ProLion Blog - Top Ransomware Attacks
Marilyn Wilkinson, August 2023

The Five Most Expensive Ransomware Attacks & Lessons Learned

Ransomware is the fastest-growing type of cybercrime, and the global cost of ransomware damage is predicted to exceed $265 billion by 2031. These malicious acts, where cybercriminals seize control of a company’s data and demand payment for its release, often have a devastating business impact.

In this article, we explore what really happened in five of the biggest and most expensive ransomware attacks. By dissecting the methods, consequences, and lessons learned, we aim to glean valuable insights to help you better understand and mitigate the threat of ransomware.

1. UK waste disposal company Amey PLC hacked and targeted for $2 billion ransom

Company: Amey PLC

Criminal organization: Mount Locker ransomware group

Ransom: $2 billion

What happened: Amey PLC, responsible for garbage disposal and street cleaning in Trafford, UK, fell victim to a complex ransomware assault orchestrated by the Mount Locker group in December 2020.

According to the Manchester Evening News, the hackers demanded a staggering $2 billion ransom and began publishing the stolen data on a leak site, including confidential contracts, financial records, and partnership agreements. The hacker group claimed they were able to steal 143 GB of data, ranging from official government correspondence to personal identity documents of employees and directors.

It’s not clear how the incident occurred, or if it was preventable. Nonetheless, this incident serves as a stark reminder of the far-reaching implications of ransomware attacks, and that they can happen to any company in any sector.

2. European electronics retailer forced to shut down IT systems while hackers demanded $240 million

Company: MediaMarkt

Criminal organization: Hive ransomware group

Ransom: $240 million

What happened: MediaMarkt, one of Europe’s largest consumer electronics retailers with stores in 13 countries, was attacked by the Hive group in November 2021.

The Hive group attacked and encrypted MediaMarkt’s servers and workstations, forcing the company to shut down its IT systems to prevent the attack from spreading further. The incident disrupted store operations in the Netherlands and Germany, where cash registers couldn’t process credit cards or generate receipts. While online sales remained functional, the attack’s impact on physical retail was significant, rendering customer returns and purchase history lookup impossible. Allegedly, over 3,100 servers were affected.

The Hive group initially demanded an astonishing $240 million ransom, which was later negotiated down to an undisclosed amount.

According to an FBI report, the Hive ransomware group has targeted over 1,300 companies worldwide. They use a variety of methods to exploit vulnerabilities and gain unauthorized access, in some cases even bypassing multifactor authentication. This highlights the importance of a last line of defense protecting a company’s vital systems, as endpoint protection is often not enough.

3. Royal Mail victim of $80m ransomware attack

Company: Royal Mail

Criminal organization: LockBit ransomware group

Ransom: Demanded $80 million (later lowered to $40 million, payment uncertain)

What happened: A ransomware attack caused widespread disruption at Royal Mail, the British postal service and courier company, in January 2023.

Attackers hacked Royal Mail’s international shipping devices, leaving the organization unable to process international parcels at its 11,500 post office branches.

The hackers demanded an $80 million ransom to provide a decryption tool and prevent publication of the data. Negotiations ensued, with Royal Mail rejecting the demand as “absurd” and claiming they were unable to pay such a high sum. During the back-and-forth, the hackers threatened to publish stolen data unless their demand was met.

LockBit later lowered its demand to $40 million. It’s not clear if Royal Mail paid any of the ransom, but the company faced severe disruption for six weeks.

4. IT company Kaseya hacked, affecting thousands of small businesses throughout the U.S.

Company: Kaseya

Criminal organization: REvil ransomware group

Ransom: $70 million

What happened: Kaseya, a Florida-based tech company, fell victim to a massive ransomware attack by the REvil group in July 2021.

Kaseya operates as a “managed service provider,” supporting smaller businesses with their tech needs. The hackers exploited this trust, using the provider’s system to distribute malicious software through regular updates, compromising customer systems.

The attack caused widespread disruption, affecting 800-1,500 businesses globally, according to the company’s own estimates. The impact extended across continents, affecting supermarkets in Sweden and schools in New Zealand.

REvil, a Russian hacker collective, claimed responsibility for the attack, sparking concerns of an escalating ransomware arms race. The Biden administration subsequently began discussions on domestic and international countermeasures.

5. U.S. insurance company CNA paid $40 million to regain control of their systems

Company: CNA Financial Corp

Criminal organization: Believed to be linked to Evil Corp

Ransom: $40 million

What happened: CNA Financial, a major U.S. insurance company, encountered a ransomware attack in March 2021.

Hackers used a fake browser update to breach an employee’s workstation. Gaining higher privileges, they traversed the network and infiltrated multiple devices before deploying the ransomware, encrypting over 15,000 systems, including remote workers’ devices connected to the company’s VPN.

The attackers stole sensitive data, including names, Social Security numbers, and medical information, affecting employees, former employees, dependents, and some customers. Although the hackers did not leak the data, the company chose to notify affected individuals.

CNA conducted a cybersecurity investigation but was only able to regain control of its systems by paying the $40 million ransom. The total business impact of this incident is even higher. The company incurred costs for cybersecurity support and business disruption, and they suffered reputational damage due to compromised customer data.

Lessons learned from the biggest ransomware attacks

These attacks show that any company, in any sector, can fall victim to a ransomware attack and be extorted for millions of dollars. This raises the question: what could the companies in these examples have done differently?

In all of these incidents, the hackers exploited vulnerabilities to infiltrate the companies’ systems. This is why a last line of defense is so essential, and that’s where ProLion can help.

ProLion’s CryptoSpike builds an additional layer of protection that goes beyond endpoint protection, safeguarding your critical systems at the storage level. By analyzing data access to the storage system, CryptoSpike detects ransomware attacks and suspicious behavior, stopping hackers in their tracks, and making it possible to restore affected files immediately.

Learn more about how CryptoSpike works here, or get in touch with our team to get a personalized live demo.

About ProLion

ProLion offers powerful data protection solutions that safeguard critical storage and backup data, on-premises or in the cloud. From ransomware protection that detects threats in real time to data transparency, our industry-leading solutions ensure your storage system remains secure, compliant, manageable, and accessible around the clock.