Ransomware Hackers Hit Brakes Worldwide, Leaving Mystery in Wake

By Andrew Martin, Demetrios Pogkas and Mathieu Benhamou

Published: March 18, 2019, 1:00 AM EDT | Updated: July 27, 2022, 5:00 AM EDT

There’s some good news on the ransomware front. By some accounts, there are fewer attacks happening. Victims aren’t paying ransoms as often. Some of the biggest ransomware gangs have gone dark. And law enforcement has had some success disrupting hackers’ flow of illegal money.

But the data on hacking isn’t perfect, and no one knows yet if the positive trend will continue. In other words, it’s far too soon to proclaim: “Mission Accomplished.”

Ransomware attacks involve encrypting a victim’s computer networks and demanding a ransom to unlock them. Most gangs now steal a victim’s data too and demand money to return it. The number of ransomware hacks has soared in recent years, with attackers targeting businesses, schools, municipal governments, nonprofit groups, even hospitals.

Now, something is afoot. For instance, the most prolific ransomware gang of late, called LockBit, has retooled its website, software and rules governing its “affiliates,” the people it gives its malware to for a cut of the illicit profits. The new-look LockBit claims it’s located in the Netherlands, “completely apolitical and only interested in money.” It also says that affiliates aren’t allowed to encrypt the computer files of companies and organizations that provide critical infrastructure, such as water and electrical systems.In addition, the group says, “It is forbidden to encrypt institutions where damage to files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like.”

But LockBit says the hackers who borrow its malware can still steal files from those sensitive targets and demand payment – a distinction that still allows for a shake down but doesn’t shut down the business. Drew Schmitt, managing security consultant for GuidePoint’s Research and Intelligence Team, says ransomware groups such as LockBit are trying to make as much money as possible while being less destructive.

Other major ransomware gangs have learned the hard way of drawing too much attention. Most recently, Conti, a particularly nasty group accused of partially disabling Ireland’s health care system and hacking Costa Rica’s government, shut down much of its online infrastructure. Other big names in the ransomware racket – Maze, DarkSide and REvil – have also gone by the wayside, with its members either moving to other groups or getting out of the business.

Ransomware groups tracked by GuidePoint Security claimed 574 victims in the second quarter, down 34% from the first quarter. GuidePoint attributed the decline to the dissolution of Conti, LockBit shutting down briefly while it rebooted and fewer attacks from another group, called Clop.

Other theories trying to explain the downturn point to successful measures by law enforcement, a drop in the value of cryptocurrency and fallout from Russia’s invasion of Ukraine. Not everyone agrees with this trend: Check Point Research said cyberattacks peaked in the second quarter – a reflection that there isn’t a reliable repository of data on hacks.

Allan Liska, threat intelligence analyst at Recorded Future, said there’s often a dip in attacks in June and July and that it’s not yet clear how long that may last. Some hackers may be moving away from the ransomware-as-a-service model, in which groups offer their malware to affiliates for a cut of the action. But the RaaS model may be drawing too much heat from law enforcement, so affiliates are striking out on their own, Liska said.

Coveware, which conducts negotiations on hacking victims’ behalf, said ransomware victims just aren’t paying as often. “While results quarter to quarter can hop and skip, the trend is very clear over the past three years,” according to a May 3 blog post. In the first quarter of 2019, 85% of the cases Coveware handled ended with the ransom being paid; in the first quarter of this year, only 46% did.

“This is what progress looks like against ransomware,” the blog says. “It is slow.”

Ransomware Attacks on Essential Infrastructure

Monthly count of attacks against entities in:
Education
Government
Health Care

Note: Data as of June. “Education” includes schools, school districts, colleges and universities. “Government” includes municipalities, counties, police departments, court offices and other local authorities. “Health Care” includes hospitals, health centers and other providers of medical services.

Source: Recorded Future

Notable Hacks

While ransomware attacks have become a dominant form of financial cybertheft, hackers continue to pursue more traditional types of breaches as well—stealing sensitive data such as credit card information and Social Security numbers. There are many variables in what makes a hack “bad”—records stolen, lives disrupted, money lost, to name a few. Bloomberg News compiled a list of some of the most notable attacks, by both criminal groups and hackers tied to a specific country.

Government-supported hacking groups from Russia, China, North Korea, Iran and even the U.S. have pulled off some of the most sophisticated and audacious attacks in history. These include the so-called Stuxnet worm—said to be created by the U.S. and Israel—that destroyed Iranian nuclear centrifuges and the Russian hack of Democratic Party emails ahead of the 2016 U.S. presidential election. Both attacks significantly raised the stakes in nation-state cyber warfare.

An attack on the computer networks of NASA and the Defense Department in 1999 was unsettling, but not as much as the fact that it was perpetrated by a Miami teenager. Baltimore is among many cities and towns that have been victimized by ransomware, but what makes that case stand out is the economics of it. The city refused to pay a $76,000 ransom, but the attack ended up costing an estimated $18 million in various damages.

Target: Colonial Pipeline Co., which operates the biggest fuel pipeline in the U.S.

Attacker: DarkSide

Date of attack: May 2021

Why it's noteworthy: When ransomware made by a Russia-linked gang called DarkSide crippled the computers of Colonial Pipeline Co., the company shut down operations, including the biggest fuel pipeline in the U.S. Gas prices went up as lines formed at filling stations along the East Coast, exposing the potentially devastating impact of ransomware to the masses and the challenges of stopping it. In a remarkable move, Colonial disclosed that it had paid the hackers $4.4 million in ransom; such information is rarely made public. However, the FBI recovered some of the money.

Targets: SolarWinds Corp.; government agencies and private companies, particularly in technology

Attacker: Russian state-sponsored hackers

Date of attack: Started in January 2019; became public in December 2020

Why it's noteworthy: Russian hackers installed a backdoor in updates for popular software from SolarWinds Corp., and then used it as a launching pad to attack some of its customers including U.S. government agencies. In all, nine U.S. government agencies and about 100 companies were infiltrated via SolarWinds and other methods. The hack showed the skill of Russia’s state-sponsored hackers and exposed gaping vulnerabilities in America’s digital supply chain.

Target: City of Baltimore

Attacker: Robbinhood ransomware

Date of attack: May 2019

Why it's noteworthy: Baltimore refused to pay a ransomware gang $76,000 in Bitcoin, a decision that ended up costing them an estimated $18 million in lost or delayed revenue and mitigation. To make matters worse, someone claiming to represent the hackers taunted the mayor on Twitter saying, “You are the only person that is responsible for this sh*t!” The incident highlighted how vulnerable local governments were to hackers and the difficult choices leaders face when confronted by extortion demands.

Target: NHS

Attacker: North Korea state-sponsored hackers

Date of attack: May 2017

Why it's noteworthy: An attack using ransomware called WannaCry wreaked havoc on the U.K.’s health-care system – forcing cancellations of surgeries and medical appointments -- and spread to targets outside the country as well. The attack used a software vulnerability developed by and stolen from the National Security Agency -- and traced to North Korean hackers. The WannaCry attacks set the stage for future ransomware attacks on healthcare facilities.

Targets: Among others: Ukraine; FedEx; Merck; Maersk; Mondelez International

Attacker: GRU (one of Russia’s military intelligence agencies)

Date of attack: 2017

Why it's noteworthy: Described by the White House as “the most destructive and costly cyberattack in history,” NotPetya was created by Russian military intelligence – apparently for use in its ongoing conflict with Ukraine. But it spread automatically and indiscriminately, causing an estimated $10 billion in damage to companies and organizations around the globe. The pharmaceutical company Merck alone sought $1.3 billion in losses from the attack from its insurers.

Targets: Democratic Party organizations; the Hillary Clinton campaign

Attacker: GRU

Date of attack: 2016

Why it's noteworthy: Russian hackers infiltrated the computer networks of Democratic Party organizations and presidential candidate Hillary Clinton and then leaked documents to hurt her campaign. The attacks, coupled with a Russian disinformation campaign on social media, were a significant escalation in cyberwarfare and fueled widespread partisan bickering and division after Donald Trump defeated Clinton.

Target: Ukraine’s electrical grid

Attacker: Russian state-sponsored hackers

Date of attack: December 2015

Why it's noteworthy: Russian state hackers attacked Ukrainian power stations, the first confirmed cyber takedown of a power grid. It set a dangerous new precedent for cyberwar. Nearly a year later, the Russian hackers did it again.

Target: Sony Pictures Entertainment

Attacker: North Korean state-sponsored hackers

Date of attack: 2014

Why it's noteworthy: North Korean hackers attacked a U.S. company, stealing documents and leaking sensitive and embarrassing content in apparent retaliation for a movie called “The Interview” that poked fun at their leader. After a threat against theaters, Sony canceled the movie’s premiere -- Sony later said it was because theaters were pulling the showing, not the threat. The attack showed even a small, isolated country could inflict damage using cyberattacks.

Target: Iranian nuclear centrifuges

Attacker: Allegedly Israel and the U.S.

Date of attack: Unknown; discovered in 2010

Why it's noteworthy: A computer worm known as Stuxnet sabotaged Iranian nuclear facilities. It destroyed centrifuges at a uranium enrichment facility and eventually burned them out. Stuxnet was remarkable for its sophistication, using four “zero day” vulnerabilities in Microsoft Windows and targeted specific industrial control systems. Believed to be the work of Israel and the U.S., Stuxnet touched off an escalation of nation state cyberwarfare.

Targets: Westinghouse Electric Co.; U.S. Steel; Alcoa; the U.S. Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union; others

Attacker: Chinese state-sponsored hackers

Date of attack: 2006 to 2012

Why it's noteworthy: The 2014 indictment of five Chinese military hackers for cyberattacks against U.S. companies was an example of what U.S. officials have described as a massive problem: Chinese theft of intellectual property from American companies. In this instance, the hackers were accused of conspiring to hack into American companies and a labor union to steal information that would be useful to their competitors in China.

Targets: NASA; U.S. Department of Defense

Attacker: Jonathan James

Date of attack: 1999

Why it's noteworthy: A teenager was able to infiltrate computer networks at NASA and the Defense Department. At NASA, James infiltrated 13 computers, downloaded software and stole data. At a Defense Department agency that monitors nuclear, biological and chemical threats, he intercepted thousands of messages and more than a dozen usernames and passwords. As a 16-year-old, James became the first juvenile hacker to be sentenced federally to serve time, the Justice Department said.

Hacks that Exposed Personal Information

Bloomberg News continues to gather and analyze data on major cyberattacks that expose 1 million records or more. Since January 2020, 92 corporate, government and nonprofit organizations have experienced such breaches, which exposed more than 996 million records. Over the course of more than a decade, the tally exceeds 11.43 billion records across 382 entities.

Major Data Breaches by Industry

Records exposed

Source: Data before March 2019 is based primarily on the Privacy Rights Clearinghouse, the Breach Level Index and Have I Been Pwnd?. Data after March 2019 is based primarily on Have I Been Pwnd? and the Identity Theft Resource Center, as the other two data sources have put updating or publishing their databases on hold. Whenever possible, data has been corroborated against company statements, regulatory filings and reports, or media clippings.

Nowadays, user and corporate data are among a business’s most valuable and most sensitive assets. As a growing number of hackers attempt to exfiltrate such information for their own benefit, Bloomberg News will be updating this story with more cybersecurity incidents when they become known.

With assistance from: Benedikt Kammel.

Graphics Editor: Jeremy Scott Diamond.

Methodology

Included are cyberattacks that resulted in user data, personal identifiable information, or financial data being stolen or exposed. Only cases that resulted in exposure of at least 1 million records are included. Excluded are physical thefts or losses of data, accidental public data leaks, mishandling of user or customer data, data breaches due to insider knowledge, and other similar cases.

Whenever available, the exact or approximate date an incident occurred is used, as disclosed by the affected entities themselves or as reported by the media or other sources. When an incident occurred within a time range, the starting date is used. For all other cases, the date the incident was discovered, or the date the incident was disclosed or publicized (whichever came first), is used. For the timeline, date approximations have been translated to an actual date.

Whenever available, the exact number of unique records that were exposed, as disclosed by the affected entities themselves or as reported by the media or other sources, is used. For all other cases, an estimate of exposed records is used, similarly as disclosed by affected entities or as identified by other sources. “Unknown” numbers of records refer to incidents in which the affected entities only specified that the breach was in the scale of millions. When a difference has been identified between the total number of records claimed to and the number of records confirmed to have been exposed, the latter is used. When an update in the number of records exposed or the time the incident occurred was identified, the revised figures are used.

Whenever an incident has been specified to have affected users in one country only, that location is used. For all other cases, location indicates country of origin of the affected entities.