Proton
An illustration of a laptop with chains and a padlock on the screen to represent a ransomware attack

What is a ransomware attack? (and 11 famous examples)

Ransomware attacks are a serious concern for organizations. In these attacks, cybercriminals typically encrypt a company’s data, making it inaccessible until a ransom is paid. 

These breaches can do far more than disrupt daily operations. Suffering a ransomware attack both exposes an organization’s security shortcomings and allows sensitive information to fall into the hands of bad actors. It can cause significant financial and reputational damage that can be harder to recover than the data itself — many organizations lose thousands, if not millions, of dollars in the aftermath.

This article will explore what a ransomware attack is, recount some of the most well-known incidents, and outline how you can protect yourself and your organization from an attack by using secure business solutions.

What is a ransomware attack?

Ransomware is a form of malware that encrypts a victim’s data or locks them out of their files and systems. The attackers behind it usually demand payment from their victims (often in cryptocurrency) to let them regain access and avoid sensitive data leaks.

Attack methods often involve exposed passwords or phishing emails and malicious downloads that act as Trojan horses for bad actors to gain access to an organization’s systems. Common targets include government institutions, corporations, hospitals, and prominent individuals for whom such attacks can cause major financial losses and operational disruptions. 

Most legal authorities encourage victims not to give in to ransom requests. Even if you pay the ransom, there is no guarantee the attackers will release the data, and paying creates an incentive to target you again. Ultimately, the decision whether to pay depends on your circumstances and should only be a last resort. The best way to avoid paying a ransom is to keep your network secure in the first place. 

Famous ransomware attacks

In 2023, the total amount of money received by ransomware attackers amounted to $1.1 billion(new window) — an increase of over 140% from the previous year. These attacks are why many organizations enforce security measures such as end-to-end encryption or multi-factor authentication. Some even hold dedicated budgets to pay attackers whenever they strike. 

Here are some of the most well-known ransomware attacks to occur throughout the past decade. 

Johnson Controls ransomware attack 

In 2023, attackers targeted the US building automation and security company Johnson Controls. The attackers, believed to be ransomware group Dark Angels, caused significant disruptions and limitations to the organization’s operations. It is reported that the attackers stole 27 TB of data and encrypted the company’s servers and other devices. They then demanded a $51 million ransom(new window). This breach was particularly concerning for the Department of Homeland Security(new window), with which Johnson Controls holds classified contracts. While it is unclear whether Johnson Controls paid the ransom, the company reported(new window) that the response and remediation costs were approximately $27 million. 

ICBC Bank ransomware attack

The Industrial and Commercial Bank of China (ICBC) is the largest bank in the world(new window) with assets amounting to 6.3 trillion dollars in 2023 — the same year that ICBC’s US unit was victim of a ransomware attack claimed by cybercriminal group LockBit. The attack disrupted the bank’s financial services, blocking access to customer data and transaction systems. As a result ICBC became temporarily indebted to BNY Mellon for $9 billion(new window) in unsettled trades, and employees were forced to use Gmail because their corporate email was no longer available — further exposing the bank to the Pandora’s box of Google privacy concerns. According to LockBit, ICBC paid a ransom to minimize the significant disruption already caused; however, the exact value of the payment has not been confirmed.

WannaCry ransomware attack

In 2017, attackers used the WannaCry ransomware cryptoworm to exploit a vulnerability in Windows operating systems. The attack affected over 200,000 systems globally, including hospitals, governments, and businesses. It resulted in an estimated $4 billion in damages worldwide and was one of the largest ransomware attacks in history. Victims included the National Health Service (NHS) in England and Scotland. Around 70,000 NHS devices, including MRI scanners and blood-storage refrigerators, are estimated to have been affected by WannaCry, which resulted in some non-critical patients having to be turned away for care. The attack caused controversy when it was revealed that the The National Security Agency already knew about the vulnerability but, rather than share the information with Microsoft, used it for their own advantage.

Fulton County ransomware attack

The 2017 attack on government infrastructure in Fulton County, Georgia(new window) led to numerous public service disruptions, partially within the county court system. The attack was claimed by LockBit, which, in a bid for ransom, threatened(new window) to “demonstrate how local structures negligently handled information protection” and reveal documents marked as confidential alongside lists of those responsible for that confidentiality. The data accessed by LockBit included Fulton County residents’ personal information and records relating to former President Donald Trump’s pending criminal case. Despite the threat, the county — which was working with legal officials — refused to pay the ransom(new window) and worked to gradually restore its systems.

Philhealth Medusa ransomware attack

Philhealth is a state-owned corporation that provides universal health coverage in the Philippines. In 2023, ransomware group Medusa stole almost 750 GB of data from the corporation, potentially affecting millions(new window) of Philhealth members. The stolen data included sensitive medical information, patient names, dates of birth, and addresses. In response to the ransomware attack, the corporation refused to pay the demanded ransom of $300,000, and instead issued an alert(new window) to those who may have been affected, informing them of the need to monitor their credit card reports and financial accounts.

British Library ransomware attack

In 2023, a ransomware attack encrypted the British Library’s data and systems, disrupting access to digital resources and archives. When the library did not give in to the attacker’s demands for payment, the data — which included the personal data of the library’s staff and users — was put up for auction and later dumped on the dark web. The attackers also destroyed some servers to inhibit system recovery and to cover their tracks, deleting around 600 GB of data in the process. A report(new window) published by the British Library identified several vulnerabilities that may have facilitated the attack. These included a reliance on third-party support and a lack of multi-factor authentication measures for internal systems. However, the exact point and method of entry has not been confirmed. 

Colonial Pipeline ransomware attack

Colonial Pipeline is the largest fuel pipeline in the US and supplies almost half of the gasoline on the East Coast. A 2021 ransomware attack on the corporation caused widespread fuel shortages as it ceased operations for several days, prompting gasoline panic-buying and price spikes(new window) in some states. Colonial Pipeline paid a ransom(new window) of $4.4 million in the form of 75 bitcoin to the attackers, however around 64 bitcoin of the ransom was later recovered by the DOJ. The attack is believed to have been facilitated by an employee password that was found on the dark web and demonstrates the importance of secure password management for businesses.

HCL Technologies ransomware attack

In 2023, one of the world’s largest IT companies, HCL Technologies, was hit by a ransomware attack that impacted its global operations, disrupted client services, and lost confidential data. 

The company described the attack as “a ransomware incident(new window) in an isolated cloud environment”.

On the day the attack occurred, shares of the company fell on the National Stock Exchange of India. While the attack did not seem to significantly disrupt HCL Technologies’ operations, it does highlight the potential vulnerabilities of cloud environments, which can be targets for attackers who identify vulnerabilities during the data upload and retrieval process. End-to-end encrypted cloud environments, like Proton Drive, protect against these risks by encrypting data throughout its journey, so that even if it is intercepted, it cannot be accessed without authorization.

CDK ransomware attack

Automotive software company CDK Global suffered what it called a “cyber ransom event(new window)” in 2023. The attackers encrypted CDK Global’s data, disrupting thousands of auto dealerships that use the company’s software for operations, including scheduling, sales, and orders. It is reported that the company paid a $25 million ransom(new window) to the attackers two days after the attack. Despite this it still faced a lengthy recovery process, reputational damage, and questions surrounding potential customer data breaches. Multiple dealerships affected by the breach filed complaints(new window) with the Securities and Exchange Commission.

Ascension ransomware attack

In 2022, major US healthcare organization Ascension(new window) was attacked by Black Basta. The attack disrupted access to digital health records, phone systems, and systems used to order tests, procedures, and medication. As a result, doctors and nurses were faced with significant challenges in their ability to treat patients for multiple weeks. The attack is believed to have occurred after an individual working in one of Ascension’s facilities accidentally downloaded a malicious file(new window).

Sony ransomware attack

In 2014, Sony Pictures was attacked by a group dubbed Guardians of Peace. During the attack, vast amounts of confidential information were lost or leaked, including sensitive employee data and unreleased media. US investigators have attributed blame for the attack to North Korean hackers and believe it was in response to plans to release The Interview, a movie that depicts the fictional assassination of leader Kim Jong Un. In response to the attack, Sony Pictures(new window) canceled its plans to release the movie in theaters as planned, which raised numerous questions on the topic of free speech and expression.

Protect your organization from a ransomware attack

From accidental downloads to exposed passwords, many ransomware attacks occur as a result of human error. So, the best way to protect your organization from a ransomware attack is by implementing strict security practices for you and your employees to follow — such as not downloading files sent by external email addresses or using multi-factor authentication to access internal systems.

Alongside this, one of the most reliable ways to secure your organization’s data is by using an end-to-end encrypted cloud storage solution like Proton Drive. Unlike cloud storage services like Google Drive or Dropbox, your files and folders are encrypted with a key that only you possess — not even Proton can access your data. This makes it far less susceptible to attackers in the event of a server breach.

If your organization does ever experience data loss, Proton Drive’s version history feature lets you restore older versions of files that may have been accidentally overwritten or altered. 
And, as Proton Drive is part of a suite of solutions, you may also consider using Proton’s encrypted email, password manager, or virtual private network(new window) to strengthen your organization’s security across your entire network.

Related articles

laptop showing Bitcoin price climbing
  • Privacy guides
Learn what a Bitcoin wallet does and the strengths and weaknesses of custodial, self-custodial, hardware, and paper wallets.
pixel tracking: here's how to tell which emails track your activity
Discover what pixel tracking is and how it works, how to spot emails that track you, and how to block these hidden trackers.
A cover image for a blog describing the next six months of Proton Pass development which shows a laptop screen with a Gantt chart
Take a look at the upcoming features and improvements coming to Proton Pass over the next several months.
The Danish mermaid and the Dutch parliament building behind a politician and an unlocked phone
We searched the dark web for Danish, Dutch, and Luxembourgish politicians’ official email addresses. In Denmark, over 40% had been exposed.
Infostealers: What they are, how they work, and how to protect yourself
Discover insights about what infostealers are, where your stolen information goes, and ways to protect yourself.
Mockup of the Proton Pass app and text that reads "Pass Lifetime: Pay once, access forever"
Learn more about our exclusive Pass + SimpleLogin Lifetime offer. Pay once and enjoy premium password manager features for life.