The most impactful ransomware attacks of 2023

2023 looks set to be another record-breaking year for ransomware. In the first half of this year, public attacks increased by 49% compared to the first six months of 2022. But it's important to remember that not all ransomware attacks are public.

An even more disturbing figure is the number of undisclosed ransomware attacks in 2023, which reached 1,815 in the first six months of this year. By considering these numbers, we can paint a more realistic picture of what ransomware really looks like.

There have been many noteworthy attacks this year. In this blog, we highlight some of the largest publicly reported ones and some of the biggest consequences we've seen so far.

Read on to find out which attacks earn a spot on our list.

1. In January, Royal Mail fell victim to a LockBit ransomware attack. The group hacked into the UK postal service's software and blocked all international shipments by encrypting files. Negotiations were held, but two weeks later, LockBit made a ransom demand of $80 million, or 0.5% of the company's revenue, in exchange for the files being decrypted. Royal Mail chose not to pay the ransom and to risk a data breach, which eventually happened.

2. Months later, the U.S. Marshals Service is still recovering from the February attack. The attack affected a computer system that held sensitive law enforcement data belonging to the Technical Operations Group (TOG), which provides surveillance capabilities to track fugitives. The "most critical tools" were restored within 30 days, but the Marshals Service still had to bring new versions of the affected systems online and provide better security. The stolen data includes employees' personally identifiable information (PII) as well as information returned from legal proceedings, administrative information and PII related to USMS investigation subjects and third parties.

3. Medusa made headlines when it claimed to have hacked Minneapolis Public Schools, stolen massive amounts of data, and demanded $1 million to prevent the information from being posted on the dark web. The reason behind the headlines was more sinister than the attack itself: it was the data the group ultimately leaked that caused a stir. The ransomware group dumped 300,000 files after the March attack, including confidential information such as complete sexual assault case files. Other compromised information included medical records, discrimination complaints, Social Security numbers and contact information for school district employees.

4. In March, another high-profile ransomware attack was reported, when ALPHV (aka BlackCat) infiltrated Lehigh Valley Health Network's computer systems. The incident involved systems used for "clinically appropriate patient images for radiation oncology treatment" and other sensitive information. The notorious ransomware group leaked nude photos of breast cancer patients along with medical questionnaires, passports and other sensitive patient data after the healthcare provider refused to pay the ransom. LVHN has since faced lawsuits related to the ransomware attack.

5. British outsourcing company Capita suffered a ransomware attack in March, and the company reported that recovery from the incident was expected to cost up to $25 million. The costs were attributed to "expert professional fees, recovery and remediation costs and investments to strengthen Capita's cybersecurity environment". The attack was "significantly limited" by the company's security team, but it has been confirmed that customer, supplier and employee data may have been stolen during the incident. BlackBasta claimed responsibility for the attack and published the group's data. After the attack, Capita not only suffered huge losses, but the company's share price also fell by 12%.

6. Managed Care of North America (MCNA) Dental disclosed a data breach that affected nearly 9 million patients. LockBit took responsibility for the attack and threatened to release 700GB of sensitive confidential information unless a $10 million ransom was paid. Data including PII, health insurance information, dental care or braces documents, and bills and insurance claims were then posted on the group's dark web site. The notice provided by MCNA also contains a detailed list of more than a hundred health care providers who may have been indirectly affected by the incident.

7. The fallout from a ransomware attack on the city of Dallas in May is still in the news this year. The city was forced to shut down some of its IT systems, disrupting many functions including the police and fire departments. It was recently revealed that the attack, orchestrated by the Royal ransomware group, affected more than 26,000 people. The data stolen by threat actors includes information such as names, addresses and medical information. Several city employees have reported identity theft and that some of their children's personal information was stolen. In August, the Dallas City Council announced it approved paying $8.6 million for attack-related services, including credit monitoring for potential identity theft victims.

8. There’s no doubt that Clop’s exploitation of a zero-day vulnerability in MOVEit has become one of the biggest cybersecurity news stories of the year so far. The vulnerability is believed to have been exploited since around May 27 and led to multiple waves of data breaches in the following weeks. The current list of victims is believed to be around 600 organizations, with statistics showing that nearly 40 million people have been affected by the attack so far.

It is believed that we have yet to see the true impact and consequences of this attack. Some victims publicly announced their involvement in the breach, while others were named by Clop itself. We've been monitoring this incident closely and will update our MOVEit blog as new information becomes available.

9. In June, St. Margaret's Health Center (SMH) in Illinois announced it would close after 120 years of serving the community, in part due to a 2021 ransomware attack. The attack paralyzed hospital operations for months, severely impacted the hospital's ability to bill insurance companies for services, and forced the shutdown of the hospital's IT network, email system, electronic medical records and other network operations. Other factors leading to the closure include unprecedented costs related to COVID-19, low patient volumes and staffing shortages.

10. In June, law firm HWL Ebsworth suffered a major ransomware attack, affecting at least four Australian banks. BlackCat claimed responsibility for the attack, successfully accessing HWL's servers and exfiltrating 4TB of data. A number of public and private sector entities, including Westpac, NAB, Commonwealth Bank and ANZ, may have had their data stolen in the incident. The ransom was reportedly A$5 million, but the law firm refused to pay. 1.4TB of compromised data was publicly released, including financial information, customer documents, and local and remote company credentials.

11. Ransom demands are not going down, as evidenced by the $70 million ransom demanded by Bassterlord after the TSMC attack. Threat actors affiliated with LockBit live-tweeted the ransomware attack and shared screenshots of information related to the company. LockBit announced the attack on its website and said that if the ransom was not paid, the data would be published along with network entry points, passwords and company login information. TSMC reported that it had not been breached, but the systems of one of its IT hardware suppliers, Kinmax Technology, were hacked.

12. Barts Health NHS Trust, the UK’s largest medical trust, suffered a ransomware attack in June. The attack was carried out by ALPHV (also known as BlackCat). The gang said it stole 7TB of sensitive data in what it claims is the UK's largest healthcare data breach. Samples of the stolen data included employee identification documents, including passports and driving licenses, as well as tagged internal documents. The gang also claimed to have "citizens' confidential documents." The trust is still investigating the scope of the attack.

13. Tampa General Hospital faces a class-action lawsuit following a reported cybersecurity incident in July. The incident resulted in the theft of the protected health information (PHI) of up to 1.2 million patients. Although the data was stolen, the hospital clarified that the hackers' attempt to launch a ransomware attack failed and that strong security systems prevented file encryption and further damage. The class-action lawsuit was filed against the hospital for "failing to protect patients' personal data." The hospital was also accused of failing to promptly notify affected individuals, taking nearly two months to notify them.

14. In August, Prospect Medical Holdings, one of the largest hospital networks in the United States, announced that it had been the victim of a cyberattack that caused technical issues with systems within the hospital network. After learning of the incident, the organization took systems offline to protect them and launch an investigation. Several hospitals and affiliates, including Eastern Connecticut Health Network, Crozer-Chester Health System, Southern California Hospital and CharterCARE, have reported significant impacts to their operations as a result of the cyberattack. The Daily News continues to report on the aftermath of the incident. It was unclear who was behind the attack.

We will continue to update this blog as other high-profile ransomware attacks make headlines this year.

Origin blog.csdn.net/qq_29607687/article/details/132796999