The year 2022 looks set to top last year as the worst year on record for ransomware attacks. Attacks have increased 80% year-over-year, and the cybercriminals responsible have easily dodged law enforcement action by taking advantage of ransomware as a service or by simply rebranding.
This year has not just been the worst year for ransomware attacks statistically; it has also been the worst in its impact. While hackers last year focused on critical infrastructure and financial services, this year's focus has been on organizations where they can inflict the most damage.
This post details the most prolific ransomware attacks and breaches that took place in 2022, in month-wise alphabetical order.
Bay & Bay Transportation
A Minnesota-based trucking and logistics company suffered a second ransomware attack, this time at the hands of the Conti gang. In 2018 a ransomware attack crippled the company, forcing it to pay the ransom. On this occasion the organization was better prepared and was able to return to 90% functionality in a day and a half without paying a ransom.
Japanese auto parts manufacturer Denso suffered an attack by a criminal gang known as Rook. The cybercriminals claimed to have exfiltrated 1.1 terabytes of data from the company. Denso belongs to the corporate group led by Toyota Motor Corp.
A German multinational defense contractor confirmed that some of its UK subsidiary's systems were compromised in a ransomware attack. The Lorenz ransomware gang claimed the attack.
A reported attack on Portuguese media group Impresa over the New Year holiday knocked the organization's websites and online streaming services offline, including those of the Impresa-owned newspaper Expresso and television station SIC. The little-known ransomware gang Lapsus$ was behind the attack.
Indonesia Central Bank
Indonesia Central Bank disclosed they had been hit by a ransomware attack, but public services were not impacted due to the quick measures taken to mitigate the incident. The Conti gang was behind the attack.
French aerospace giant Thales Group was hit with a cyber-attack, with LockBit claiming responsibility. In a statement Thales said that "even though we have not received any direct ransom notification, we take this still unfounded allegation – and whatever its source – seriously. A dedicated team of security experts is currently investigating the situation." LockBit then disclosed some of the exfiltrated data.
Authorities at the Bridgestone-Firestone tire factory in Iowa were forced to send workers home after learning that hackers may have compromised the international corporation's data systems. The LockBit ransomware group claimed the attack.
Jawaharlal Nehru Port
India’s only state-owned and operated container terminal Jawaharlal Nehru Port Trust reportedly started turning away ships after suffering what is believed to be a ransomware attack. The Jawaharlal Nehru Port Container Terminal is one of five container terminals in India’s largest container port, Jawaharlal Nehru Port Trust, which accounts for half of all the containers handled in the country.
An attack on German oil company Oiltanking GmbH impacted gas stations across the country. Royal Dutch Shell disclosed that they had been forced to reroute to different supply depots because of the issue, while German newspaper Handelsblatt said 233 gas stations across Germany were impacted and forced to revert to manual processes. The BlackCat ransomware gang was behind the attack.
San Francisco 49ers
The San Francisco 49ers made headlines during Super Bowl weekend when they were hit by ransomware. Confirmation of the attack came after the 49ers were listed on a dark web leak site as a victim of the BlackByte RaaS group. The threat actors claimed to have exfiltrated data with an estimated value of $4.175 billion.
Airport management services company Swissport experienced a ransomware attack that targeted its IT infrastructure. Headquartered in Opfikon, Switzerland, the company manages airport ground and cargo handling services at over 300 locations. The BlackCat criminal gang was responsible for the attack.
Insurance giant AON disclosed that they had been hit by a ransomware attack which reportedly left no significant impact on the company.
The LockBit gang attacked Bridgestone Americas, which managed to recover from the attack. The LockBit 2.0 ransomware gang nevertheless took credit for the attack and later threatened to release the data it had exfiltrated. Bridgestone later hired Accenture Security to investigate and understand the full scope and nature of the incident and to determine what data had been stolen.
Denso Automotive confirmed they were hit by new ransomware player Pandora after the gang began leaking sensitive data. Denso is one of the world’s largest automotive components manufacturers, supplying brands such as Toyota, Mercedes-Benz, Ford, Honda, Volvo, Fiat, and General Motors. Pandora ransomware gang began leaking 1.4TB of files allegedly exfiltrated during the attack.
Microsoft confirmed that the Lapsus$ hacking group had successfully compromised an employee’s user account and had stolen code, days after the group boasted that it had infiltrated the software giant. The company shared that no customer data or code was affected, and that the operation was interrupted by its security team. The company made the admission in a blog post describing Lapsus$’s tactics and offering guidance on how to protect against them.
Lapsus$ struck again, this time with San Francisco tech company Okta as the victim. According to the Lapsus$ screenshots shared on Telegram, the ransomware group said it did not target Okta's databases and instead focused on Okta customer data.
Toyota made ransomware headlines when they were forced to halt production across all plants in Japan after a ransomware attack on a key supplier. Also affected were Toyota subsidiaries Hino Motors and Daihatsu Motor.
Rompetrol, Romania's petroleum provider, shared that it was battling a massive cyberattack. The Hive ransomware gang was behind this attack and hit the organization with a multi-million-dollar ransom.
Samsung was hit by a cyber-attack; the Lapsus$ data extortion gang leaked confidential data which it claimed had been exfiltrated from the company. Following the attack, the extortion gang shared a note teasing Samsung about releasing its data, with a snapshot of C/C++ directives in Samsung software.
The South African division of US-based consumer credit bureau TransUnion acknowledged that it had suffered a ransomware attack after a third party gained access to one of its servers through misuse of an authorised client's credentials. N4aughtysecTU sent an extortion demand to TransUnion South Africa requesting R223 million (approximately US $15 million) in cryptocurrency in exchange for not releasing the stolen data.
French video game company Ubisoft confirmed it had suffered a hack at the hands of the Lapsus$ gang. In a statement it said, "we can confirm that all our games and services are functioning normally and that at this time there is no evidence any player personal information was accessed or exposed as a by-product of this incident".
Vodafone suffered a data breach at the hands of the Lapsus$ ransomware group without even knowing it. The group issued a poll on its Telegram channel asking its subscribers whose stolen data it should dump next, with three options available: Vodafone, Impresa, and MercadoLibre.
A ransomware attack crippled the Costa Rican government's computer systems. After the government refused to pay a ransom, the Conti gang began publishing the stolen information. The Finance Ministry was the first to report problems with several of its systems, including tax collection. Attacks on the social security agency's human resources system and on the Labour Ministry, as well as others, followed.
Nordex, one of the world’s largest developers and manufacturers of wind turbines was the next victim of the Conti gang. The company disclosed that they had suffered a cyberattack that was detected early and that they had shut down their IT systems to prevent the spread of the attack. They did not confirm that the incident was ransomware despite the Conti gang claiming the attack and sharing details on their leak site.
Panasonic confirmed that its Canadian operations were hit by a cyberattack, less than six months after the company last fell victim to hackers. The Conti gang was behind the attack and claimed to have stolen over 2.8 gigabytes of data from Panasonic Canada.
Russian Orthodox Church
The Anonymous hacker group posted on Twitter that they had launched an attack on the Russian Orthodox Church. The group released around 57,500 emails from the data they stole from the organization.
Bulgarian refugee agency
The LockBit gang, thought to have strong ties with Russia, announced that they would be releasing files they stole from the Bulgarian refugee agency. Nearly 230,000 Ukrainian refugees have made their way to the country since the start of the war. A note on the dark web site belonging to the gang said that all data would be published but there was no mention of a ransom amount.
Costa Rican CCSS
Systems on the network of Costa Rica's public health service were offline following a Hive ransomware attack. The Costa Rican government agency said that citizens' health and tax information stored in the EDUS (Unified Digital Health) and SICERE (Centralized Tax-Collection System) databases was not compromised.
India’s SpiceJet airlines announced that their systems had faced an “attempted ransomware attack” causing lengthy delays and passengers stranded at airports with very little communication from staff. According to company statements their IT team were able to contain and rectify the situation with no further information given on the attack or perpetrators.
Multinational semiconductor company AMD made headlines when the RansomHouse extortion gang claimed them as their latest victim. AMD disclosed that they were investigating a potential data breach following the claims that the criminal gang had exfiltrated data from the U.S. chipmaker.
Goodman Campbell Brain and Spine
Indiana-based healthcare provider Goodman Campbell Brain and Spine announced a data breach following an earlier ransomware attack. An investigation confirmed that "initial analysis indicates that both Goodman Campbell patient and employee data had been accessed by an unauthorized party." The Hive criminal gang claimed the attack.
Retail giant Walmart was hit by the Yanluowang ransomware gang; an entry on the gang's data leak site claimed that they had breached the retailer and encrypted between 40,000 and 50,000 devices.
Japanese game publishing giant Bandai Namco confirmed it had been the victim of a cyberattack that may have resulted in the theft of customer data. While the company has not provided any technical details regarding the cyberattack, it has appeared on the BlackCat data leak site. No data has been leaked yet, but that is common while a ransom negotiation is pending.
Digital security giant Entrust made news when it confirmed that it had become a victim of a cyberattack. Entrust is a security firm focused on online trust and identity management. The gang behind the attack is not yet publicly known, but unless Entrust pays the ransom we will likely find out when the attackers start leaking the stolen data.
An unknown cybercriminal gang attacked the Water Resource Department (WRD) in Goa, India, the organization responsible for the flood monitoring system across 15 of Goa's major rivers. The as yet unidentified ransomware gang encrypted the files and demanded Bitcoin in return for decryption. According to reports, the server runs on a 24/7 internet line, and the absence of antivirus software and outdated firewalls helped facilitate the ransomware attack.
Cisco confirmed that its corporate network had been breached by the Yanluowang ransomware group. The threat actors tried to extort the company by threatening to leak the information they had exfiltrated, although Cisco was confident that only non-sensitive information had been stolen. The information was accessed through a Box folder linked to a compromised employee's account, which was hijacked through a hacked personal Google account with synced credentials. 3,100 files (2.75GB) of data associated with this incident have now been published on the dark web.
Baker & Taylor
Baker & Taylor, the world's largest distributor of books, fell victim to a ransomware attack. It was announced that the incident impacted phone systems, offices, and service centers. There are still some limitations to operations, but the company's priority is remediating and sanitizing systems. It has not yet been established who carried out the attack or whether any information was stolen during the incident.
Holdcroft Motor Group
One of the UK's largest family-run car dealerships suffered a ransomware attack. The hackers stole two years' worth of data, including employee information, and damaged some core systems beyond repair. No group has yet claimed responsibility for this attack.
TAP Air Portugal
TAP Air Portugal, Portugal's national airline, was hit with Ragnar Locker ransomware. The ransomware gang posted a new entry on its leak website stating that it had "reasons" to believe that hundreds of gigabytes of data had been compromised. In the statement the gang also threatened to disprove TAP's claims that no customer data was accessed during the incident. No ransom amount has yet been disclosed.
French clothing firm Damart suffered a cyberattack launched by the Hive ransomware gang. During the attack, data was encrypted and some services were disrupted, with operational issues continuing in 92 stores two weeks after the first issues emerged. It was confirmed that the attack infiltrated Damart's Active Directory, causing the company to shut down some of its services temporarily to prevent further intrusion. It is unclear what data was taken during this incident, but a ransom of $2 million was posted by the group.
Hotel chain Holiday Inn suffered disruptions to its booking channels and other applications due to a cyberattack on InterContinental Hotels Group (IHG), which owns Holiday Inn and other well-known hotel brands. The hackers behind the attack, a couple from Vietnam, told the BBC that they accessed the FTSE 100 firm's databases thanks to an easily found and weak password, Qwerty1234, and carried out the attack "for fun".
A ransomware attack caused "significant disruption" to the second largest school district in the USA, Los Angeles Unified. LAUSD enrols more than 640,000 students, from kindergarten through to 12th grade. Vice Society claimed responsibility for the attack and reported that 500GB of data was stolen. A ransom amount has not been disclosed at this time.
New York Racing
New York Racing Association (NYRA), the operator of the three largest thoroughbred horse racing tracks in New York, was hit by a ransomware attack. The incident impacted IT operations and the website and compromised member data, including social security details, health information and driver license numbers. The Hive gang claimed the attack and added the organization to its leak site. The hackers also published a link to freely download a ZIP archive containing all of the files they allegedly stole from NYRA's systems.
Savannah College of Art and Design
The AvosLocker ransomware group claimed responsibility for the attack on Savannah College of Art and Design this month. SCAD’s information network systems were accessed by the group with potentially 69,000 files containing student information, personnel files and business data being exfiltrated. The ransomware group allegedly negotiated with the college for an undisclosed ransom which was not paid.
Uber reported a network breach that forced the ride-sharing company to shut down several of its internal communications and engineering systems. It is reported that the hacker compromised an employee’s Slack account via a social engineering method and used it to announce the data breach to Uber employees. The hacker claimed to have infiltrated internal systems and gained access to security vulnerability information. Lapsus$ claimed responsibility for the attack and a 17-year-old was arrested in connection with the incident.
American telecommunications giant AT&T made headlines after the Everest ransomware group claimed an attack on the company. The criminal gang also claimed to be selling access to the company's corporate network on its data leak site.
Italian luxury car manufacturer Ferrari has had some of its internal documents posted online as the result of an attack by RansomEXX. The group claimed to have stolen 7GB of data from the company but has not disclosed the ransom demanded. Ferrari continues to deny the event, claiming there is no evidence of a breach of its systems.
An Australian defense communications platform used by military personnel and defense staff was hit by a ransomware attack. The company disclosed that at this time there was no evidence that data had been breached. It is not yet known who was behind the attack.
A ransom of $60 million was demanded from UK car dealer Pendragon. The company, which has 200 car dealerships across the UK under an umbrella of multiple brands, fell victim to a LockBit attack which, according to a company statement, did not affect its ability to operate. The company declined to pay the ransom and has since taken out a high court injunction against LockBit.
India's largest integrated power company, Tata Power, was the victim of a cyberattack orchestrated by the Hive group. Hive operators posted data they claim to have stolen from the company, indicating that ransom negotiations had failed. Leaked data appears to include employee PII, engineering drawings, financial and banking information, and client information. The attack also impacted some of the organization's IT infrastructure, causing disruption to some internal systems.
A Malaysian low-cost airline became a victim of the Daixin Team. The ransomware group claims to have obtained personal data associated with five million unique passengers and all of the airline's employees. Samples of the stolen data, containing passenger information and staff personal data, have been uploaded to Daixin's leak site.
A suspected ransomware attack hit servers at the All-India Institute of Medical Sciences (AIIMS), causing long waits for patients as registration, sample processing and billing computers went down. All services were forced to run in manual mode during recovery from the incident. An investigation with law enforcement authorities is ongoing and measures are being taken to prevent further attacks. It has been identified that the attacks originated from China.
Central Bank of Gambia
An ALPHV/BlackCat ransomware attack allegedly stole 2TB of highly sensitive data involving personal and confidential information relating to employees, customers, and management of the bank. An undisclosed ransom has been demanded, but the bank has refused to pay it.
LockBit compromised a German multinational automotive group's systems and is reportedly selling the stolen files for $50 million on its leak site. Negotiations between the two parties failed, but the ransom amount requested was not made public.
Swedish retail giant Ikea confirmed an attack after the Vice Society criminal gang posted data from its Morocco and Kuwait locations. Samples of the stolen data suggest that the gang managed to exfiltrate confidential business data. File and folder names also indicate that employee data including passport details may have also leaked.
One of the UK's most popular motor racing circuits, Silverstone, was targeted by the Royal ransomware gang. The circuit was aware that it had been added to the gang's victim list and had launched an investigation into the incident.
A ransomware attack brought Vanuatu, a small archipelago in the South Pacific Ocean, to a standstill, causing chaos across its islands. Official government email addresses stopped working, raising the red flag that there was an issue. Websites of the island's parliament, police and prime minister's offices were disabled, and intranets and online databases of schools and hospitals were inaccessible. No one has yet claimed responsibility for this attack.
Rackspace, a cloud computing provider, has confirmed that a ransomware attack is responsible for its recent email outage. The attack occurred in early December 2022, when suspicious activity was detected in the company's Hosted Exchange environment. As noted in a company press release, Rackspace believes the incident "was isolated to its Hosted Exchange business." The company has yet to determine if any customer data was accessed by the attackers.