The alarming increase in ransomware attacks against organizations worldwide is not random. Over the past few years, it has become evident that certain patterns and commonalities exist among the most damaging incidents. With estimated losses ranging from millions to billions of U.S. dollars, the top ransomware attacks have left an interconnected trail of destruction in their wake.
Here we explore what many consider the top five ransomware attacks of the decade based on financial impact, number of victims affected, data sensitivity, industry disruption and public awareness.
Top 5 Ransomware Attacks of the Decade
No. 1. Change Healthcare 2024
- Estimated losses: $1.35 to $1.6 billion
- Details: Threat actor BlackCat/ALPHV stole credentials and exploited zero-day vulnerabilities in a remote management tool. Change Healthcare also failed to turn on its multifactor authentication (MFA), allowing hackers to gain access and initiate the attack. It significantly disrupted healthcare systems across the U.S., affecting various aspects of patient care.
No. 2. MGM 2023
- Estimated losses: Approximately $100 million
- Details: Hackers used social engineering tactics to enter MGM’s systems, leading to operational disruptions that disabled online reservation systems, digital room keys, slot machines and websites.
No. 3. MOVEit 2023
- Estimated losses: Around $6.5 billion
- Details: Ransomware gang CL0P gained entry by exploiting a zero-day vulnerability in MOVEit’s managed file transfer service system, allowing it to steal sensitive information from over 2,000 organizations.
No. 4. Costa Rican Government 2022
- Estimated losses: Over $125 million in the first two days + losses of $30 million daily for nearly six weeks following the attack
- Details: The government suffered two consecutive attacks by the Conti and HIVE gangs, which exploited digital vulnerabilities to encrypt and steal sensitive data. Costa Rican government operations were severely disrupted for an extended period, causing substantial economic damage.
No. 5. Colonial Pipeline 2021
- Estimated losses: $4.4 million in ransom + incalculable economic impact
- Details: Hackers exploited a VPN server vulnerability to gain access to computer systems, leading to a shutdown of the pipeline and a $4.4 million ransom payment that resulted in widespread societal disruptions and consumer panic.
Despite the diversity of businesses operating in different industries, these ransomware victims share common threads that bind them together. By examining these commonalities, chief information security officers (CISOs)—especially those in high-target industries—can glean insights to better shield their organizations from a similar fate.
3 commonalities between top ransomware attack
No. 1: Heavily regulated industries
Each of the top five attacks affected organizations in highly regulated industries, such as healthcare and oil and gas. As these organizations handle sensitive data—personal identifiable information (PII), financial data and confidential records—they are prime targets for cyber criminals. As a result, such organizations have seen an uptick in ransomware attacks, especially those located in countries where companies face fines for failing to protect sensitive data.
Under Australia’s Privacy Act, for example, organizations can be fined up to AU$50 million for data breaches. Cybercriminals capitalize on such regulations by increasingly targeting companies in these jurisdictions, knowing the threat of fines and reputational damage may prompt them to pay a ransom rather than report the incident and risk penalties.
These same organizations allocate substantial portions of their budgets to meeting regulatory requirements. This is not surprising given that the cost of regulations in the U.S. alone is estimated at $3.079 trillion. The downside is that this often means CISOs and their cybersecurity teams receive an average of only 9% of companies’ IT budgets.
This inadequate investment in cybersecurity could translate to fewer resources, staff shortages, and other weaknesses that leave companies vulnerable to ransomware attacks and various threats—a particularly perilous irony for regulated industries, which already are attractive targets for cyber criminals.
Invest in a collective defense
The similarities and interconnected nature of cyber threats across regulated industries is a strong impetus for taking part in a collective defense, defined as “an exchange of resources and expertise to strengthen the cybersecurity posture of organizations.”
A formal alliance isn’t required for businesses to participate. They can engage in cross-industry cybersecurity working groups, conduct joint exercises and simulations, share best practices and lessons learned, and collaborate to develop common standards and guidelines.
Information Sharing and Analysis Centers (ISACs) are vital in facilitating collective defense by enabling the sharing of threat intelligence, best practices, and risk management strategies among member companies. Those within an industry can pool resources and expertise by participating in ISACs to enhance their collective cybersecurity resilience. What’s more, ISACs share information with each other to maintain awareness across various sectors, enabling them to respond more effectively to cyber threats.
Understand cyber-physical risks
The most heavily regulated industries are also those most crucial to human safety, national security, and global and national economies. This means the effects of cyber-physical risks—those that begin in the digital domain but become real threats in the physical world and vice versa—can be more detrimental to them than to organizations in other industries.
Take for example the August 2023 cyber attack on Prospect Medical Holdings, which forced U.S. hospitals to close emergency rooms and ground ambulances—severely limiting healthcare services for the populations in several disparate regions. Or the ransomware attack on the Costa Rican government that sent import and export businesses into a tailspin, paralyzing the shipment of goods in and out of the country and devastating the economy as nearly all forms of commerce screeched to a halt.
No. 2: Partner and third-party user dependency
When an organization is hit by a ransomware attack, the ripple effects can disrupt an entire ecosystem of users dependent on its services—from customers and vendors to consultants. For instance, the mass exploitation of MOVEit file transfer servers in December 2023 has affected approximately 60 million people to date.
Similarly, Delta Airlines suffered a data breach through a third-party supplier that was integrated into the airline’s e-commerce platform, highlighting the critical importance of visibility and rapid response in managing third-party risk.
The breach, which cost hundreds of millions of dollars to remediate, could have been prevented if Delta had received timely notification from the supplier that it had been compromised.
Incidents like the ones suffered by MOVEit and Delta highlight the devastating consequences of delayed notification by vendors to mitigate third-party risk, underscoring the importance of early warning systems. However, getting that kind of notification early enough to act requires casting a wide net over the public data landscape, a feat that is impossible to achieve without AI-enabled solutions, like that of Dataminr Pulse for Cyber Risk.
Mitigating Third-party Risk in the Age of Mass Zero-day Exploitation
Cyber execs from CISA, Global Payments and Salesforce on managing third-party risk and exposure and cyber-physical threats—and the role AI will play.
Watch WebinarAudit networks and conduct risk assessments regularly
With companies having a high volume of connections into their system through various portals and third-party entry points, it’s critical to perform periodic audits to assess the effectiveness of cybersecurity controls, identify vulnerabilities and address any gaps.
By also sharing these assessments with stakeholders ahead of a potential attack, companies can demonstrate a transparent and proactive approach to addressing vulnerabilities, and a commitment to addressing weaknesses before they can be exploited.
Educate and engage with third-party partners
Companies must ensure partners and vendors adhere to cybersecurity measures that are as rigorous as their own to prevent third parties from potentially exposing them to risks. This includes enforcing protocols such as the exclusive use of secure connections for remote access to a vendor’s network.
Confirming the alignment of cybersecurity policies between first- and third-party companies can strengthen defenses and underscore a vendor’s commitment to risk management, fostering trust and reassuring clients of a vendor’s dedication to minimizing threats. In the event of a cybersecurity incident, trust can translate into continued partnership, as users may be likely to rely on a vendor’s guidance and remain loyal if they know every effort is made to prevent an attack.
Are Your Vendors Exposing Your Organization to Vulnerabilities?
Vendors don’t always disclose their vulnerabilities, which could leave both organizations and customers exposed. Learn how real-time cyber threat intelligence can mitigate the risk.
Read NowNo. 3: Attackers’ preference for large targets
Size isn’t a deterrent against ransomware attacks. In fact, larger, well-known organizations face unique challenges due to their expansive attack surfaces, which require constant monitoring and maintenance to prevent exploitation. Even a single small vulnerability can be enough for attackers to gain a foothold and maintain persistence within the network.
Additionally, high-profile entities are often targeted for the prestige and notoriety that comes with successfully breaching their defenses, making them attractive targets to threat actors seeking to make a name for themselves.
Organizations are worried. A survey of risk managers at large companies found that 90% are concerned that threat actors will target their organization; 68% had been hit by a cyber attack in the last 3 years. And, ransomware was found to be one of the top three cyber threats.
In comparison, a recent Guardz report analyzing small and medium enterprises revealed that 57% of respondents said their companies experienced a cyber attack, with 31% having been targeted by a breach in the past 12 months.
Recent trends show that cyber criminals are moving to smaller companies in order to infiltrate large ones.
From what we’re seeing in the threat landscape…small and medium-sized entities are among the most targeted.
Brandon Wales, U.S. Cybersecurity & Infrastructure Security Agency (CISA) Executive Director
High-profile entities typically have thousands of employees, every one of whom must understand the importance of cybersecurity. Help employees grasp the key role they play in protecting their organization by implementing the following initiatives.
Train and educate employees on risk mitigation
Large entities have large numbers of employees and each one must understand the role they play in mitigating risk. While this may seem like an obvious precaution, many CISOs don’t have a full grasp of the insider threats their employees may pose.
Whether intentionally (stealing data for financial gain or revenge) or unintentionally (negligence from lack of training), employees can cause significant harm to their organizations. CISOs should make cybersecurity awareness and training an ingrained part of company culture, including how to spot phishing scams and use strong passwords.
Implement and reinforce multi-factor authentication (MFA)
MFA is a simple yet effective way to secure access gateways. Employees with access to sensitive systems and data should have MFA requirements to ensure there is an extra layer of cybersecurity by combining something they know—like a password—with something only they can receive: a unique, one-time code sent via email or mobile app.
For example, the Change Healthcare ransomware attack may have been avoided if the company’s MFA had been turned on. This lapse in security left the organization vulnerable and allowed attackers to gain unauthorized access to Change Healthcare’s systems. The importance of prioritizing authentication measures to protect against cyber threats cannot be overstated, especially at larger companies where it may be easier for warnings to slip through the cracks.
Build cyber resilience
Being able to identify the commonalities between the largest ransomware attacks of this decade gives CISOs and other security and risk leaders a clear view into what made the organizations hit vulnerable—and potential risks within their own business. It’s one way to bolster cyber defenses and strengthen cyber resilience.
Also critical is investing in early warning systems, like that of Dataminr Pulse for Cyber Risk, which notify CISOs of cyber risks and threats as soon as they emerge. At a time when CISOs are challenged to keep up with the ever-increasing, ever-evolving risks outside of their organization, getting the earliest warnings possible means they can proactively mitigate risks faster and more effectively.
Pulse for Cyber Risk does this across the entire cyber threat landscape, from ransomware attacks and leaked credentials to domain impersonations and zero-day vulnerabilities.
Dataminr Pulse for Cyber Risk
Get a first-hand look at the power of Dataminr Pulse for Cyber Risk.
Request a Demo
