For the last decade, ransomware attacks have been one of the most pervasive and damaging cybersecurity threats, harming businesses, government agencies, and even critical infrastructure worldwide. We write about this kind of cybercrime often, covering developments like ransomware-as-a-service (RaaS), intermittent-encryption ransomware, encryption-less ransomware, and more.
But what does ransomware look like on the ground, so to speak? What are some of the most damaging attacks, and how did they come about? Today, we’ll dive into real-life examples of ransomware attacks and explore best practices to mitigate this ever-growing cyber threat.
We all know the basics: Ransomware encrypts (and sometimes exfiltrates) a victim’s data, rendering the encrypted files and systems inaccessible until a ransom demand is paid and the decryption key is turned over. But the actual forms that ransomware takes — as well as the methods by which it accesses victim networks and the means by which it demands a payment — can vary widely. Below, we cover some of the most notorious and damaging ransomware infections of the last decade by sector.
Cyberattacks targeting critical infrastructure represent a significant threat to national security and public safety. There are two particularly notable ransomware attacks that have targeted critical infrastructure in the past decade: the Colonial Pipeline attack in 2021 and the Ukraine power grid attacks in 2015 and 2016.
In May 2021, Colonial Pipeline, one of the largest fuel pipeline operators in the United States, fell victim to an attack by the DarkSide ransomware group. The attack forced Colonial Pipeline to temporarily shut down its operations, leading to fuel shortages and disrupting the gasoline supply chain on the East Coast.
Meanwhile, Ukraine experienced significant cyberattacks on its critical infrastructure and power grid in December 2015 and 2016. These cyberattacks, widely attributed to Russian state-sponsored actors, disrupted power distribution in Ukraine, leaving hundreds of thousands of people without electricity. While the exact ransomware variants used in these attacks were not disclosed, the incidents serve as stark reminders of the impact of ransomware on essential services.
Healthcare organizations are prime targets for ransomware attacks due to the sensitive nature of their patient data and the essential role they play in public health. In fact, according to an FBI report, healthcare was the top critical sector targeted by ransomware in 2022.
One of the largest attacks in recent months was on the CommonSpirit Health system, which saw 620,000 patient records impacted. Although patient data was not believed to be leaked, the nonprofit health system had to take its electronic medical records and patient portal offline and reschedule appointments.
Another particularly notable attack targeted the Vastaamo practice in Finland in 2020. Tens of thousands of psychotherapy patients at the practice had their confidential treatment records hacked, with threats to leak them online unless they paid the ransom.
Higher education institutions store vast amounts of sensitive data, including financial records, research, student records, and intellectual property, making them attractive targets for ransomware attacks. Cybercriminals are known to target colleges and universities during school breaks, when IT staff aren’t around to prevent or mitigate attacks.
The most devastating ransomware attack on higher education was undoubtedly the one on Lincoln College, a historically Black college in Illinois that was ultimately forced to close in 2022 after the attack led to major financial damages and a drop in enrollment. Other institutions — including the University of California, San Francisco and Minnesota State University-Moorhead — have also been hit hard by ransomware in recent years.
Supply-chain ransomware attacks involve targeting third-party vendors or service providers to gain access to their clients’ networks. They can be particularly insidious because third parties often have weaker security controls than the large enterprises they serve.
The most notorious supply-chain ransomware incident was the SolarWinds attack in 2020. That attack involved compromised software updates from supplier SolarWinds that were distributed to thousands of organizations worldwide. The hackers also inserted a backdoor into the software, allowing them to gain unauthorized access to the networks of SolarWinds customers, including government agencies such as the Pentagon and Fortune 500 companies like Microsoft and Intel.
However, SolarWinds isn’t the only vendor to be hit by this kind of attack. In July 2021, a supply-chain ransomware attack targeted Kaseya, a provider of remote management software used by managed service providers (MSPs) to administer IT systems. The attackers managed to distribute the ransomware to hundreds of organizations through their MSPs, highlighting the interconnected nature of supply-chain ecosystems and the potential ripple effects of ransomware attacks.
Ransomware variants are essentially different versions or families of ransomware, with each variant possessing its own distinct encryption methods and propagation techniques. Variants can vary widely in their sophistication, ranging from easily detectable versions to highly complex and evasive strains.
Because of this wide variety in ransomware families, it’s important to understand the general ransomware landscape. Different types of ransomware often require different mitigation techniques, and knowing which variants they’re facing helps cybersecurity professionals to stay ahead of evolving threats.
From Petya and NotPetya to Locky, CryptoLocker, and Bad Rabbit, there are dozens of examples of ransomware families. Here are a few of the most common and most dangerous variants from the last decade.
Given the severe consequences of ransomware attacks, it’s crucial for individuals and organizations to implement robust cybersecurity measures. An effective ransomware mitigation plan will encompass everything from advanced technical safeguards to a security-conscious company culture. Here are some top tips and strategies:
Regularly back up data. Maintain regular backups of essential data and ensure they are stored securely offline or in the cloud. Regularly test the backups to verify their integrity and effectiveness in restoring operations.
Patch systems regularly. Keep operating systems, software, and firmware up to date with the latest security patches. Vulnerability management plays a critical role in mitigating ransomware and other types of malware attacks and avoiding data breaches.
Employee training and awareness. Educate employees about phishing emails, malicious email attachments, smishing on mobile devices, and other social engineering tactics used by threat actors. Make sure workers are also up to speed on good password hygiene and multi-factor authentication (MFA). Encourage a culture of cybersecurity awareness, with regular training sessions or cybersecurity exercises to reinforce office security procedures. And, if your employees are working from home via the Remote Desktop Protocol (RDP), make sure their connection is secure, since exposed RDP is one of the most common entry points for ransomware attacks today.
Create incident response plans. Develop or amend your incident response plans to include the steps to take in the event of a ransomware infection. Ensure that roles and responsibilities, including communication with relevant stakeholders, are clearly defined to facilitate a swift and coordinated response.
Network segmentation and endpoint protection. To contain ransomware inside your organization and limit its impact on critical data, implement network segmentation. To detect ransomware threats early, deploy advanced endpoint protection solutions — especially those that utilize tools like behavioral analysis, threat intelligence, and AI and machine learning.
Know your remedies. For many common forms of ransomware, there are now decryptor tools available online, some of them free. The FBI, for instance, released a decryption tool for Blackcat in December 2023, and other sources have solutions for other types of ransomware.
Consider ShardSecure. The ShardSecure platform mitigates the impact of ransomware in on-prem, cloud, and hybrid-cloud architectures. It protects the accuracy and integrity of data with multiple data health checks that detect unauthorized tampering by ransomware. In the event that a health check fails, the platform’s self-healing feature immediately begins to reconstruct affected data, protecting it from unauthorized deletion, compromise, or loss.
ShardSecure also protects sensitive data from double extortion attacks, automatically reconstructing and relocating data compromised by ransomware. With virtual clusters that deploy on-prem or in the cloud, the platform also offers high availability during attacks and other disruptions to maintain robust data resilience.
To learn more about how the ShardSecure platform mitigates ransomware attacks, visit our ransomware solutions page or check out our other resources.
Cyber-Attack Against Ukrainian Critical Infrastructure | CISA
FBI: Healthcare hit with most ransomware attacks of any critical sector | Healthcare Executive
'Shocking' hack of psychotherapy records in Finland affects thousands | The Guardian
Lincoln College in Illinois to Close, Hurt by Covid and Ransomware Attack | The New York Times
A 'Worst Nightmare' Cyberattack: The Untold Story Of The SolarWinds Hack | NPR
The Kaseya ransomware attack: A timeline | CSO Online
REvil ransomware attack against MSPs and its clients around the world | Securelist
Law enforcement disrupt world’s biggest ransomware operation | Europol
The Top 10 Ransomware Groups of 2023 | BlackFog
Ransomware WannaCry: All you need to know | Kaspersky
MedusaLocker Ransomware Leveraged In Healthcare Cyberattacks | Health IT Security
What is Maze ransomware? | Cloudflare
Ransomware Spotlight: Play | Trend Micro
Unmasking the Shapeshifter: Threat Hunting for BianLian Malware | Medium
RDP Ransomware: Everything You Need to Know | ransomware.org
FBI disrupts Blackcat ransomware operation, creates decryption tool | Bleeping Computer