Standard Office Systems Blog

Worst Ransomware Attacks 2020 | Top Cases and Tips to Avoid Attacks

Written by Erica Kastner | 1/24/20 5:00 PM

RANSOMWARE | 12 MIN READ

Ransomware attacks pose one of the biggest security threats to both individuals and businesses alike, showing no signs of slowing down as hackers grow increasingly tech-savvy and Ransomware-as-a-Service (RaaS) is making it easier for criminals with little experience to carry out attacks. As a Managed Service Provider, we aim to use our ransomware expertise to educate the public on emerging trends and how to avoid becoming a victim.  Read more to see our timeline of some of the worst ransomware attacks of 2020 so you can see developing attack patterns. 

 

Want to learn about the biggest ransomware attacks of 2021? Click here!

 

What is Ransomware?

When the media is constantly reporting on worrying ransomware trends, it is easy for us to get caught up in the news frenzy. However, what exactly is ransomware?

Ransomware is exactly what it sounds like –a form of malware (also known as malicious software) that encrypts personal or company data and holds it for ransom. Hackers then will threaten to publish, destroy or sell the information on the dark web if their monetary demands are not met.

Ransomware is typically spread through phishing schemes or direct hacking of a company's network. Phishing schemes allow a hacker to trick a victim into providing personal information such as account logins, which can then be used to hack their network. 

RELATED: How Does Ransomware Work?

January

Travelex 

The world's biggest currency exchange company, Travelex, was the victim of a ransomware attack starting on New Year's Eve 2019. Their data was held hostage for $6 million, causing the company to go offline for weeks while they sorted out the situation. 

The strain of ransomware responsible for the attack is reported to be Sodinokibi, also known as REvil. 

RELATED: How Ransomware has Evolved

Richmond Community Schools, Michigan

Officials for Richmond Community Schools, located in Richmond, Michigan, returned back from winter break to find that cyber-criminals had seized control of their servers.

The hackers demanded a $10,000 Bitcoin ransom to return control of the affected servers, which impacted the functionality of telephones, copiers, office technology, and more. So far, Richmond officials have refused to pay the ransom, instead opting to close three schools for a week while they sort out the problem.

Contra Costa County, California

Hackers deployed ransomware to shut down the online network of 26 Contra Costa County library branches the morning of January 3rd. For a little while after the attack, library services such as book check-outs and returns weren't available. Even after restoring these services, the libraries' Wi-Fi and printing services remained down for a while. 

Spokespeople for the library system said that since the library doesn't store sensitive financial information such as credit card numbers, they do not believe any personal information was compromised as a result of the attack. 

Enloe Medical Center

Enloe Medical Center in Chico, California was hit by a ransomware attack in January of this year, affecting the phone systems of the hospital and clinic as well as the hospital's private network.

Representatives for Enloe do not think that any patient data has been compromised.

Tillamook County, Oregon

Although Tillamook County, located in northwestern Oregon, was hit by a ransomware attack in late January, they were still recovering their systems through early February.

Once the ransomware was deployed, the county’s server, internal computer systems and website were down. To contain the spread of malware, county computer network connections were disabled. Eventually, county officials voted unanimously to pay the cyber-criminals who deployed the ransomware money to recover their systems.

Tampa Bay Times

The Tampa Bay Times, a local news organization, was attacked by a strain of the popular Ryuk ransomware in late January. Thankfully, their systems were restored and they didn't have to pay the hackers any ransom to recover their systems.

The Ryuk ransomware has been making headlines since 2018, typically aiming for larger organizations that hackers can demand a sizable ransom from. This tactic, known big game hunting” has earned Ryuk's creators and users more than an estimated $3 billion so far.

Electronic Warfare Associates

You may not be familiar with this company, but you may recognize some of their clients. Electronic Warfare Associates, a government contractor, has clients like the Department of Defense, the Department of Justice, and the Department of Homeland Security.

Right at the tail end of January, Electronic Warfare Associates' network was infected with a strain of ransomware that they have yet to disclose further details about.

Besides the big-name clients potentially affected, this particular ransomware attack is notable because although this company develops products like drone jammers and threat systems that are advanced enough to be used by the US government, they still could not keep hackers from attacking their network.

RELATED: How to Prevent Ransomware Attacks [8 Quick Tips]

TVEyes

Right at the tail end of January leading into February, TVEyes, a search engine that lets companies track their TV and radio coverage, was hit by a strain of ransomware.

The attack, which was mainly on US networks but a few foreign networks as well, forced the company's platform offline for a few days while company executives dealt with remedying the damage.

TVEyes was likely a prime target because of the thousands of clients' data which their servers host, which is a gold mine for hackers. When companies like TVEyes are attacked, anybody who does business with them are potentially at risk.

And, according to their website, TVEyes has some notable clients such as the New York Times and US Immigration and Customs Enforcement (ICE).

February

NRC Health

On February 11, NRC Health, which collects and sells vast amounts of healthcare consumer data, was hit by ransomware. The company has over 9,000 customers including prominent healthcare organizations like Cedars Sinai.

The company was likely targeted for the vast swaths of consumer data it holds as well as its big-name clientele. Since patient data was potentially breached, the company could potentially be found at risk of breaching HIPAA, which comes with a host of possible consequences.

Visser Precision

Visser Precision, a parts manufacturer for notable clients like Lockheed Martin, SpaceX, and Tesla, was attacked by a relatively new strain of ransomware called DoppelPaymer.

DoppelPaymer, similar to another strain of ransomware called Sodinokibi, coerces victims into paying the ransom by threatening to publish their stolen data online.

Because DoppelPaymer targets large corporations and infects vast numbers of devices within an organization, its users can demand large ransoms.

Kenneth Cole Productions

The creators behind Sodinokibi ransomware threatened to publish stolen files from Kenneth Cole Productions, a large American fashion company, unless they paid a large ransom.

The company, which manufactures luxury fashion brand Kenneth Cole, had cause to worry, seeing as its servers contain millions of customers' data. This attack speaks to the "big game hunting" techniques that are increasingly becoming common among cyber criminals. 

Cyber criminals know that large corporations like Kenneth Cole Productions have the money to pay larger ransoms and hold large amounts of valuable consumer data, which is why they are attractive targets. 

March

City of Torrance, California

Torrance, a city located in LA County, California, was not only hit with a ransomware attack at the beginning of March, but also had their data published online a month later after failing to pay the ransom.

DoppelPaymer, a strain of ransomware that threatens to publish a victim's data online if they don't pay the ransom, was used in this attack. City email accounts and servers were impacted during the attack, which led to a temporary pause in certain city business services.

ExecuPharm

March is when the COVID-19 pandemic really began to pick up steam in the US. ExecuPharm, a pharmaceutical giant in the US healthcare industry, was hit by CLOP ransomware in mid-March.

In a series of emails with BleepingComputer, CLOP’s creators said that although ExecuPharm is in the healthcare industry, they would not be spared during the pandemic because they were not actively contributing to fighting the coronavirus like hospitals and non-profits.

Data stolen from ExecuPharm, which includes social security numbers, financial information, and more, was published online about a month after the original attack.

10X Genomics Inc.

10X Genomics, a biotechnical company involved in a coalition of companies fighting to find antibody therapies for COVID-19, was not spared from a ransomware attack.

While the creators of the CLOP ransomware issued statements saying that they wouldn't attack companies actively fighting the pandemic, the creators of Ryuk, the ransomware used to attack 10X Genomics, did no such thing.

Though the company was able to resume normal operations relatively quickly, they admitted that some company data had been stolen.

City of Jupiter, Florida

The city of Jupiter, Florida was hit with ransomware in late April that left certain government services such as email, utility billing and online payment, and records requests offline for about three weeks.

The strain of ransomware used in the attack is believed to be REvil, a strain that gained notoriety in early 2020 and that has continued carrying out widespread attacks ever since. This attack on the city comes two years after another attack in December 2018 which involved the Nozelesn ransomware. 

Chubb

Major cyber insurer Chubb was the target of a Maze ransomware attack at the tail end of March. A company spokesperson confirmed that a security incident took place but said there was no evidence Chubb’s own network was affected and it remained “fully operational.”

This incident shows that even companies that exist to help others recover from cyber attacks can fall prey to one themselves. 

April

Cognizant

Cyber security provider Cognizant, an industry giant with Fortune 500 clients, was struck by Maze ransomware in mid-April.

Though the impact to the company's servers seems to not have been that severe, with only some clients being affected, Cognizant expressed concerns that the attack may have impacted their bottom line by as much as $50-70 million in Q2.

This attack serves as a wake up call for all companies to strengthen their cyber security.  

Magellan Health

Magellan Health, a Fortune500 healthcare company, was also the victim of a ransomware attack in mid-April. The attack stemmed from a phishing attempt that an employee fell for. 

Though they stated that they think no stolen information was misused, Magellan admitted that the attacker accessed a corporate service with private information such as names, addresses, tax details and Social Security numbers, and may have used malware designed to steal passwords.

May

Grubman Shire Meiselas & Sacks

A New York-based law firm used by numerous celebrities was hit with REvil ransomware in mid-May. Celebrity clients such as Lady Gaga and Mariah Carey were among those whose personal information may have been compromised in the attack.

Hackers posted evidence of the hack on the dark web, which included information such as contracts, NDA's, and addresses. Shortly after, the attackers posted hundreds of documents containing files on Lady Gaga to entice the firm into paying the $21 million ransom.

Toll Group

Toll Group, a logistics company with a global presence, was attacked for the second time in 2020 in early May. Following a Malito ransomware attack in February that left some service suspended or limited for six weeks, the Toll Group experienced another wave in early May, this time from a ransomware called Nefilim.

Following the second attack, Toll Group published a statement emphasizing that it would not pay the ransom and would attempt to mitigate the effects of the attack themselves. 

Blackbaud

Blackbaud, a leading cloud computing provider for universities and major non-profits such as the American Diabetes Association and Feeding America, experienced a ransomware attack that locked clients out of their system.

Although Blackbaud reported that the attackers didn't access financial information or encrypt any files, they ended up paying the ransom to ensure that any stolen data was deleted.

Diebold Nixdorf

As one of the US' largest providers of ATM's and payment technology to banks and retailers, it's no surprise that Diebold Nixdorf was targeted in a ransomware attack in mid-May. 

Though the company states that the hackers never touched customer information and the ransom was not paid, the company's size is a testament to how, no matter the size, businesses can be targeted for ransomware. 

June

Collabera 

Even Collabera, an IT staffing and business services giant whose worldwide presence has allowed them to expand their client roster to include a variety of Fortune500 companies, fell prey to a ransomware attack in June of this year.

Maze ransomware was used to attack Collabera's network and steal enough data that they issued a company-wide memo telling employees they would pay for credit and identity monitoring services for up to two years.

This attack shows that even those who you least expect can fall victim to a ransomware attack. 

Xerox 

Printing giant Xerox experienced a ransomware attack right at the end of June. The cyber attackers responsible threatened to publish stolen company files, some of which included financial information, on their website unless a ransom was paid. 

As proof of their attack, the hackers posted screenshots of some stolen files, which included financial documents and user information, on their website. It is alleged that Maze ransomware, which has gained widespread notoriety this year, was used to carry out the attack.

July

Cooke County Sheriff's Office, Texas

Cyber criminals targeted a Texas county's sheriff's office on the Fourth of July. The attackers accessed data going back several years, however, emergency services were still operational while the office restored their systems. 

The sheriff's office had to send letters to over 2,000 people notifying them that their personal data may have been accessed during the hack. 

Garmin

Following a storm of angry tweets from customers who couldn't access certain watch features, major watch manufacturer Garmin released a statement informing customers that while the company had been hacked, no personal customer information had been stolen. 

Following the attack, certain services were unavailable for several days. The attack on Garmin signals an increased targeting of major corporations this year. 

August

Canon

Major camera manufacturer Canon was revealed to have been the victim of a ransomware attack, according to an internal memo published by IT/tech media outlet BleepingComputer. 

According to the memo, the attack caused multiple Canon domains to temporarily be offline, specifically Canon's image.canon cloud photo and video storage service. The alleged hackers, purported to be from the Maze ransomware group, published files containing marketing materials as proof of the hack. 

Carnival Cruises

In mid-August, Carnival Cruises, a major cruise line that owns Princess, experienced a ransomware attack that hackers used to access the personal information of guests and workers

While they didn't publicly mention whether or not any sensitive data was stolen, this attack is a reminder that even large corporations that have the money for robust cyber security can still fall prey to a hacker. 

Clark County School District, Nevada

Though this Las Vegas school district gained some media attention after it was the victim of a ransomware attack at the end of August, it gained coverage from major news outlets just a few weeks later when the hackers released mounds of sensitive data after the district refused to pay the ransom to unlock their servers.

The hackers published documents containing student grades, employee Social Security numbers, retirement paperwork, and student data files which included their grades, birth dates, addresses, and more.  

This attack, which coincided with the start of a remote school year, highlighted the fragility of remote learning, seeing as teaching is hindered when school servers cannot be accessed.

September

Fairfax County School District

Fairfax County Public Schools, which is one of the largest school districts in the nation, had to coordinate with the FBI to identify the cause of a targeted ransomware attack in mid-September. 

The creators of the widely used Maze ransomware claimed responsibility for the attack. Thankfully, the district said the attack did not cause disruptions to remote learning, as opposed to April of this year when technical difficulties forced classes to be cancelled for a week

Universal Health Systems

One of the largest hospital chains in the country experienced widespread system failure, causing some hospitals to filing patient information by hand, cancel surgeries, and divert ambulances.

This attack comes shortly after the first known death due to ransomware, which happened earlier in the month at a German hospital after an older woman died after failing to receive prompt life-saving treatment due to hacked computer systems.

October

eResearch Technology

eResearch Technology, a company that sells software used in hundreds of clinical trials, including development of tests and a vaccine for COVID-19, was hit with a ransomware attack in early October. 

While clinical trials could still continue, researchers had to shift some work processes to pen and paper. 

Hall County, Georgia

Just weeks before the 2020 presidential election, this north Georgia county was hit with ransomware that penetrated their networks and captured some election information

According to Gabriel Sterling, the state's voting system manager, the county temporarily had issues verifying voter signatures on absentee ballot envelopes. 

Thankfully, Sterling said that he doesn't believe the hackers were directly targeting the state's election system, and were simply trying to hack into any part of the county government that they could access. 

St. Lawrence Health System

Four hospitals in the St. Lawrence Health System were hit with ransomware in late October. The Ryuk ransomware, a strain used to carry out attacks on other large businesses, is purported to have been used in this attack.

This attack, in part, prompted the US' Cybersecurity and Infrastructure Security Agency (CISA) to release a statement alerting the public to the threat that ransomware attacks pose to the healthcare industry, and warned of more attacks to come.

The attack came during a time when COVID-19 cases were peaking across the country, which shows just how low some hackers will stoop to get a ransom.

November

Americold

Cold storage firm Americold, which operates temperature-controlled warehouses and transportation for supply chains, was hit with ransomware in mid-November. 

Americold, which has a current valuation of over $1 billion, was likely targeted for the lucrative potential earnings for a hacker.

Jackson County, Oregon

Jackson County's web-hosting service provider Managed.com was the target of a ransomware attack that caused them to take down all their servers. The company was supposedly hit with the prolific REvil ransomware, causing Jackson County's website, jacksoncountyor.org, to go down.

While their website was fixed, Jackson County was forced to establish an alternate website, jacksoncounty.org, to allow the public to access key links for  property taxes, 2020 election results, marriage applications, and more. 

Baltimore County School District

Just in time for Thanksgiving, Baltimore County School District had to shut down due to a ransomware attack. The district urged that students only virtually learn on district-issued laptops, granting those without one an excused absence.

Directly following the attack, even the district's website was down. To take extra precaution, they advised that all teachers stay off their work laptops and avoid checking their work email on any device, including their cellphones.

Foxconn

Electronics giant Foxconn suffered from a DoppelPaymer ransomware attack Thanksgiving weekend that resulted in the hackers publishing company data online in early December.

Thankfully the leaked files are purported to contain little, if any, sensitive company information. However, this incident should serve as a warning that company data may be at risk of being published online following a ransomware attack.

December

Kmart

Kmart, once a major retailer, fell victim to a ransomware attack in early December that encrypted a number of servers operating on a network owned by Transform Holdco, a company which acquired them back in 2019.

An internal company website is believed to have gone offline due to the attack. The Egregor ransomware is believed to have been behind the attack.

Greater Baltimore Medical Center

A ransomware attack forced certain systems at the Greater Baltimore Medical Center offline. Patients were temporarily having a tough time calling the center's doctors and finding information on their website. Additionally, some access to patients' medical portals was temporarily blocked or limited.

The attack is purported to have been carried out using Egregor ransomware. This incident serves as a reminder of how much healthcare facilities were targeted in 2020.

*Notable Related Attack: SolarWinds

Though this event was not a ransomware attack and was instead a cyber attack, which is a related type of incident, it was noteworthy enough to mention in this article.

The SolarWinds cyber attack may be the single worst cyber attack of 2020, if not one of the worst in US history. SolarWinds sells IT software that's typically used by large companies to manage their cyber security infrastructure.

Following a SolarWinds data breach that was discovered in mid-December, cyber criminals used their software to infiltrate their clients' networks. The event gained widespread notoriety because of the high-profile clients such as Fortune500 companies and US governmental agencies that were breached.

Reported data breach victims include the Department of Homeland Security, the Pentagon, and Microsoft. While certain details are still unknown, the hackers are supposedly from Russia and may have been silently inside victims' networks since early 2020 spying and gathering data. 

The attack raises growing cyber security concerns across the country as businesses struggle to figure out how to best protect against cyber attacks.

How Can I Stay Protected from Ransomware?

According to a recent survey from IBM, only 38% of state and local government employees are trained on ransomware prevention. While you cannot with 100% certainty prevent a ransomware attack, there are steps you can take to lessen the odds that a hackers breaks into your system to install it.

In the moments immediately following the attack, before you decide whether to pay the ransom or not, what should you do? According to a report released by the FBI, there are a few actions you should take.

Stay Current with Security Patches and Software Updates

Many people forget or push off updating their anti-virus software or upgrading their firewall.

While we know this process can be a nuisance, every day that you wait to update your cyber security infrastructure after new versions emerge leaves you more vulnerable to ransomware attacks.

If you are able to, enable auto-updates on all security software and schedule any updates for late at night when you're not using your computer. 

Strengthen and Protect Your Passwords

Weak passwords are one of the easiest ways that a hacker can break into your network and install ransomware. Consider both strengthening your passwords and protecting where they're stored to better leverage your cyber security infrastructure.

A main focus of any password policy should be to limit how much you write down your passwords. Writing a password down anywhere leaves it susceptible to being found by hackers. If you have too many passwords to remember, consider a secure password-storing program such as MyGlue.

Create passwords that don't use easy-to-find information such as birthdays or your children's names. When creating a password, make sure it's long and complex. Additionally, install two-factor authentication on your devices if possible, seeing as it's a widely used secure method of protecting accounts.

RELATED: How Can I Create and Secure a Strong Password?

Secure Your Copiers and Printers

Printers and copiers are an overlooked security risk. Whether you are a business who owns corporate machines or an individual with a home copier, there are risks associated with both types.

For instance, personal copiers can have a "print from anywhere" feature that lets you print documents to the copier even when you're away from the office. However, this "print from anywhere" feature has little security because it has to create a hole in your firewall to allow you to communicate with the machine from anywhere in the world. Turn this feature off if you have it.

If possible, consider upgrading to a newer copier or printer. Some newer models created within the last 5-6 years have data security kits that you can enable. These kits can have data encryption functions, which scramble the data stored on your copiers and printers, rendering the information useless to a hacker.

Additionally, on some newer models of brands like Canon and Sharp, data security kits might also have features that, when a document is scanned, copied, or printed, erase those documents from the hard drive sometimes as many as 28 times. 

RELATED: How Can Your Printers Have Security Risks? [Tips to Protect]

Consider Managed IT Services

If you are a business, especially if you do not have any in-house staff to manage your cyber security, the thought of instituting the changes described above can sound daunting. 

Managed IT services can help put all of the above cyber security suggestions and more into action. Managed IT services layers your cyber security infrastructure and then employs a team of IT experts to address any threats or issues that pop up.

To take the burden of updating software off of you, a managed services provider can update all cyber security software for you and install necessary security patches.

Managed IT services can help you create a password policy and role-based security that works for your business too. In the event that a ransomware attack happens or your network goes down, they can reduce downtime by quickly recovering data due to their use of frequent and secure backups.

As a Managed Service Provider, we use industry-leading tactics to secure clients' networks and prevent ransomware attacks. 

Ransomware attacks can happen anywhere and any time − are you prepared?

RELATED: Cyber Security Solutions: 12 Best Practices for Businesses