Ransomware is the fastest-growing type of cybercrime, and the global cost of ransomware damage is predicted to exceed $265 billion by 2031. These malicious acts, where cybercriminals seize control of a company’s data and demand payment for its release, often have a devastating business impact.
In this article, we explore what really happened in five of the biggest and most expensive ransomware attacks. By dissecting the methods, consequences, and lessons learned, we aim to glean valuable insights to help you better understand and mitigate the threat of ransomware.
1. UK waste disposal company Amey PLC hacked and targeted for $2 billion ransom
Company: Amey PLC
Criminal organization: Mount Locker ransomware group
Ransom: $2 billion
What happened: Amey PLC, responsible for garbage disposal and street cleaning in Trafford, UK, fell victim to a complex ransomware assault orchestrated by the Mount Locker group in December 2020.
According to the Manchester Evening News, the hackers demanded a staggering $2 billion ransom and began publishing the stolen data on a leaked site, including confidential contracts, financial records, and partnership agreements. The hacker group claimed they were able to steal 143 GB of data, ranging from official government correspondence to personal identity documents of employees and directors.
It’s not clear how the incident occurred, or if it was preventable. Nonetheless, this incident serves as a stark reminder of the far-reaching implications of ransomware attacks, and that it can happen to any company in any sector.
2. European electronics retailer forced to shut down IT systems while hackers demanded $240 million
Criminal organization: Hive ransomware group
Ransom: $240 million
What happened: MediaMarkt, one of Europe’s largest consumer electronics retailers with stores in 13 countries, was attacked by the Hive group in November 2021.
The Hive group attacked and encrypted MediaMarkt’s servers and workstations, forcing the company to shut down its IT systems to prevent the attack from spreading further. The incident disrupted store operations in the Netherlands and Germany, where cash registers couldn’t process credit cards or generate receipts. While online sales remained functional, the attack’s impact on physical retail was significant, rendering customer returns and purchase history lookup impossible. Allegedly, over 3,100 servers were affected.
The Hive group initially demanded an astonishing $240 million ransom, which was later negotiated down to an undisclosed amount.
According to an FBI report, the Hive ransomware group has targeted over 1,300 companies worldwide. They use a variety of methods to exploit vulnerabilities and gain unauthorized access, in some cases even bypassing multifactor authentication. This highlights the importance of a last line of defense protecting a company’s vital systems, as endpoint protection is often not enough.
3. Royal Mail victim of $80m ransomware attack
Company: Royal Mail
Criminal organization: LockBit ransomware group
Ransom: Demanded $80 million (later lowered to $40 million, payment uncertain)
What happened: A ransomware attack caused widespread disruption at Royal Mail, the British postal service and courier company, in January 2023.
Attackers hacked Royal Mail’s international shipping devices, leaving the organization unable to process international parcels at its 11,500 post office branches.
The hackers demanded a $80 million ransom to provide a decryption tool and prevent publication of the data. Negotiations ensued, with Royal Mail rejecting the demand as “absurd” and claiming they were unable to pay such a high sum. During the back-and-forth, the hackers threatened to publish stolen data unless their demand was met.
LockBit later lowered its demand to $40 million. It’s not clear if Royal Mail paid any of the ransom, but the company faced severe disruption for six weeks.
4. IT company Kaseya hacked, affecting thousands of small businesses throughout the U.S.
Criminal organization: REvil ransomware group
Ransom: $70 million
What happened: Kaseya, a Florida-based tech company, fell victim to a massive ransomware attack by the REvil group in July 2021.
Kaseya operates as a “managed service provider,” supporting smaller businesses with their tech needs. The hackers exploited this trust, using the provider’s system to distribute malicious software through regular updates, compromising customer systems.
The attack caused widespread disruption, affecting 800-1,500 businesses globally, according to the company’s own estimations. The impact extended across continents, affecting supermarkets in Sweden and schools in New Zealand.
REvil, a Russian hacker collective, claimed responsibility for the attack, sparking concerns of an escalating ransomware arms race. The Biden administration subsequently began discussions on domestic and international countermeasures.
5. U.S. Insurance company CNA paid $40 million to regain control of their systems
Company: CNA Financial Corp
Criminal organization: Believed to be linked to Evil Corp
Ransom: $40 million
What happened: CNA Financial, a major U.S. insurance company, encountered a ransomware attack in March 2021.
Hackers used a fake browser update to breach an employee’s workstation. Gaining higher privileges, they traversed the network and infiltrated multiple devices before deploying the ransomware, encrypting over 15,000 systems, including remote workers’ devices connected to the company’s VPN.
The attackers stole sensitive data, including names, Social Security numbers, and medical information, affecting employees, former employees, dependents, and some customers. Although the hackers did not leak the data, the company chose to notify affected individuals.
CNA conducted a cybersecurity investigation but was only able to regain control of its systems by paying the $40 million ransomware. The total business impact of this incident is even higher. The company incurred costs for cybersecurity support and business disruption, and they suffered reputational damage due to compromised customer data.
Lessons learned from the biggest ransomware attacks
These attacks show that any company, in any sector, can fall victim to a ransomware attack and be extorted for millions of dollars. This raises the question, what could the companies in these examples have done differently?
In all of these incidents, the hackers exploited vulnerabilities to infiltrate the companies’ systems. This is why a last line of defense is so essential, and that’s where ProLion can help.
ProLion’s CryptoSpike builds an additional layer of protection that goes beyond endpoint protection, safeguarding your critical systems at the storage level. By analyzing data access to the storage system, CryptoSpike detects ransomware attacks and suspicious behavior, stopping hackers in their tracks, and making it possible to restore affected files immediately.
ProLion offers powerful data protection solutions that safeguard critical storage and backup data, on-premises or in the cloud. From ransomware protection that detects threats in real time to data transparency, our industry-leading solutions ensure your storage system remains secure, compliant, manageable, and accessible around the clock.