Ransomware cyberattacks are big business, so big, in fact, that research anticipates a business is attacked by a cybercriminal every 11 seconds and that damage costs from these attacks will hit around $20 billion by 2021.

In 2020, we’ll be tracking the publicized ransomware cyberattacks each month and sharing them with you via this blog.

2020 Ransomware by Industry

Ransomware by Country

Ransomware Attacks by Month

January

Starting with January, let’s look back at some of the attacks that occurred around the globe.

  1. Hackers celebrated the last New Year’s Eve of the decade with an attack on Travelex, taking down its websites across 30 countries and causing chaos for foreign exchange transactions worldwide during the month of January. The ransom was rumoured to be the sum of $6M.
  2. Next we head to the Middle East where Oman’s largest insurance company was hit by a ransomware attack causing data loss but no publicized monetary loss.
  3. To the United States next where Richmond Country Schools in Michigan had to postpone opening after the Christmas break when hackers demanded $10K in Bitcoin to restore access to the server.
  4. Another US city and another school, as this time students in the Pittsburgh Unified School District of Pennsylvania were left without internet access after a ransomware attack disabled the district’s network systems during the festive break.
  5. Next we move on to Florida where patients of a medical practice in Miramar reported that they received ransom demands from a cybercriminal threatening to release their private medical data unless a ransom was paid.
  6. Back to the education sector again as the Panama-Buena Vista School District in California experienced a ransomware attack that caused a technology and phone outage at multiple schools. While the school was working with the FBI regarding the attack, they let parents and students know that they couldn’t access any grades so report cards would be delayed.
  7. Moving on to the small town of Colonie in New York where cybercriminals hacked into the computer system and demanded $400K in Bitcoin cryptocurrency to unlock it.
  8. Next up is a synagogue in New Jersey who fell victim to a cyberattack and a ransom demand of around $500K.
  9. Next we are back to Florida where 600 computers were taken offline after a cyberattack at Volusia County Public Library.
  10. Back to Europe now where the hackers responsible for the Travelex shutdown targeted the German car parts company Gedia. The group used two Russian-speaking underground forums on the Dark Web to threaten to publish 50GB of sensitive data, including blueprints and employees’ and clients’ details, unless Gedia agreed to pay a ransom.
  11. France is next as the Bouygues construction company was paralysed by a major cyberattack affecting the entire computer network and shutting down all of the company’s servers. A ransom of €10M was requested by the cybercriminals.
  12. Back to the United States now where Electronic Warfare Associates (EWA), a 40-year-old electronics company and a well-known US government contractor, suffered a ransomware infection.
  13. Up next is Oregon, where all of the computer systems for Tillamook County went down. Despite early thoughts that the outages were a technical issue it was later confirmed they suffered a ransomware attack.
  14. Lastly we head to the City of Racine in Wisconsin where a ransomware attack caused the city’s website, email, voicemail, and payments systems to be knocked offline.

February

February saw the same number of reported attacks, with almost 60% of attacks occurring in the education and public sector verticals. Here’s a roundup of the ransomware attacks we have been tracking.

  1. The first attack of the new month was reported in Baton Rouge, Louisiana on Feb 3rd when ITI Technical College became the victim of a cyberattack via a phishing email sent at the end of January.
  2. Next up, another school to report as Scotland’s Dundee and Angus College was hit with what they described as a cyber-bomb which took down their entire IT system.
  3. Deliveries across Australia were stranded in the next reported attack as logistics company Toll Group confirmed they had to shut down their systems because of ransomware.
  4. Over to the United States now, this time it’s the North Miami Beach Police Department who reported they had become a victim of ransomware.
  5. Back to the education sector where this time it’s two Texas schools in the same district who were affected. The city of Garrison managed to make a quick recovery but the Nacogdoches Independent School District faced more of a struggle to rebound from the attack.
  6. To England next where a ransomware attack on Redcar Council forced staff back to pen and paper and 35,000 UK residents were without online public services.
  7. Next up was a Valentine’s Day cyberattack on INA Group, Croatia’s biggest oil company and its largest petrol station chain. The suspected ransomware attack had a crippling effect on business operations.
  8. Staying in Europe, the next attack occurred in Denmark where facilities firm ISS World was crippled by a ransomware attack that left hundreds of thousands of employees without access to their systems or email.
  9. Another US school district is up next, this time it’s The South Adams Schools district in Indiana where an overnight ransomware attack affected all of the schools’ IT systems.
  10. The education sector is up again as the Gadsden Independent School District in Alabama suffered a ransomware attack that managed to take down all of their internet and communications systems across all of its 24 school sites.
  11. Back to Texas again where La Salle County confirmed a ransomware demand was responsible for its ongoing technology issues.
  12. Jordan Health in New York State, a non-profit organization that operates 9 health centres in Rochester and Canandaigua was the next to suffer at the hands of cybercriminals when they reported a ransomware attack had shut down all of their IT systems.
  13. Back to Australia for the next incident. This time ransomware affected the Australian wool industry when sales were stopped by a ransomware attack at wool industry software company Talman.
  14. Closing a month of reported cyberattacks we are back in Kansas where legal services giant Epiq Global reported they had suffered a ransomware attack on the last day of the month. The attack affected the organization’s entire fleet of computers across its 80 global offices.

March

March’s numbers were on par with the first two months of the year with attackers still focusing on the education and public sector verticals. Here’s a roundup of what we uncovered for the month.

  1. The first ransomware attack of the month took place on March 2nd in La Salle County in Illinois where a cyberattack affected around 200 computers and 40 servers in the county government.
  2. On the same day hackers targeted Visser, a parts manufacturer for Tesla based in Colorado. Security researchers say the attack was caused by the DoppelPaymer ransomware, a new kind of file-encrypting malware which first exfiltrates the company’s data.
  3. On the same day it was revealed that the provincial government in P.E.I. Canada suffered a data breach when internal government documents were posted online following a ransomware attack.
  4. Next up is Missouri where Three Rivers College were forced to cancel almost all of their classes following a ransomware attack.
  5. California based defense contractor CPI was the next company to reveal they had been knocked offline by a ransomware attack. Sources say the company who makes components for military devices and equipment paid a ransom of about $500,000 after an attack in January but they were not yet operational.
  6. Next, we learned that EVRAZ, owned by Roman Abramovich and one of the world’s largest steel manufacturers, suffered a Ryuk ransomware infection that managed to take down its North American branches.
  7. Durham city was the next target when a Ryuk ransomware attack affected everything from the police to fire services. The county government services were also taken offline when 80 servers were impacted by the attack.
  8. The Fort Worth Independent School District in Texas was the next to fall victim after a string of cyberattacks took place across several Texas school districts in 2019.
  9. Next to be hit was the Champaign-Urbana Public Health District in Illinois. Their website was taken down by the NetWalker ransomware attack, hampering the organization’s response efforts amid the Coronavirus pandemic.
  10. The next attack takes us to the UK where cybercriminals hit London based Hammersmith Medical Research firm who were on standby to carry out trials of a possible future vaccine for the Covid-19 coronavirus.
  11. Another London based company was the next victim of the month. Finastra, a fintech firm that provides technology solutions to banks were forced to shut down their key systems globally after detecting a cyberattack.
  12. Next up is Connecticut-based medical and military contractor Kimchuk, who announced they were hit by DoppelPaymer, a newer strain of ransomware that exfiltrates data out of an infected network before encrypting user files.
  13. Over to Missouri next where TI Power Systems, a supplier of the energy company Ameren Missouri was hit by a ransomware attack that allowed the malicious actors behind the attack to steal information from the firm.
  14. Finally, we end a month of attacks in South Carolina where Bluffton Fire and Rescue was the next in a long line of government entities in the state to be compromised by cyberattacks in recent months.

April

April had a slow start and it initially seemed that cyberattacks were on a downward trend for the month. But things picked up mid-month starting with a major attack in Portugal. Here’s a roundup of what we uncovered.

  1. Portuguese Energy giant Energias de Portugal (EDP) were the first to report they had been a victim of a major attack when cybercriminals held them to ransom for a massive 9.9 million Euros!
  2. On the same day in Canada, the Law Society of Manitoba revealed that two un-named law firms in the province had been locked out of their computer systems after they were infected with ransomware.
  3. Up next is the small city of Olean in New York. Few details were released but we know that a ransomware attack shut down all of the computers at the Olean Municipal Building.
  4. Next up was a Maze ransomware attack on information technologies services giant Cognizant. The New Jersey headquartered organization is one of the largest IT managed services companies in the world with close to 300,000 employees and over $15 billion in revenue.
  5. Over to Denmark now where agribusiness group Danish Agro were the target of a ransomware attack on Sunday, April 19.
  6. Colorado-based Parkview Medical Center reported that their technology infrastructure was hit with a ransomware attack on April 21, causing a number of IT network outages amid the battle with Covid-19.
  7. Next is the City of Torrance in the Los Angeles metropolitan area who was allegedly attacked by DoppelPaymer Ransomware. The attackers demanded a 100 bitcoin ($689,147) ransom for a decryptor, to take down files that have been publicly leaked, and to not release more stolen files.
  8. Back to Canada next where accounting firm MNP were hit by a cyberattack which forced a company-wide shutdown of its computer systems.
  9. Next it was reported by the Architects Journal that a hacker had accessed the servers of Zaha Hadid Architects in London and had stolen confidential information in an attempt to extort money from the firm.
  10. CivicSmart, a Milwaukee, USA based company known for its parking meter technology was the next victim of a ransomware attack that exposed internal files in an attempt to elicit a ransom payment.
  11. Next up, Pennsylvania headquartered pharmaceutical giant ExecuPharm revealed that ransomware attackers had recently encrypted its servers and had stolen corporate and employee data.
  12. The final reported attack of the month takes us back to Canada, where the website and email services of the Northwest Territories Power Corporation were shut down after they received a ransomware message from unknown hackers.

May

May was a busy month for cybercriminals with 20 ransomware incidents reported. This month’s ransomware attacks took us around the globe from Taiwan to Texas. Here’s a look at what we found.

  1. On May 5 Toll Group revealed it had found itself at the mercy of cybercriminals for the second time this year. The incident was unrelated to their previous attack in February and was thought to be a relatively new form of ransomware known as Nefilim.
  2. Taiwan’s state-owned energy company CPC Corp was the next victim. Luckily the attack didn’t affect any energy production, but it did cause some disruption for customers attempting to purchase gas.
  3. Up next was Fresenius in Germany, Europe’s largest private hospital operator. The company who employ around 300,000 people across more than 100 countries confirmed that a cyberattack had affected every part of the company’s operations around the globe.
  4. Germany again for the next attack. On May 7 Ruhr University Bochum were forced to shut down large parts of their central IT infrastructure, including their backup systems, after a ransomware attack occurred overnight.
  5. Moving to the US now for what was likely the most publicized attack of the month. Grubman Shire Meiselas & Sacks, a NYC law firm with a host of celebrity clients including Elton John, Robert DeNiro and Madonna were a victim of REvil ransomware used to steal the personal information of celebrity clients. Hackers threatened to expose nearly 1TB of private celebrity data unless a ransom was paid in Bitcoin.
  6. Swiss Rail construction firm Stadler was the next victim. The company disclosed that hackers had threatened to publish sensitive data to harm the firm and its employees if the large ransom was unpaid.
  7. The seventh attack of the month goes to another repeat victim. Pitney Bowes disclosed that they had been hit by Maze ransomware less than a year after they were hit by a similar attack. The group behind Maze specializes in double extortion, an attack that increases pressure on its victims to pay by threatening to release important data in addition to encrypting systems.
  8. Elexon, the organization that helps balance and settle the UK’s electricity market was attacked by hackers using the REvil/Sodinokibi ransomware on May 11. Sensitive internal data was stolen in the attack with some posted on the Dark Web to pressure the organization into making the ransom payment.
  9. Back to the US now where the Office of Court Administration in Texas revealed that a ransomware attack was launched against its court system. It’s thought that no sensitive data was stolen, and at the time of writing they insisted that no ransom would be paid.
  10. Staying in the US, the next attack takes us to Ohio where Diebold Nixdorf, a major provider of ATMs and payment technology, disclosed that a ransomware attack had disrupted some of their operations. The company said the hackers didn’t affect the ATMs or customer networks and that the intrusion only affected its corporate network.
  11. Magellan Health, a major US healthcare provider based in Phoenix, Arizona found themselves a victim of ransomware after falling for a phishing email that appeared to be from a client. The hackers proceeded to exfiltrate records containing personal information before launching ransomware to encrypt files.
  12. Back to Australia, where this time it was BlueScope Steel who suffered IT disruption that impacted production across its global operations. The ransomware incident was thought to be caused by employees opening contaminated email attachments.
  13. The next attack takes us to the UK where Bam Construct, a firm that had recently delivered Nightingale Hospitals for the NHS during the Covid-19 crisis had fallen victim to a ransomware attack. The company said that the business “stood up well” after the incident despite being forced to take services offline to mitigate the attack.
  14. Up next was the Texas Department of Transportation who revealed they had been hit by ransomware just days after the state’s judiciary system suffered the same fate. It appears that Texas is becoming a popular destination for cybercriminals as 22 local governments were targeted by ransomware in a single attack in 2019.
  15. Anglo-Eastern, one of the largest ship managers based in Hong Kong was hit with a ransomware attack on May 18. The incident was quickly contained, and it was reported that no data was lost.
  16. Over to New South Wales next where retailer In Sport’s head office was hit by ransomware. The firm was unable to confirm what data had been accessed but they revealed that the attackers used REvil/Sodinokibi ransomware.
  17. Staying in Australia, this time it was customer experience firm Stellar who appeared to have taken a hit from a group of attackers using NetWalker ransomware. Images of data stolen from the company were posted on the Dark Web and according to a countdown timer on the site, the company had just over six days to respond to the hacker’s ransom demands.
  18. The next incident takes us to Halifax in Canada where the Northwest Atlantic Fisheries Organization (NAFO), an intergovernmental organization that manages fish stocks in international waters in the northwest Atlantic Ocean, was hit by a ransomware attack. The organization who counts a dozen countries as members, including Japan, Norway, Canada, the European Union, and Russia admitted the attack had locked them out of their data systems and knocked their website offline in a letter to stakeholders.
  19. Back to the US again where this time it’s Michigan State University. The operators of the NetWalker ransomware gang reportedly gave MSU officials seven days to pay the ransom before they planned to leak the stolen university files.
  20. IT Services Giant Conduent disclosed that a ransomware attack had affected its European operations and although customer data had hit the Dark Web, they had managed to restore their systems in 8 hours.
  21. We close out the month in Austria where a NetWalker ransomware attack was launched against the city of Weiz. The attack affected the public service system and leaked some of the stolen data from building applications and inspections.

June

Ransomware attacks surged again in the month of June with Covid-19 related phishing techniques still proving popular with cybercriminals. Notable attacks include Honda, who had their European operations significantly affected, and the University of California who reportedly paid $1.14 million to recover academic data related to its Covid-19 research. Here is a roundup of the incidents we uncovered.

  1. We start the month in South Africa with telecoms firm Telkom SA SOC Ltd. We found limited coverage of the incident, but it was reported that the attack led to outages across several systems with remote staff unable to connect to the servers or VPN.
  2. Up next is Columbia College in Chicago who were attacked just one week after Michigan State University. On the NetWalker blog the cybercriminals claimed to have exfiltrated very highly sensitive data during the attack.
  3. Hackers continued their spree on US colleges when they hit the University of California on the same day. Important Covid-19 research was encrypted during the attack and it was later disclosed that the school paid out $1.14 million to recover the data.
  4. The City of Florence in Alabama became the next victim on June 5 when a cyberattack shut down the city’s email system. The city reportedly paid over $250K to recover the encrypted data.
  5. The next attack took place at VT San Antonio Aerospace, the US subsidiary of ST Engineering Aerospace in Singapore. The ransomware attack resulted in the exposure of confidential company data including government contracts.
  6. Automotive giant Honda suffered a Snake ransomware attack which targeted its offices in the United States, Europe and Japan. The attack forced many offices to shut down in what was likely the most publicized ransomware incident of the month.
  7. Earlier in the month Australian beverage giant Lion disclosed they had been the victim of a cyberattack; they later confirmed it was ransomware. The company’s data was said to be available on the Dark Web but at the time of writing the company said they did not have any evidence of data being exfiltrated.
  8. Over to New Mexico next where nuclear missile contractor Westech International was the victim of a Maze ransomware attack. Hackers were able to access sensitive employee information, but it is still unconfirmed whether any classified military information was accessed.
  9. Next up is Norwegian shipbuilder Vard, Europe’s first attack of the month. Local reports indicate that company servers were hit with an encryption attack which led to disruption and downtime. The overall extent of the damage has not yet been disclosed.
  10. Fisher and Paykel, a white-goods manufacturer based in New Zealand disclosed they had been targeted by Nefilim ransomware. Although the attack was quickly identified, the hackers did disclose an initial leak of the company’s corporate files on the Dark Web.
  11. Up next was New York company Threadstone Advisors, a mergers and acquisitions firm whose client list includes Victoria Beckham. The Maze ransomware gang insisted that they had exfiltrated and encrypted sensitive company data.
  12. An overnight attack hit the City of Knoxville in Tennessee. Fortunately emergency services were not affected in the attack, but by the time it was noticed by the IT department the ransomware had already encrypted multiple systems. Knoxville joins a list of other targeted cities, including Atlanta, Baltimore, Denver and New Orleans.
  13. Back to Europe now where this time it was European energy giant Enel Group. The incident was the work of the Snake ransomware group who were also responsible for the attack at Honda earlier in the month.
  14. Rhode Island-based Care New England (CNE) was the victim of a cyberattack that hit its servers on June 16. The suspected ransomware attack forced the shutdown of its website and other internal systems.
  15. Up next is Florida based ConnectWise who hit the headlines when it was revealed that their partners were hit by ransomware through a software flaw in their platform.
  16. Electronics giant LG is reportedly being threatened by the Maze ransomware gang, however at the time of writing no official statement had been issued by the company.
  17. Closing out the month is another suspected attack on car giant Mitsubishi. The DoppelPaymer gang are allegedly threatening to leak data from the organization, although at the time of writing there has been no official statement from the company.

July

July was quiet in comparison to other months this year with only 12 ransomware attacks making the list. Although the number of reported attacks was lower for the month, news of the incident at Blackbaud, the cloud computing provider that serves non-profits, foundations, corporations, educational, healthcare, and religious organizations, dominated the headlines as hundreds of their customers were affected by cyberattacks and breaches due to the major ransomware attack that occurred at Blackbaud in May.

  1. We’ll start the month with Blackbaud. The incident was reported late in July but it has been revealed that the actual ransomware attack occurred in May. At time of writing we don’t know the full extent of the organizations impacted, but reports say the list currently tops 120. Multiple universities, charities and the UK Labour Party are on the list of those affected.
  2. Up next is Texas-based government institution, Trinity Metro, a transit agency that operates bus and commuter rail transportation services in Fort Worth. Phone lines and booking systems were down following the attack and a post on the NetWalker gang website showed more than 200 Trinity Metro folders containing information that was apparently exfiltrated from the agency before its systems were disrupted.
  3. Xchanging, a subsidiary of IT Services giant DXC was the next victim. DXC announced in a press release that certain systems of London based MSP Xchanging had been affected by a ransomware attack. Xchanging offers IT services and business process outsourcing to aerospace, banking, defence and insurance firms.
  4. Back to Texas again where Cooke County found themselves the next victim of REvil ransomware. The attackers threatened to start releasing data within 7 days of the attack after posting screenshots thought to be documents and data from the county’s police department on the Dark Web.
  5. Another government attack in the US is up next, this time it’s Chilton County in Alabama who implemented a shutdown after being targeted by an attack on the morning of July 7. The incident which caused a temporary disruption to the County’s computer records systems including the tag office and probate court records was announced via social media.
  6. New Jersey based IT Staffing firm Collabera were the next firm to find themselves victim of a Maze ransomware attack. Hackers were able to exfiltrate employees’ names, addresses and other personal information and infect its systems during the cyberattack.
  7. French telecommunications company Orange was the next company to fall victim, this time to Nefilim ransomware. Luckily for Orange and its 266 million customers, the incident was only related to its business services division. Data exfiltrated from Orange customers was later added to the Nefilim Dark Web site that details corporate leaks.
  8. Next up is yet another telecoms giant, this time in Argentina. Telecom Argentina fell victim to what has been described as a massive ransomware attack with the cybercriminals demanding that $7.5 million be paid in the privacy coin Monero. Twitter posts suggested that the criminal gang demanded payment prior to July 21; if the payment wasn’t made, the ransom would double while the systems would remain locked.
  9. Back to the US now for the attack on state owned New Hampshire Radio. The organization revealed that they had been hit by a ransomware attack but no personal information had been accessed. The organization also revealed that third party supplier Blackbaud had discovered and stopped an attack back in May and had contacted them in July with details.
  10. Over to Kansas next where a ransomware attack took place at the GPS and smartwatch business Garmin. The attack took the business entirely offline for more than three days and is believed to have been carried out by a Russian cybercriminal gang which calls itself “Evil Corp”.
  11. Next up was Atlanta based SiteOne, the largest national wholesale distributor of landscape supplies in the United States. The company reacted quickly to the attack and managed to recover its critical business data with little disruption.
  12. We finish the month in Germany with Dussmann Group, a global facility management specialist providing cleaning, catering, security, technical, and commercial services worldwide. The multinational company which employs over 66,000 staff worldwide and makes billions of euros in sales annually was reportedly struck by the Nefilim variant. After the attack the criminal group began posting 16,000 files to the Dark Web as proof of the attack.