16 Biggest Ransomware Attacks in 2022

By Miklos Zoltan . 20 October 2022

Founder - Privacy Affairs

Shanika W.

Fact-Checked this

2022 saw a global increase in malware attacks for the first time in more than 3 years, with 2.3 billion attacks.

Ransomware is dangerous software that locks down a network or machine unless a ransom is paid.

Ransomware attackers often threaten to reveal or sell authentication details or stolen data when the ransom is not paid.

Cybercriminals will restore your files or provide you with the key to enter your systems once you have paid your ransom, at least that is what they promise.

This in-depth article will examine the 16 biggest ransomware attacks of 2022:

# | Affected | Ransom Requested / Paid
1 | Costa Rica Government | $20 million
2 | The Center Hospitalier Sud Francilien | $10 million
3 | Montenegro’s Parliament | $10 million
4 | Ward Hadaway | $6 million in Bitcoin
5 | Austrian State of Carinthia | $5 million in Bitcoin
6 | Trenitalia | $5 million in Bitcoin
7 | City of Wheat Ridge | $5 million
8 | University of Pisa | $4.4 million
9 | Rompetrol | $2 million
10 | Damart | $2 million
11 | Tift Regional Medical Center | $1.15 million
12 | Optus | $1 million in cryptocurrency
13 | Glenn County Office of Education | $1 million
14 | Nvidia | $1 million
15 | Instituto Agrario Dominicano | $600,000
16 | OSDE | $300,000

1. Costa Rica Government

Ransom Requested: $20 million

Given that it was the only time a nation declared a nationwide emergency in reaction to a cyberattack, this incident has likely received the most attention in 2022.

The initial ransomware attack on the country began in early April, crippling the Department of Finance and affecting both government services and the import/export activities of the business sector.

The Conti ransomware group claimed responsibility for the initial attack and demanded a $10 million (and eventually a $20 million) ransom from the government.

It is unclear if this ransom was paid.

2. The Center Hospitalier Sud Francilien

Ransom Requested: $10 million

In August, a ransomware attack hit the Center Hospitalier Sud Francilien, a hospital in France just outside of Paris.

As a result, the medical center was forced to refer patients elsewhere and reschedule surgery appointments. The intrusion into their network led them to restrict operations and created IT failures that affected patient admissions.

Those responsible for the attack reportedly sought $10 million in exchange for a decryption key.

Nobody has yet claimed responsibility for the attack.

3. Montenegro’s Parliament

Ransom Requested: $10 million

A ransomware attack that affected the government’s technology systems hit Montenegro’s parliament.

The attack, which affected 150 workstations in 10 governmental organizations, was carried out by the Cuba ransomware gang.

The gang claims to have obtained financial records, letters from bank workers, account activity, balance sheets, and tax records.

$10 million has been demanded as a ransom.

4. Ward Hadaway

Ransom Requested: $6 million in Bitcoin

After a cyberattack, top-100 firm Ward Hadaway was subjected to blackmail demands for up to $6 million in bitcoin.

The company discovered a cyberattack in March 2022, and an anonymous hacker warned that files and data stolen from its IT servers would be made public online if $3m out of a $6m ransom was not paid within a week.

The cybercriminal copied data and files during the attack (some were posted to the internet in encrypted form) and sent them to Ward Hadaway.

5. The Austrian State of Carinthia

Ransom Requested: $5 million in Bitcoin

The cybercriminal group Black Cat demanded $5 million in Bitcoin from the Austrian State of Carinthia. They claimed to possess sensitive data and decryption software access.

The attack also caused a major IT failure in the state's government services.

The state decided not to pay since insufficient evidence was shown. They also prepared multiple backup systems. The disruption cascaded across 3,000 IT workstations, halting the delivery of new passports and traffic fines.

It didn’t stop there. It continued onto the State’s website, email, and social benefits systems.

6. City of Wheat Ridge

Ransom Requested: $5 million

Denver’s City of Wheat Ridge was a ransomware victim and was threatened with a $5 million ransom. They firmly declared, “We’ll keep our money and fix the mess you made ourselves,” in response to the violent BlackCat gang from Eastern Europe.

Wheat Ridge was forced to shut down its phone and email systems and close City Hall to the public for more than a week after the attack. Although things are gradually returning to normal, there are still questions about the hacked data.

7. Trenitalia

Ransom Requested: $5 million in Bitcoin

The Hive team attacked Trenitalia’s computer systems, which affected the onboard employees’ tablets, software, and ability to purchase tickets.

The Hive team issued a $5 million Bitcoin ransom demand with a three-day deadline, after which the sum would double to $10 million.

Trenord, whose ticketing system is connected to Trenitalia's, was also impacted by the hack.

However, Trenord was able to keep business operations comparatively normal by suspending the affected ticket sales.

8. University of Pisa

Ransom Requested: $4.4 million

The University of Pisa in Italy was another of BlackCat’s targets. The university administration was given time to pay the $4.5 million demanded in the perpetrators’ ransom note for the attack.

The timing of this could not be worse for troubled Italy, which has already had another ransomware attack that interfered with Palermo’s municipal elections.

To respond to BlackCat’s ransom demands, the targets were offered special access to a conversation channel on the private browser Tor, which is used to reach the dark web.

The note, seen by CyberSecurity360, stated that “this sum is required to recover access to data that has been encoded and thus made worthless.”

BlackCat has also used a double or triple-extortion tactic by threatening to leak crucial information if it is not paid.

9. Rompetrol

Ransom Requested: $2 million

Petromidia Navodari, the largest oil refinery in Romania with a processing capability of more than five million tons annually, is run by Rompetrol.

The attack against Rompetrol, a KMG subsidiary, was carried out by the Hive Ransomware gang.

Hive was holding Rompetrol for a $2 million ransom in exchange for a decryptor and a promise to keep its purportedly stolen data a secret.

Before the attack, KMG had stated that planned maintenance would cause Rompetrol Rafinare to cease operations from March 11 until April 3.

10. Damart

Ransom Requested: $2 million

Damart is a French clothing line attacked by the Hive cybercriminal gang. Data was encrypted, certain services were interrupted, and 92 stores were still experiencing operational problems two weeks after the attack started.

The attackers were confirmed to have accessed Damart’s Active Directory, forcing the company to immediately shut down several of its servers to block further infiltration.

The organization demanded $2 million in ransom.

11. Tift Regional Medical Center

Ransom Requested: $1.15 million

Georgia’s Tift Regional Medical Center was the target of an attack in July 2022, but it wasn’t until September that the incident was made public when talks with the Hive gang fell through.

The Hive gang stole about 1TB of data during the hack, which occurred in July and August, containing press records, staff payroll records, and confidential business information.

The gang emailed the hospital on August 25th, introducing themselves and providing a link to some stolen material. In brief, the ransom demand was $1,150,000, and Tift responded with an offer of $100,000.

The response from Hive was quite an interesting one: “Thank you for your offer”, followed by “Tell the board that they can keep 100k for lawyers. We will publish the data.”

12. Optus

Ransom Requested: $1 million in cryptocurrency

Following a ransomware attack in which an unidentified group claimed to have stolen data from about 11.2 million users, the Australian telecommunications firm Optus grabbed headlines.

The hackers demanded $1 million in Monero cryptocurrency to prevent them from selling the stolen data.

Federal police in Australia are looking into the matter.

13. Glenn County Office of Education

Ransom Requested: $1 million

The Quantum ransomware group attacked the Glenn County Office of Education in California and demanded a whopping $1 million ransom.

The cybercriminal gang appears to have been bargaining during the ransomware negotiation process under the mistaken belief that the county’s assets and cyber insurance would be sufficient to pay their demand.

Allegedly, a $400,000 ransom was paid.

14. Nvidia

Ransom Requested: $1 million

In February 2022, a ransomware outbreak affected the biggest semiconductor chip firm in the world. The business acknowledged that the cybercriminals had started posting employee login details and confidential data online.

Lapsus$, a ransomware organization, claimed responsibility for the incident and said it had obtained 1TB of stolen corporate data that it planned to post online.

Additionally, it requested $1 million and a portion of an undefined sum from Nvidia.

According to numerous media reports, Nvidia had to take some of its operations offline for two days because its internal systems were vulnerable. Later, the business asserted that this incident had not affected its operations.

In reaction to the attack, Nvidia quickly hardened its security and instantly hired cyber incident response specialists to help contain the problem.

According to some sources, Nvidia compromised the hacker in return. It appears to have tracked Lapsus$ members and attacked their computers with malware. However, this cannot be verified or supported.

15. Instituto Agrario Dominicano

Ransom Requested: $600,000

A Quantum ransomware attack affected the Instituto Agrario Dominicano (IAD), a Dominican Republic government organization and a Ministry of Agriculture division.

The encryption of numerous services and workstations impacted the agency’s operations. The databases, apps, and emails were located on four local and eight virtual servers — all of the organization’s servers.

A $600,000 ransom was sought.

16. OSDE

Ransom Requested: $300,000

A cyberattack against OSDE, a chain of healthcare services and professionals in Argentina, was disclosed earlier in the year.

Claiming responsibility for the hack, LockBit demanded a $300,000 ransom to buy back or erase every piece of exfiltrated material.

The organization released the files after the ransom was not paid, although according to DataBreaches.net, they contained relatively little personal data.

What's the Downtime After a Ransomware Attack?

Average Downtime – Organizations may bounce back from downtime quickly if they are resilient. If businesses have tested operational backups, the disruption might only last a few hours.

The disruption, however, could continue for days or weeks if a company cannot recover its systems from backups; this is especially true if specialized hardware needs to be replaced or a network needs to be completely rebuilt.

If that is the case, most businesses should plan for many days of downtime to recover their systems. The average downtime lasts 7 to 10 days.

Why is Ransomware Effective?

The creators of ransomware utilize fear and panic to manipulate their victims into clicking a link or paying a ransom, which can lead to the infection of users’ systems with more software.

Ransomware contains threatening messages. For example, “Websites with unlawful content were visited on your computer. You must pay a $75 fine to access your computer.” or “A virus has just been installed on your computer. Click here to fix the problem.”

What are the Best Practices Against Ransomware?

  • Utilize strong firewall and antivirus defenses on your network.
  • Keep backup hardware on hand in case the main hardware is damaged during a cyber assault so systems can be rebuilt.
  • Update your network using the most recent software fixes.
  • Consider network segmentation on a physical or logical level.
  • Think about encrypting data to make it more difficult to access, copy, or transfer.
  • Utilize an application “allow list” so that only approved programs can run on your network.
  • Create a business recovery plan that will enable you to continue operating even if some systems are unavailable.

What should one do after a ransomware attack?

When you encounter a ransomware attack, carry out your incident management and business continuity strategy as soon as possible.

After that, inform your financial institution that you’ve suffered a ransomware attack and are implementing your contingency measures.

Furthermore, to prevent suspicious transactions from being carried out, restrict the use of payment platforms until you are certain that your network is secure.
