The world’s first ransomware attack was child’s play compared to the ransomware attacks of today.
The year was 1989. Thousands of the World Health Organization’s AIDS conference attendees returned home to find floppy disks in their mailboxes that allegedly held a questionnaire about the likelihood of contracting HIV. But they didn’t find any questions. The disks contained a program designed to encrypt the names of their computer files. If they wanted their files restored, they were told to send $189 to a Panamanian P.O. box.
Fast-forward a few years to see the evolution of ransomware, enabled by the rise of the internet, society’s shift to an interconnected digital world and the introduction of cryptocurrency. Malicious actors organized. Ransomware as a service (RaaS) emerged. Double and triple extortion attacks became the norm.
Consequently, the number of victims, the amount of money demanded and the impact of successful attacks have soared.
NCC Group’s Global Threat Intelligence team reported a record 502 ransomware attacks in July 2023 — a 16% increase from the 434 attacks in June 2023 and more than twice the number of ransomware attacks observed in July 2022. Malwarebytes’ “2023 State of Ransomware” report also found record totals of ransomware, counting 1,900 total attacks in just four countries — the United States, France, Germany and the United Kingdom — in one year, with the U.S. accounting for almost half of those attacks.
The damages companies suffer due to ransomware attacks are also rising. Cybersecurity Ventures predicted such attacks will cost victims $265 billion by 2031 — a staggering increase from the $5 billion ransomware targets shelled out in 2017.
But dollars and cents are only part of ransomware’s impact. Beyond costs, organizations face business downtime, reputational damage and diminished customer trust. Plus, ransomware has downstream effects, impacting people and systems that weren’t even targeted in the initial strike. In addition, the actual amount of money companies spend to rescue or recover their systems — including the ransom, if paid, and beyond — isn’t always publicly disclosed, if the attack is even disclosed in the first place.
Quantifying the biggest attacks, therefore, can be difficult. The following is a list identified by TechTarget Editorial as the 10 most impactful ransomware attacks to date, listed in alphabetical order.
1. Colonial Pipeline
Type of ransomware: DarkSide RaaS
Date: May 7, 2021
Losses: $4.4 million (approximately $2.3 million was recovered)
The attack on Colonial Pipeline became one of the most famous ransomware attacks due largely to its impact on everyday Americans, with those living in Southeast states suddenly facing gas supply shortages.
Colonial Pipeline, owner of a pipeline system carrying fuel from Texas to the Southeast, suffered a ransomware attack on the computer systems that managed the pipeline. DarkSide attackers accessed the systems through a compromised credential for a legacy VPN. Working with the FBI, the company paid a $4.4 million ransom within hours of the attack. The impact lasted for days, however, as the company struggled to fully restore operations.
Federal and state officials, including U.S. President Joe Biden, issued emergency declarations in the days after the attack to ensure fuel could reach the affected region and limit damages. The attack also led to Biden issuing on May 12, 2021, an executive order to improve the country’s cybersecurity.
Nearly a month later, the U.S. Department of Justice announced it had seized $2.3 million of the $4.4 million in bitcoin used to pay the ransom.
2. Costa Rica
Type of ransomware: Conti
Attacker: Conti gang
Date: April 17, 2022
Losses: $30 million a day
The Conti ransomware gang launched a monthslong attack against Costa Rican government institutions. The initial attack on the Ministry of Finance used compromised credentials to install malware on its systems. The Costa Rican Ministry of Science, Innovation, Technology and Telecommunications and the Ministry of Labor and Social Security were also later attacked. The government was forced to shut down multiple systems, resulting in delayed government payments, slowed and halted trade, and limited services.
Within the first week of the attack, former President Carlos Alvarado refused to pay the purported $10 million fine. The Conti ransomware gang then leaked almost all the 672 GB of data it stole during the attacks. It took months before systems were restored but not before the country’s newly elected president, Rodrigo Chaves Robles, declared a state of emergency.
Type of ransomware: Lapsus$
Date: Jan. 1, 2022
Losses: Not reported
Ransomware group Lapsus$ launched one of the world’s most conspicuous ransomware attacks when it struck Impresa, Portugal’s largest media conglomerate. The attack took down all its websites, its weekly newspaper and its TV channels. Attackers also gained control of the company’s Twitter account and claimed it had access to the company’s AWS account. According to news reports, Impresa confirmed the attack but said no ransom demand was made.
Lapsus$, which had previously attacked Brazil’s Ministry of Health in late 2021, posted a ransom message that threatened to release company data. Portuguese authorities labeled the Impresa attack the largest cyber attack in the country’s history.
4. JBS USA
Type of ransomware: REvil RaaS
Date: May 30, 2021
Losses: $11 million ransom payment
Beef manufacturer JBS USA Holdings Inc. paid an $11 million ransom in bitcoin to malicious actors after an attack forced it to shut down operations. IT staffers initially noticed problems with some of the company’s servers, and shortly thereafter, the company received a message demanding a ransom. Pilgrim’s Pride Corp., a unit of JBS, was also affected by the attack. Operations were restored within days but not before JBS made the hefty payment.
Type of ransomware: Not reported
Attacker: Not reported
Date: Dec. 11, 2021
Losses: In addition to a reported ransom payment, in 2023, Kronos paid $6 million to settle a class-action lawsuit filed by Kronos clients who alleged the company didn’t do enough to protect its systems.
Ultimate Kronos Group, a workforce management software maker doing business in more than 100 countries, was hit by a ransomware attack on its private cloud in late 2021. The incident affected customers around the globe, spawned yearslong ripple effects and exposed an earlier breach that magnified the impact.
Kronos discovered the ransomware on Dec. 11, 2021, but later determined attackers had earlier breached the company’s cloud and stolen corporate data. That attack exposed employee data for many of the company’s enterprise clients. As a result, these clients faced interruptions, delays and errors in issuing paychecks to their workers.
The Kronos attack raised questions about vendor accountability and highlighted the importance of third-party risk management, as organizations recognized that attacks on their business partners could affect them as well.
Type of ransomware: NotPetya
Attacker: Russian-backed hackers suspected in the attack
Date: June 27, 2017
Losses: Approximately $300 million
Danish shipping giant A.P. Moller-Maersk suffered approximately $300 million in losses after it was hit as part of the global NotPetya attacks. The malware, which exploited the EternalBlue Windows vulnerability and spread via a backdoor in the legitimate financial software MeDoc, locked the company out of the systems it used to operate shipping terminals all over the world. As wiperware, NotPetya was designed to inflict maximum damage by not only encrypting all files on infected computers, but also completely wiping or rewriting them so they could not be recovered — even through decryption. It took Maersk two weeks to recover its computer operations.
Type of ransomware: BlackCat RaaS
Date: Feb. 3, 2022
Losses: Air service disruptions; no financial data reported
Swissport, a Swiss company providing airport ground and cargo handling services, announced in February 2022 that its systems had been hit by a ransomware attack. The incident had relatively minimal impact, delaying only a small number of flights before Swissport restored its systems. The company said it had contained the incident within 24 hours. Ransomware group BlackCat, however, soon indicated it had not only encrypted the company’s files, but also had stolen 1.6 TB of Swissport data it was looking to sell in a classic example of a double extortion attack.
Type of ransomware: REvil RaaS
Date: Dec. 31, 2019
Losses: $2.3 million ransom paid; company forced into administration in 2020 in part due to the attack
At the time it was hit by the REvil ransomware gang, Travelex was the world’s largest foreign exchange bureau. Attackers targeted a known vulnerability in Pulse Secure VPN servers to infiltrate the company’s systems and encrypt 5 GB of data. They demanded a $6 million ransom, which was negotiated down to $2.3 million.
9. UK National Health Service
Type of ransomware: WannaCry
Attacker: Linked to North Korea
Date: May 2017
Losses: £92 million (approximately $100 million)
Companies around the world felt the impact of the WannaCry ransomware attack, which began in spring 2017. WannaCry was the first ransomware to exploit the EternalBlue flaw in Windows systems.
The U.K.’s National Health Service (NHS) was one of the most prominent WannaCry victims, with multiple hospitals, general practitioners and pharmacies affected in England and Scotland. NHS facilities were forced to delay and divert medical services. No deaths were directly related to the attack, according to reports.
Type of ransomware: NotPetya
Attacker: Russia’s GRU military spy agency named as attacker, according to the CIA
Date: June 27, 2017
Losses: Estimated at $10 billion globally
While more than 60 countries were affected, the initial global NotPetya attacks in June 2017 mainly targeted victims in France, Germany and Ukraine, the latter of which sustained about 80% of the attacks, according to researchers from cybersecurity software company ESET. The country’s computer systems were affected, as well as networks operated by private companies and electric utilities. The aforementioned Maersk ransomware attack was also part of this series of attacks.