The ransomware crisis is getting out of control. With recent attacks on critical infrastructure and hospitals, the world is waking up to how serious this type of cyberattack can be.
Nonprofit leaders understand that ransomware is preventable—and they know how to protect against it. But still, increasingly many organizations are finding their computers locked, their files encrypted, or their donors’ personal data stolen.
From the widespread chaos caused by 2017’s WannaCry attack to the recent REvil supply chain infection affecting up to 1,500 organizations, these seven ransomware examples will help you understand what you’re up against.
2017 WannaCry attack: The world’s first taste of how bad ransomware can get
Let’s start with an attack from several years ago—before “ransomware” was a household name—that shocked the world into taking cybersecurity more seriously.
The incident started in May 2017, when hackers infected a computer with the WannaCry ransomware. Within a day, users of over 230,000 computers worldwide found that their files had been encrypted—and that they could only retrieve their data by making a Bitcoin payment to the attackers.
How could WannaCry infect so many computers?
The original infection was initially believed to have resulted from a phishing email, but researchers later concluded that the ransomware took hold via a vulnerable SMB port.
Join 30,000+ fundraising professionals that receive our weekly Sunday newsletter with industry trends, tips, and analysis delivered right to your inbox
From there, the infection spread to other computers that had not downloaded a recent Microsoft security update—the hackers used a tool called EternalBlue (developed by the U.S. National Security Agency) to exploit a zero-day vulnerability in Windows.
WannaCry caused chaos across multiple sectors in more than 150 countries. The U.K.’s National Health Service (NHS) was particularly badly affected—hospitals even had to cancel operations due to the disarray caused by the attack.
The actual ransom payments—between $300-$600 each—added up to a meager $130,634. But estimates of the overall costs associated with the attack range between hundreds of millions and billions of dollars.
Colonial Pipeline attack: ransomware affects critical infrastructure
On May 6, 2021, Ransomware gang Darkside hit the Colonial Pipeline Company, a utilities firm that operates the largest refined oil pipeline in the U.S., causing chaos at gas stations across the country and netting millions of dollars in the process.
Security analysts suspect that Darkside gained access to Colonial’s systems via a single compromised password—possibly after purchasing it via the dark web. The cybercriminals targeted Colonial Pipeline’s computer systems, stealing nearly 100 gigabytes of data and impacting the company’s billing operations—but not the actual technology enabling the flow of oil through the pipeline.
Nonetheless, the company halted oil supplies throughout the duration of the attack, sparking fuel shortages and panic-buying throughout parts of the southern U.S. and prompting the Biden administration to issue a state of emergency.
Colonial Pipeline paid the Bitcoin ransom of around $4.4 million. But the more significant impact was on wider society. Ransomware had affected the supply and cost of gas—the hackers had broken through to people’s everyday experiences.
Fake invoice leads to Ryuk ransomware infection
Wire transfer phishing—where cybercriminals commit online fraud using a fake invoice and a compromised email account—costs businesses billions each year. But in this mid-2020 case, a fake invoice led not to a fraudulent wire transfer but to a ransomware infection.
An employee at a food and drink manufacturer opened a malicious Microsoft Word file attachment to an email, unleashing the Emotet and Trickbot malware onto their computer. The malware created a backdoor into the organization’s systems, allowing the cybercriminals to gain access and deploy the Ryuk ransomware.
The company declined to pay the ransom in this case—but still incurred substantial costs. Over half of the organization’s systems were unusable for 48 hours, and the firm had to contract security experts to restore access.
Kaseya supply chain attack impacts 1,500 companies
The biggest ransomware attack on record occurred on July 2, 2021, when the REvil gang hit software company Kaseya. Organizations using Kaseya’s IT management software downloaded a malicious update that infected their computers with ransomware.
Victims received a ransom note informing them that their files had been encrypted. The note said users could retrieve their files by purchasing the cybercriminals’ $45,000 decryption software, payable in cryptocurrency.
The attack directly affected at least 60 firms—and it had downstream consequences for at least 1,500 companies. Even a Swedish supermarket chain was forced to close its doors after its payment processing equipment malfunctioned due to the attack.
A few days after the attack, a post on the cybercrime gang’s dark web page promoted a universal decryptor that could unscramble all data impacted by the attack—for the bargain price of $70 million. The Kaseya ransomware attack was reminiscent of the notorious 2020 Solarwinds attack, which, while it did not involve ransomware, exposed the vulnerability of supply chains.
UK health service warns of Avaddon phishing attacks
In April 2021, the digital arm of the U.K.’s National Health Service (NHS) put out a warning about Avaddon ransomware, a type of ransomware that can “both steal and encrypt files” in “double extortion attacks.”
Avaddon typically arrives via a phishing email. The email contains a .jpeg or .zip file which acts as a downloader for the ransomware. In some cases, the application will terminate itself if it detects that you’re using a Russian keyboard layout.
As mentioned, Avaddon not only encrypts your files—it can also steal and publicly leak them if you fail to pay the ransom. So what makes this double extortion method particularly harmful?
Getting your important files encrypted is bad enough. You lose vital data and might need to cease operations until the situation is resolved. But having your files stolen as well puts you at a heightened risk of penalties from regulators for failing to protect donor’s personal data.
Stolen credentials lead to $4.4 million DarkSide attack
The North American division of chemicals distributor Brenntag lost around 150 gigabytes of company data in May 2021, when the DarkSide ransomware gang deployed ransomware on the company’s systems.
The cybercriminals reportedly demanded $7.5 million ransom, which the chemicals company managed to negotiate down to $4.4 million—a sum it reportedly paid DarkSide on May 14 to prevent the compromised data from being published.
So how did DarkSide get access to Brenntag’s systems? It appears the cybercrime gang (or one of its affiliates) purchased some of Brenntag’s user credentials on the dark web. Credentials are a prime target for cybercriminals and are one of the data types most commonly compromised in phishing campaigns.
COVID-19 testing delayed after Irish hospitals hit by ransomware
When Irish hospitals were attacked by a ransomware gang in May 2021, patient data was put at risk, appointments were canceled, COVID-19 testing was delayed—and the world saw once again how far cybercriminals were willing to go to make money.
The hackers are believed to have targeted a zero-day vulnerability in a virtual private network (VPN) operated by the Irish Health Service Executive. The Russian cybercrime group responsible for the attack, known as Wizard Spider, reportedly demanded a $19,999,000 ransom.
After the Irish prime minister publicly declared that the country would not be paying the ransom, the healthcare system was forced to resort to keeping records on paper until the situation was resolved.
Are your fundraising systems secure? Sign up for a Gravyty demo today and learn how your team can keep its donor data safe while doing the best work of their lives: