This Year in Ransomware Payouts (2020 Edition)
The Highest Ransoms Paid by Organizations in 2020
Ransomware has come to be a customary instrument in the arsenal of cybercriminals who routinely attack individuals and organizations. Under such circumstances, their victims experience financial damage either by ending up paying the ransom or by bearing the price of recovering from attacks. It’s now fairly obvious that becoming a ransomware target is no longer an “if”, but rather a “when” presumption. In a piece I wrote at the end of last year, I examined the biggest ransomware payments of 2019. To keep the tradition going, I’ve also tracked this year’s publicized cyberattacks so, at this time, I will review the highest ransomware payouts of 2020.
Ransomware statistics and trends in 2020
- 51% of businesses were targeted by ransomware (source).
- There was a 40% surge in global ransomware, reaching 199.7 million hits (source).
- By the end of 2020, ransomware costs are projected to reach $20 billion for all businesses (source).
- The average ransomware payment demand was $233,817 in Q3 2020 (source).
- 1 in 5 SMBs and 4 in 5 MSPs were targeted by ransomware attacks (source).
The rise of Ransomware during COVID-19
Malicious hackers have taken advantage of the uncertainty and instability created by this year’s pandemic, at the same time amplified by the work-from-home movement adopted by companies unprepared to deal with remote set-ups. Unfortunately, the 2020 events shaped a prosperous environment for cybercriminals who were hunting for increasingly larger compensations and consequently resorted to ransomware. Naturally, as people wanted to relieve their sense of confusion, coronavirus-related web searches increased. As a result, cybercriminals started to conceal ransomware and disguise it as COVID-19 materials, seeking to trick victims into accessing fake websites or downloading malicious applications. During this period, researchers found that the COVID-19 pandemic sparked a 72% growth in ransomware attacks. An example of a Covid-19-related ransomware attack has been spotted in Italy, one of the most affected countries. A type of ransomware dubbed “[F]Unicorn” started spreading through a fake contact tracing app, that promised to offer real-time updates related to new infections. After installing the application, users would notice that their data had been encrypted and could read a ransom note written in Italian, which demanded them to pay EUR 300 in three days – otherwise, their data would be erased. The “good” news here was that, according to CERT-AgID, the password for encrypting the files was sent in plain text, so it could be recovered from the network traffic logs. This indicated that [F]Unicorn was the creation of an inexperienced attacker with little technical expertise, who used the code from an already-known ransomware strain. Other victims were targeted through commonly used software such as Microsoft Office. Recently, security researchers discovered a phishing document targeting staff at the University of British Columbia (UBC) with a fake COVID-19 survey, which used template injection to download and execute a remote template that included a malicious macro. When the macro was executed, it dropped the Vaggen ransomware and demanded a payment in Bitcoin, the equivalent of $80.
First reported fatality triggered by ransomware
Tragically, the first human death as a result of ransomware took place this year. The incident happened on September 10, when the Dusseldorf University Hospital, the nearest institution to a woman who required immediate medical attention, was shut down due to a ransomware attack. Consequently, the patient had to be transferred to another hospital 30 km away, but sadly, it was too late. By exploiting a flaw in commercial software, the criminals obtained access to the network and more than 30 of the hospital’s internal servers were encrypted with ransomware, causing it to close down all facilities, including the emergency unit. After being approached by the police, the attackers issued the decryption key without requesting the ransom payment.
Major ransomware payouts of 2020
Moving on to the largest ransomware payments of 2020, you’ll notice how easily organizations of all sizes can become victims of crippling cyber-attacks. Without further ado, below you will find the biggest ransomware payouts of 2020.
#10. City of Florence
Amount paid: $300,000
On June 5, ransomware attackers breached the IT networks of City of Florence, Alabama. After the intruders unleashed the attack, they encrypted the City’s systems and requested Bitcoin worth almost $300,000. City officials decided to pay the ransom fee, seeking to keep their residents’ personal details off the Internet. On May 26, acting in response to information received from Hold Security, KrebsOnSecurity contacted the Florence mayor’s office to inform them that a ransomware group had taken control of a Windows 10 system in their IT environment. The computer and the Windows network account that was flagged as compromised were isolated by an administrator. However, a few days later, Florence Mayor Steve Holt announced that the city’s email system was shut down by a cyberattack. At the time, there was no evidence of ransomware, according to Holt. However, Holt later admitted in an interview with KrebsOnSecurity that the City’s systems had been infected with DoppelPaymer, a ransomware type used by a cybercriminal group with a reputation for negotiating some of the largest extortion payments, with attacks involving hundreds of popular ransomware strains. The mayor stated the same group seemed to have concurrently infiltrated networks belonging to four other victims an hour away from Florence, including another municipality he refused to name. Holt mentioned that the scam artists originally requested 39 bitcoins (USD $378,000), but the offer had been negotiated down to 30 bitcoins (USD $291,000) by an independent security company hired by the city. Holt declared that the city couldn’t have risked having the personal and financial records of its citizens compromised by not paying.
Image source: Crowdstrike
DoppelPaymer operators are generally known for stealing massive amounts of data from victims before releasing the ransomware, and then threaten to reveal or distribute the information unless a ransom demand is paid. This practice is commonly employed by many ransomware cyber criminals, who typically infiltrate a target’s network for weeks or even months before initiating an attack.
#9. Tillamook County
Amount paid: $300,000
Tillamook County fell victim to a ransomware attack on January 22, 2020. The servers, internal computer systems, and website went down, and their phone systems and email networks were affected as well. Their IT environment was disabled for around two weeks. Officials announced that a $300,000 ransom was paid to restore computer access. Commissioner Bill Baertlein said if the amount went unpaid, it would have taken 12-24 months and cost $1 million to decrypt the county’s computer system.
Image source: PCRisk
#8. Yazoo County School District, Mississippi
Amount paid: $300,000
In October, a school board in Mississippi voted to pay $300,000 to restore files that were encrypted during an alleged ransomware attack. After malicious actors breached the information technology infrastructure of the Yazoo County School District, a federal investigation was opened.
“Last week, the Yazoo County School District detected a potential cyber event impacting certain devices on our network. We took our IT systems offline to investigate and address. National cyber-security firms were engaged to assist. We also reported this to federal law enforcement,” said Barron Superintendent Dr. Ken Barron in a statement released by the school.
Dr. Ken Barron informed the WLBT news that on Monday, 12 October, the institution became aware of the cyberattack. Barron also stated that the attack did not involve payroll, cafeteria transactions, and the school’s phone, fire alarm, and burglary systems.
#7. University of Utah
Amount paid: $457,000
The University of Utah announced on July 19, 2020, that they become the target of ransomware. A $457,000 ransom was paid to stop cybercriminals from disclosing data captured during the attack. In the College of Social and Behavioral Sciences (CSBS) branch, the malware encrypted their servers. As part of the operation, before locking up their devices, the malicious actors also stole the university’s data.
“After careful consideration, the university decided to work with its cyber insurance provider to pay a fee to the ransomware attacker. This was done as a proactive and preventive step to ensure information was not released on the internet,” stated their data security incident notification.
#6. Communications & Power Industries (CPI)
Amount paid: $500,000
CPI – a major electronics manufacturer for defense and communications (military devices and equipment, such as radar, missile seekers, or electronic warfare technology) – also became a victim of a high-profile ransomware attack this year. The incident took place in mid-January and shortly after, the defense contractor paid a ransom of about $500,000. A user with the highest level of privileges (a domain admin), accessed a malicious link as they logged in, which contained the ransomware. Since thousands of endpoints on the network were on the same, unsegmented domain, the encrypting malware rapidly extended to all CPI offices, as well as to its on-site backups. A few machines holding sensitive military data were restored using the decryption key, which was obtained after the organization paid the ransom. It was said that one system had files linked to Aegis, a naval arms system developed by Lockheed Martin.
System admins waste 30% of their time manually managing user
rights or installations
Heimdal™ Privileged Access
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
#5. Delaware County, Pennsylvania
Amount paid: $500,000
In November, Delaware County, Pennsylvania paid a $500,000 ransom after their systems were infected with DoppelPaymer ransomware. The Bureau of Elections and the County’s Emergency Services Department were not impacted and were on a different network than the affected one. According to local media, the ransomware operators managed to access networks that contained police reports, payroll, purchasing, and other sensitive information. The attackers demanded a $500,000 ransom in exchange for the decryptor. The payment was covered by their cyber insurance.
#4. University of California San Francisco (UCSF)
Amount paid: $1,14 million
The University of California at San Francisco paid a ransom demand of $1.14 million to recover files encrypted by ransomware. The institution was attacked on June 1, when ransomware was discovered in the systems of the UCSF School of Medicine. The IT staff attempted to isolate the infection, which prevented the malware from extending to the core UCSF network and producing additional damage. The school said the attack did not affect their patient care delivery operations, overall campus network, or COVID-19 work. However, the UCSF servers used by the school of medicine were encrypted. The Netwalker ransomware gang was believed to be responsible for the attack. The BBC closely followed the Dark Web negotiation made between Netwalker and the UCSF. The malicious hackers first asked for a ransom of $3 million, which was disputed by the UCSF with a $780,000 proposal. The university’s offer was declined and negotiations eventually led to the agreed figure of $1,140,895, paid in Bitcoin. The threat actors offered a decryption key and said they would erase data stolen from the servers. However, it is uncertain whether the attackers actually kept their promise.
Amount paid: $2,3 million
Following a ransomware attack on New Year’s Eve, Travelex, a London-based foreign currency exchange that does business in 26 countries, paid $2.3 million to regain access to its records. The event crippled the company for weeks. Travelex’s payment and the sum were not announced until April 2020, but the company reported the ransomware attack shortly after it happened. The Sodinokibi gang claimed to have accessed and then copied and encrypted 5 GB of data from Travelex’s network. Initially, the cybercriminals allegedly requested $6 million to decrypt the information. Travelex agreed to pay a $2.3 million ransom after several weeks of negotiation and consulting its partners and associates. Sources said they confirmed the payment in an online conversation with members of the Sodinokibi group.
#2. CWT Global
Amount paid: $4,5 million
Ransomware: Ragnar Locker
According to a record of ransom negotiations seen by Reuters, the US travel services company CWT paid $4.5 million to malicious hackers who stole vast amounts of their confidential business files and said they had taken 30,000 computers down.
Image source: Reuters
A type of ransomware dubbed Ragnar Locker was used by the attackers, which encrypts data files and makes them unusable until the user pays for access to be recovered. In an anonymous chat room, the ongoing discussions between the hackers and a CWT official remained publicly open, offering a remarkable glimpse into the complex connections that can be created between cybercriminals and their victims. CWT said it had notified U.S. law enforcement and European data privacy agencies immediately. A source familiar with the investigation believed the number of compromised machines was significantly smaller than 30,000. According to the messages inspected by Reuters, the hackers initially requested a ransom of $10 million to recover CWT’s files and erase all the stolen data. In the talks, the CWT official, who said that they were speaking on behalf of the Chief Financial Officer of the company, said the organization was severely affected by the COVID-19 pandemic and agreed to pay $4.5 million in Bitcoin. The hackers reported having stolen two terabytes of data, including financial records, security documentation, and personal details of employees such as email addresses and salary information. Whether the data belonging to some of CWT’s customers (including Thomson Reuters) was hacked was not known.
Amount paid: $10 million (disputed)
Garmin experienced a worldwide outage on July 23rd, 2020, where their clients could not access their services. BleepingComputer was the first one to announce the incident after Garmin’s employees exchanged images of encrypted workstations. The cyber assault was carried out by the operators of WastedLocker Ransomware.
Employees later revealed that the ransom demand was $10 million. Garmin suddenly announced that they were beginning to restore services after a four-day shutdown, which led the public to believe that they had paid the ransom to obtain the decryptor. However, the company declined to comment. BleepingComputer obtained access to an executable developed by the Garmin IT department used to decrypt a workstation and install a range of security tools on the device. WastedLocker is a ransomware strain with no known vulnerabilities in its encryption algorithm. The absence of flaws only suggests that it would not have been possible to create a decryptor for free.
“To obtain a working decryption key, Garmin must have paid the ransom to the attackers. It is not known how much was paid, but as previously stated, an employee had told BleepingComputer that the original ransom demand was for $10 million.”, notes Lawrence Abrams.
To pay, or not to pay?
Today’s organizations live and breathe data, which is why ransomware victims are inclined to pay. One may think that as a result of paying the ransom the issue will simply disappear, however, this will not always be the case. In fact, studies have shown that half of ransomware victims who pay the ransom never get their data back. Here are the top three reasons why HeimdalTM always advises both individuals and organizations to never pay the ransom:
- There’s no guarantee that all your data will be decrypted. It could only be partially recovered, or not at all.
- You will never find out if your data has already been sold on the dark web.
- This practice fuels future attacks – in a nutshell, this is why ransomware attacks still work.
In addition, if you’re a US-based company, paying the ransom might also get you in trouble with the federal government. On October 1st, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory indicating that paying ransoms may be unlawful in certain situations. All entities that pay could breach the OFAC legislation and thereby be subject to investigation and stiff penalties, regardless of whether the victim or a third-party (such as a cyber insurance company) arranged the payment.
How to prevent ransomware infections in your organization
As a general rule, prevention is always much better and easier than the cure. Luckily, there are numerous steps you can take to prevent ransomware, such as keeping backups, performing regular patching, using multi-factor authentication and strong passwords, introducing programs for your employees’ education, and using the appropriate cybersecurity tools. What’s more, you should always plan your company’s protection in layers, from the bottom up. Your first anti-ransomware layer of protection should be your employee cybersecurity awareness training. This should far exceed the simple understanding of how to recognize an attack, but rather include rigorous and continuous education. Your staff needs to grasp the motivations behind a ransomware attack, what to do if they believe the company has been targeted, how their actions will influence the final outcome, and what the recovery process will include if an attack turns into an outbreak. With reference to cybersecurity tools, I suggest you check out HeimdalTM’s Threat Prevention suite, which proactively offers DNS, HTTP, and HTTPS filtering at the perimeter and endpoint-level. Our proprietary technologies, DarkLayer™ GUARD and VectorN Detection™ act jointly to enhance the DNS filtering process with AI-based behavioral analysis and detection. As part of our endpoint cybersecurity suite, but also of our perimeter-based solution, they offer excellent defenses against complex cyber aggressions. Besides, HeimdalTM’s Automated Patch Management module helps organizations fix software vulnerabilities, achieve compliance, and uniquely prevent and stop ransomware, APTs, data leaks, exploits, and more.
Ransomware attacks leave no organization behind, regardless of industry or size. We can always expect such attacks to be even more frequent than we’ve seen so far, which means that organizations and home users alike will always be vulnerable. All things considered, try to do everything in your power to avoid becoming yet another ransomware attack case study.