8 Most Catastrophic Ransomware Attacks in 2020

Cover Image

Over recent years, ransomware has evolved to become the most prevalent form of cyberattack that directly threatens governments, enterprises, and NGOs around the world. Even though some of the earliest ransomware types were created to target individual users, the ransomware strains today are powerful weapons highly capable of large-scale destruction. 

Another characteristic of ransomware attacks today is that they are mostly double extortion attacks. This means that the attackers do not only encrypt the targeted data to prevent the owner from accessing them, they also exfiltrate a copy of the data in advance so that they could further blackmail the owner by threatening to release the data to the public if no ransom was received.

Such double extortion attacks are the biggest nightmare for organizations because oftentimes, having sensitive data released in public is far more damaging than simply being locked out of their own databases. What’s worse is that even after a ransom is paid, there is no way to guarantee that the attackers would delete their copy of the data as promised.

In this blog, we have compiled a list of eight most catastrophic ransomware attacks in 2020, along with a brief description of each highlighting their impacts on the victims.


1. Toll Group (NetWalker and Nefilim ransomware)

Suspension of delivery services

Australian transportation and logistics giant Toll Group was hit by ransomware twice in the first half of 2020. In the first attack, which happened in late January, Toll Group was infected with the NetWalker ransomware. The company was forced to shut down significant parts of delivery operations across Australia and Southeast Asia. Its customers were unable to send, receive, or track their shipments for a number of days. With operations in over 50 countries spanning five continents, over 1000 servers were infected by the ransomware and all staff worldwide were told to shut off and disconnect their computers from the company’s network.

Ironically, Toll Group was hit with a second ransomware attack three months later in early May. This time, the company was infected with the Nefilim ransomware. Even though Toll Group’s operations remained largely unaffected, its online portal was out of service, and the attackers threatened to release sensitive data if the ransom demand was not met. Toll Group publicly refused to pay the attackers, but the aftermath of these attacks lingered for months. The company spent months dealing with ongoing customer concerns, reimbursements, and regulatory obligations.


2. Grubman Shire Meiselas & Sacks (REvil ransomware)

Sensitive data of celebrities compromised and put on auction

In May, New York-based entertainment and media law firm Grubman Shire Meiselas & Sacks suffered an attack by the REvil ransomware. The law firm represents some of the most prominent companies and public figures in the US. 

As a typical double extortion attack, the ransomware operators stole all the data they deemed valuable before encrypting them. With a total size of 756GB, the compromised data included sensitive private information of Lady Gaga, Madonna, Elton John, Bruce Springsteen, Mariah Carey, Barbara Streisand, and more. The attackers also claimed to have obtained sensitive data relating to Donald Trump, although Donald Trump was never a client of the firm.

The attackers initially demanded a payment of $21 million, and published 2.4GB of data relating to Lady Gaga online to prove their words. After a week of failed negotiations, the ransom demand was raised to $42 million. As the law firm stood firm against paying, the attackers used an approach never seen before. The stolen data were put up for auction, with Madonna’s information sold at a base price of $1 million. This incident caused significant damage to the reputation of the law firm.


3. University of California, San Francisco (NetWalker ransomware)

Academic research work compromised

The University of California, San Francisco (UCSF), widely regarded as the world’s best medical research university, was infected with the NetWalker ransomware in June. The intrusion started at the servers of the School of Medicine. Even though the university later managed to stop the infection from spreading by separating the rest of the network, many databases stored in the affected servers were encrypted by the attackers.

Fortunately, the attack did not affect UCSF’s university hospitals and COVID-19 research labs. Still, since the compromised databases contained some priceless academic research work, the university eventually decided to pay $1.14 million in ransom to the attackers. This incident showed how academic institutions could be extremely vulnerable to ransomware attacks, and had led to a series of attacks on universities that followed.


4. Westech International (Maze ransomware)

Classified information potentially compromised

US defense subcontractor Westech International suffered a ransomware attack in early June that affected its IT systems. The company provides critical technical, logistical, and operational support services for LGM-30 Minuteman III, a three-stage intercontinental ballistic missile (ICBM) designed for nuclear weapons delivery. Manufactured by Northrop Grumman, it is currently the only land-based ICBM in service in the United States. 

Operators of the Maze ransomware exfiltrated sensitive data before encrypting them, then published a portion of the stolen data online before threatening Westech to release the rest unless Westech agreed to pay. The data published online already contained highly sensitive information such as emails and payroll information. It was likely that military-related classified information might have been compromised. If such classified information gets in the hands of hostile states and terrorist groups, national security could be at threat.


5. Garmin (WastedLocker ransomware)

Massive global service shutdown

Garmin, a multinational firm that specializes in GPS navigation and wearable technology, suffered a cyberattack in July, forcing it to shut down all services worldwide and significant parts of production activities in Asia. The WastedLocker ransomware operators encrypted Garmin’s corporate network and portions of its production systems. The company had to shut down all systems along with a few separate data centers to prevent the infection from spreading. This quickly led to a chaotic disruption of services. 

Garmin’s official domain was closed. It was unable to receive calls, emails, and online chats. Garmin Connect was down so that users of its smartwatches and wearables could no longer sync data with the servers. FlyGarmin was also disabled, meaning that pilots could not download the latest updates for their airplane navigation systems and receive weather information and position reports as required by the FAA. Lastly, the Garmin Pilot app, used by pilots to schedule and plan flights, was shut down as well.


6. University Hospital of Dusseldorf

First fatality caused by ransomware

In September, a German woman died en route to the emergency room when the closest hospital, the University Hospital of Dusseldorf, was shut down due to a ransomware attack, forcing her to be redirected to another hospital 30km away. At the time of the incident, more than 30 of the hospital’s internal servers were encrypted by ransomware, forcing it to shut down all services including the emergency room. The attackers gained access to the network by exploiting a vulnerability in an undisclosed commercial software. 

This made the first-ever reported human death caused by a ransomware attack, and was later investigated as a murder case by German police. After being contacted by the police, the ransomware operators provided the decryption key without asking for a ransom payment.


7. LG Electronics and Xerox (Maze ransomware)

Sensitive data published online

On August 4, 50GB of data stolen from LG Electronics and 26GB of data stolen from Xerox were published on the data leak site of the Maze ransomware. This was a month after both companies were hit by the Maze ransomware back in June. Both companies refused to pay the initially demanded ransom, and ended up suffering the second phase of the double extortion attack. 

Published data from LG Electronics included the source code of its products. The attackers said that after exfiltrating the sensitive data, they did not execute the ransomware because they did not want to interrupt LG’s operations as many of its clients are significant social contributors. In the case of Xerox, the leaked data appeared to be related to customer support, involving the personal information of employees and potential customers.


8 Argentinian Borders (NetWalker ransomware)

Shutdown of all border crossings

In August, Argentina’s Department of National Migration suffered an attack from operators of the NetWalker ransomware. The agency started receiving numerous technical support requests from a number of border crossings across the country. After discovering the ransomware infection, the agency had to shut down all its internal IT systems, forcing all of Argentina’s border crossings to close for four hours.

The ransomware operators initially asked $2 million for the decryption key and the destruction of the stolen data, then raised the price to $4 million after a week of failed negotiations. This incident served as a warning sign showing that the impact of ransomware attacks could reach far beyond the organizational and regional level. Apparently, these attacks are capable of damaging infrastructure and disrupt activities at a national level.


Staying Prepared for Ransomware Attacks

Despite their destructiveness, ransomware attacks can be effectively mitigated with adequate countermeasures in place. Indeed, it is always important to have robust cybersecurity measures for vulnerabilities in the applications, systems, and networks. Yet, when it comes to defending ransomware attacks, these measures are not enough.

To prepare for ransomware threats, the two most important steps are data backup and data encryption. Data backup is the duplication of the database into a separate network, so that even if the attackers encrypt the original data, another backed-up copy is available. However, it is understandable that not every organization has the time and resources to make a copy of all important data and save them in an isolated network.

What’s more important than data backup is data encryption. As mentioned earlier, ransomware attacks today mostly use the double extortion approach, that is to steal a copy of the data before encrypting them with ransomware. If the database had been safely encrypted, the attackers would lose significant leverage at the negotiation table because they would not be able to threaten the victim with the release of the data. This makes database encryption key to mitigating ransomware attacks.

Penta Security’s D’Amo is a data security solution that utilizes multiple encryption algorithms and technologies for optimized security, compatible with most on-premises and cloud databases. By utilizing the plug-in method, the entire encryption process occurs within the DBMS at the database engine level, allowing the data to be searchable from the database search engine. D’Amo also comes with an advanced key management system that secures the key with blockchain technology, because encryption is not complete without securing the key.

To learn more about D’Amo, click here.


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: ISign+ 

Car, Energy, Factory, City Solutions: Penta IoT Security