of the largest ransomware attacks to date was the WannaCry outbreak in May 2017. WannaCry was a devastating global attack that affected over 200,000 computers across 150 countries. It targeted computers running Microsoft Windows by exploiting a vulnerability in older Windows versions.

Scale and Impact

WannaCry spread extremely quickly. Within just one day, it had infected over 230,000 computers in over 150 countries. Major organizations around the world were impacted, including healthcare services, transportation systems, logistics companies, banks, telecoms providers, universities, and government entities.

The ransomware encrypted files on infected systems and demanded ransom payments of $300-$600 in Bitcoin to unlock them. It caused massive disruption, including:

  • In the UK, parts of the National Health Service (NHS) were paralyzed, with appointments cancelled, ambulances diverted, and operations postponed.
  • In Spain, the telecoms provider Telefónica was hit badly, infecting thousands of computers.
  • FedEx reported major disruptions to operations in the US after their Windows systems were infected.
  • Germany’s railway system Deutsche Bahn was impacted, causing delays and cancellations.
  • Nissan had to halt production at one of its UK manufacturing plants.
  • In China, around 40,000 institutions were affected.

The total financial damages caused by WannaCry were estimated to exceed $4 billion.

Origin and Spread

WannaCry was created using leaked hacking tools that were stolen from the National Security Agency (NSA) of the United States and released online by a hacker group called the Shadow Brokers. It exploited a Windows vulnerability that was patched by Microsoft in March 2017, but many organizations had not yet updated their systems, leaving them exposed.

Once on a network, WannaCry was able to quickly and automatically spread between computers using the SMB networking protocol. This enabled it to propagate rapidly across networks, making it difficult to contain.

The NotPetya Attack

Another hugely destructive ransomware attack was NotPetya in June 2017. NotPetya initially targeted businesses in Ukraine but spread globally, causing over $10 billion in damages.

Impact in Ukraine

Ukraine was hit the hardest by NotPetya. Targets included the Ukrainian government, banks, power companies, airports, and public transportation. The virus shredded data on infected systems. Major disruptions in Ukraine included:

  • Radiation monitoring systems at the old Chernobyl nuclear plant were knocked offline.
  • ATMs and airport departure boards went blank.
  • 80% of all companies based in Ukraine were affected.

Global Spread

From Ukraine, NotPetya rapidly spread worldwide. Major international companies that were severely impacted included:

  • Maersk – The shipping giant had to halt operations at 76 port terminals causing huge shipping delays. It cost the company $300 million.
  • FedEx – The courier delivery service was badly affected, slowing global deliveries.
  • Cadbury – The chocolate maker reported significant delays in production and shipping.
  • Merck – The pharmaceutical giant was hit hard with production shutdowns costing $870 million.

In total, NotPetya did over $10 billion in economic damage globally.

The Colonial Pipeline Attack

The Colonial Pipeline ransomware attack in May 2021 also stands out as one of the most notable and damaging attacks to date.

Shutting the Pipeline

Colonial Pipeline, which transports 100 million gallons of fuel daily along the US East Coast, was hit by a ransomware attack that forced the company to shut the 5,500-mile pipeline down for nearly a week.

Widespread Fuel Shortages

The shutdown led to fuel shortages and panic buying across the Southeastern US, causing long lines at gas stations and higher fuel prices. At its peak, over 1,000 gas stations ran out of fuel. Flights were disrupted as jet fuel supplies were affected.

Millions in Ransom Paid

The attackers were reportedly paid a ransom of nearly $5 million in cryptocurrency to restore the encrypted systems. This highlighted the dilemmas organizations face over whether to pay cybercriminal ransom demands.

Lasting Damage

The pipeline shutdown and fuel delivery disruptions had significant economic impacts estimated at hundreds of millions of dollars. The FBI blamed the attack on the hacker group DarkSide. It was a major crisis that demonstrated how ransomware could threaten critical national infrastructure.

Recent Major Attacks

Some other major ransomware attacks in the last few years include:

JBS Foods (2021)

JBS, the world’s largest meat producer, was hit in June 2021, forcing it to halt operations at plants in the US, Canada, and Australia. This disrupted about 20% of US meat production.

Kaseya (2021)

A massive ransomware attack via Kaseya software affected over 1,000 businesses globally in July 2021. Many were service providers that then had downstream effects on their customers.

Travelex (2020)

Currency exchange company Travelex was badly affected for over a month after a ransomware attack on New Year’s Eve 2019 forced them to take systems offline and close branches.

Garmin (2020)

Smartwatch and fitness tracker maker Garmin had widespread outages lasting days after a ransomware attack encrypted their systems, causing disruption to production.

Biggest Attacks by Ransom Paid

Looking at the largest ransomware attacks by the size of ransom paid, some of the biggest include:

Organization         Ransom Reportedly Paid
CNA Financial        $40 million
JBS Foods            $11 million
Colonial Pipeline    $4.4 million
Brenntag             $4.4 million

However, these only reflect publicized payments where amounts have been disclosed – in many cases the ransom deals are confidential.

Government Ransomware Attacks

Some of the most severe ransomware attacks have targeted government entities, including:

  • Multiple cities in Florida suffered simultaneous attacks in 2019.
  • New Orleans city government was hit in 2019.
  • Baltimore city government was hit in 2019, with estimated damages of $18 million.
  • Atlanta was attacked in 2018, costing ~$17 million to recover from.

These had major impacts on city services like online payments, email, emergency response systems and more. As essential infrastructure, government systems can be attractive ransomware targets.

Healthcare Ransomware Statistics

Healthcare has been one of the top industries targeted by ransomware, with nearly 90% of organizations hit according to some estimates. Major attacks include:

  • 2021 attack on Ireland’s national healthcare system, causing nationwide care disruptions.
  • 2020 attack on a hospital group in the US with a reported $14 million ransom.
  • 2017 attack on UK hospitals with 19,000 appointments cancelled.

Patient safety is put at risk by such attacks. Lives could even be endangered if hospital emergency response capabilities are impacted.

Most Common Ransomware Variants

Some of the most prevalent ransomware variants used in major attacks include:

  • Ryuk – Used against large enterprises like oil companies and government entities.
  • Cerber – A prolific ransomware-as-a-service afflicting organizations since 2016.
  • Sodinokibi – Also known as REvil, this ransomware hit JBS Foods and Kaseya.
  • Conti – A ransomware group claiming over 1,000 victims worldwide.

These constantly evolve to use new techniques like triple encryption, anti-analysis measures, data exfiltration and more.

Ransomware Trends

Looking at patterns in major ransomware attacks, some notable trends include:

  • Increasingly targeting large enterprises and critical infrastructure.
  • Larger ransom demands, now frequently in the millions.
  • Data theft and extortion in addition to just encrypting files.
  • Ransomware-as-a-service model lowers barriers for cybercriminals.

This demonstrates ransomware becoming more sophisticated, lucrative, and enterprise-focused over time.

Costs and Damages

On top of the ransom payments themselves, ransomware attacks incur major additional costs like:

  • Business disruption and lost revenues while systems are down.
  • Recovery efforts including rebuilding servers and restoring data.
  • Reputational damage and loss of customer trust.

Total damages can therefore vastly exceed the ransom amounts. The average total cost of recovery from a ransomware attack is estimated at $1.85 million.

How Ransomware Works

Ransomware typically spreads through methods like:

  • Phishing emails with malicious attachments.
  • Infected software apps and installers.
  • Exploiting vulnerabilities in organizations’ networks or infrastructure.

Once inside a system, the ransomware encrypts files, programs, databases and more using complex encryption algorithms. It displays a ransom payment demand, often threatening to delete data if payment isn’t received.

Some ransomware strains also steal data before encrypting, enabling additional extortion. Ransomware code is specifically designed to spread fast and be difficult to fully remove from systems.
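The behaviour described above (a process rapidly rewriting files under a new extension and leaving a payment demand) is exactly what a defender can watch for on endpoints. The following is an added example, not code from the original article: it runs a simple detection over constructed file-system audit events. The event format (`epoch_seconds,process,action,path`), the rename-burst threshold, the 60-second window, and the ransom-note filename pattern are all assumptions chosen for illustration.

```python
"""Flag ransomware-like file activity in a stream of file-system audit events.

Added example for this article (not the article's own code). It assumes a
simplified, constructed event format, one event per line:
    <epoch_seconds>,<process>,<action>,<path>
with actions CREATE, WRITE and RENAME ("old -> new" for RENAME). The window,
threshold and note-name pattern below are illustrative assumptions.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import re

WINDOW_SECONDS = 60     # assumption: renames counted within this sliding window
RENAME_THRESHOLD = 5    # assumption: this many renames to one new extension = alert
# Assumption: ransom notes usually carry names like these (case-insensitive).
NOTE_PATTERN = re.compile(r"(readme|decrypt|restore|recover|how_to)", re.IGNORECASE)

# Constructed sample events: a normal editing session, then a process that
# renames many files to a new extension in seconds and drops a note.
SAMPLE_EVENTS = r"""
1000,word.exe,WRITE,C:\Users\alice\Documents\report.docx
1001,word.exe,WRITE,C:\Users\alice\Documents\report.docx
1005,explorer.exe,RENAME,C:\Users\alice\Documents\old.txt -> C:\Users\alice\Documents\notes.txt
1100,svchost32.exe,RENAME,C:\Users\alice\Documents\report.docx -> C:\Users\alice\Documents\report.docx.locked
1100,svchost32.exe,RENAME,C:\Users\alice\Documents\notes.txt -> C:\Users\alice\Documents\notes.txt.locked
1101,svchost32.exe,RENAME,C:\Users\alice\Pictures\a.jpg -> C:\Users\alice\Pictures\a.jpg.locked
1101,svchost32.exe,RENAME,C:\Users\alice\Pictures\b.jpg -> C:\Users\alice\Pictures\b.jpg.locked
1102,svchost32.exe,RENAME,C:\Users\alice\Desktop\budget.xlsx -> C:\Users\alice\Desktop\budget.xlsx.locked
1102,svchost32.exe,RENAME,C:\Users\alice\Desktop\plan.pptx -> C:\Users\alice\Desktop\plan.pptx.locked
1103,svchost32.exe,CREATE,C:\Users\alice\Documents\README_DECRYPT.txt
"""


@dataclass
class Alert:
    process: str
    extension: str
    renames: int          # total renames by this process to this extension
    first_seen: int       # epoch seconds of the first rename in the burst
    ransom_note: Optional[str] = None


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _ext(path: str) -> str:
    name = _basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_event(line: str) -> Tuple[int, str, str, str]:
    ts, process, action, rest = line.split(",", 3)
    return int(ts), process, action, rest


def detect(lines) -> List[Alert]:
    """Return one Alert per (process, new extension) that exceeds the threshold."""
    windows: Dict[Tuple[str, str], deque] = defaultdict(deque)
    totals: Counter = Counter()
    alerts: Dict[Tuple[str, str], Alert] = {}
    notes: Dict[str, str] = {}   # process -> path of a suspicious note it created

    for line in lines:
        if not line.strip():
            continue
        ts, process, action, rest = parse_event(line)

        if action == "RENAME" and " -> " in rest:
            old, new = rest.split(" -> ", 1)
            old_ext, new_ext = _ext(old), _ext(new)
            if not new_ext or new_ext == old_ext:
                continue   # plain rename within the same type; not interesting
            key = (process, new_ext)
            totals[key] += 1
            q = windows[key]
            q.append(ts)
            while q and ts - q[0] > WINDOW_SECONDS:
                q.popleft()   # drop renames older than the window
            if len(q) >= RENAME_THRESHOLD and key not in alerts:
                alerts[key] = Alert(process, new_ext, len(q), q[0])

        elif action == "CREATE" and NOTE_PATTERN.search(_basename(rest)):
            notes[process] = rest

    for key, alert in alerts.items():
        alert.renames = totals[key]
        alert.ransom_note = notes.get(alert.process)
    return sorted(alerts.values(), key=lambda a: a.first_seen)


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {a.process}: {a.renames} files renamed to .{a.extension} "
              f"starting at t={a.first_seen}; note: {a.ransom_note}")
```

The point of keying on (process, new extension) rather than on raw write volume is that legitimate bulk writers (backup agents, compilers, editors) rarely change the extension of many unrelated files in a few seconds, so this rule stays quiet on the benign events while firing on the burst. In a real deployment the events would come from an EDR or file-audit feed and the alert would trigger isolation of the host.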

Prevention Tips

Organizations can apply various cybersecurity measures to help prevent ransomware attacks, like:

  • Backing up data regularly and keeping backups offline.
  • Not paying ransoms, since payment incentivizes more attacks.
  • Using email security and anti-phishing filters.
  • Patching and updating software regularly.
  • Restricting and monitoring remote desktop access.
  • Deploying endpoint detection and anti-ransomware software.
  • Educating employees on cyber risks.

However, as ransomware tactics evolve, there are no foolproof methods of preventing infections.
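"Restricting and monitoring remote desktop access" from the list above is one of the measures that can be turned into a concrete check. The following is an added example, not code from the original article: it scans constructed logon records and flags a source address that fails many RDP logons in a short window, and a successful RDP logon that follows such a burst from the same address. Windows event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows values; the comma-separated line format, the window and the threshold are assumptions for illustration.

```python
"""Flag RDP brute-force patterns in a stream of logon records.

Added example for this article (not the article's own code). It assumes a
constructed, simplified record format, one per line:
    <ISO-8601 UTC time>,<event_id>,<logon_type>,<source_ip>,<account>
Event IDs 4625/4624 and logon type 10 are the real Windows values; the line
format, window and threshold are illustrative assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Deque, Dict, List

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
REMOTE_INTERACTIVE = "10"   # Windows logon type used by RDP sessions
WINDOW_SECONDS = 300        # assumption: failures counted within 5 minutes
FAIL_THRESHOLD = 5          # assumption: this many failures from one source = alert

# Constructed sample: one normal RDP logon, a password-spraying burst from
# 203.0.113.5 that ends in a successful logon, and unrelated network logons.
SAMPLE_LOG = """\
2021-05-07T10:00:01Z,4624,10,198.51.100.7,alice
2021-05-07T10:01:10Z,4625,10,203.0.113.5,administrator
2021-05-07T10:01:12Z,4625,10,203.0.113.5,admin
2021-05-07T10:01:15Z,4625,10,203.0.113.5,backup
2021-05-07T10:01:17Z,4625,10,203.0.113.5,svc_sql
2021-05-07T10:01:20Z,4625,10,203.0.113.5,helpdesk
2021-05-07T10:01:25Z,4625,10,203.0.113.5,jsmith
2021-05-07T10:02:40Z,4624,10,203.0.113.5,jsmith
2021-05-07T10:05:00Z,4625,3,10.0.0.12,bob
2021-05-07T10:05:05Z,4625,3,10.0.0.12,bob
"""


@dataclass
class Finding:
    source_ip: str
    kind: str        # "brute_force" or "success_after_failures"
    failures: int    # RDP failures from this source inside the window
    user: str
    at: str          # time of the record that triggered the finding


def parse(line: str):
    ts_s, event_id, logon_type, src, user = line.split(",")
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, event_id, logon_type, src, user


def analyze(lines) -> List[Finding]:
    """Return findings in the order they are triggered by the records."""
    fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()   # sources already reported as brute_force
    findings: List[Finding] = []

    for line in lines:
        if not line.strip():
            continue
        ts, event_id, logon_type, src, user = parse(line)
        if logon_type != REMOTE_INTERACTIVE:
            continue   # only remote desktop sessions are of interest here
        q = fails[src]
        while q and (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()   # expire failures older than the window

        if event_id == FAILED_LOGON:
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                findings.append(Finding(src, "brute_force", len(q), user, ts.isoformat()))
        elif event_id == SUCCESS_LOGON and len(q) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the high-priority case:
            # it suggests a guessed or reused credential rather than a typo.
            findings.append(Finding(src, "success_after_failures", len(q), user, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.at} {f.kind} from {f.source_ip} ({f.failures} failures, user={f.user})")
```

The success-after-failures finding is the one to act on first: a brute-force burst that never succeeds is noise to block at the firewall, but a successful logon from the same source is the moment an intruder gains the foothold that ransomware operators use to stage an attack. Restricting RDP to a VPN or gateway and requiring multi-factor authentication removes most of this class of event before it has to be detected.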

Should Ransoms be Paid?

Whether to pay ransom demands is a complex decision organizations face during attacks. Potential pros of paying include:

  • Recovering data that was not adequately backed up.
  • Avoiding business disruption from prolonged downtime.

However, paying ransoms also:

  • Encourages and funds more cybercrime.
  • Is no guarantee files can be restored.
  • Marks the organization as an easy target.

Many experts advise not paying, and warn payments can still leave systems infected. Each case requires cost-benefit analysis of the tradeoffs.

Law Enforcement Actions

Relevant law enforcement agencies and cybercrime authorities are working to crack down on ransomware. Efforts include:

  • The FBI easing the reporting of ransomware payments.
  • Department of Justice creating a Ransomware and Digital Extortion Task Force.
  • Coordinated efforts to trace cryptocurrency payments.
  • Charging and imposing sanctions on identified culprits in Russia and elsewhere.

However, ransomware developers continue to operate with relative impunity in certain countries. Apprehending and prosecuting them remains challenging.

Conclusion

Major ransomware attacks like WannaCry, NotPetya and Colonial Pipeline have demonstrated how crippling and far-reaching the impacts of ransomware can be. As attacks proliferate, organizations must take concerted action on prevention, response, backups and employee education. Paying ransoms tends to exacerbate the problem. While there are no perfect solutions, robust cybersecurity foundations provide the best protection against ransomware threats. This affords organizations greater resilience in withstanding disruptions with operations intact.