The Worst Ransomware Attacks of 2022

As the world has seen an uptake in online activity, there’s been an associated rise in criminal activity. Cyberattacks are becoming more prevalent with ransomware attacks cited as one of the most common.

We’ve taken a look at some of the most notable cyberattacks of 2022 in a previous blog.

Now, let’s get more specific and put ransomware in the spotlight.

What is ransomware?

Ransomware is a type of malware that encrypts targeted files to prevent access. It’s a form of extortion, in that threat actors demand money in return for access to the encrypted data — effectively, a ransom, hence the name_ ransom_ware. Some ransomware actors also demand payment of a ransom in return for not divulging stolen data publicly or on the dark web.

Threat actors have control over the breached files so they can corrupt data, delete it, or sell it. Hackers like to target compromising or personal data to obtain as much leverage as possible.

Now you’re aware of what ransomware is, let’s take a look at some case studies of real-world instances of ransomware use.

Medibank

Medibank is Australia’s largest health insurance provider, meaning it has vast stores of sensitive and confidential patient information on its books.

In November 2022, Medibank was targeted by a group that’s believed to be an affiliate of REvil — a hacking group with links to Russia. The attack was devastating with 9.7 million users' personal details stolen and around half a million customers having health claims information compromised.

The group demanded $10 million for the information to be returned in an attempt to extort Medibank. This demand dropped slightly to $1 per victim of this data theft, equating to $9.7 million.

Medibank would not succumb to the hackers' demands and consequently, the data was released with the cybercriminals publishing the information on their blog on the dark web. It comprised 6GB of zipped files with deeply personal illness information and sensitive identity data such as passport numbers and birth dates.

Toyota

On 24^th February 2022, Toyota had to shut down operations in 14 plants across Japan. This meant that 28 production lines were out of action, causing severe disruption to their car manufacturing schedule.

It’s thought that the 14 plants account for up to one-third of global Toyota production, so this incident greatly affected supply chains.

It transpired that Kojima Industries — one of Toyota’s key suppliers of plastic and electronic parts — was subject to a ransomware attack that came through the company’s server. There are few details on the exact nature of the attack but fortunately, the issues were resolved within a day. Yet, this example highlights the disruptive power of a breach from threat actors.

Bernalillo County, New Mexico

In January 2022, government services in Bernalillo County were the target of a ransomware attack. This resulted in severe disruption to the computer systems and websites of county departments.

Government buildings were forced to close down, including a local jail that led to inmates being locked down all day as security cameras and automated doors wouldn’t work. In total, around 675,000 residents were impacted by this attack, giving some insight into the sheer scale of this incident.

The perpetrators remain unknown, despite speculation about their identity. The anonymity of the threat actors shows why this style of attack is becoming more and more popular — threat actors have confidence that they can carry out ransomware attacks with little consequence.

Normal capacity of government services was not resumed for a number of months, with only very basic services being available to residents for several weeks.

In response to this attack, the county set about adopting a new framework for cybersecurity to ensure this kind of event doesn’t happen again.

The new framework has meant a county-wide implementation of multi-factor authentication to create a more robust perimeter around networks and systems used by government employees. A 24-hour security outfit now monitors county networks for any suspicious activity.

Government of Montenegro

In August 2022, the government of Montenegro was hit with a ransomware attack, for which the blame was initially placed on Russia. Later, a hacking group called Cuba ransomware came forward claiming responsibility for the breach.

Cuba ransomware proclaimed, on the dark web, that they had accessed sensitive information from Montenegro’s parliament that included: banking transactions and financial documents, as well as tax information.

Parliament refuted these claims but the government later stated that 150 workstations in 10 state institutions had been infected with the Zerodate virus.

Cuba ransomware used its leverage to try and extort $10 million from the government of Montenegro in return for the stolen information. It’s unclear if this was paid or not.

TransUnion

In March 2022, the credit reporting agency, TransUnion, suffered a ransomware attack on its South Africa-based office. The servers that were exposed during the breach held the information of up to 54 million customers.

It has since become apparent that 5 million users had sensitive information stolen, while other customers had minor, less-compromising details taken that would not expose them to criminal activity.

The Brazilian hacking group, N4ughtysecTU, claimed that they used brute force tactics to gain access to TransUnion’s server. Shockingly, they stated that the password attempt that successfully gave them entry was… “password”!

This goes to show the importance of using complex passwords to reduce the likelihood of a successful brute-force attack.

In the attack, N4ughtysecTU say that they stole 4TB of data, for which they demanded $15 million in cryptocurrency for its return.

It’s yet to be disclosed if the ransom was paid or not.

Make sure your systems are protected from ransomware attacks by signing up for Samurai XDR’s 30 day free trial today!