Ransomware Attacks: Definition, 10 Famous Examples & Tips to Prevent Them

January 09, 2025
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Compliance Manager

As many as 90% of organizations have been hit by ransomware, and three quarters hit more than once over the past 12 months, according to a US and UK study by SpyCloud.

Ransomware attacks have become pervasive across industries in recent years. These attacks not only disrupt operations; they can also lead to significant financial and reputational damage.

Understanding how ransomware works and what steps to take to prevent and recover from such an attack can help your organization better prepare and protect itself. Let’s start with a definition.

What is a ransomware attack?

A ransomware attack is a type of cyberattack in which malicious software encrypts a victim’s files or locks their system, rendering data or devices inaccessible. The attackers then demand a ransom, typically in cryptocurrency, in exchange for a decryption key or other way of restoring access to their data or system.

These attacks often exploit vulnerabilities in software or email systems, or human error, to gain unauthorized access. Once inside, attackers not only encrypt files but also steal as much data as possible and threaten to publish it if the ransom isn’t paid. To isolate the intruders, the organization typically shuts down part or all of its network, which can disrupt or halt its entire operations. To restore operations, the organization must then decide whether to pay the ransom and hope the attackers keep their word about decrypting and restoring access to its data and systems, or to refuse and recover its data and systems itself, rebuilding them if necessary.

Despite law enforcement advocating against paying ransoms and allowing cybercriminals to profit from cyberattacks, there was a significant year-on-year increase in the number of organizations paying a ransom, according to SpyCloud’s 2024 Malware and Ransomware Defense Report. In 2024, 62% of organizations paid a ransom compared to 48% in 2023. However, of those organizations that did pay a ransom, only a third fully recovered their data.

Ransom payments and data loss are just two parts of the potential fallout of a ransomware attack. Let’s take a closer look below to better understand what a ransomware attack is and why prevention is important.

Ransomware attack fallout

The ramifications of a ransomware attack can be severe. These are listed below with real-world examples. 

  • Operational disruptions: Businesses and critical services may come to a halt. For example, a ransomware attack on CDK Global disrupted the operations of thousands of automotive dealerships for days in 2024, forcing them to revert to pen and paper. A ransomware attack also forced the ninth-largest US city, Los Angeles, to close court hearings and other services for weeks.
  • Data breaches: Sensitive data may be exposed or stolen whether or not the ransom is paid. This year, personal data belonging to as many as one-third of American consumers, including identity and health information, may have been stolen in a ransomware attack on a UnitedHealth Group subsidiary.
  • Financial losses: Costs include ransom payments, system recovery, and lost deals and revenue. One of the worst cyber attacks of 2023 caused $100 million in financial losses to the major hotel and casino chain MGM Resorts. 
  • Failed compliance audits and fines: In addition to isolating the incident and recovering data, responding to a ransomware attack involves complying with regulatory requirements, such as timely notification to authorities, affected clients, and possibly the public. Failure to do so may result in failing compliance audits and/or fines for non-compliance. For example, the HHS’ Office for Civil Rights is investigating Change Healthcare’s response to a February 2024 ransomware attack to determine if the HIPAA Rules have been violated, in part due to its delay in issuing notification letters to the individuals who had their data stolen. 
  • Lawsuits: Organizations may incur additional financial losses if customers decide to sue them over a data breach resulting from a ransomware attack. The online pharmacy Postmeds Inc., which does business as Truepill, for example, agreed to settle a class action lawsuit filed in response to a 2023 ransomware attack that affected 2.3 million individuals for $7.5 million.
  • Reputational damage: Customers and stakeholders may lose trust in the organization, which can lead to a loss in investment and funding, among other consequences. For example, after suffering a major ransomware attack in June 2023, KNP Logistics declared itself insolvent in September due in part to the attack adversely impacting their ability to secure additional investment and funding.
  • Business shutdown: In the worst cases, an organization may be forced to shut down if it can’t restore its operations or pay the ransom. Ransomware attacks have caused widespread outages across the healthcare ecosystem, for example, and in 2023 St. Margaret's Health in Spring Valley, Illinois became the first hospital to shut down permanently in part because of costs associated with a ransomware attack.

Let’s take a closer look at these and other real-world examples to better understand the impact of ransomware attacks on various sectors.

10 famous ransomware attack examples

Below we’ll look at several examples, including some of the most famous, largest, and recent ransomware attacks.

1. ICBC Bank ransomware attack

The Industrial and Commercial Bank of China (ICBC), one of the largest banks globally, fell victim to a ransomware attack targeting critical financial systems in November 2023. The attack had far-reaching implications, including disrupting the US Treasury market. Its potential impact on millions of customers emphasized the need for robust cybersecurity measures in the financial sector. 

While specific details about the attack, such as the ransom demanded or the amount of data compromised, remain confidential, the incident highlighted that even highly secured financial institutions are not immune to cyber threats. Additionally, because of its scale, the incident demonstrated the high stakes of cybersecurity in global finance.

2. WannaCry ransomware attack

In May 2017, the WannaCry ransomware attack spread rapidly, affecting over 200,000 systems across 150 countries in just a few days. The ransomware exploited a Windows vulnerability known as EternalBlue, which was developed by the US National Security Agency (NSA) and leaked by the hacking group Shadow Brokers. One of the most notable victims was the UK’s National Health Service (NHS), where the attack disrupted hospital operations, rerouted ambulances, and canceled thousands of medical appointments. 

The total financial impact of WannaCry was estimated to exceed $4 billion globally, including recovery costs and lost productivity. This attack served as a stark reminder of the global consequences of unpatched systems and the importance of timely updates.

3. Patelco ransomware attack

This summer, Patelco Credit Union suffered a ransomware attack that shut down most of the not-for-profit credit union’s online and mobile banking systems. It took Patelco two weeks to restore them. While Patelco’s response included restoring operations and reassuring members about the safety of their information, the credit union later informed authorities that data on more than 1 million individuals was stolen in the ransomware attack.

During the next quarter, Patelco Credit Union lost $39.2 million, most of which was due to a $38 million special charge related to the summer's ransomware attack and online outage. The San Francisco Bay-area credit union holds $9.5 billion in assets and serves over 500,000 members.

This incident not only raised concerns about the resilience of credit unions against cyber threats — it highlighted the critical need for financial institutions of all sizes to implement robust incident response plans and invest in cybersecurity measures to safeguard sensitive data.

4. Heritage Valley Health System ransomware attack

In 2017, Heritage Valley Health System was affected by a global ransomware attack. It paralyzed the Pennsylvania-based healthcare provider’s computer systems, impacting patient care and hospital operations across the entire health system, including satellite and community locations. The attack delayed medical procedures and forced staff to rely on manual processes for scheduling and documentation. The health system also had to pay almost $1 million to settle alleged HIPAA Security Rule violations related to the ransomware attack with the HHS’ Office for Civil Rights.

Though the organization did not pay the ransom, recovery costs and operational disruptions underscored the vulnerability of the healthcare sector. This attack demonstrated the critical role cybersecurity plays in ensuring the continuity of patient care and highlighted the need for enhanced protections against cyber threats targeting healthcare providers.

5. Fulton County ransomware attack

Fulton County, Georgia, fell victim to a ransomware attack in January 2024, disrupting various public services, including its voter registration system, telephone systems, online water billing payments, Google Image Search mapping functionality, and more. Fulton County’s recovery efforts included restoring systems and bolstering defenses to prevent future incidents.

Since the attack delayed critical services for residents, it underscored the risks ransomware poses to public infrastructure. The incident also highlighted the cybersecurity challenges faced by local governments, which often operate with limited resources and outdated systems, and the importance of investing in cybersecurity to prevent similar incidents.

6. Colonial Pipeline ransomware attack

One of the most high-profile ransomware attacks of the past decade was on the Colonial Pipeline. In May 2021, this attack disrupted the largest fuel pipeline in the United States, causing widespread panic and fuel shortages along the eastern seaboard. The attack, attributed to the DarkSide ransomware group, ultimately forced the company to shut down operations for several days and pay a $4.4 million ransom to recover some of its data.

Beyond the financial impact, the attack highlighted vulnerabilities in critical infrastructure and the potential for ransomware to disrupt national security and economic stability. This spurred federal initiatives to strengthen cybersecurity regulations for essential services.

7. CDK ransomware attack

CDK Global, a major provider of IT solutions for automotive dealerships, was hit by a ransomware attack that disrupted operations for dealerships across the US. The attack affected nearly every aspect of the dealerships’ operations, including sales, repairs, registration, and inventory, which in turn disrupted operations for some of the largest automotive retailers in the country. CDK Global appears to have paid a $25 million ransom to the hackers, which would be the second-largest ransom payment on record.

While the financial losses remain unconfirmed, the incident emphasized the importance of securing supply chain ecosystems to protect against cyberattacks that can have a ripple effect on customers across thousands of locations.

8. Ascension Health ransomware attack

Ascension Health, one of the largest healthcare systems in the US, experienced a ransomware attack that disrupted operations and raised concerns about patient care and data security after an employee downloaded a malicious file onto a company device. With thousands of providers relying on its systems and patients relying on its services, the attack had far-reaching implications for healthcare continuity across 140 hospitals in at least 10 states. Delayed or lost lab results, medication errors, and an absence of routine safety checks are just a few examples of the immediate fallout of the weeks-long disruption caused by the ransomware attack. Later, Ascension notified nearly 5.6 million patients and employees that their personal and health data was stolen during the attack. 

The breach highlighted persistent weaknesses in healthcare IT systems, which make healthcare providers particularly vulnerable to ransomware attacks. As attacks targeting healthcare providers continue to escalate in frequency and impact, with 2023 standing out as a record-breaking year, there is a critical need for cybersecurity in healthcare.

9. Mr. Cooper ransomware attack

In 2023, Mr. Cooper, a leading mortgage services company, fell victim to a ransomware attack that temporarily disrupted customer service operations and raised concerns about the security of personal financial data. While the company worked swiftly to restore systems, the incident impacted 14.7 million current and former customers and is expected to cost the Texas-based mortgage company $25 million in response and recovery expenses. 

This attack underscored the risks financial service providers face from sophisticated cybercriminals and the need for robust data protection measures and proactive communication with customers during recovery efforts to maintain trust.

10. Change Healthcare ransomware attack

Change Healthcare, a prominent provider of healthcare technology solutions, faced a ransomware attack that exposed vulnerabilities in its systems and disrupted its operations, which led to sudden and widespread outages across the healthcare sector. Change Healthcare later confirmed that hackers stole the personal and health data of millions of Americans. Because the health tech company is one of the largest processors of US health data, the attack likely stands as one of the largest data breaches of US health and medical data in history, with at least 100 million people known to be impacted.

Raising alarms about the potential for cyberattacks to compromise sensitive health data and impede innovation in healthcare technology, the breach underscored the critical need for cybersecurity investments in the sector, particularly for organizations managing large volumes of patient and operational data.

How to prevent ransomware attacks

Preventing ransomware attacks requires a proactive, multi-layered approach. Some key best practices include:

  • Regular updates: Keeping software and systems updated is critical because attackers often exploit vulnerabilities in outdated software. Your organization must ensure systems and software are updated with the latest security patches. Automating updates wherever possible can help reduce human error and minimize the time systems are exposed to known vulnerabilities. 
  • Employee training: Employees are often the first line of defense against ransomware attacks. Conduct regular training sessions to help them recognize phishing and other attack vectors. Simulated attack training, in which employees are presented with realistic phishing emails or other cyber threats, can help reinforce good practices and awareness.
  • Regular backups: Regularly backing up data can enable your organization to recover from a ransomware attack without paying a ransom. It’s important to store backups offline or in secure cloud storage to prevent them from being targeted during an attack, and periodically test backup systems to confirm data integrity and restoration capabilities.
  • Endpoint protection: Advanced endpoint protection tools can detect and block ransomware before it causes damage. Look for solutions that include behavior-based detection, which identifies suspicious activities like unauthorized file encryption. Keep endpoint security solutions updated to counter the latest threats.
  • Access control: Restricting access reduces the potential damage if an account is compromised. Implement the principle of least privilege, ensuring users only have access to the resources necessary for their roles. Multi-factor authentication adds an extra layer of security, even if credentials are stolen.
  • Vulnerability management: Having a proactive vulnerability management process is essential for preventing ransomware attacks. Regular penetration testing and security assessments simulate the tactics and techniques of real-world attackers, uncovering weaknesses in infrastructure, applications, and human factors that attackers could exploit. This enables your organization to identify and remediate vulnerabilities before they can be exploited and to test and improve your response capabilities.
  • Third-party risk management: Ransomware attacks on third parties can significantly impact your business, from disrupting your services to exposing your data. That’s why it’s so important to implement a robust third-party risk management framework that incorporates due diligence, continuous monitoring, and vendor management policies. This helps ensure your third parties are adhering to strict cybersecurity standards.
  • Cybersecurity compliance: Cybersecurity frameworks require organizations to implement robust security measures, including many of the security measures above. By adhering to these standards, organizations establish a baseline of technical and administrative safeguards against common threats, which bolsters defenses and mitigates the likelihood and impact of cyber attacks.
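The behavior-based endpoint detection described above, as an added example that is not code from the original article or from Secureframe: a small Python heuristic over constructed file-write telemetry that alerts when one process writes a burst of high-entropy files whose original document extension has been preserved under a new suffix, while a single archive write passes without alerting. The process names, paths, thresholds and the `updater_fake.exe` sample are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

DOC_EXTS = {"docx", "xlsx", "pptx", "pdf", "jpg", "png", "txt", "csv"}
RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "recover", "how_to")
ENTROPY_THRESHOLD = 7.0   # bits/byte; documents sit well below, ciphertext near 8.0
WINDOW_SECONDS = 60.0     # burst window
MIN_ENCRYPTED_WRITES = 5  # renamed high-entropy writes from one process before alerting

@dataclass
class WriteEvent:
    ts: float       # seconds since monitoring started
    process: str    # image name of the writing process
    path: str       # file written
    sample: bytes   # first bytes of the written content

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a content sample; encrypted or compressed data approaches 8."""
    n = len(data) or 1  # empty sample scores 0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def has_appended_extension(path: str) -> bool:
    """'q3.docx.locked': a document extension preserved under a new, unknown suffix."""
    parts = _basename(path).split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] not in DOC_EXTS

def looks_like_ransom_note(path: str) -> bool:
    name = _basename(path)
    return name.endswith((".txt", ".html")) and any(h in name for h in RANSOM_NOTE_HINTS)

def detect_mass_encryption(events):
    """One alert per process whose renamed, high-entropy writes form a burst.
    A lone high-entropy write (an archive, a photo) is normal; the signal is the
    burst, the preserved original extension and, usually, a ransom note beside it."""
    by_process = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_process[ev.process].append(ev)
    alerts = []
    for proc, evs in by_process.items():
        hits = [e for e in evs if has_appended_extension(e.path)
                and shannon_entropy(e.sample) >= ENTROPY_THRESHOLD]
        start = 0  # sliding window over the suspicious writes only
        for end in range(len(hits)):
            while hits[end].ts - hits[start].ts > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= MIN_ENCRYPTED_WRITES:
                alerts.append({"process": proc, "encrypted_writes": len(hits),
                               "first_ts": hits[start].ts,
                               "ransom_note": any(looks_like_ransom_note(e.path) for e in evs)})
                break
    return alerts

# Constructed demo telemetry, not captured from a real host.
PLAINTEXT = b"Q3 revenue was flat; see the attached spreadsheet for the breakdown. " * 8
CIPHERTEXT = bytes(range(256)) * 4  # uniform bytes standing in for ciphertext, entropy 8.0
SAMPLE_EVENTS = [
    WriteEvent(0.0, "winword.exe", "C:/Users/ana/Documents/q3.docx", PLAINTEXT),
    WriteEvent(5.0, "7z.exe", "C:/Users/ana/archive.7z", CIPHERTEXT),  # benign high entropy
    WriteEvent(16.0, "updater_fake.exe", "C:/Users/ana/Documents/README_DECRYPT.txt", PLAINTEXT),
] + [WriteEvent(10.0 + i, "updater_fake.exe", f"C:/Users/ana/Documents/{n}.locked", CIPHERTEXT)
     for i, n in enumerate(["q3.docx", "budget.xlsx", "deck.pptx", "scan.pdf", "notes.txt"])]
```

Running `detect_mass_encryption(SAMPLE_EVENTS)` returns a single alert for the constructed `updater_fake.exe` process; real endpoint products add process lineage, canary files and write-rate baselines on top of heuristics like these.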

How to recover from ransomware attacks

While you can take steps to mitigate the risk of ransomware attacks, you can’t eliminate it altogether. If your organization becomes a victim, you can follow the steps below to kick off your recovery efforts.

1. Isolate infected systems to prevent the spread of malware.

Immediately disconnect infected devices from the network to contain the spread. Disable shared drives and network connections that could be exploited by ransomware to propagate further. Ensure all affected devices remain offline until they are fully assessed and cleaned.

2. Engage incident response teams to assess and contain the breach.

Professional incident response teams have the expertise to investigate the attack's scope, identify the ransomware variant, and develop a containment and recovery plan. If internal teams lack experience, consider using AI and automation or bringing in external cybersecurity experts to manage the response effectively.

3. Use security AI and automation to improve response capabilities. 

AI and automation are powerful tools for mitigating the consequences of a ransomware attack, helping teams detect and contain an attack faster and reduce costs as a result. IBM research shows organizations that use security AI and automation extensively were able to identify and contain a data breach nearly 100 days faster and saw cost savings of nearly $1.8 million compared to organizations that do not use AI and automation for security at all.

4. Notify authorities and comply with legal and regulatory requirements.

Reporting ransomware attacks to authorities can aid in tracking cybercriminals and preventing future incidents. Organizations in regulated industries must also adhere to compliance obligations, such as notifying affected parties or regulatory bodies within specified timeframes.

5. Restore systems using clean backups.

Before restoring from backups, ensure that all ransomware has been removed from affected systems. Verify the integrity of backup files and prioritize restoring critical systems first. Consider implementing segmented restoration to reduce downtime and ensure operational continuity.

6. Analyze and improve security measures to prevent recurrence.

Conduct a thorough post-incident review to understand how the attack occurred and identify security gaps. Use these insights to strengthen defenses, such as enhancing monitoring tools, updating security policies, and retraining employees. This step is crucial to building resilience against future threats.

How Secureframe can help prevent and mitigate ransomware attacks

Secureframe provides security AI and automation tools to enhance your organization’s cybersecurity posture. With Secureframe, you can: 

  • Simplify adherence to over 40 security frameworks, including SOC 2, ISO 27001, NIST 800-53, CMMC, and more.
  • Manage incident response reporting and documentation controls and tests in case of a ransomware attack.
  • Integrate your cloud platform and developer tools to see all of your vulnerabilities from services like AWS Inspector and GitHub in one place.
  • Consolidate all compliance and risk data in one source of truth via 220+ native integrations and the Secureframe API.
  • Automate cloud remediation, risk assessments, policy management, and security questionnaires with AI.
  • Closely monitor and manage your third-party vendor relationships.
  • Conduct continuous monitoring to look for gaps in controls and maintain continuous compliance.
  • Automate the assigning, tracking, and reporting of required security and privacy compliance training.
  • Get personalized advice based on your company’s unique risks and industry requirements from our in-house compliance team.

To learn more about how Secureframe can help you enhance your security and compliance posture and defend against ransomware and other common cyber threats, request a demo today.


FAQs

Why is healthcare data frequently the target of ransomware attacks?

Since healthcare data is highly sensitive and valuable, attackers target it knowing healthcare organizations may be more likely to pay a ransom quickly to protect patient privacy.

How does a ransomware attack work?

During a ransomware attack, attackers typically infiltrate systems through phishing emails, malicious downloads, or exploiting software vulnerabilities. Once inside, they inject malware to encrypt files and lock systems and demand payment in order to decrypt the files and restore access to your data and systems.  

How many ransomware attacks were there in 2023?

While the exact number varies by source, ransomware attacks surged in 2023 according to the Office of the Director of National Intelligence, with 4,506 incidents claimed by malicious actors.

How do ransomware attacks happen?

Ransomware attacks often occur due to poor cybersecurity hygiene, such as outdated software, weak passwords, or untrained employees falling victim to phishing schemes.

What is the purpose of ransomware attacks?

The primary goal is financial gain. Attackers demand payment to unlock encrypted systems or prevent the public release of stolen data.