We’ll cover 15 of the most recent ransomware attacks (so far) in 2020 — what they were and who they impacted — as well as some of the latest news and trends in ransomware attacks
These are just a few headlines of the recent ransomware attacks that have been making waves in the news. Ransomware attacks are a cause for concern for governments, healthcare providers and other businesses worldwide. They’re also a major issue for their customers and employees, whose data is frequently the collateral damage of these types of attacks.
Ransomware attacks against 966 U.S. government, healthcare and educational entities cost those organizations $7.5 billion in 2019 alone, Emsisoft’s Q1 and Q2 2020 research shows. Data from NinjaRMM’s 2020 Ransomware Resiliency Report also shows that ransomware incidents resulted in damages of between $1 million and $5 million for 35% of the organizations whose IT pros they surveyed. That’s a lot of money flowing through the prospering cybercrime market and a lot of opportunities for those organizations to sustain reputational damage.
In this article, we’ll share 15 of the most recent ransomware attacks that we’ve seen (so far) in 2020.
Let’s hash it out.
The 15 Most Recent Ransomware Attacks (to Date) in 2020
Ransomware attacks are those that use malicious software (malware) to encrypt the data and files of targets. I say this to differentiate ransomware attacks from extortion campaigns that use distributed denial of service (DDoS) attacks to overwhelm targets with traffic with the promise of stopping their onslaught in exchange for payment).
Unfortunately, there are a lot of ransomware attacks to choose from that we can cover in this article. So, we’ve decided to limit ourselves to talking about the most recent ransomware attacks that are malware-based and have made headlines in 2020.
Of course, this list is far from being complete list. Unfortunately, there are many other recent ransomware attacks that have occurred this year (way more than I have time to write about individually). However, this list at least gives you an idea of what some of the most notable ransomware attacks have been so far in 2020 and what we know about them.
How the Latest Ransomware Attack List Is Organized
For this article, we’ve decided to organize the content chronologically — starting with listing the most recent ransomware attacks before making our way back to the earliest attacks of the year. The reason why we’re not going to list them in terms of the largest ransom payments or demands is because, frankly, many companies don’t disclose the attackers’ demands. (Heck, some companies don’t even want to disclose that the “cyber incidents” they’ve experienced were actually ransomware attacks in the first place!) Furthermore, some ransomware targets choose to pay the ransom demands while others do not.
So, without further ado, let’s get right to it. Here’s the list of the latest ransomware attacks we’ve seen (so far) this year:
1. Brookfield (August 2020)
The first on our list of recent ransomware attacks in 2020 comes to us from the north side of the border. Darkside, a new ransomware group, claims to have carried out a ransomware attack against Brookfield Residential Properties, which is based in Calgary, Canada. ITWorldCanada reports that the company, a division of Brookfield Asset Management Inc., admitted to them that an unspecified data security incident took place. However, it didn’t verify whether the attack involved ransomware or DarkSide.
Of course, Darkside themselves have decided to make it known that they were responsible for the attack:
The second ITWorldCanada article reports that the company was also sure to stress that “Brookfield Residential has its own corporate network that is separate from the parent company, which wasn’t hit.” Basically, they want to make it clear that the ransomware attack affected only that subsidiary and not the larger parent company.
2. R1 RCM Medical Debt Collections Firm (August 2020)
Next on our list of the most recent ransomware attacks comes from Brian Krebs. In August, KrebsOnSecurity reported that the R1 RCM Inc. was hit by a ransomware attack. The company, formerly Accretive Health Inc., is one of the country’s biggest medical debt collection companies. They contract with more than 750 U.S. healthcare organizations and handle the personal and health-related data of tens of millions of patients.
R1 RCM Inc. chose to not disclose the type of ransomware that was used in the attack, nor provide other details about the compromise, including which systems or data may have been compromised. However, KrebsOnSecurity reports that the attack used the Defray ransomware. Trend Micro describes Defray as a type of targeted ransomware that’s typically spread via phishing emails.
Read more about the attack in the KrebsOnSecurity article.
3. The City of Lafayette, Colorado (July 2020)
The city of Lafayette announced in August that they paid $45,000 to ransomware operators after their devices and data became encrypted via ransomware on July 27. The payment was made to receive a decryption key after the city was unable to restore systems from their backups. They chose to go the ransom payment route because it seemed like a less costly and more convenient solution to minimize lengthy service outages for residents.
Although they didn’t specify the type of ransomware that was involved, the city’s notice about the outage shared that the ransomware disabled the city’s network systems. This impacted everything from online payment systems to email and phone services (but thankfully not the 9-1-1 and emergency dispatch systems, though). The results of their initial investigation points to a phishing scam or potential brute force attack for the cause of the ransomware attack.
So, is there any good news about this situation? Yes, although it still comes with a warning:
Financial data appears to be recoverable from unaffected backups. Personal credit card information was not compromised, as the City uses external PCI-certified payment gateways. There is no evidence to suggest personal data was compromised, but out of an abundance of caution, residents and employees are advised to be vigilant to monitor accounts for suspicious activity.”
4. University of Utah (July 2020)
The University of Utah (UofU) recently found itself in the crosshairs of one of the latest ransomware attacks on a higher ed institution. They released a statement about the attack, stating that their computing servers were targeted in an unspecified ransomware attack that affected approximately 0.02% of the data on those servers. Although the university used their data backups to restore some of its services and systems, they still chose to pay the $457,059.24 ransom.
Why would they choose to pay the ransom? According to the university’s official statement:
After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventive step to ensure information was not released on the internet.”
But UofU isn’t alone — several other educational institutions were recent ransomware attack targets as well. We’ll talk more about those shortly.
But first, here’s one important bit of info that might be of interest to note: A 2020 study by Comparitech shows that since 2005, more than 1,300 data breaches (involving 24.5 million records) have been reported at colleges, universities and K-12 school districts in the U.S. Now, keep in mind, however, that those are just the breaches that we know about and that ransomware wasn’t specifically identified as the cause. But it just goes to show that the state of cybersecurity in education has a way to go in terms of better protecting data.
Speaking of which…
5. Columbia College Chicago (June 2020)
This brings us to No. 5 on our list of recent ransomware attacks: Columbia College Chicago. The Illinois institution was targeted by the NetWalker ransomware gang, who threatened to sell students’ data on the dark web if no extortion payment was made within six days.
The Columbia Chronicle shared a link to a July 17 collegewide email that indicates that some users personal information was accessed in the attack. However, it’s unclear at this time whether Columbia College Chicago decided to pay the ransom or negotiate with the attackers.
NetWalker, also known as Mailto, is a ransomware strain that’s thought to have made its criminal debut in August 2019. ZDNet reports that the NetWalker closed-access ransomware-as-a-service (RaaS) portal — which other hackers can use after undergoing a vetting process — launches specialized attacks against high-value targets. It’s thought to have helped the NetWalker ransomware operators rake in $25 million since March 2020 alone.
6. University of California, San Francisco (June 2020)
However, Columbia College Chicago wasn’t the NetWalker ransomware’s only recent target. Two other institutions — University of California, San Francisco (UCSF) and Michigan State University — were also victimized by the same family of ransomware. (More on MSU shortly.)
On June 1, the university’s IT staff spotted and halted unauthorized access of the medical school’s IT environment. They began working with a cybersecurity firm and were able to determine that most of the school’s IT environment was unaffected. ZDNet reports that UCSF opted to pay the $1.14 million negotiated ransom demand to the attackers to recover data that the attackers encrypted.
According to UCSF’s June 26 security update:
While we stopped the attack as it was occurring, the actors launched malware that encrypted a limited number of servers within the School of Medicine, making them temporarily inaccessible. Since that time, we have been working with a leading cyber-security consultant and other outside experts to investigate the incident and reinforce our IT systems’ defenses.”
7. Michigan State University (May 2020)
MLive reports that Michigan State University was hit with the NetWalker ransomware. In their demand, the ransomware operators said the university had one week to pay a ransom in exchange for access to their encrypted files. Otherwise, the attackers said they’d leak the personal and banking related data of MSU students.
The attack, which is said to have taken place on Memorial Day, was reportedly limited to affecting systems for the Department of Physics and Astronomy. Unlike UCSF, the Michigan university opted to not pay the ransom, saying that they were heeding the advice of law enforcement.
MSUToday reports the following statement from MSU Police Chief Kelly Roudebush:
It is important to remember that these are criminal acts being carried out by individuals seeking nothing more than an opportunity to earn a quick buck at any person or entity’s expense. Paying cyber-intrusion ransoms perpetuates these crimes and provides an opportunity for the group to live another day and prey upon another victim.”
This incident was followed by the discovery of a data breach that involved MSU’s online store. MSUToday reports that the names, addresses and credit card numbers of around 2,600 customers was exposed as the result of a website vulnerability. The period of exposure was said to have been between Oct. 19, 2019 and June 26, 2020
8. Blackbaud (May 2020)
Blackbaud, the major cloud computing provider for many commercial and non-profit entities, was the target of a ransomware attack in May. (UCSF and MSU were among the educational institutions affected by the incident because they use Blackbaud as a vendor for their philanthropic tracking activities.)
The company was able to discover and disrupt the attack, ultimately blocking them from their systems. However, they weren’t able to do so before the attackers successfully removed some data. According to Blackbaud’s official statement:
Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
The company disclosed neither the payment amount nor the type of ransomware that was involved in the attack.
9. Grubman, Shire, Meiselas & Sacks Law Firm (May 2020)
Although we’ve already talked about this situation in our list of the top cyber security statistics for 2020, it’s definitely worth including on the list of the latest ransomware attacks. In May, Page Six reported that a hacker group that goes by the name REvil set their sights on the A-list law firm Grubman, Shire, Meiselas & Sacks. REvil used the Sodinokibi ransomware to carry out their attack.
Initially, the attackers demanded a payment of $21 million to prevent the disclosure of 756 GB of confidential client data. However, they doubled the demand to $42 million when the law firm refused to cough up the payment. They’ve since released data relating to several celebrities, including Madonna and Lady Gaga, and said that they plan to auction off more data.
10. Cognizant (April 2020)
Cognizant, a Fortune 500 company that provides IT services to companies across a variety of industries, shared in April that they were the target of a ransomware attack. The attack, which affected their internal systems and involved the deletion of their internal directory, also disrupted services to their customers:
In their next update on May 7, Cognizant said that they’ve since contained the attack and are using the experience as an “opportunity to refresh and strengthen our approach to security.”
Cognizant shared in their Q2 2020 results report at the end of July that revenue across their business segments was down 3.4% to $4 billion. This was due, in part, to the April ransomware attack. Their Q2 2020 net income was $361 million, whereas their net income from Q2 2019 was $509.
11. Travelex (April 2020)
REvil decided to “help” Travelex ring in an (un)happy new year by slamming the currency exchange service provider with a Sodinokibi ransomware attack on New Year’s Eve. However, unlike one of REvil’s other targets, the Grubman law firm, Travelex chose to pay the $2.3 million ransom in Bitcoin after their currency exchange services were crippled by the attackers.
Now, as of early August, SC Media reports that Travelex has gone into administration (the U.K.’s equivalent of bankruptcy) and has cut 1,309 jobs to help try to save the company. But I guess the mindset here is that despite the sacrifice, the company will live to see another day.
12. Chinese & Taiwanese Companies and Consumers (April 2020)
Of course, organizations, schools and governments aren’t the only targets of ransomware attacks. Ransomware attacks also target general internet users and consumers.
In April, tens of thousands of users were the victims of the WannaRen ransomware attacks on their home and company devices. ZDNet reports that a ransomware infection chain included the EternalBlue exploit that devastated hundreds of thousands of devices globally during the WannaCry ransomware attacks in 2017.
Initially the attackers demanded 0.05 Bitcoin in exchange for decrypting a victim’s data. However, in an unexpected turn of events, the ZDNet report states that the ransomware authors chose to give the victims their decryption key. They did so at no cost to the victims so they could recover their encrypted data.
13. Unidentified Natural Gas Facility (February 2020)
In February, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) reported that an undisclosed natural gas compression facility was the target of a ransomware attack. The attack resulted in the pipeline effectively shutting down operations for two days. But how could this happen? According to the alert:
The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks. Assets impacted on the organization’s OT network included HMIs, data historians, and polling servers.
Because the attack was limited to Windows-based systems, PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted.”
However, something that really caught our attention about this particular alert is this:
Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.
The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.”
This situation serves as a powerful reminder to all organizations, regardless of size and industry, of the importance of cybersecurity incident and response planning and preparations. Planning to prepare your IT infrastructure and employees for these types of scenarios could be the difference between a brief situation and days of downtime.
14. The Pittsburg Unified School District of California (January 2020)
One county in California started off the new year with a ransomware attack. The Pittsburg Unified School District of CA, located in Contra Costa County, had to take its servers offline after it experienced a ransomware attack. The school district didn’t disclose the ransom demands of their attackers. According to a report from KTVU, however, the attack affected “every school, office and most services in the school district.”
15. Contra Costa County Library System (January 2020)
The school system attack followed closely on the heels of another attack that targeted the Contra Costa County Library System. That attack, which the library system reported on Jan. 3, caused network outages for all 26 of its branches that lasted for several days.
Just a quick note: If you’re looking for ransomware statistics, be sure to check out our blog post 20 Ransomware Statistics You’re Powerless to Resist Reading.
Recent Ransomware Attack Trends to Note (So Far) in 2020
The aggregate number of ransomware attacks decreased in Q2 2020, according to data from Coveware. However, not all that glitters is gold. Their research also shows that the numbers of recent ransomware attacks might be declining because bad guys are getting more selective about who they target and are increasing how much they charge per attack.
Coverware reports that the average ransom payment increased by 60% to 178,254 from Q1 to Q2 2020. This is a number that’s been rising rapidly since 2019.
Furthermore, their research also indicates that ransomware-as-a-service (RaaS) is also on the rise:
“The availability of free, do it yourself RaaS kits, and cheap attack ingredients pushed the barrier to entry extremely low. Deep technical expertise is no longer needed to participate in the cyber crime economy.”
The Q1 and Q2 2020 data from Emsisoft that we referenced earlier shows that while there was a bit of a reprieve in terms of fewer successful attacks on government, healthcare, and educational institutions in the U.S. early this year, it looks like those numbers are going back up. However, these public sector organizations can to something to put an end to poor cybersecurity practices. They must take action to enhance their cybersecurity defenses and to mitigate risks.
The following quote from Fabian Wosar, the Chief Technology Officer at Emsisoft, sums it up nicely:
“2020 need not be a repeat of 2019. Proper levels of investment in people, processes and IT would result in significantly fewer ransomware incidents and those incidents which did occur would be less severe, less disruptive and less costly.” — Fabian Wosar, CTO, Emsisoft
Final Thoughts on the List of the Most Recent Ransomware Attacks in 2020
Needless to say, ransomware attacks suck and are bad for business. While your organization may love free publicity, making headlines as the next victim of a ransomware attack just ain’t a good way to do it. However, there are things you can do to help your organization avoid becoming the next ransomware headline. Earlier this week, we outlined 12 steps you can take to make your organization more secure against malware-based threats (including ransomware).
Be sure to check them out and share your own insights and cybersecurity suggestions in the comments section of that article.