Ransomware breaches have become a widespread and concerning issue in recent years and present an ever-growing threat to thousands of organizations and businesses worldwide. These breaches involve attackers encrypting a victim's data and demanding a ransom payment in exchange for providing the decryption key. The average ransom in 2023 is $1.54 million, almost double the 2022 figure of $812,380 (Sophos, 2023). Additionally, ransomware attacks have risen by 13 percent in the last five years, with an average cost of $1.85 million per incident (Astra, 2023). The following are a few notable examples of ransomware breaches and how they were resolved:
- WannaCry (2017): WannaCry is one of the most infamous ransomware attacks. It targeted Windows computers worldwide by exploiting a vulnerability in the Windows operating system. The attack affected various organizations, including hospitals and government agencies. The ransomware demanded payments in Bitcoin.
- Resolution: A security researcher accidentally discovered a "kill switch" within the malware's code, which helped slow down the attack's propagation. Microsoft also released emergency security patches to address the underlying vulnerability. Some victims paid the ransom, but decryption tools were eventually released by security researchers, allowing many victims to recover their files without paying.
- NotPetya (2017): NotPetya, also known as Petya or ExPetr, masqueraded as a ransomware attack but was later determined to be destructive malware designed to disrupt systems. It spread using the same EternalBlue exploit as WannaCry and caused significant damage to various multinational companies.
- Resolution: NotPetya did not have a reliable method for decryption, and its intent seemed more focused on causing chaos. Organizations affected by NotPetya had to rebuild their systems from backups and implement stronger security measures to prevent future attacks.
- Colonial Pipeline (2021): The Colonial Pipeline, a major fuel pipeline in the United States, fell victim to a ransomware attack attributed to the DarkSide ransomware group. The attack led to the temporary shutdown of the pipeline, causing disruptions in fuel supply along the East Coast.
- Resolution: Colonial Pipeline decided to pay a ransom of approximately $4.4 million in Bitcoin to the attackers to expedite the restoration of services. However, the U.S. government later announced that a significant portion of the ransom was successfully recovered through law enforcement efforts.
- JBS (2021): JBS, one of the world's largest meat processors, suffered a ransomware attack that disrupted its operations and supply chain. The attack was attributed to the REvil ransomware group.
- Resolution: JBS decided to pay a ransom of $11 million in Bitcoin to the attackers to regain control of its systems and prevent further disruptions. Similar to the Colonial Pipeline case, law enforcement efforts led to a portion of the ransom being recovered.
- MOVEit Hack (2023): This was one of the biggest hacks and spanned 600 breaches. Nearly 40 million people were impacted by this hack, according to cyber analysts. In 2023, the Clop ransomware group attacked MOVEit Transfer, a secure managed file transfer software product, and stole its customers' sensitive data.
- Resolution: One of the nuances of the MOVEit situation is that it is a true software supply chain security issue, and therefore it was never completely resolved. Patches for the flaws have been released in phases, and the company says that it has not “currently” seen evidence that the bugs are being actively exploited.
It's important to note that paying ransoms can have ethical, legal, and strategic implications. Paying the ransom does not guarantee that the attackers will provide a working decryption key, and it can further incentivize criminal activity. Many cybersecurity experts advise against paying ransoms and instead recommend focusing on prevention, preparedness, and building robust incident response plans to mitigate the impact of ransomware attacks.