Biggest Ransomware Attacks, Demands & Payments 2022 & 2021
Date: 10 January 2023
Did you know that, according to some reports, more than 10 TB of data was stolen every month in ransomware attacks in 2022? By other estimates, almost $111,737,688.23 has been paid in ransomware demands and payouts across the world, and these are just the tracked numbers. According to some analysis, the average ransom payment in Q3 of 2022 was a whopping $258,143, and this is despite the global recommendation that ransom demands should never be paid.
A new trend in ransomware has emerged where the data of victims and organisations is leaked on online leak sites, often without mentioning the company name. While this is a direct threat to the safety of personal information, it also compromises the business secrets, confidential information, marketing strategies and modus operandi of the victims. This is something that cannot easily be quantified in monetary terms.
The biggest ransomware fact of 2022 and 2021 is that the number one cybersecurity threat is clearly not going anywhere. In fact, it’s only becoming more prevalent and complex in nature every day in 2023.
The low barriers to entry in the ransomware industry, coupled with the anonymity that cryptocurrency offers, mean that even low-skilled criminals can make a quick buck by launching ransomware attacks. What the advanced criminal can achieve already makes news headlines every day.
In our ongoing quest to highlight how big a scourge ransomware is today, we’ve compiled two eye-opening lists. One lists the ransomware attacks in 2021 and 2022 where the ransom demand figures and/or payment statuses are known. The second list on this page details the other major ransomware attacks where the ransom demands/payment statuses are not yet known.
This is a live page and we’re updating it every month. We also welcome crowdsourced knowledge so if you know of an attack or a ransom demand that is not in this list, you can write to us and we’ll add it in. Please also provide a verified source of information for each attack.
As always, this list is purely educational in nature and purpose.
The intention is never to highlight or deride the victim. The goal is only to turn the spotlight on the massive number of ransomware attacks in the last two years and the huge ransom demands that have been made (in known cases).
As always, the goal is only to focus attention on ransomware preparedness in 2023.
This list is only meant as an eye-opener for our readership so you’re able to better understand the impact that a ransomware attack can have on your organisation. It has been created only to allow readers to shift their focus on better ransomware readiness and enhance their ransomware mitigation strategies today.
This page contains the following lists:
1. Ransomware Attacks with Known Ransomware Demands/Payouts in 2021 & 2022
2. Ransomware Attacks with Undisclosed Ransomware Demands/Payouts in 2021 & 2022
3. Ransomware Groups that received Ransomware Payouts in 2022
Remember that if you need help without blowing your budget, our flexible and cost-effective Virtual Cyber Assistant and Virtual Cyber Consultant services can help you get more resilient.
Attacks with Known Ransomware Demands and/or Ransomware Payments - 2021 and 2022
| Summary | Ransom Demanded | Ransom Paid | Ransomware Family | Source Link |
| --- | --- | --- | --- | --- |
| Trafford bin collection firm Amey PLC suffers a ransomware attack | $2 billion | Not disclosed | Mount Locker | |
| Delaware County Officials Paid $25,000 in Ransom To Hackers Who Infiltrated the County’s Computer System | Undisclosed | The county paid a $25,000 deductible to their insurers, and the insurers paid a ransom of an unknown amount. Media reports have pegged the amount at $500,000, but the county is not confirming that figure | DoppelPaymer Ransomware | Delaware County, Pennsylvania paid a $500,000 ransom |
| Computer giant Acer hit by a ransomware attack | $50 Million | Acer offered to pay the group $10 million, but REvil gang rejected that offer | REvil Ransomware | |
| Ransomware gang leaks data from Metropolitan Police Department | $4 Million | MPD counter-offered with $100,000 | Babuk Ransomware | |
| Chemical distribution company Brenntag paid $4.4 Million to the DarkSide ransomware group | $7.5 Million | $4.4 Million | DarkSide Ransomware | |
| Ireland's Health Services suffer ransomware attack | $20 Million | Refused to pay | Conti Ransomware | |
| Apex America hit by Sodinokibi ransomware | $7 Million | Not disclosed | REvil (Sodinokibi) | |
| Colonial Pipeline paid $5 Million ransom one day after cyberattack, CEO tells Senate | $5 Million | Nearly $5 Million | DarkSide Ransomware | |
| JBS paid $11 Million to REvil ransomware, $22.5M first demanded | $22.5 Million | $11 Million | REvil Ransomware | |
| Insurance giant CNA fully restores systems after ransomware attack | $60 Million | $40 Million | Phoenix CryptoLocker operators utilised by Evil Corp | |
| REvil gang targets Kaseya | $70 Million | Refused to pay | REvil Ransomware | |
| Maryland’s Leonardtown town becomes a victim of a global ransomware attack that targets Kaseya product user Just Tech | $45000 per computer | Not disclosed | Apparently REvil Ransomware | Maryland’s Leonardtown suffers a ransomware attack that hits JustTech, a product user of Kaseya |
| Ransomware demand $80,000 from York Animal Hospital | $80,000 | Refused to pay | An unknown Russian ransomware group | |
| Babuk’s new ransomware forum RAMP suffers ransomware attack | $5000 in BTC | Refused to pay | An unknown ransomware group | Babuk’s newly launched ransomware forum RAMP hit by a ransomware attack |
| The Judson Independent School District pays ransom | Not disclosed | More than $547,000 | Unknown | |
| Joplin city computers shutdown was ransomware attack | Not disclosed | Joplin city government’s insurer paid $320,000 | Unknown | |
| US farmer cooperative New Cooperative hit by BlackMatter ransomware attack | $5.9 Million | Not disclosed | BlackMatter | |
| Web hosting service Exabytes suffers ransomware attack | $900,000 | Not disclosed | Unknown | |
| JVCKenwood hit by Conti ransomware claiming theft of 1.5TB data | $7 Million | Not disclosed | Not disclosed | |
| Accenture discloses a data breach after August ransomware attack | $50 Million | Not disclosed | Not disclosed | |
| Schreiber Foods hit with cyberattack; plants closed | $2.5 Million | Not disclosed | Not disclosed | |
| Thailand’s Central Restaurants Group (CRG) suffers ransomware attack | Not disclosed | Desorden group refused to accept $900,000.00 USD offer made by Central Restaurants Group (CRG) | Desorden group | Thailand’s Central Restaurants Group (CRG) hit by a ransomware attack |
| Electronics retail giant MediaMarkt suffers ransomware attack | $240 Million | Not disclosed | Hive ransomware | |
| Hackers dump NHS records of Lister Fertility Clinic on their leak site | £3 Million in BTC | Refused to pay | Unknown | Hackers dump NHS records of Lister Fertility Clinic on dark web |
| ONUS suffers Log4j hack | $5 Million ransom demand | Refused to pay | Apparently Conti Ransomware exploited Log4j flaws | |
| Delta Electronics, a Taiwanese electronics manufacturing company | $15 Million | Not disclosed | Conti Ransomware | |
| BlackCat ransomware implicated in attack on German oil companies | $14 Million | Not disclosed | BlackCat | |
| Germany’s Hensoldt confirms Lorenz ransomware attack | $500.000 and $700.000 | Apparently paid the ransom | Lorenz ransomware | |
| New Bedford Police suffer ransomware attack | BTC equal to $5.3 Million | Offered $400,000 payment to unlock the computers, but the attackers refused the offer | RYUK Ransomware | |
| Glenn County Office of Education pays ransom to Quantum group | Not disclosed | $400,000 in BTC | Quantum Ransomware | Glenn County suffers ransomware attack and agrees to pay ransom of $400,000 |
| Walmart hit by Yanluowang ransomware attack | $55 Million | Not disclosed | Yanluowang Ransomware | |
| BlackCat attacks University of Pisa; Demands $4.5M Ransom | $4.5 Million | Not disclosed | BlackCat Ransomware | |
| How Conti ransomware hacked and encrypted the Costa Rican government | $20 Million | Not disclosed | Conti Ransomware | |
| Quantum ransomware attack disrupts govt agency in Dominican Republic | $650,000 | Not disclosed | Quantum Ransomware | |
| Hackers demand $10m to end cyber attack on CHSF Hospital Center | $10 Million | Not disclosed | LockBit 3.0 | |
| Quantum ransomware attack disrupts govt agency in Dominican Republic | $650,000 | Not disclosed | Quantum ransomware | |
| Damart clothing store hit by Hive ransomware, $2 Million demanded | $2 Million | Not disclosed | Hive Ransomware | |
| Montenegro hit by ransomware attack, hackers demand $10 Million | $10 Million | Not disclosed | Apparently Cuba Ransomware | |
| Everest ransomware operators claim to have hacked South Africa state-owned company ESKOM Hld SOC Ltd | $200,000 | Not disclosed | Everest Ransomware | South Africa state-owned company ESKOM Hld SOC Ltd hit by a ransomware attack |
| AFP investigates $1m ransom demand posted online for allegedly hacked Optus data | $1 Million | Not disclosed | Optusdata (Telegram Channel Name) | |
| Australian insurance firm Medibank confirms ransomware attack | $15 Million | Refused to pay | BlogXX (A Relaunch of REvil) | |
| Pendragon car dealer refuses $60 Million LockBit ransomware demand | $60 Million | Refused to pay | LockBit Ransomware | Pendragon car dealer refuses $60 Million ransom demand of LockBit ransomware |
| The BlackByte ransomware group claims to have compromised Asahi Group Holdings, a precision metal manufacturing and metal solution provider | The ransomware gang demands $500k to buy data and $600k to delete the stolen data | Not disclosed | BlackByte | |
| Medibank hackers sell Deutsche Bank data online for 7.5 BTC | 7.5 BTC | Uncertain | Apparently BlogXX | Hackers that sold Medibank access credentials are selling Deutsche Bank data online |
| LockBit offers to sell 40TB of stolen files of Continental for $50 Million | $50 Million | Not disclosed | LockBit | LockBit ransomware gang offers to sell Continental data for $50 Million |
| Hackers that hit AIIMS Delhi raise a demand of nearly $24.5 million in BTC | Nearly $24.5 Million in BTC | Hackers put the AIIMS servers down and it is feared that data of around 3-4 crore patients (including VVIPs patients) could have been compromised | Not disclosed | AIIMS Delhi hackers demand ransom of nearly $24.5 million in BTC |
Ransomware Attacks with Undisclosed Demands 2021 & 2022
| Summary | Ransom Demanded | Ransom Paid | Ransomware Family | Source Link |
| --- | --- | --- | --- | --- |
| Dassault Falcon Jet reports data breach after ransomware attack | Not disclosed | Not disclosed | Ragnar Locker | |
| Audio maker Bose discloses data breach after ransomware attack | Not disclosed | Refused to pay | Unknown | |
| Canada Post hit by data breach after supplier ransomware attack | Not disclosed | Not disclosed | Lorenz Ransomware | |
| Iranian hacking group targets Israel with wiper malware known as DEADWOOD | Not disclosed | Not disclosed | Agrius | |
| Fujifilm refuses to pay ransom; restores network from backups | Not disclosed | Refused to pay | Apparently REvil Ransomware | Fujifilm suffers ransomware attack and refuses to pay ransom |
| Computer memory maker ADATA suffers ransomware attack | Not disclosed | Not disclosed | Ragnar Locker | |
| Northern UK’s rail ticket machines hit by a ransomware attack | Not disclosed | Not disclosed | Unknown | Northern England’s rail ticket machines suffer ransomware attack |
| Tulsa warns of data breach after Conti ransomware leaks police citations | Not disclosed | Not disclosed | Conti ransomware | |
| BlackMatter ransomware hits medical technology giant Olympus | Not disclosed | Not disclosed | BlackMatter | |
| Acer confirms second security breach in the year 2021 | Not disclosed | Not disclosed | Desorden Group | |
| Shutterfly services disrupted by Conti ransomware attack | Undisclosed amount in Millions | Uncertain | Conti Ransomware | |
| Brazilian Ministry of Health suffers ransomware attack that vanishes COVID-19 vaccination data | Not disclosed | Not disclosed | Lapsus$ Group | |
| Conti ransomware uses Log4j bug to hack VMware vCenter servers | Not disclosed | Not disclosed | Conti Ransomware | Conti gang uses Log4j vulnerability to target VMware vCenter servers |
| FinalSite ransomware attack shuts down thousands of school websites | Not disclosed | Not disclosed | Unknown | |
| Lapsus$ ransomware gang hits SIC, Portugal’s largest TV channel | Not disclosed | Not disclosed | Lapsus$ group | |
| Karakurt ransomware group hits WELDCO-BEALES MFG | Undisclosed demand in cryptocurrency | Not disclosed | Karakurt ransomware | |
| Maryland Department Of Health Confirms Ransomware Attack Caused Disruption In COVID-19 Data Last Month | Not disclosed | Not disclosed | Unknown | |
| Minnesota trucking company Bay & Bay hit in 2nd ransomware attack | Not disclosed | Refused to pay | Conti Ransomware | Minnesota trucking company Bay & Bay suffers ransomware attack |
| FlexBooker discloses a ransomware attack; over 3.7 million accounts impacted | Not disclosed | Refused to pay | UaWrongTeam group | |
| Bernalillo County reports suspected ransomware attack | Not disclosed | Refused to pay | Unknown | |
| Compton and Broomhead Dental Center alleged victim of a ransomware attack | Not disclosed | Refused to pay | Unknown | A ransomware attack targets Compton and Broomhead Dental Center |
| Hospital Centro de Andalucia recovered quickly from ransomware attack | Not disclosed | Refused to pay | Vice Society | Hospital Centro de Andalucia recovers from ransomware attack's impact |
| Marketing giant RRD confirms data theft in Conti ransomware attack | Not disclosed | Not disclosed | Conti Ransomware | |
| KP Snacks giant suffers Conti ransomware, deliveries disrupted | Not disclosed | Not disclosed | Conti Ransomware | |
| Business services provider Morley uncovers ransomware attack hit the company in August | Not disclosed | Not disclosed | Unknown | |
| Airport services firm Swissport discloses a ransomware incident | Not disclosed | Not disclosed | Unknown | Airport services provider Swissport suffers ransomware attack |
| Ransomware gang says it has hacked 49ers football team | Not disclosed | Not disclosed | BlackByte | |
| The Royal Dublin Society suffers ransomware attack | Not disclosed | Not disclosed | Unknown | |
| The Jawaharlal Nehru Port Container Terminal hit by a ransomware attack | Not disclosed | Not disclosed | Unknown | The Jawaharlal Nehru Port Container Terminal suffers ransomware attack |
| Seattle-based logistics company Expeditors International suffers ransomware attack | Not disclosed | Not disclosed | Unknown | Logistics company Expeditors International hit by a ransomware attack |
| Insurance giant AON hit by a cyberattack | Not disclosed | Not disclosed | Unknown | |
| Toyota stops production in Japan after a cyberattack at a supplier | Not disclosed | Not disclosed | Pandora ransomware | |
| Bridgestone Americas confirms ransomware attack | Not disclosed | Not disclosed | LockBit ransomware | |
| Automotive giant DENSO hit by new Pandora ransomware gang | Not disclosed | Not disclosed | Pandora ransomware | |
| Nvidia says its ‘proprietary information’ was leaked by hackers as Lapsus$ hit chip manufacturer | Lapsus$ demands Nvidia permanently make its GPU drivers completely open-source | Unknown | Lapsus$ Ransomware | |
| Samsung Confirms Lapsus$ Ransomware Hit, Source Code Leak | Not disclosed | Not disclosed | Lapsus$ Ransomware | |
| Ubisoft hit by ransomware group that hit Nvidia | Not disclosed | Not disclosed | Lapsus$ Ransomware | |
| Vodafone investigating ransomware attack that hit Samsung, Nvidia | Not disclosed | Not disclosed | Lapsus$ Ransomware | |
| RansomEXX Disrupts Scottish Association for Mental Health | Not disclosed | Not disclosed | RansomEXX | Scottish Association for Mental Health suffers ransomware attack |
| Microsoft confirms Lapsus$ hit account with limited access after ransomware group released alleged Bing and Cortana source | Not disclosed | Not disclosed | Lapsus$ Ransomware | |
| Okta investigates claims of customer data breach from Lapsus$ group | Not disclosed | Not disclosed | Lapsus$ Ransomware | |
| Rio de Janeiro finance department hit with LockBit ransomware | Not disclosed | Not disclosed | LockBit ransomware | LockBit takes responsibility for Rio de Janeiro ransomware attack |
| American Dental Association hit by new Black Basta ransomware | Not disclosed | Not disclosed | Black Basta ransomware | |
| Panasonic says Canadian operations hit by a ransomware attack | Not disclosed | Not disclosed | Conti ransomware-as-a-service (RaaS) group | |
| Ransomware grounds some flights at Indian budget airline SpiceJet | Not disclosed | Not disclosed | Apparently LockBit ransomware | |
| Costa Rica’s public health agency hit by Hive ransomware | Not disclosed | Not disclosed | Hive Ransomware | |
| RansomHouse extortion group hits AMD | Not disclosed | Not disclosed | RansomHouse group | |
| Macmillan shuts down systems after likely ransomware attack | Not disclosed | Not disclosed | Unknown | |
| Bandai Namco confirms ransomware attack | Not disclosed | Not disclosed | ALPHV Ransomware | |
| Clop ransomware leaks Spinneys’ customer data in UAE | Not disclosed | Not disclosed | Clop ransomware | |
| Semiconductor manufacturer Semikron hit by LV ransomware attack | Not disclosed | Not disclosed | LV Ransomware | Semiconductor manufacturer Semikron faces a ransomware attack |
| LockBit claims ransomware attack on Italian tax agency | Not disclosed | Not disclosed | LockBit Ransomware | |
| LockBit claims ransomware attack on security giant Entrust, leaks data | Not disclosed | Not disclosed | LockBit Ransomware | |
| Yanluowang ransomware gang stole Cisco source code | Not disclosed | Not disclosed | Yanluowang Ransomware | |
| UK’s car dealership Holdcroft Motor Group hit by a ransomware attack | Not disclosed | Not disclosed | Unknown | |
| Greek natural gas operator DESFA suffers ransomware attack | Not disclosed | Not disclosed | Ragnar Locker | |
| Leading library services firm Baker & Taylor hit by ransomware | Not disclosed | Not disclosed | Unknown | |
| Ragnar Locker ransomware claims attack on Portugal's flag airline | Not disclosed | Not disclosed | Ragnar Locker | |
| Holiday Inn hotels hit by a ransomware type attack | Not disclosed | Not disclosed | Unknown | |
| Hive ransomware claims cyberattack on Bell Canada subsidiary | Not disclosed | Not disclosed | Hive Ransomware | |
| Puma hit by data breach after Kronos ransomware attack | Not disclosed | Not disclosed | Kronos Ransomware | |
| BlackCat ransomware claims attack on Italian energy agency | Not disclosed | Not disclosed | BlackCat Ransomware | |
| CommonSpirit hospital chains hit by ransomware, patients are facing problems | Not disclosed | Not disclosed | Unknown | |
| NHS software vendor Advanced confirms a ransomware attack | Not disclosed | Not disclosed | LockBit 3.0 | |
| Hive claims ransomware attack on Tata Power, begins leaking data | Not disclosed | Not disclosed | Hive Ransomware | |
| Ransomware hackers hit Australian defence communications platform ForceNet | Not disclosed | Not disclosed | Unknown | |
| LockBit ransomware claims attack on Continental automotive giant | Not disclosed | Not disclosed | LockBit Ransomware | |
| Ransomware attack cripples Vanuatu government systems | Not disclosed | Not disclosed | Unknown | |
Ransomware groups which received ransom payments in 2022
| Ransomware Group | Total payments received * | Source Link |
| --- | --- | --- |
| Karakurt ransomware group | $4,348,145.276 | |
| darkangels | $1,463,379.327 | |
| Conti | $1,118,339.572 | |
| MedusaLocker | $269,244.38 | |
| LockBit | $119,120.459 | |
*The figures mentioned in the above table are based on information provided from reliable sources. Cyber Management Alliance Pvt Ltd cannot confirm their accuracy, nor does it take responsibility for this information. We have compiled this easy-to-consume visual data table merely for educational purposes.
If all the data on this page makes you anxious about your organisational preparedness against cyber attacks, do know that there is a way out. While NOBODY can ever truly prevent a ransomware attack, you can strengthen your defence against it.
Start by getting your cyber crisis incident response plans and ransomware response plans in order today. Have them professionally reviewed by virtual cybersecurity experts and ensure that they're fit for purpose.
You should also test these plans in a simulated attack environment through a Ransomware Tabletop Exercise. An experienced cybersecurity expert will put your tech and Incident Response team in a verbally simulated attack scenario where they will test their own best laid plans and their decision-making abilities in the face of chaos. You will then be presented with a report on what the gaps in your organisation's ransomware readiness are and how you can fix them.
Ransomware attacks are not going away in 2023. They will only become more ubiquitous and complex. The only way to ensure that you are able to mitigate the damage to your business is by bolstering your readiness against them.