Most Impactful Ransomware Attacks of 2023

In January we saw Royal Mail fall victim to a ransomware attack at the hands of LockBit. The group hacked into the UK’s postal services’ software and blocked all international shipments by encrypting files. Negotiations took place between the two sides, but after two weeks, LockBit set a ransom demand of $80 million, 0.5% of the company’s revenue, in exchange for the decryption of the files. Royal Mail chose to not pay the ransom and take the risk of their data being leaked, which ultimately happened.

Months later, the US Marshals Service is still recovering from an attack which took place in February. The attack impacted a computer system which held sensitive law enforcement data belonging to the Technical Operations Group (TOG) who provide surveillance capabilities to track fugitives. “Most critical tools” were restored within 30 days, but the Marshal’s service is still to bring in a new version of the impacted system online with better security. Stolen data included employees’ personally identifiable information alongside returns from legal processes, administrative information and PII pertaining to subjects of USMS investigations and third parties.

Medusa hit the headlines when the group claimed an attack on Minneapolis Public Schools, exfiltrating a trove of data and demanding $1million to keep the information from being posted on the dark web. The reason behind the headlines was more sinister than the attack itself, it was the data they eventually leaked that caused a stir. Confidential information including complete sexual assault case folios were among the 300,000 files dumped by the ransomware group in March after the attack. Other leaked information included medical records, discrimination complaints, SSNs and contact information of district employees.

Another ransomware attack with sinister consequences was reported in March when ALPHV, aka BlackCat, infiltrated Lehigh Valley Health Network’s computer system. The incident involved systems used for “clinically appropriate patient images for radiation oncology treatment” and other sensitive information. The notorious ransomware group leaked naked images of breast cancer patients along with medical questionnaires, passports, and other sensitive patient data after the healthcare provider refused to pay the ransom demanded. LVHN have since faced lawsuits in relation to this ransomware attack.

British outsourcing company Capita was hit by a ransomware attack in March, since reporting that recovery from the incident is expected to cost up to $25million. Expenses have been attributed to “specialist professional fees, recovery and remediation costs and investment to reinforce Capita’s cyber security environment.” The attack was “significantly restricted” by the company’s security team, but it was confirmed that customer, supplier, and employee data may have been stolen during the incident. BlackBasta claimed responsibility for the attack and has published data belonging to the organization. Not only has Capita incurred exceptional costs but the share price for the company dropped 12% after the attack.

Managed Care of North America (MCNA) Dental exposed a data breach which impacted almost 9 million patients. LockBit claimed the attack, threatening to publish 700GB of sensitive confidential information unless the $10million ransom was paid. Data including PII, health insurance information, care for teeth or braces documentation, and bills and insurance claims was later posted on the group’s dark web site. On the notice MCNA provided, there was also an extensive list of over one hundred healthcare providers that may have been indirectly impacted by the incident.

The fallout from a ransomware attack on City of Dallas in May this year is still making the news. The city was forced to shut down some of its IT systems, with a number of functional areas including the police and fire department experiencing disruption. It has recently come to light that over 26,000 people were affected by the attack orchestrated by Royal ransomware group. Information including names, addresses and medical information is among the data exfiltrated by the threat actors. Some city employees have already reported identity theft, with some of their children also having personal information stolen. In August, it was announced that the Dallas City Council approved $8.6 million in payments for services relating to the attack, including credit monitoring for potential identity theft victims.

There is no question that Clop’s exploitation of the zero-day vulnerability within MOVEit has been one of the biggest cybersecurity news stories of the year so far. The vulnerability is believed to have been exploited since around May 27th and has led to multiple waves of data breaches in the weeks following. The current victim list is now believed to be at around 600 organizations, with tallies showing that nearly 40 million people have been affected so far by the attack.

It is believed that we are yet to see the real impact and fallout of this attack. Some victims have publicly announced their involvement in the breach, others have been named by Clop themselves. We’ve been following the incident closely and have been updating our MOVEit blog with new information as it becomes available.

In June it was announced that St Margaret’s Health (SMH) in Illinois would be closing after 120 years of serving the community, partially due to a 2021 ransomware attack. The attack crippled operations for months, catastrophically impacting the hospital’s ability to collect payments from insurers for services rendered and forced the shutdown of the hospital’s IT network, email systems, electronic medical records, and other web operations. Other factors leading to the closure included unprecedented expenses tied to COVID-19, low patient volumes and staff shortages.

At least four Australian banks were impacted when a major ransomware attack hit law firm HWL Ebsworth in June. BlackCat claimed the attack, successfully accessing HWL’s servers and exfiltrating 4TB of data. Westpac, NAB, the Commonwealth Bank and ANZ were among the many public and private sector entities who may have had data stolen during the incident. The ransom was reportedly $5million AUSD which the law firm refused to pay. 1.4TB of the exfiltrated data was publicly released which included financial information, customer documentation, and local and remote company credentials.

Ransom demands are not declining, which is made clear by the $70million ransom demanded by Bassterlord following an attack on TSMC. The threat actor, who is affiliated with LockBit, live tweeted the ransomware attack, sharing screenshots of information relating to the company. LockBit posted the attack on their site and stated should the ransom payment not be made the data would be leaked along with published points of entry into the network and password and company logins. TSMC has reported that it has not been breached but rather the systems of one of the IT hardware suppliers, Kinmax Technology, was hacked.

Barts Health NHS Trust, the largest health trust in the UK, was hit by a ransomware attack in June which was claimed by ALPHV, aka BlackCat. The gang stated that it had stolen 7TB of sensitive data in what is claimed to be the biggest breach of healthcare data in the United Kingdom. Samples of the stolen data included employee identification documents including passports and driver’s licenses and labelled internal documents. They also claim to have “citizens’ confidential documents.” The trust is still investigating the scope of the attack.

A class-action lawsuit has been filed against Tampa General Hospital following a cybersecurity incident reported in July. The incident resulted in the theft of protected personal health information (PHI) of up to 1.2 million patients. Although data was stolen, the hospital clarified that the hackers had failed in their attempt to launch a ransomware attack, with robust security systems preventing encryption of files and further damage. The class-action law suit filed against the hospital is for “failing to protect the personal data of its patients.” The hospital is also being accused of failing to notify impacted individuals on time, taking nearly two months to notify them.

In August Prospect Medical Holdings, one of the largest hospital networks in the US announced that it had fallen victim to a cyberattack which caused technical issues for the internal systems of the hospital’s network. Upon learning of the incident, the organization took systems offline to protect them and launched an investigation. Multiple hospitals and affiliates including Eastern Connecticut Health Network, Crozer-Chester Medical System, Southern California Hospital and CharterCARE have reported the substantial impact that this cyberattack has had on their operations. The fallout from this incident continues to be reported in the news daily. It is not yet clear who is behind the attack.

Danish hosting firms CloudNordic and AzeroCloud suffered ransomware attacks causing the catastrophic loss of the majority of customer data. Threat actors shut down the organization’s systems, wiping both company and customers’ websites and email systems. Backups were also impacted as well as production data. Those behind the combined attack are still yet to be named but reports suggest that a ransom of six Bitcoins or $157,000 has been demanded to restore the data. CloudNordic released a statement notifying clients that they neither can nor wish to meet the financial demands of the criminal hackers.

One of the biggest news stories in September was BlackCat’s ransomware attacks on two of the biggest names on the Las Vegas Strip!

MGM Resorts reported a 36-hour outage due to the ransomware attack, creating huge downtime costs and financial losses. For every hour the gaming floor was down, money was lost, likewise with the reservation services and websites. Ten days after the incident MGM announced that hotels and casinos were “operating normally” again. BlackCat claimed that one of its affiliates, being tracked as Scattered Spider, was responsible for executing this attack by using social engineering to identify an IT employee on LinkedIn and then within 10 minutes of calling the help desk, the attack was launched. Reports suggest that 6TB of data was exfiltrated and servers encrypted but the threat actors stated that the lack of communication indicates that the company has no intention of negotiating a ransom payment.

A few days after the attack on MGM resorts hit the headlines, it was revealed that Caesars Entertainment also fell victim to an attack. The same affiliate, Scattered Spider, who was responsible for carrying out the attack on MGM orchestrated the attack on the Nevada-based hotel and casino company. The disclosure made by Caesars indicated that the attackers specifically accessed the “Caesar’s Rewards” loyalty database. Reports indicate that attackers initially demanded $30million ransom payment, but Caesars was able to negotiate the eventual amount down to $15million. It appears the attack took place several weeks before the MGM breach, with the ransom payment being made mere days before the attackers moved on to the other casino giant.

Yet another organization has been forced to close after the devastating consequences of a ransomware attack. KNP Logistics, one of the UK’s largest privately owned logistics groups, declared itself insolvent, blaming a ransomware attack in June. The “major” ransomware incident affected key systems, processes, and financial information, which adversely impacted on the financial position of the Group and its ability to secure additional investment and funding. The attack is believed to have been orchestrated by Akira. As a result of the administration process, approximately 730 employees will be made redundant.

In September, Johnson Controls International suffered a massive ransomware attack which encrypted many of the company devices, impacting the company’s and its subsidiaries’ operations. The organization was initially breached at its Asia offices, but the attack caused the company to shut down part of its IT systems, with its subsidiaries displaying technical outage messages on website login pages and customer portals. New entry, Dark Angels was credited for the attack, with the group claiming to have exfiltrated over 27TB of corporate data and encrypted the company’s VMWare ESXi virtual machines. The ransom note provided by the gang linked to a negotiation chat where a ransom demand of $51million was posted in exchange for providing a decryptor and the deletion of stolen data. Recent reports suggest that the stolen data may contain sensitive Department of Homeland Security (DHS) data.

November seen Wall Street and Beijing fight the fallout of a ransomware attack on China’s biggest bank, ICBC. The attack sent failed trading rates in the US Treasury market soaring to $60 billion, which must be resolved by the Federal Reserve. ICBC’s Financial Services Unit was unable to clear U.S. Treasury trades and subsequently isolated its affected systems after the attack shut down the bank’s New York subsidiary. The unit was temporarily unable to access its corporate email accounts and was forced to send crucial settlement details for its trades to affected parties on a USB stick via a messenger in Manhattan.

LockBit claimed responsibility for the attack on the bank and has confirmed that the bank has completed an undisclosed ransomware payment to help restore its systems.

We all know that cybercriminals like to target companies during holiday periods, which is exactly what happened to Ardent Health Services. On Thanksgiving morning, a cyberattack impacted 30 hospitals and more than 200 healthcare facilities owned by Ardent. Once the ransomware incident was discovered, IT departments took the computer network offline in an attempt to safeguard patient care. As a result, hospitals were thrown into chaos, with some having to divert ambulances and emergency patients while others seen appointments and procedures cancelled. Investigations into the attack are ongoing and the full extent of compromised patient and financial data is still unknown. No ransomware group has yet taken credit for the incident.