Ransomware in 2024: A Timeline of Attacks and Record-Breaking Ransoms

Ransomware's Escalating Threat in 2024
The past year witnessed another surge in ransomware incidents, establishing a new peak in malicious activity. Beyond the familiar disruptions of file-locking malware – such as the incapacitation of online services and prolonged outages – ransomware became a primary driver of massive data theft, impacting hundreds of millions of individuals with potentially lifelong consequences.
Persistent Attacks Despite Law Enforcement Efforts
Although governmental agencies achieved limited successes against ransomware operators during the last year, including the dismantling of the LockBit group and the shutdown of Radar, data theft and extortion attacks have continued to rise significantly. This increase is evident in both the number of occurrences and the complexity of the methods employed.
Notable Ransomware Incidents of the Year
A review of the most significant ransomware attacks that transpired throughout 2024 reveals a concerning trend. These incidents highlight the evolving tactics and widespread reach of cybercriminals.
The frequency of these attacks demonstrates the need for heightened cybersecurity measures. Organizations and individuals alike must prioritize data protection strategies.
Sophistication in attack vectors is also increasing. Criminals are leveraging new technologies and techniques to bypass traditional security protocols.
The impact of these breaches extends beyond immediate financial losses. Reputational damage and long-term data exposure are also significant concerns.
Continued vigilance and proactive security practices are essential to mitigate the risks posed by ransomware in the future.
January
LoanDepot
At the beginning of the year, LoanDepot, a major mortgage and loan provider, disclosed a cybersecurity incident. This incident involved the encryption of data through the use of ransomware. Consequently, customers experienced difficulties accessing their accounts and making payments.
The Florida-based company was compelled to temporarily disable specific systems in response to the attack. Later reports indicated that the personal information of over 16 million individuals had been exposed as a result of the breach.
Fulton County
The LockBit ransomware group asserted responsibility for a cyberattack targeting Fulton County, Georgia’s most populous county. This attack caused significant disruption across the county for several weeks, impacting IT infrastructure, phone services, court operations, and tax systems.
LockBit initially released substantial amounts of data obtained from Fulton County, including what they described as “confidential documents.” However, this data was subsequently removed from their dark web leak site, potentially suggesting a ransom payment by the county. Security analysts believe LockBit likely lost the majority of the stolen data following a law enforcement operation in the subsequent month.
Southern Water
Early in the year, Southern Water, a large U.K. utility company, announced an investigation into a data theft incident. Weeks later, it was confirmed that ransomware hackers had successfully stolen the personal data of more than 470,000 customers.
The attack on Southern Water, which delivers water and wastewater services to a large population in south-east England, was attributed to the Black Basta ransomware group. This Russia-linked group had previously claimed responsibility for a 2023 cyberattack on Capita, a U.K. outsourcing organization.
February
Change Healthcare
A significant data security incident occurred in February, marking one of the year’s most substantial breaches – and the largest ever impacting U.S. health and medical data. Change Healthcare, a health technology firm owned by UnitedHealth, experienced a cyberattack orchestrated by the ALPHV ransomware group.
The ALPHV gang asserted they had successfully exfiltrated sensitive health and patient data belonging to millions of Americans. It was reported that Change Healthcare remitted a payment of $22 million to ALPHV prior to the group’s disappearance in March.
Subsequently, the contractor responsible for executing the hack contacted Change Healthcare, requesting a further ransom payment.
UnitedHealth acknowledged in April that the attack resulted in a data breach impacting a considerable segment of the U.S. population.
Confirmation that the breach, which included medical records and health information, affected at least 100 million individuals wasn’t released until October. However, the actual number of those impacted is anticipated to be significantly greater.
March
Omni Hotels
Late in March, Omni Hotels & Resorts experienced a network intrusion by malicious actors, prompting a shutdown of its systems. This resulted in significant disruptions at Omni properties, impacting services like phone access and Wi-Fi connectivity.
Subsequently, in April, the hotel group disclosed a data breach. Cybercriminals had successfully exfiltrated customer personal information during a ransomware attack that occurred in March.
The Daixin gang, a known cybercriminal organization, claimed responsibility for the attack. Reports indicate that approximately 3.5 million customer records belonging to Omni were compromised.
Details of the Breach
The incident involved unauthorized access to Omni’s network, allowing the attackers to steal sensitive data. This data included personal information belonging to a substantial number of Omni’s clientele.
The Daixin gang’s claim of stealing 3.5 million records highlights the scale of the breach and the potential impact on affected individuals. Investigations are ongoing to determine the full extent of the compromised data.
June
Evolve Bank
A significant ransomware incident impacted Evolve Bank, a substantial banking-as-a-service provider based in the U.S., during June. This attack had far-reaching consequences for both Evolve’s banking clientele and the fintech companies dependent on its services, notably including Wise and Mercury.
The LockBit ransomware group asserted responsibility for the breach, subsequently publishing data purportedly obtained from Evolve on their dark web leak platform.
In July, Evolve acknowledged a data breach affecting at least 7.6 million individuals. Compromised data included sensitive personal information such as Social Security numbers, bank account details, and contact information.
Synnovis
A ransomware attack on Synnovis, a key pathology services provider, prompted the NHS to declare a critical incident in June.
The cyberattack resulted in the cancellation of scheduled surgeries and the redirection of emergency patients. Furthermore, the NHS issued a nationwide request for donations of “O” blood type due to delays in blood matching caused by the prolonged service disruptions.
The Qilin ransomware group took credit for the attack and ultimately leaked 400 gigabytes of confidential data. This data, allegedly stolen from Synnovis, encompassed approximately 300 million patient interactions accumulated over several years, classifying it as one of the year’s most substantial ransomware events.
July
Columbus, Ohio
Approximately 500,000 inhabitants of Columbus, Ohio – the state's capital city – experienced a data breach in July as a result of a ransomware incident. The compromised personal information included names, birthdates, addresses, identification documents issued by the government, Social Security numbers, and financial account specifics.
In August, the cybercrime organization Rhysida asserted responsibility for the Columbus attack. This group was previously linked to the significant cyberattack targeting the British Library in the prior year.
Rhysida stated that they successfully exfiltrated 6.5 terabytes of data belonging to the city of Columbus during the breach.
The stolen data represents a substantial risk to affected individuals, potentially leading to identity theft and financial fraud. City officials are working to mitigate the damage and provide support to those impacted by the ransomware attack.
Details of the Breach
The nature of the attack involved the deployment of ransomware, a type of malicious software designed to encrypt data and demand payment for its release. This encryption renders the data inaccessible to the city until a ransom is paid.
Beyond the encryption itself, Rhysida also reportedly stole a significant volume of data before encrypting systems. The group is now threatening to release this stolen data publicly if a ransom is not paid.
The compromised information encompasses a wide range of personally identifiable information (PII), making it highly valuable to malicious actors. This includes sensitive details like Social Security numbers and bank account details.
- Affected Data: Names, dates of birth, addresses, government IDs, Social Security numbers, and bank account details.
- Attacker: Rhysida cybercrime gang.
- Data Volume: 6.5 terabytes of stolen data.
Investigations are ongoing to determine the full extent of the breach and to enhance the city’s cybersecurity defenses against future attacks. The incident underscores the growing threat of cyberattacks targeting municipal governments.
September
Transport for London
Throughout September, Transport for London, the governmental organization responsible for London’s public transportation, faced significant digital challenges. These arose from a cyberattack targeting their corporate network.
The attack, which did not interrupt the operation of the London transit network itself, was subsequently attributed to the Clop ransomware group, known for its connections to Russia.
Despite continued service, the security breach led to the compromise of financial information belonging to approximately 5,000 customers.
As a direct consequence, Transport for London was compelled to implement a manual password reset process for all 30,000 employees, requiring in-person verification for each individual.
October
Casio
In October, Casio, a leading Japanese electronics manufacturer, experienced a significant cyberattack. The company confirmed to TechCrunch that this incident involved a ransomware attack.
The Underground ransomware group took responsibility for the breach. This resulted in several of Casio’s core systems becoming inoperable, leading to shipment delays spanning several weeks.
Beyond system disruption, the attack led to data exfiltration. Sensitive data, including employee, contractor, and partner personal information, was stolen. This also included internal documents like invoices and human resources records.
Casio acknowledged that hackers gained access to customer information as well. However, the precise number of customers impacted by the breach remains undisclosed.
The compromised data encompassed a range of sensitive materials, impacting various stakeholders associated with the company. Casio is currently working to assess the full extent of the damage and implement recovery measures.
Weeks of delays to product shipments were a direct consequence of the attack. The company is focused on restoring full operational capacity as quickly as possible.
November
Blue Yonder
A ransomware incident in November targeting Blue Yonder, a leading global supply chain software vendor, triggered disruptions for numerous prominent retailers in both the U.S. and the U.K.
Several major U.K. supermarket chains, including Morrisons and Sainsbury’s, acknowledged experiencing operational difficulties stemming from the attack, as reported by TechCrunch.
The impact extended across the Atlantic, with Starbucks, a well-known U.S. coffee chain, also affected.
Specifically, Starbucks store managers were compelled to process staff payments manually due to the system outages.
Blue Yonder has released limited information regarding the breach, notably omitting details about potential data exfiltration.
However, two distinct ransomware groups – Clop and Termite – have asserted responsibility and claimed to have stolen a substantial 680 gigabytes of data.
The allegedly compromised data encompasses a wide range of sensitive materials, including documents, reports, insurance records, and email distribution lists.
Further Details
The claims made by both ransomware groups suggest a significant breach of Blue Yonder’s systems.
The potential exposure of such a large volume of data raises concerns about the privacy and security of both the company and its clients.
Investigations are ongoing to verify the validity of the claims and to assess the full extent of the damage caused by the attack.
December
NHS Hospitals
Ransomware attacks once more caused disruptions at multiple NHS hospitals in December. The Inc Ransom group, a known entity with ties to Russia, asserted responsibility for a breach affecting Alder Hey Children’s Hospital Trust, a leading pediatric medical center in Europe.
This same Russian ransomware operation had previously compromised a significant NHS trust located in Scotland earlier in the year. The group alleged that it had acquired patient data and donor records from Alder Hey, alongside information from other hospitals in the surrounding region.
Furthermore, the Wirral University Teaching Hospital, situated near Alder Hey, declared a critical incident after it was itself hit by ransomware.
Artivion
The trend of attacks targeting the healthcare sector persisted in December with an incident at Artivion. This medical device manufacturer, specializing in implantable tissues for cardiac transplants, acknowledged a “cybersecurity incident” involving data encryption.
Artivion indicated that the incident involved both the acquisition and encryption of data, strongly suggesting a ransomware attack. In response to the cyberattack, the company proactively took certain systems offline.