Proofpoint closes acquisition of Tessian.

Request a demo
Request a demo
Request a demo
Request a demo
Request a demo

18 Examples of Ransomware Attacks

Friday, March 4th 2022
18 Examples of Ransomware Attacks

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

The ransomware crisis is getting out of control. With recent attacks on critical infrastructure, supply chain IT companies, and hospitals, the world is waking up to how serious this type of cyberattack can be.

IT leaders understand that ransomware is preventable—and they know how to protect against it. But still, increasingly many businesses are finding their computers locked, their files encrypted, or their customers’ personal data stolen.

From the widespread chaos caused by2017’s WannaCry attack to the recent REvil supply chain infection affecting up to 1,500 organizations—these 12 ransomware examples will help you understand what you’re up against.

Want to learn more about what ransomware is and how it’s delivered? Check out this article instead

Nvidia attempts “hack-back” after ransomware gang steals source code

After Nvidia fell victim to ransomware in late February 2022, the semiconductor giant didn’t take the attack lying down. Instead, Nvidia installed ransomware on the perpetrator’s own machines—but appeared not to solve its problem by doing so.

Nvidia was targeted by the ransomware group known as Lapus$, which stole the company’s source code, including a proprietary hash rate limiter that reduces the usefulness of Nvidia’s chips for cryptocurrency mining. In an attempt to safeguard its intellectual property, Nvidia hired security experts to locate the attackers’ infrastructure and target it with a retaliatory ransomware strike.

While the revenge attack succeeded in infecting Lapus$’ computers—an act which, perhaps ironically, led the group to label Nvidia “criminals”—-Nvidia failed to retrieve its data as the group had backed it up. In exchange for keeping Nvidia’s data private, Lapus$ demanded the company publish its GPU drivers as open source—in addition to paying a cryptocurrency ransom, of course.


Oil pipeline ransomware attack forces supply re-route

The BlackCat ransomware group launched a ransomware attack affecting 233 German gas stations on Jan. 29, 2022, causing disruption that forced oil company Shell to re-route supplies to different depots.

The attack is believed to have leveraged vulnerabilities in two software applications, Microsoft Exchange and Zoho AdShelf Service Plus1, enabling the attackers to exfiltrate “business secrets and intellectual property,” according to the German intelligence services.

The agency also said it feared the attackers might have infiltrated “the networks of customers or service providers” as part of the attack. In addition to rerouting supplies to avoid affected fuel depots, Shell said it may have to run some previously automated processes manually.

The attack has been attributed to BlackCat, a cybercrime group that mainly targets US organizations but has extended its operations into Europe.

Flights disrupted after ransomware hits Swiss airport

Airport operator Swissport was hit by a ransomware attack on Feb 3, 2022, resulting in grounded planes and flight delays at Zurich international airport.

The attack on Swissport—which provides air cargo operations and ground services—resulted in the delay of 22 flights. Swissport managed to contain the ransomware threat relatively quickly and most critical systems appear to have remained unaffected.

But because the attack came a week after the series of ransomware attacks on European oil services (detailed above), researchers suspect that the Swissport attack may have been part of a coordinated effort to destabilize European infrastructure.


Attack on Puma exposes nearly half of workforce’s personal information

Sportswear giant Puma lost control of around half of its employees’ personal information in February 2022, after ransomware actors hit the company’s cloud provider, Kronos Private Cloud (KPC).

Puma was forced to provide notification of the data breach to the affected employees and to Attorney General offices in multiple states. News website Republic World reported that the breach lead to the theft of data about 6,632 people.

Puma said no customer data had been leaked as a result of the attack, but that it had to resort to using “pencil and paper” to carry out certain business operations.

Ransomware strike on UK snack company threatens nation’s chips and nuts supply

A ransomware attack on UK food company KP Snacks made headlines in February 2022 after reports that it could lead to shortages of some of the nation’s favorite crisps (potato chips) and roasted nuts.

Following the incident, the snack firm wrote to stores warning them to expect significant disruption to supplies with deliveries expected to be delayed and cancelled until “the end of March at the earliest.” The company said it could not “safely process orders” until it had contained the attack.

News website Bleeping Computer reported that Cybercrime group Conti featured KP Snacks on its “data leak page,” showing examples of “credit card statements, birth certificates, spreadsheets with employee addresses and phone numbers, confidential agreements, and other sensitive documents” that the group had allegedly stolen from the company.


Ransomware attacks on Ukraine deemed a “decoy” for other cyber threats

Ukraine was hit by a variety of cyberattacks in the run-up to Russia’s invasion of the country in February 2022, including massive distributed-denial-of-service (DDoS), data wiper and ransomware attacks.

Wiper attacks hit Ukranian (and seemingly Lithuanian) servers on the morning of February 24, shortly before the Russian military launched an all-out war on the country. The wiper malware makes any device it infects unusable.

Researchers at Symantec said some ransomware attacks were also detected—but it’s possible that ransomware was used as a “decoy or distraction” from these other attacks. In this case, ransomware’s disruptive nature made it the perfect distraction from the other cyberattacks that preceded Russia’s invasion.


Ransomware on candy manufacturer spoils Halloween

In October 2021, Ferrara—a candy manufacturer responsible for culinary delights such as SweeTarts, Nerds, Redhots, and Pixy Stix—announced a ransomware attack that could cause delays to production and affect Halloween deliveries.

The confectioner declined to reveal the extent of the damage caused by the attack but said it appreciated its customers’ “patience and understanding.”

Viewed in light of the hospitals, gas pipelines, and border agencies that have been hit by ransomware over the past year, Ferrara’s plight might seem insignificant—unless, perhaps, if America’s trick-or-treaters start coming home with empty baskets.

Sinclair Broadcast Group: Ransomware shuts down TV stations

US TV company Sinclair Broadcast Group was hit with ransomware in October 2021. The company operates over 600 channels, and this ransomware attack reportedly caused chaos within Sinclair’s internal and external operations.

The attack broke Sinclair’s email and phone systems and left the company unable to air certain ads and TV shows. Sinclair’s share price also dropped 3% on the day it announced the attack.

Several days after the incident, the company was still reportedly in disarray, with an anonymous source inside the company telling Vice that the attacker had “done a very good job… either by accident or by design.”

That last part is important. Once ransomware starts spreading, it takes on a life of its own—and it can quickly get out of control, causing more damage than even the attackers might have anticipated.

Vice’s source also condemned Sinclair’s alleged lack of preparedness for the incident, reportedly asking of their bosses: “Did you not have a plan? Did you not think this was a possibility? (…) In 2021, how could you not have a plan?”


Olympus hit by ransomware twice in five weeks

Japanese medical tech firm Olympus was hit hard by ransomware on September 8, 2021. The attackers encrypted Olympus’ network, disrupting the company’s EMEA operations. But just as the med-tech firm was recovering, it was attacked again on October 10, 2021—just one month after the first incident. This time, the attack impacted Olympus’ operations in the Americas.

We don’t know much about these two incidents, except that they are suspected to have been carried out by the Evil Corp ransomware gang. The attackers also reportedly used “Macaw Locker”—a new communications tool designed to evade US sanctions rules that had previously prevented victims from entering into negotiations with the group.

Ransomware actors have been known to strike the same victims multiple times—either because they have found a vulnerability they can exploit or because they know that the target is likely to pay up.


Weir Group faces $55m lost profits following ransomware attack

Scottish multinational engineering company Weir Group used its Q3 trading update to announce that it had been hit by ransomware—and that it expected profits to shrink by around 40 million GBP (55 million USD) as a result.

According to Weir Group’s statement, the incident—which occurred in early September 2021—forced the company to shut down its IT systems, enterprise resource planning operations, and engineering applications. Weir Group also said it expected the impact of the attack to continue into Q4 2021.

As a result of the ransomware incident, Weir Group said it had experienced 5 million GBP (6.8 million USD) in direct losses. But the company also said that the disruption indirectly caused by the incident was likely to cost nearly ten times that amount.

A $55 million loss would be a substantial blow for a company that expects its yearly profits to be around $316 million to $336 million—and a stark reminder of how destructive ransomware can be.




Attack on Italian government agency exposes celebrities’ personal data

Ransomware isn’t just a cybersecurity threat—it can harm people’s privacy, too. In October 2021, an Italian public body responsible for safeguarding intellectual property rights—the Società Italiana degli Autori ed Editori (SIAE)—lost over 60 GB of data to the Everest ransomware group.

BleepingComputer later found this data—which reportedly included “national ID and driver’s license scans and documents relevant to contract agreements between SIAE and its members”—publicly available on Everest’s “extortion portal.”

The group appears to be selling the data for $500,000 after the SIAE failed to pay its ransom—a reminder that ransomware gangs will follow through on their threats. Italy’s data protection authority, the Garante per la Protezione dei Dati Personali (GPDP), is investigating the matter.


2017 WannaCry attack: The world’s first taste of how bad ransomware can get

Let’s start with an attack from several years ago—before “ransomware” was a household name—that shocked the world into taking cybersecurity more seriously.

The incident started in May 2017, when hackers infected a computer with the WannaCry ransomware. Within a day, users of over 230,000 computers worldwide found that their files had been encrypted—and that they could only retrieve their data by making a Bitcoin payment to the attackers.

How could WannaCry infect so many computers?

The original infection was initially believed to have resulted from a phishing email, but researchers later concluded that the ransomware took hold via a vulnerable SMB port.

From there, the infection spread to other computers that had not downloaded a recent Microsoft security update—the hackers used a tool called EternalBlue (developed by the U.S. National Security Agency) to exploit a zero-day vulnerability in Windows.

Wannacry caused chaos across multiple sectors in more than 150 countries. The U.K.’s National Health Service (NHS) was particularly badly affected—hospitals even had to cancel operations due to the disarray caused by the attack.

The actual ransom payments—between $300-$600 each—added up to a meager $130,634. But estimates of the overall costs associated with the attack range between hundreds of millions and billions of dollars.


Colonial Pipeline attack: ransomware affects critical infrastructure

On May 6, 2021, Ransomware gang Darkside hit the Colonial Pipeline Company, a utilities firm that operates the largest refined oil pipeline in the U.S., causing chaos at gas stations across the country and netting millions of dollars in the process.

Security analysts suspect that Darkside gained access to Colonial’s systems via a single compromised password—possibly after purchasing it via the dark web.

The cybercriminals targeted Colonial Pipeline’s computer systems, stealing nearly 100 gigabytes of data and impacting the company’s billing operations—but not the actual technology enabling the flow of oil through the pipeline.

Nonetheless, the company halted oil supplies throughout the duration of the attack, sparking fuel shortages and panic-buying throughout parts of the southern U.S. and prompting the Biden administration to issue a state of emergency.


Colonial Pipeline paid the Bitcoin ransom of around $4.4 million. But the more significant impact was on wider society. Ransomware had affected the supply and cost of gas—the hackers had broken through to people’s everyday experiences.

Fake invoice leads to Ryuk ransomware infection

Wire transfer phishing—where cybercriminals commit online fraud using a fake invoice and a compromised email account—costs businesses billions each year. But in this mid-2020 case, a fake invoice led not to a fraudulent wire transfer but to a ransomware infection.

An employee at a food and drink manufacturer opened a malicious Microsoft Word file attachment to an email, unleashing the Emotet and Trickbot malware onto their computer.

The malware created a backdoor into the organization’s systems, allowing the cybercriminals to gain access and deploy the Ryuk ransomware

The company declined to pay the ransom in this case—but still incurred substantial costs. Over half of the organization’s systems were unusable for 48 hours, and the firm had to contract security experts to restore access.

Kaseya supply chain attack impacts 1,500 companies

The biggest ransomware attack on record occurred on July 2, 2021, when the REvil gang hit software company Kaseya. Organizations using Kaseya’s IT management software downloaded a malicious update that infected their computers with ransomware.

Victims received a ransom note informing them that their files had been encrypted. The note said users could retrieve their files by purchasing the cybercriminals’ $45,000 decryption software, payable in cryptocurrency.

The attack directly affected at least 60 firms—and it had downstream consequences for at least 1,500 companies. Even a Swedish supermarket chain was forced to close its doors after its payment processing equipment malfunctioned due to the attack.

A few days after the attack, a post on the cybercrime gang’s dark web page promoted a universal decryptor that could unscramble all data impacted by the attack—for the bargain price of $70 million.

The Kaseya ransomware attack was reminiscent of the notorious 2020 Solarwinds attack, which. while it did not involve ransomware, exposed the vulnerability of supply chains.

UK health service warns of Avaddon phishing attacks

In April 2021, the digital arm of the U.K.’s National Health Service (NHS) put out a warning about Avaddon ransomware, a type of ransomware that can “both steal and encrypt files” in “double extortion attacks.”

Avaddon typically arrives via a phishing email. The email contains a .jpeg or .zip file which acts as a downloader for the ransomware. In some cases, the application will terminate itself if it detects that you’re using a Russian keyboard layout. As mentioned, Avaddon not only encrypts your files—it can also steal and publicly leak them if you fail to pay the ransom.

What makes this double extortion method particularly harmful? Getting your important files encrypted is bad enough. You lose vital data and might need to cease operations until the situation is resolved.

But having your files stolen as well puts you at a heightened risk of penalties from regulators for failing to protect people’s personal data.

Stolen credentials lead to $4.4 million DarkSide attack

The North American division of chemicals distributor Brenntag lost around 150 gigabytes of company data in May 2021, when the DarkSide ransomware gang deployed ransomware on the company’s systems.

The cybercriminals reportedly demanded $7.5 million ransom, which the chemicals company managed to negotiate down to $4.4 million—a sum it reportedly paid DarkSide on May 14 to prevent the compromised data from being published.

So how did DarkSide get access to Brenntag’s systems? It appears the cybercrime gang (or one of its affiliates) purchased some of Brenntag’s user credentials on the dark web.

Credentials are a prime target for cybercriminals and are one of the data types most commonly compromised in phishing campaigns. For more information, see What is Credential Phishing?


COVID-19 testing delayed after Irish hospitals hit by ransomware

When Irish hospitals were attacked by a ransomware gang in May 2021, patient data was put at risk, appointments were cancelled, COVID-19 testing was delayed—and the world saw once again how far cybercriminals were willing to go to make money.

The hackers are believed to have targeted a zero-day vulnerability in a virtual private network (VPN) operated by the Irish Health Service Executive. The Russian cybercrime group responsible for the attack, known as Wizard Spider, reportedly demanded a $19,999,000 ransom.

After the Irish prime minister publicly declared that the country would not be paying the ransom, the healthcare system was forced to resort to keeping records on paper until the situation was resolved.