A timeline of the biggest ransomware attacks


The history of technology is fraught with unintended consequences. As William Gibson wrote in Burning Chrome, “… the street finds its own uses of things.” Although Bitcoin may not have been originally conceived as a medium for ransom payments, it has quickly become a key tool for online criminals.

Ransomware, a category of “malware,” blocks access to a computer or network until a ransom is paid. Despite governments’ constant efforts to regulate cryptocurrency and mitigate its role in ransomware payments, the attacks keep coming.

Cryptocurrency ransomware payments totaled about $350 million in 2020, according to Chainalysis – an annual increase of over 300% from 2019. And because U.S. companies are legally required to report cyberattacks only if customers’ personal information is compromised, that estimate may be too conservative.


Below we list the damage from some of the highest-profile episodes.

Kaseya (2021)

On July 2, 2021, Kaseya announced that its systems had been infiltrated. Kaseya provides IT solutions to other companies – an ideal target, and in a domino effect the attack ended up affecting approximately 1,500 organizations in several countries. REvil, a cybercriminal outfit, claimed responsibility for the attack and demanded ransoms ranging from a few thousand dollars to several million, according to a Reuters report.

It is unclear how many individual companies paid, but REvil demanded $70 million in bitcoin from Kaseya. Kaseya refused to pay and chose to cooperate with the FBI and the US Cybersecurity and Infrastructure Agency. On July 21, 2021, Kaseya obtained a universal decryption key and distributed it to organizations affected by the attack.

JBS (2021)

On May 31, 2021, JBS USA, one of the largest meat suppliers in the United States, uncovered a hack that caused it to temporarily halt operations at its five largest U.S.-based factories. The ransomware attack also disrupted corporate activities in Australia and the UK. JBS paid the hackers an $11 million ransom in Bitcoin to prevent further disruption and limit the impact on grocery stores and restaurants. The FBI attributed the hack to REvil, a sophisticated criminal ring known for ransomware attacks.

Colonial Pipeline (2021)

On May 7, 2021, America’s largest “refined products” pipeline went offline after a hacker group called Darkside infiltrated it with ransomware. The Colonial Pipeline covers over 5,500 miles and transports more than 100 million gallons of fuel daily. The impact of the attack was significant: in the days that followed, the average price of a gallon of gas in the United States rose to more than $3 for the first time in seven years as drivers hurried to the pumps.

The pipeline operator said it paid the hackers $4.4 million in cryptocurrency. On June 7, 2021, the DOJ announced that it had recovered part of the ransom. U.S. law enforcement officials were able to track the payment and take back $2.3 million using a private key to a cryptocurrency wallet.

Brenntag (2021)

On April 28, 2021, the German chemical distributor Brenntag learned that it was the target of a cyber attack from Darkside, which stole 150 GB of data and threatened to leak it if its ransom demand was not met. After negotiating with the criminals, Brenntag got the initial ransom of $7.5 million down to $4.4 million, which it paid on May 11.

CNA Financial (2021)

On March 23, 2021, CNA Financial, the seventh largest commercial insurance company in the United States, revealed that it had “sustained a sophisticated cyber security attack.” The attack was carried out by a group called Phoenix, which used ransomware known as Phoenix Locker. CNA Financial eventually paid $40 million in May to get the data back. CNA has been tight-lipped about the details of the negotiations and the transaction, but says all of its systems have since been completely restored.

CWT (2020)

On July 31, 2020, the US business travel management company CWT revealed that it had been affected by a ransomware attack that infected its systems – and that it had paid the ransom. Using ransomware called Ragnar Locker, the assailants claimed to have stolen sensitive company files and knocked 30,000 company computers offline.

Because CWT is a service provider to a third of S&P 500 companies, release of the data could have been disastrous for its business. As such, the company paid the hackers about $4.5 million on July 28, just days before Reuters reported the incident.

University of California at San Francisco (2020)

On June 3, 2020, the University of California, San Francisco revealed that the UCSF School of Medicine’s IT systems had been compromised by a hacker collective called Netwalker on June 1st. The medical research institution had been working on a cure for COVID.

Apparently, Netwalker had investigated UCSF in hopes of gaining insight into its finances. Referring to the billions of dollars that UCSF reports in annual revenue, Netwalker demanded a ransom of $3 million. Following negotiations, UCSF paid Netwalker bitcoin equivalent to $1,140,895 to resolve the cyber attack. According to the BBC, Netwalker was also identified as the culprit in at least two other 2020 ransomware attacks targeting universities.

Travelex (2019)

On New Year’s Eve 2019, the London-based currency exchange Travelex was infiltrated by a ransomware group called Sodinokibi (aka REvil). The attackers got away with 5 GB of customer data, including birth dates, credit card information and insurance information. Travelex removed its website in 30 countries in an attempt to curb the virus.

In the wake of the ransomware attack, Travelex struggled with customer service. Sodinokibi initially demanded a payment of $6 million (£4.6 million). Following negotiations, Travelex paid the cybercriminals $2.3 million (285 BTC at the time, around £1.6 million) to get its data back.

WannaCry (2017)

In May 2017, a ransomware called WannaCry infected computers across the globe by exploiting a vulnerability in Windows PCs. The vulnerability WannaCry exploited was revealed in April 2017 during a massive leak of NSA documents and hacking tools by a group called Shadow Brokers.

Although the exact number of WannaCry victims remains unknown, more than 200,000 computers around the world were infected. The victims included the Spanish telecommunications company Telefónica and thousands of hospitals in the UK. Computer systems in 150 countries were affected by the attack, with a total estimated loss of about $4 billion globally.

The attackers initially demanded $300 in bitcoin to unlock infected computer systems. The demand was later increased to $600 in bitcoin. However, some researchers claim that no one got their data back even though they met the demands.

WannaCry attacks continue to this day. In February 2021, the DOJ indicted three North Korean computer programmers for their alleged role in the WannaCry outbreak.

Locky (2016)

Locky was discovered in February 2016 and is remarkable due to the incredibly high number of infection attempts it has made on computer networks. Attacks typically come in the form of an email with an attached invoice from someone claiming to be employed by the company. On February 16, 2016, analysis from Check Point identified more than 50,000 Locky attacks in one day.

Locky has many variants, but the goal is pretty much the same: Lock computer files to entice owners to pay a ransom in cryptocurrency in exchange for a decryption tool that would allow users to access their locked files again. The majority of Locky victims have been in the United States, and especially among healthcare companies, but Canada and France also experienced significant infection rates.

TeslaCrypt (2015)

Modeled on an earlier program called CryptoLocker, the earliest TeslaCrypt samples were circulated in November 2014, but the ransomware was not widely distributed until March of the following year.

TeslaCrypt was originally targeted at gamers. After infecting a computer, a pop-up would ask a user to pay a ransom of $500 in bitcoin for a decryption key to unlock the infected system. Other sources report that the requested ransoms ranged from $250 to $1000 in Bitcoin. In May 2016, the developers of TeslaCrypt released a master decryption key for affected users to unlock their computers.

CryptoWall (2014)

Widespread reports of computer systems infected with CryptoWall ransomware appeared in 2014. Infected computers were unable to access files – unless the owner paid for access to a decryption program. CryptoWall affected systems across the globe. The attackers demanded payment in the form of prepaid cards or bitcoin. CryptoWall caused about $18 million in damage, according to Help Net Security. Multiple versions of CryptoWall were released, with each version making the ransomware harder to track and combat.

CryptoLocker (2013)

The first time large parts of the world heard the term “ransomware” was during 2013’s CryptoLocker outbreak. Discovered in early September 2013, CryptoLocker would paralyze more than 250,000 computer systems over the next four months. The victims were asked to send payments in cryptocurrency or money cards to regain access. The ransomware delivered at least $3 million to its perpetrators.

A multinational law enforcement effort in 2014 succeeded in taking down the Gameover ZeuS botnet, which was a primary distribution method for CryptoLocker. The DOJ accused Russian hacker Evgeniy Mikhailovich Bogachev of being the mastermind of the botnet. Bogachev is still at large – and the FBI is currently offering a reward of up to $3 million for information leading to his arrest and/or conviction.

AIDS Trojan / PC Cyborg (1989)

The AIDS Trojan (also known as PC Cyborg) is widely regarded as the template for all subsequent attacks, and is the first known case of a ransomware attack. In 1989, more than a decade before the creation of bitcoin, a biologist named Joseph Popp distributed 20,000 diskettes at the World Health Organization’s AIDS Conference in Stockholm. The disks were labeled “AIDS Information – Introductory Diskettes” and contained a Trojan virus that installed itself on MS-DOS systems.

Once the virus was on a computer, it counted the times the computer started up. When the computer started up 90 times, the virus hid all folders and encrypted file names. An on-screen image from ‘PC Cyborg Corporation’ instructed users to send $189 to a PO address in Panama. However, the decryption process was relatively simple, and security researchers released a free tool to help victims.
