Ransomware has gone global. While 2022 saw a reprieve in the sheer number of ransomware attacks (the attack rate dropped at the same time as the war between Russia and Ukraine began), it also saw the rise of ransomware-as-a-service, the proliferation of attacks of major organizations, and attacks that stretched across time zones and borders.
In 2022, nine of our top 20 breaches involved ransomware (45%), affecting millions of individuals and their private data. That is up 15% over 2021. While the total dollars lost isn’t calculated yet, the first half of 2022 saw a median ransom demand of $450,000.
In addition, the organizations hit by ransomware in 2022 were not small —, Australian telecoms company Optus, health insurance giant Medibank, and the government of Costa Rica were all in the crosshairs of threat actors over the last 12 months. Criminals were targeting high-value organizations where they knew the consequences would be vast and the data would sell for, or could be held ransom for, millions. Though business email compromise and cloud security find themselves growing as concerns, ransomware is still the king of cybercrime.
How Ransomware Works
Ransomware occurs when a threat actor breaches a network or system, gains access to highly valuable data or operating technology, and then holds it for ransom. This is commonly done through encryption, where the data is encrypted and can only be released once the organization pays the ransom.
The past couple of years have also seen the rise of ransomware-as-a-service where cyber criminals sell ransomware kits, initial access, or other services to other cyber criminals for a flat fee or a cut of the ransom. The act is moving from individual-based robberies to vast networks of criminal activity — think of an individual bank robber banding together with others and forming a mafia-type organization.
While ransomware originated with mass-spray phishing attempts to individuals decades ago, cybercriminals have realized over the years that organizations would rather pay millions than risk the digital and real-world consequences of downtime. Healthcare organizations, along with infrastructure organizations (like the government of Costa Rica), have become top targets for ransomware because the consequences of downtime can be devasting and long– lasting.
The Biggest Ransomware Attacks of 2022
1. Optus (Australia)
Dubbed “the biggest cyber attack in history” in Australia, this ransomware attack targeted the country’s second-largest telecommunications provider, exposed the data of 10 million residents through a double-encryption ransomware attack, ultimately resulting in the release of 10,000 of those records. While the hacker ended up withdrawing the ransom, thousands of Australians still had to replace passports, driver’s licenses, and other personal documents.
2. Medibank (Australia)
It was another breach down-under as Russian-linked cyber criminals stole and released the personal details of over 9.7 million customers of the Australian health insurance giant. The organization had refused to pay the $10 million ransom, which resulted in the release of data on the dark web. Medibank stated that the personal and health data stolen was not enough to constitute “fraud.”
3. Los Angeles Unified School District (US)
“The nation’s second-largest school district was hit with a ransomware attack in early September, with hackers making off with 500 gb of personal information on an untold number of those students, their parents, and the schools’ employees. Vice Society — a ransomware gang with a particular taste for attacking the education industry — later claimed responsibility for the breach and, after the school district refused to pay the ransom, dropped all 500 gb of data on the dark web in early October.
4. Expeditors International
This freight forwarding company experienced over a week of downtime after a ransomware attack. While the organization did not confirm it was ransomware, they did have to shut down global operations and restart via backups, which is usually the protocol in a ransomware attack. This attack highlighted how a cyber attack on one organization can have ramifications across a variety of organizations.
5. Marquard & Bahls Group (Germany)
Notorious BlackCat ransomware group shut down hundreds of gas stations in Germany back in February of 2022. It resulted in gas re–routing, supply chain issues, and gas stations having to operate manually while services were restored.
6. Encevo Group (Luxembourg)
Files were exfiltrated and services were taken offline after Encevo, the parent company of Luxembourg electricity and natural gas company Creos, was hit with ransomware from a gang. The gang threatened to release over 100 GB of data, and parts of Creos’ services were offline for more than two weeks.
7. SpiceJet (India)
Delays and cancellations hit low-cost Indian airline SpiceJet after a ransomware attack, causing massive financial loss and taking most of the airline’s website offline. While the airline was able to thwart the attack swiftly, it still impacted thousands of flights.
8. Elgin County (Ontario, Canada)
The county services were down for a month and hundreds of Elgin citizens had their data compromised during an April ransomware attack in Ontario. Targeting government systems is a popular tactic for cybercriminals because the systems contain treasure troves of personal identifying information (PII) and often lack robust cybersecurity protections. In this case, the data was exfiltrated and released on the dark web.
9. Government Departments (Costa Rica)
Conti Gang took down the social security offices, the ministry of finance, and other government systems in Costa Rica in the spring of 2022. It resulted in a state of emergency being declared, and the ransomware gang initially demanded $10 million in ransom, only to double it to $20 million. While Costa Rica was willing to negotiate, the gang eventually disbanded and went offline before any ransom was paid.
Why Is Ransomware So Effective?
As the attacks above illustrate, ransomware works. Even if cybercriminals don’t walk away with the ransom, they often turn to exfiltrating the data during the attack and releasing it anyway. The victims, once attacked, are left with few options — pay the ransom, restore from a backup, or forfeit the data. None of those options are easy, and all take time. Studies show that more than half of organizations attacked end up paying the ransom, as it’s the easiest solution. People pay, so ransomware gangs keep attacking.
The attacks are also successful in causing real-world disruptions, furthering the gangs’ reputations and incentivizing future organizations to pay — fast. As ransomware grows in sophistication and cybercriminals meet up online, this trend will only continue. It has become almost a form of cyber terrorism (sometimes literally when nation-state actors are involved), where yes, the money is nice, but the disruption is a goal of its own.
There are also concerns that the continuing conflict in Ukraine and Russia will only increase ransomware attacks in the future. While the war might be responsible for the statistic dip in attack frequency at the beginning of 2022 (many ransomware gangs originate in Russia), if the war resolves itself, the citizens of both countries may find themselves turning to cybercrime for income.
How Can Organizations Protect Themselves Against Ransomware?
If your organization finds itself in a ransomware situation, it’s advised, first, to not pay the ransom. Hopefully, all systems are backed up, and incident response is ready. But it’s better to be prepared and prevent ransomware from ever happening than deal with a worst-case scenario.
Here are a few strategies to employ to protect against the rising tide of ransomware:
- Follow the NIST framework for your cybersecurity architecture.
- Back. Up. Everything.
- Invest in security operations, which offers both the technology and manpower to monitor and respond to threats.
- Pay attention to vulnerabilities and patch them as soon as they become known. Most data breaches occur because of an exploited vulnerability.
Learn more about the Top Breaches of 2022.