Ransomware cyberattacks are a big business, so big in fact, that research anticipates a business is attacked by a cybercriminal every 11 seconds and damage costs from these attacks will hit around $20 billion by 2021.

In 2020, we’ll be tracking the publicized ransomware cyberattacks each month and sharing them with you via this blog.

Get our Monthly Ransomware Report as a PDF

2020 Ransomware by Industry

Ransomware by Country

Ransomware Attacks by Month

Covid Facts

Ransomware during a pandemic

The way we work forever changed with the onset of Coronavirus. As companies everywhere closed their doors and pivoted to a remote model with little time to prepare, the disruption of the newly dispersed workforce was creating the perfect storm for cybercriminals. Learn how to protect yourself from ransomware.

Download eBook


Starting with January, let’s look back at some of the attacks that occurred around the globe.

  1. Hackers celebrated the last New Year’s Eve of the decade with an attack on Travelex, taking down it’s websites across 30 countries and causing chaos for foreign exchange transactions worldwide during the month of January. The ransom was rumoured to be the sum of $6M.
  2. Next we head to the Middle East where Oman’s largest insurance company was hit by a ransomware attack causing data loss but no publicized monetary loss.
  3. To the United States next where Richmond Community Schools in Michigan had to postpone opening after the Christmas break when hackers demanded $10K in Bitcoin to restore access to the server.
  4. Another US city and another school, as this time students in the Pittsburgh Unified School District of Pennsylvania were left without internet access after a ransomware attack disabled the district’s network systems during the festive break.
  5. Next we move on to Florida where patients of a medical practice in Miramar reported that they received ransom demands from a cybercriminal threatening to release their private medical data unless a ransom was paid.
  6. Back to the education sector again as the Panama-Buena Vista School District in California experienced a  ransomware attack that caused a technology and phone outage at multiple schools. While the school was working with the FBI regarding the attack, they let parents and students know that they couldn’t access any grades so report cards would be delayed.
  7. Moving on to the small town of Colonie in New York where cybercriminals hacked into the computer system and demanded $400K in Bitcoin cryptocurrency to unlock it.
  8. Next up is a synagogue in New Jersey who fell victim to a cyberattack and a ransom demand of around $500K.
  9. Next we are back to Florida where 600 computers were taken offline after a cyberattack at Volusia County Public Library.
  10. Back to Europe now where the hackers responsible for the Travelex shut down target the German car parts company Gedia. The group used two Russian-speaking underground forums on the Dark Web to threaten to publish 50GB of sensitive data, including blueprints and employees’ and clients’ details, unless Gedia agreed to pay a ransom.
  11. France is next as the Bouygues construction company was paralysed by a major cyberattack affecting the entire computer network and shutting down all of the company’s servers. A ransom of €10M was requested by the cybercriminals.
  12. Back the United States now where Electronic Warfare Associates (EWA), a 40-year-old electronics company and a well-known US government contractor suffered a ransomware infection.
  13. Up next is Oregon, where all of the computer systems for Tillamook County went down. Despite early thoughts that the outages were a technical issue it was later confirmed they suffered a ransomware attack.
  14. Lastly we head to the City of Racine in Wisconsin where a ransomware attack caused the city’s website, email, voicemail, and payments systems to be knocked offline.


February saw the same amount of reported attacks with almost 60% of attacks occurring in the education and public sector verticals. Here’s a roundup of the ransomware attacks we have been tracking.

  1. The first attack of the new month was reported in Baton Rouge Louisiana on Feb 3rd when ITI Technical College became the victim of a cyberattack via a phishing email sent at the end of January.
  2. Next up, another school to report as Scotland’s Dundee and Angus College was hit with what they described as a cyber-bomb which took down their entire IT system.
  3. Deliveries across Australia were stranded in the next reported attack as logistics company Toll Group confirmed they had to shut down their systems because of ransomware.
  4. Over to the United States now, this time it’s the North Miami Beach Police Department who reported they had become a victim of ransomware.
  5. Back to the education sector where this time it’s two Texas schools in the same district who were affected. The city of Garrison managed to make a quick recovery but the Nacogdoches Independent School District faced more of a struggle to rebound from the attack.
  6. To England next where a ransomware attack on Redcar Council forced staff back to pen and paper and 35,000 UK residents were without online public services.
  7. Next up was a Valentine’s Day cyberattack on INA Group, Croatia’s biggest oil company and its largest petrol station chain. The suspected ransomware attack had a crippling effect on business operations.
  8. Staying in Europe, the next attack occurred in Denmark where facilities firm ISS World was crippled by a ransomware attack that left hundreds of thousands of employees without access to their systems or email.
  9. Another US school district is up next, this time it’s The South Adams Schools district in Indiana where an overnight ransomware attack affected all of the schools IT systems.
  10. The education sector is up again as the Gadsden Independent School District in Alabama suffered a ransomware attack that managed to take down all of their internet and communications systems across all of its 24 school sites.
  11. Back to Texas again where La Salle County confirmed a ransomware demand was responsible for its ongoing technology issues.
  12. Jordan Health in New York State, a non-profit organization that operates 9 health centres in Rochester and Canandaigua was the next to suffer at the hands of cybercriminals when they reported a ransomware attack had shut down all of their IT systems.
  13. Back to Australia for the next incident. This time ransomware affected the Australian wool industry when sales were stopped by a ransomware attack at wool industry software company Talman.
  14. Closing a month of reported cyberattacks we are back in Kansas where legal services giant Epiq Global reported they had suffered a ransomware attack on the last day of the month. The attack affected the organization’s entire fleet of computers across its 80 global offices.


March’s numbers were on par with the first two months of the year with attackers still focusing on the education and public sector verticals. Here’s a roundup of what we uncovered for the month.

  1. The first ransomware attack of the month took place on March 2nd in La Salle County in Illinois where a cyberattack affected around 200 computers and 40 servers in the county government.
  2. On the same day hackers targeted Visser, a parts manufacturer for Tesla based in Colorado. Security researchers say the attack was caused by the DoppelPaymer ransomware, a new kind of file-encrypting malware which first exfiltrates the company’s data.
  3. On the same day it was revealed that the provincial government in P.E.I. Canada suffered a data breach when internal government documents were posted online following a ransomware attack.
  4. Next up is Missouri where Three Rivers College were forced to cancel almost all of their classes following a ransomware attack.
  5. California based defense contractor CPI was the next company to reveal they had been knocked offline by a ransomware attack. Sources say the company who makes components for military devices and equipment paid a ransom of about $500,000 after an attack in January but they were not yet operational.
  6. Next, we learned that EVRAZ, owned by Roman Abramovich and one of the world’s largest steel manufacturers, suffered a Ryuk ransomware infection that managed to take down its North American branches.
  7. Durham city was the next target when a Ryuk ransomware attack affected everything from the police to fire services. The county government services were also taken offline when 80 servers were impacted by the attack.
  8. The Fort Worth Independent School District in Texas was the next to fall victim after a string of cyberattacks took place across several Texas school districts in 2019.
  9. Next to be hit was the Champaign-Urbana Public Health District in Illinois. Their website was taken down by the NetWalker ransomware attack, hampering the organization’s response efforts amid the Coronavirus pandemic.
  10. The next attack takes us to the UK where cybercriminals hit London based Hammersmith Medical Research firm who were on standby to carry out trials of a possible future vaccine for the Covid-19 coronavirus.
  11. Another London based company was the next victim of the month. Finastra, a fintech firm that provides technology solutions to banks were forced to shut down their key systems globally after detecting a cyberattack.
  12. Next up Connecticut based medical and military contractor Kimchuk who announced they were hit by DoppelPaymer, a newer strain of ransomware that exfiltrates data out of an infected network before encrypting user files.
  13. Over to Missouri next where TI Power Systems, a supplier of the energy company Ameren Missouri was hit by a ransomware attack that allowed the malicious actors behind the attack to steal information from the firm.
  14. Finally, we end a month of attacks in South Carolina where Bluffton Fire and Rescue was the next in a long line of government entities in the state to be compromised by cyberattacks in recent months.


April had a slow start and it initially seemed that cyberattacks were on a downward trend for the month. But things picked up mid-month starting with a major attack in Portugal. Here’s a roundup of what we uncovered.

  1. Portuguese Energy giant Energias de Portugal (EDP) were the first to report they had been a victim of a major attack when cybercriminals held them to ransom for a massive 9.9 million Euros!
  2. On the same day in Canada, the Law Society of Manitoba revealed that two un-named law firms in the province had been locked out of their computer systems after they were infected with ransomware.
  3. Up next is the small city of Olean in New York. Few details were released but we know that a ransomware attack shut down all of the computers at the Olean Municipal Building.
  4. Next up was a Maze ransomware attack on information technologies services giant Cognizant . The New Jersey headquartered organization is one of the largest IT managed services company in the world with close to 300,000 employees and over $15 billion in revenue.
  5. Over to Denmark now where Agribusiness group Danish Agro, were the target of a ransomware attack on Sunday, April 19.
  6. Colorado-based Parkview Medical Center reported that their technology infrastructure was hit with a ransomware attack on April 21, causing a number of IT network outages amid the battle with Covid-19.
  7. Next is the City of Torrance in the Los Angeles metropolitan area who was allegedly attacked by DoppelPaymer Ransomware. The attackers demanded a 100 bitcoin ($689,147) ransom for a decryptor, to take down files that have been publicly leaked, and to not release more stolen files.
  8. Back to Canada next where accounting firm MNP were hit by a cyberattack which forced a company-wide shutdown of its computer systems.
  9. Next it was reported by the Architects Journal that a hacker had accessed the servers of Zaha Hadid Architects in London and had stolen confidential information in an attempt to extort money from the firm.
  10. CivicSmart, a Milwaukee, USA based company known for its parking meter technology was the next victim of a ransomware attack that exposed internal files in an attempt to elicit a ransom payment.
  11. Next up, Pennsylvania headquartered pharmaceutical giant ExecuPharm revealed that ransomware attackers had recently encrypted its servers and had stolen corporate and employee data.
  12. The final reported attack of the month takes us back to Canada, where the website and email services of the Northwest Territories Power Corporation were shut down after they received a ransomware message from unknown hackers.


May was a busy month for cybercriminals with 20 ransomware incidents reported. This month’s ransomware attacks took us around the globe from Taiwan to Texas, here’s a look at what we found.

  1. On May 5 Toll Group revealed it had found itself at the mercy of cybercriminals for the second time this year. The incident was unrelated to their previous attack in February and was thought to be a relatively new form of ransomware known as Nefilim.
  2. Taiwan’s state-owned energy company CPC Corp was the next victim. Luckily the attack didn’t affect any energy production, but it did cause some disruption for customers attempting to purchase gas.
  3. Up next was Fresenius in Germany, Europe’s largest private hospital operator. The company who employ around 300,000 people across more than 100 countries confirmed that a cyberattack had affected every part of the company’s operations around the globe.
  4. Germany again for the next attack on May 7 Ruhr University Bochum were forced to shut down large parts of their central IT infrastructure, including their backup systems after a ransomware attack occurred overnight.
  5. Moving to the US now for what was likely the most publicized attack of the month. Grubman Shire Meiselas & Sacks, a NYC law firm with a host of celebrity clients including Elton John, Robert DeNiro and Madonna were a victim of REvil ransomware used to steal the personal information of celebrity clients. Hackers threatened to expose nearly 1TB of private celebrity data unless a ransom was paid in Bitcoin.
  6. Swiss Rail construction firm Stadler was the next victim. The company disclosed that hackers had threatened to publish sensitive data to harm the firm and its employees if the large ransom was unpaid.
  7. The seventh attack of the month goes to another repeat victim. Pitney Bowes disclosed that they had been hit by Maze ransomware less than a year after they were hit by a similar attack. The group behind Maze specializes in double extortion, an attack that increases pressure on its victims to pay by threatening to release important data in addition to encrypting systems.
  8. Elexon, the organization that helps balance and settle the UK’s electricity market was attacked by hackers using the REvil/Sodinokibi ransomware on May 11. Sensitive internal data was stolen in the attack with some posted on the Dark Web to pressure the organization into making the ransom payment.
  9. Back the US now where the Office of Court Administration in Texas revealed that a ransomware attack was launched against its court system. It’s thought that no sensitive data was stolen, and at the time of writing they insisted that no ransom would be paid.
  10. Staying in the US, the next attack takes us to Ohio where Diebold Nixdorf, a major provider ATMs and payment technology, disclosed that a ransomware attack had disrupted some of their operations. The company said the hackers didn’t affect the ATMs or customer networks and that the intrusion only affected its corporate network.
  11. Magellan Health, a major US healthcare provider based in Phoenix, Arizona found themselves a victim of ransomware after falling for a phishing email that appeared to be from a client. The hackers proceeded to exfiltrate records containing personal information before launching ransomware to encrypt files.
  12. Back to Australia, where this time it was BlueScope Steel who suffered IT disruption that impacted production across its global operations. The ransomware incident was thought to be caused by employees opening contaminated email attachments.
  13. The next attack takes us to the UK where Bam Construct, a firm that had recently delivered Nightingale Hospitals for the NHS during the Covid-19 crisis had fallen victim to a ransomware attack. The company said that the business “stood up well” after the incident despite being forced to take services offline to mitigate the attack.
  14. Up next was the Texas Department of Transportation who revealed they has been hit by ransomware just days after the state’s judiciary system suffered the same fate. It appears that Texas is becoming a popular destination for cybercriminals as 22 local governments were targeted by ransomware in a single attack in 2019.
  15. Anglo-Eastern, one of the largest ship managers based in Hong Kong was hit with a ransomware attack on May 18. The incident was quickly contained, and it was reported that no data was lost.
  16. Over to New South Wales next where retailer In Sport’s head office hit by ransomware. The firm was unable to confirm what data had been accessed but they revealed that the attackers used REvil/Sodinokibi ransomware.
  17. Staying in Australia, this time it was customer experience firm Stellar who appeared to have taken a hit from a group of attackers using NetWalker ransomware.  Images of data stolen from the company were posted on the Dark Web and according to a countdown timer on the site, the company had just over six days to respond to the hacker’s ransom demands.
  18. The next incident takes us to Halifax in Canada where the Northwest Atlantic Fisheries Organization (NAFO), an intergovernmental organization that manages fish stocks in international waters in the northwest Atlantic Ocean, was hit by a ransomware attack. The organization who counts a dozen countries as members, including Japan, Norway, Canada, the European Union, and Russia admitted the attack had locked them out of their data systems and knocked their website offline in a letter to stakeholders.
  19. Back to the US again where this time it’s Michigan State University . The operators of the NetWalker ransomware gang reportedly gave MSU officials seven days to pay the ransom before they planned to leak the stolen university files.
  20. IT Services Giant Conduent disclosed that a ransomware attack had affected it European operations and although customer data had hit the Dark Web, they had managed to restore their systems in 8 hours.
  21. We close out the month in Austria where a NetWalker ransomware attack was launched against the city of Weiz. The attack affected the public service system and leaked some of the stolen data from building applications and inspections.


Ransomware attacks surged again in the month of June with Covid-19 related phishing techniques still proving popular with cybercriminals. Notable attacks include Honda, who had their European operations significantly affected, and the University of California who reportedly paid $1.14 million to recover academic data related to its Covid-19 research. Here is a roundup of the incidents we uncovered.

  1. We start the month in South Africa with telecoms firm Telkom SA SOC Ltd. We found limited coverage of the incident, but it was reported that the attack led to outages across several systems with remote staff unable to connect to the servers or VPN.
  2. Up next is Columbia College in Chicago who were attacked just one week after Michigan State University. On the Netwalker blog the cybercriminals claimed to have exfiltrated very highly- sensitive data during the attack.
  3. Hackers continued their spree on US colleges when they hit the University of California on the same day. Important Covid-19 research was encrypted during the attack and it was later disclosed that the school paid out $1.14 million to recover the data.
  4. The City of Florence in Alabama became the next victim on June 5 when a cyberattack shut down the city’s email system. The city reportedly paid over $250K to recover the encrypted data.
  5. The next attack took place at VT San Antonio Aerospace, the US subsidiary of ST Engineering Aerospace in Singapore. The ransomware attack resulted in the exposure of confidential company data including government contracts.
  6. Automotive giant Honda suffered a Snake ransomware attack which targeted its offices in the United States, Europe and Japan. The attack forced many offices to shut down in what was likely the most publicized ransomware incident of the month.
  7. Earlier in the month Australian beverage giant Lion disclosed they had been the victim of a cyberattack, they later confirmed it was ransomware. The company’s data was said to be available on the Dark Web but at the time of writing the company said they did not have any evidence of data being exfiltrated.
  8. Over to New Mexico next where nuclear missile contractor Westech International was the victim of a Maze ransomware attack. Hackers were able to access sensitive employee information, but it is still unconfirmed whether any classified military information was accessed.
  9. Next up is Norwegian shipbuilder Vard, Europe’s first attack of the month. Local reports indicate that company servers were hit with an encryption attack which led to disruption and downtime. The overall extent of the damage has not yet been disclosed.
  10. Fisher and Paykel, a white-goods manufacturer based in New Zealand disclosed they had been targeted by Nefilim ransomware. Although the attack was quickly identified, the hackers did disclose an initial leak of the company’s corporate files on the Dark Web.
  11. Up next was New York company Threadstone Advisors, a mergers and acquisitions firm whose client list includes Victoria Beckham.   The Maze ransomware gang insisted that they had exfiltrated and encrypted sensitive company data.
  12. An overnight attack hit the City of Knoxville in Tennessee. Fortunately emergency services were not affected in the attack, but by the time it was noticed by the IT department the ransomware had already encrypted multiple systems. Knoxville joins a list of other targeted cities, including Atlanta, Baltimore, Denver and New Orleans.
  13. Back to Europe now where this time it was European energy giant Enel Group. The incident was the work of the Snake ransomware group who were also responsible for the attack at Honda earlier in the month.
  14. Rhode Island-based Care New England (CNE) was victim of a cyberattack that hit its servers on June 16. The suspected ransomware attack forced the shutdown of its website and other internal systems.
  15. Up next is Florida based ConnectWise who hit the headlines when it was revealed that their partners were hit by ransomware through a software flaw in their platform.
  16. Electronics giant LG is reportedly being threatened by the Maze ransomware gang, however at the time of writing no official statement had been issued by the company.
  17. Closing out the month is another suspected attack on car giant Mitsubishi. The Doppelpaymer gang are allegedly threatening to leak data from the organization, although at the time of writing there has been no official statement from the company.


July was quiet in comparison to other months this year with only 12 ransomware attacks making the list. Although the number of reported attacks was lower for the month, news of the incident at Blackbaud, the cloud computing provider that serves non-profits, foundations, corporations, educational, healthcare, and religious organizations, dominated the headlines as hundreds of their customers were affected by cyberattacks and breaches due to the major ransomware attack that occurred at Blackbaud in May.

  1. We’ll start the month with Blackbaud. The incident was reported late in July but it has been revealed that the actual ransomware attack occurred in May. At time of writing we don’t know the full extent of the organizations impacted, but reports say the list currently tops 120. Multiple universities, charities and the UK Labour Party on are on the list of those affected.
  2. Up next is Texas-based government institution, Trinity Metro, a transit agency that operates bus and commuter rail transportation services in Fort Worth. Phone lines and booking systems were down following the attack and a post on the NetWalker gang website showed more than 200 Trinity Metro folders containing information that was apparently exfiltrated from the agency before its systems were disrupted.
  3. Xchanging, a subsidiary of IT Services giant DXC was the next victim. DXC announced in a press release that certain systems of London based MSP Xchanging had been affected by a ransomware attack. Xchanging offers IT services and business process outsourcing to aerospace, banking, defence and insurance firms.
  4. Back to Texas again where Cooke County found themselves the next victim of REvil ransomware. The attackers threatened to start releasing data within 7 days of the attack after posting screenshots thought to be documents and data from the county’s police department on the Dark Web.
  5. Another government attack in the US is up next, this time it’s Chilton County in Alabama who implemented a shutdown after being targeted by an attack on the morning of July 7. The incident which caused a temporary disruption to the County’s computer records systems including the tag office and probate court records was announced via social media.
  6. New Jersey based IT Staffing firm Collabera  were the next firm to find themselves victim of a Maze ransomware attack. Hackers were able to exfiltrate employees’ names, addresses and other personal information and infect its systems during the cyberattack.
  7. French telecommunications company Orange was the next company to fall victim, this time to Netfilim ransomware. Luckily for Orange and its 266 million customers, the incident was only related to its business services division. Data exfiltrated from Orange customers was later added to the Nefilim Dark Web site that details corporate leaks.
  8. Next up is yet another telecoms giant, this time in Argentina. Telecom Argentina fell victim to what has been described as a massive ransomware attack with the cybercriminals demanding that $7.5 million be paid in the privacy coin Monero. Twitter posts suggested that the criminal gang demanded payment prior to July 21, if the payment wasn’t made the ransom would double while the systems would remained locked.
  9. Back to the US now for the attack on state owned New Hampshire Radio. The organization revealed that they had been hit by a ransomware attack but no personal information had been accessed. The organization also revealed that third party supplier Blackbaud had discovered and stopped an attack back in May and had contacted them in July with details.
  10. Over to Kansas next where a ransomware attack took place at the GPS and smartwatch business Garmin. The attack took the business entirely offline for more than three days and is believed to have been carried out by a Russian cybercriminal gang which calls itself “Evil Corp”.
  11. Next up was Atlanta based SiteOne, the largest national wholesale distributor of landscape supplies in the United States. The company reacted quickly to the attack and managed to recover its critical business data with little disruption.
  12. We finish the month in Germany with Dussman Group, a global facility management specialist providing cleaning, catering, security, technical, and commercial services worldwide.  The multinational company which employs over 66,000 staff worldwide and makes billions of euros in sales annually was reportedly struck by the Nefilim variant. After the attack the criminal group began posting 16,000 files to the Dark Web as proof of the attack.


August was 2020’s second busiest month for ransomware attacks with some well-known brands such as Jack Daniels, Carnival Cruises and Canon hitting the headlines. In the 20 incidents we uncovered manufacturing was the hardest hit sector followed closely by education.

  1. We start the month in Japan where Konica Minolta was hit by their second ransomware attack which took down company services for almost a week. The group behind the attack reportedly used RansomEXX ransomware, a relatively new malware that needs to be operated manually and does not have the ability to steal files. Meaning whoever was behind the attack needed to compromise the network and infiltrate all of the devices before running the malware.
  2. Next to make the headlines was Netherlands based travel management company CWT. A ransomware attack knocked 30,000 company computers offline and cost the company a $4.5 million ransom to get up and running again. Hackers allegedly obtained corporate data although this was denied by the company.
  3. Over to Australia next where aged care operator Regis was the victim of an international cyberattack that led to the loss of personal data. The company told investors that an “overseas third party” was responsible for the attack which resulted in data being copied from its servers and publicly released. Following the incident, the federal Australian government’s cybersecurity centre issued a critical warning that Maze ransomware was threatening aged care facilities across the country.
  4. Ohio based Muskingum Valley Health Center made the headlines next when they notified more than 7,000 patients that their personal information may have been exposed in a ransomware attack on its EHR system.
  5. Boyce Technologies, a manufacturer of transit communication systems that pivoted to build ventilators during the COVID-19 pandemic was the next victim of the DoppelPaymer ransomware gang. The gang posted examples of the stolen data on the Dark Web and threatened to release it unless the ransom was paid.
  6. North Carolina based Cornerstone Building Brands, a top manufacturer of windows in North America was the next reported victim. The company confirmed the attack and launched an investigation. At time of writing the publicly traded company had reportedly recovered many of its critical systems and did not expect the attack to have a material impact on its business.
  7. Back to Japan next where this time it’s the turn of camera maker Canon whose services division experienced an outage caused by a Maze ransomware attack. Internal applications, email servers, Microsoft Teams, and the US website were impacted.
  8. Carnival, the world’s largest cruise line operator were the next to disclose they had become a victim of ransomware. With over 150,000 employees and 13 million guests every year, Carnival Corporation is the largest cruise operator in the world. In an 8-K form filed with the Securities and Exchange Commission (SEC), the company disclosed that one of its brands had suffered a ransomware attack and that data was likely to have been stolen.
  9. Next up is Brown-Forman, the Louisville, Kentucky based manufacturer of Jack Daniels. The company was reportedly able to intervene before attackers could encrypt its systems and is working with law enforcement and third-party experts to mitigate the incident. While there is no confirmation on when the attack took place, a Forbes report indicates the intruders were in Brown-Forman’s environment for more than a month.
  10. The University of Utah was next to hit the headlines when it was reported that following an earlier ransomware attack they paid a $457K ransom. As data stolen during the attack contained student and employee information, the university decided to work with its cyber insurance provider to pay the ransom to prevent it from being leaked.
  11. Over to Chicago next where medical debt collection firm R1 RCM suffered a ransomware attack. The company with more than 19,000 employees and revenues of $1.18 billion in 2019 have contracts with at least 750 healthcare organizations nationwide. The company acknowledged they had been targeted in an attack but declined to discuss it further.
  12. Next up was an attack on South Korea based semiconductor manufacturer SK Hynix. Although the company has yet to comment on the incident the gang behind the attack released screenshots of some of the stolen company documents.
  13. TFI International, a Canadian transport and logistics company was next to disclose that four of their courier divisions were hit by ransomware just two days after they raised $219 million in a share offering. A company notice stated that they would continue to meet most customer shipping needs that they were not aware of any misuse of client information.
  14. Haywood County Schools in North Carolina were forced to close following an attack. In a statement released by the school, it was disclosed that school staff discovered the incident and that the third-party attacker has requested a ransom to stop the attack.
  15. Southeastern Pennsylvania Transportation Authority (SEPTA) were unable to provide real-time transportation information after an attack caused their systems to fail. SEPTA declined to provide further information about the attack but experts speculate that disruption to its systems has been significant.
  16. Brookfield Residential Properties , the home construction division of one of Canada’s largest publicly-traded companies, was next to fall victim to an attack. Although the organization did not confirm that the attack was ransomware, a threat group known as DarkSide claimed the attack and threatened to release stolen data unless a ransom was paid.
  17. Back to education where this time it’s the Gosnell School District in Arkansas. Little has been reported about the attack but it was disclosed that ransomware software infiltrated the school’s system and at the time of writing personal data had not been compromised.
  18. Up next is another attack on the education sector. This time its the Royal Military College in Kingston, Ontario. A cyberattack was reported in July but at the time it was unclear if it was ransomware. Ransomware was later confirmed when hackers posted documents that revealed sensitive personal information online.
  19. California based MA LABS, one of the leading computer component distributors in the United States was the next company to make the list. The REvil ransomware gang claim to have exfiltrated 949 gigabytes of confidential information from the central servers of the company. REvil said the attack affected more than 1,000 servers, and also claimed that the distributor didn’t tell the public about the attack.
  20. We finish the month in Fresno, California where back to school was disrupted when a ransomware attack took down the entire network at the Selma Unified School District forcing Fresno-area schools to cancel online classes.

To learn more about ransomware please download our newest eBook, Ransomware in a Pandemic: A Perfect Storm


Ransomware gangs seemingly worked overtime this month as we reported the most attacks of the year, a whopping 31 incidents. The most notable attack was on a German hospital which caused a woman to lose her life. The first cyberattack homicide investigation is currently underway and the EU Cybersecurity Agency is calling for countries to consider making company bosses liable for deaths in the future. Here’s a look at what we uncovered for the month.

  1. We start the month in Australia where workforce design and delivery firm Tandem Corp became a victim of NetWalker ransomware. Screenshots of data allegedly stolen during the attack were published on the Dark Web. The screenshots included files which appeared to contain financial data, personnel information and passport details.
  2. Next we head to Miami where staff at Key West City Hall were forced to go back to pen and paper when a ransomware attack took their systems offline.
  3. Boston headquartered cybersecurity and threat detection company Cygilant suffered a NetWalker ransomware attack. In a statement their CFO confirmed that the attack had impacted a portion of the company’s technology environment. At the time of writing it was unclear whether or not a ransom had been paid.
  4. Next up is another NetWalker attack. This time on Argentina’s official immigration agency, Dirección Nacional de Migraciones. The attack temporarily halted border crossing into and out of the country, and the attackers initially demanded $2 million but this was doubled to $4 million after a 7 day period.
  5. Staying in South America we next heard about a REvil attack on BancoEstado in Chile. The bank, which is one of Chile’s three largest, was forced to close all of its branches following the attack.
  6. Next was the first reported education attack of the month. The ransomware attack disrupted the first day back to school for students of Hartford Public Schools in Connecticut when hackers knocked their critical systems offline over Labor Day weekend.
  7. Newcastle University in the UK was the next reported attack on education. The disruption to the schools systems is ongoing and the DoppelPaymer group has been posting documents it claims to have stolen from its servers to its dedicated “Doppel Leaks” site.
  8. California based data center giant Equinix was the next firm to reveal they had been hit with a ransomware attack. The organization confirmed that its data centers and managed services remained intact as it was only internal systems affected.
  9. Saraburi Hospital in Thailand was the next victim. At the time of writing the hospital confirmed they had been hit with ransomware but that no demand for money had been made.
  10. Attack number 10 takes us to Ukraine where software developer and IT services provider SoftServe suffered a ransomware attack that may have led to the theft of customers source code.
  11. The Fourth District Court of Louisiana suffered a Conti attack , a relatively new ransomware strain. The administrative infrastructure of the courts was affected which led to the website being breached and internal documents being posted online.
  12. Students in Fairfax County Public Schools, Virginia’s largest school system were forced to begin the new school year with remote learning after a ransomware attack affected its systems. The hack reportedly didn’t impact distance learning or personal devices.
  13. Manitoulin Transport, one of Canada’s largest trucking companies was the next to disclose that they had become the latest victim of attacks targeting firms in Canada’s supply chain. The Conti gang posted stolen data but following discussions with the hackers the firm decided not to pay as the information stolen in the attack wasn’t important.
  14. Up next is Veiligheidsregio Noord- en Oost-Gelderland (VNOG) in the Netherlands. The attack damaged internal systems and it is still unclear who was behind it.
  15. The Development Bank of Seychelles (DBS) was next to find themselves a ransomware victim. DBS is a joint venture by the Seychelles government and several shareholders and at the time of writing they were reportedly unclear about how the attack occurred and the damage was still being assessed.
  16. K-Electric, the sole power distributor in Karachi, Pakistan experienced a ransomware attack by the Netwalker gang. The attack led to the disruption of the power utility’s billing and online services and the attackers requested a ransom of $3.8 million.
  17. Back to education again where this time it was Great Falls Public Schools in Montana. The school district shut down most of its systems to investigate and recover from the attack. At the time of writing they were working with the department of Justice, the National Guard, FBI and other private consultants to remedy the problem and were yet to disclose where the attack came from or what the attackers were requesting as a ransom.
  18. Newhall School District in California were next to find themselves victimized by ransomware. The attack locked up the systems and led to the cancellation of remote classes as students where told not to log on to the learning systems or use any district device.
  19. Artech Information Systems, one of the largest IT staffing companies in the US reported their second ransomware attack in nine months. The REvil gang were responsible for the attack which was picked up by the company following reports of suspicious activity on an employee device.
  20. Duesseldorf University Hospital in Germany suffered an attack which meant they were unable to accept emergency patients. Sadly this resulted in a loss of life after a patient was re-routed to another facility 20 miles away. A German news outlet reported that the cyberattack was not intended for the hospital and that the ransom note was addressed to a nearby university. The attackers stopped the attack after authorities told them it had actually shut down a hospital.
  21. Massachusetts based IPG Photonics, a leading developer of fiber lasers for cutting, welding, medical use, and laser weaponry was next to suffer a ransomware attack. It was reported that RansomExx was behind the attack that shut down the IT systems worldwide, affecting email, phones, and network connectivity in the offices.
  22. Over to Canada next where Ontario’s College of Nurses , the organization that oversees 188,000 members, was next to be hit by an attack. At the time of reporting it was disclosed that personal information may have been impacted but a ransom demand had not yet been received.
  23. Another hospital is up next, this time its University Hospital in New Jersey. It was reported that the institution suffered a massive 48,000 document data breach after the ransomware operation leaked their stolen data. The SunCrypt ransomware gang claimed to be responsible for the attack.
  24. Sixth Form College in Bolton, UK was the next reported incident in the education sector. Post attack the college engaged a specialist team to launch an investigation and mitigate the impact. At time of writing the forensic investigation was ongoing but it was confirmed that some data had been exfiltrated.
  25. Italy based Luxottica, the parent company of Ray Ban made the headlines next. The organization reported widespread service outages but claimed that no customer data had been stolen in the incident.
  26. Anglicare Sydney, a not-for-profit that provides social services such as aged care was next to report they had been hit by a ransomware attack that saw attackers exfiltrate 17GB of data. Once the cyberattack was detected they immediately embarked on remediation and investigation before strengthening their cybersecurity.
  27. Texas based Tyler Technologies, the largest provider of software to the United States public sector disclosed that they had become a victim of an attack that affected their internal systems. Tyler reported that there had been no impact on the software they host for their clients and at time of writing, the company, the FBI and the Department of Homeland Security all declined to answer questions on the extent of the hack, the risk of related breaches and the suspected identity of the perpetrators.
  28. French carrier CMA CGM became the latest big name in container shipping to reveal it had become a victim of ransomware, following other leading liners including Maersk, MSC and Cosco in recent years. The Ragnar Locker ransomware gang instructed them to make contact within two days via live chat to pay for the ransom key.
  29. Universal Health Services, one of the largest healthcare providers in the United States was next to be hit by a ransomware attack. Its speculated that the Ryuk gang was behind the attack and details of how widespread the issue is are still unknown. UHS has 400 hospitals and healthcare facilities in the US and the UK and serves millions of patients each year.
  30. Our final attack on education for the month goes to Clark County School District in Las Vegas. The attack which activated at the end of August triggered a data breach involving Social Security numbers, student information and other private information according to the Wall Street Journal. An investigation is ongoing and the district has pledged to keep parents, employees and the public informed as new information about the incident becomes available.
  31. Our final reported ransomware victim of the month is International insurance brokerage firm Arthur J. Gallagher & Co. The company confirmed that the attack had occurred on September 26th and that the incident impacted a “limited portion” of its internal systems. They also said they do not expect it to have a material impact on its operations or finances.

Get our Monthly Ransomware Report as a PDF