For years, ransomware actors have released new families and launched attack campaigns with increasing frequency and in increasing numbers. Such activity peaked in 2017 and then fell as cryptocurrency miners rose in popularity. That decline was short-lived, however. Between Q4 2018 and Q1 2019, Malwarebytes observed a 195 percent increase in ransomware detections involving business targets; compared to Q1 2018, the increase was even greater at 500 percent.
Ransomware attacks of varying significance made news over that multi-year period. Here are 10 of the most significant of those attacks. (For the purposes of this article, “most significant” does not account only for the number of users affected. It also takes into account other factors such as distribution, costs, updates, media coverage and potential damages for future victims.)
Hollywood Presbyterian Medical Center
In February 2016, Hollywood Presbyterian Medical Center temporarily suspended its IT system after detecting suspicious activity. The southern California medical center subsequently shut down several departments and diverted patients to other institutions for treatment while staff recorded registrations/logins via paper and fax. A few days later, the hospital revealed that ransomware had affected its systems; Hollywood Presbyterian Medical Center ultimately paid the ransom of 40 bitcoins (then worth $17,000) after working with law enforcement.
San Francisco MTA
Later in 2016, ransomware attackers targeted 2,000 computers owned by San Francisco’s transport system (known as Muni). This incident didn’t disrupt the system’s rail and bus network, but it did affect Windows workstations, servers and ticketing machines. As a result, many passengers enjoyed free rides on Muni’s trains and buses while IT personnel worked to recover from the attack. Their efforts revealed that a strain of HDDCryptor had struck the transport agency and had demanded 100 bitcoins ($70,000) in ransom.
WannaCry
On 12 May 2017, an updated version of WCry/WannaCry ransomware called “WanaCrypt0r 2.0” struck hospitals belonging to the United Kingdom’s National Health Service (NHS), telecommunications provider Telefonica and other high-profile targets around the world. Researchers ultimately determined that WannaCry had spread by using EternalBlue, an exploit for a Windows SMB vulnerability that Microsoft had already patched in a March 2017 security bulletin. In total, WannaCry demanded $300 in bitcoin from more than 300,000 organizations worldwide through that attack.
NotPetya
News of NotPetya first broke on 27 June 2017 when power distributors in Ukraine and the Netherlands confirmed hacking attacks that affected their systems. Not long afterwards, Ukraine’s government, the offices of multinationals in Spain and the British advertising group WPP confirmed similar incidents. Researchers quickly traced the attacks to Petya ransomware. A closer look by Kaspersky Lab, however, revealed that the malware had only borrowed code from Petya and in practice behaved as a wiper, leaving no realistic path to recovery even if victims paid. For that reason, Kaspersky named the threat “NotPetya.”
BadRabbit
A week before Halloween that same year, Kaspersky Lab revealed it had received “notifications of mass alerts” of a new ransomware targeting Ukrainian and Russian organizations. Victims included the Russian news media outlets Fontanka.ru and Interfax as well as Kiev’s metro system and an airport in Odessa. Kaspersky’s researchers ultimately identified the threat as BadRabbit. The campaign used drive-by attacks to deliver the ransomware dropper; it was a small-scale operation that demanded 0.5 bitcoin in ransom from hundreds of victims.
Colorado Department of Transportation
Colorado’s Department of Transportation (CDOT) spotted an infection of SamSam ransomware on 21 February 2018. An investigation revealed that the malware had encrypted files on all employee computers running Windows and McAfee antivirus software. As a result of those findings, the Department took 2,000 employee machines offline and began working with the FBI to remove the ransomware from all affected computers and to recover its systems from data backups. Less than a month later, however, CDOT suffered an infection from another SamSam variant.
City of Atlanta
In late March 2018, Atlanta officials determined that ransomware had taken down several customer-facing systems used by the city, including bill payment applications, and that the attackers had demanded a ransom of $51,000 for the recovery of the entire system. Atlanta Mayor Keisha Lance Bottoms refused to pay the attackers, and in the months that followed the city spent millions on emergency tech contracts to rebuild the affected IT systems. In August of that year, reports emerged that a full recovery might cost the city as much as $17 million.
Port of San Diego
Not long thereafter, the Port of San Diego revealed that it had suffered a ransomware attack. The crypto-malware, which had not been identified at the time of the incident’s disclosure, had disrupted several information technology systems used by the Port. As a result of the attack, the Harbor Police Department resorted to alternative means and methods to continue serving the public. The Port also notified the public that the attack might affect its processes for issuing park permits, honoring public records requests and fulfilling business services.
Three Florida Cities
In June 2019, two Florida city governments each paid hundreds of thousands of dollars to ransomware actors in order to recover their affected data and assets. The first municipality, Riviera Beach, paid $600,000 in bitcoin to digital attackers who had locked its IT system with ransomware. Less than a week after that, Lake City handed $460,000 over to the attackers after the municipality suffered a “triple threat” attack in which Emotet malware downloaded Trickbot, which in turn delivered Ryuk ransomware.
23 Texas Towns
Later that same summer, the Texas Department of Information Resources (DIR) disclosed a ransomware attack that affected more than 20 entities, most of them small city governments. DIR responders subsequently engaged with all affected entities to determine how best to help those victims recover. Within a matter of days, DIR had helped 25 percent of the affected entities transition from response and assessment to recovery and remediation. Government officials were still investigating the source of the attack at the time of publication.
Now It’s Your Turn!
Did we miss a significant ransomware attack which you feel belongs in our list? If so, let us know on Twitter (@TripwireInc).
In the meantime, organizations and users alike should follow these recommendations to prevent a ransomware infection from occurring in the first place. They should also consider using a sophisticated solution that can detect both known malware signatures and evidence of zero-day threats. Learn how Tripwire can help in that regard.