Cyber Security Blog

Biggest Ransomware Attacks, Demands & Payments 2022 & 2021

Written by Aditi Uberoi | 10 January 2023

Did you know that in 2022 more than 10 TB of data was stolen every month in ransomware attacks, as per some reports? As per some other estimates, almost $111,737,688.23 has been paid in ransomware demands and payouts across the world - and these are just the tracked numbers. According to some analysis, the average ransom payment in Q3 of 2022 was a whopping $258,143 - this is despite the global recommendation that ransom demands should never be paid.

A new trend in ransomware has emerged where data of victims and organisations is leaked on online leak sites, often without mentioning the company name. While this is a direct threat to the safety of personal information, it also compromises business secrets, confidential information, marketing strategies and modus operandi of the victims. This is something that cannot easily be quantified in monetary terms.

The biggest Ransomware fact of 2022 and 2021 is that the number one cybersecurity threat is clearly not going anywhere. In fact, it’s only becoming more prevalent and complex in nature every day in 2023. 

The low entry barriers in the ransomware industry, coupled with the anonymity that cryptocurrency offers, mean that even low-skilled criminals can make a quick buck by launching ransomware attacks. What the advanced criminal can achieve already makes news headlines every day.

In our ongoing quest to highlight how big a scourge ransomware is today, we’ve compiled two eye-opening lists. One lists the ransomware attacks in 2021 and 2022 where the ransom demand figures and/or payment statuses are known. The second list on this page details the other major ransomware attacks where the ransom demands/payment statuses are not yet known. 

This is a live page and we’re updating it every month. We also welcome crowdsourced knowledge so if you know of an attack or a ransom demand that is not in this list, you can write to us and we’ll add it in. Please also provide a verified source of information for each attack. 

As always, this list is purely educational in nature and purpose.  

The intention is never to highlight or deride the victim. The goal is only to turn the spotlight on the massive number of ransomware attacks in the last two years and the huge ransom demands that have been made (in known cases). 

As always, the goal is only to focus attention on ransomware preparedness in 2023.  

This list is only meant as an eye-opener for our readership so you’re able to better understand the impact that a ransomware attack can have on your organisation. It has been created only to allow readers to shift their focus to better ransomware readiness and enhance their ransomware mitigation strategies today.

This page contains the following lists: 

1. Ransomware Attacks with Known Ransomware Demands/Payouts in 2021 & 2022
2. Ransomware Attacks with Undisclosed Ransomware Demands/Payouts in 2021 & 2022
3. Ransomware Groups that received Ransomware Payouts in 2022

Remember that if you need help without blowing your budget, our flexible and cost-effective Virtual Cyber Assistant and Virtual Cyber Consultant services can help you get more resilient. 

 

Attacks with Known Ransomware Demands and/or Ransomware Payments - 2021 and 2022

 

| Summary | Ransom Demanded | Ransom Paid | Ransomware Family | Source Link |
| --- | --- | --- | --- | --- |
| Trafford bin collection firm Amey PLC suffers a ransomware attack | $2 billion | Not disclosed | Mount Locker | Amey PLC ransomware attack |
| Delaware County Officials Paid $25,000 in Ransom To Hackers Who Infiltrated the County’s Computer System | Undisclosed | The county paid a $25,000 deductible to their insurers, and the insurers paid a ransom of an unknown amount. Media reports have pegged the amount at $500,000, but the county is not confirming that figure | DoppelPaymer Ransomware | Delaware County, Pennsylvania paid a $500,000 ransom; Delaware County paid ransom |
| Computer giant Acer hit by a ransomware attack | $50 Million | Acer offered to pay the group $10 million, but REvil gang rejected that offer | REvil Ransomware | Acer suffers ransomware attack |
| Ransomware gang leaks data from Metropolitan Police Department | $4 Million | MPD counter-offered with $100,000 | Babuk Ransomware | Metropolitan Police Department hit by a ransomware attack |
| Chemical distribution company Brenntag paid $4.4 Million to the DarkSide ransomware group | $7.5 Million | $4.4 Million | DarkSide Ransomware | Brenntag pays ransom to DarkSide group |
| Ireland's Health Services suffer ransomware attack | $20 Million | Refused to pay | Conti Ransomware | Conti targets Ireland's Health Services |
| Apex America hit by Sodinokibi ransomware | $7 Million | Not disclosed | REvil (Sodinokibi) | Sodinokibi targets Apex America |
| Colonial Pipeline paid $5 Million ransom one day after cyberattack, CEO tells Senate | $5 Million | Nearly $5 Million | DarkSide Ransomware | Colonial Pipeline paid ransom to DarkSide ransomware gang |
| JBS paid $11 Million to REvil ransomware, $22.5M first demanded | $22.5 Million | $11 Million | REvil Ransomware | JBS paid ransom amount of $11 Million |
| Insurance giant CNA fully restores systems after ransomware attack | $60 Million | $40 Million | Phoenix CryptoLocker operators utilised by Evil Corp | CNA restores its systems after paying ransom |
| REvil gang targets Kaseya | $70 Million | Refused to pay | REvil Ransomware | Kaseya suffers ransomware attack |
| Maryland’s Leonardtown town becomes a victim of a global ransomware attack that targets Kaseya product user Just Tech | $45,000 per computer | Not disclosed | Apparently REvil Ransomware | Maryland’s Leonardtown suffers a ransomware attack that hits JustTech, a product user of Kaseya |
| Ransomware demand $80,000 from York Animal Hospital | $80,000 | Refused to pay | An unknown Russian ransomware group | York Animal Hospital suffers ransomware attack |
| Babuk’s new ransomware forum RAMP suffers ransomware attack | $5000 in BTC | Refused to pay | An unknown ransomware group | Babuk’s newly launched ransomware forum RAMP hit by a ransomware attack |
| The Judson Independent School District pays ransom | Not disclosed | More than $547,000 | Unknown | Judson Independent School District ransomware attack |
| Joplin city computers shutdown was ransomware attack | Not disclosed | Joplin city government’s insurer paid $320,000 | Unknown | Joplin city suffers ransomware attack |
| US farmer cooperative New Cooperative hit by BlackMatter ransomware attack | $5.9 Million | Not disclosed | BlackMatter | New Cooperative suffers BlackMatter ransomware attack |
| Web hosting service Exabytes suffers ransomware attack | $900,000 | Not disclosed | Unknown | A ransomware attack targets Web hosting service Exabytes |
| JVCKenwood hit by Conti ransomware claiming theft of 1.5TB data | $7 Million | Not disclosed | Not disclosed | JVCKenwood ransomware attack |
| Accenture discloses a data breach after August ransomware attack | $50 Million | Not disclosed | Not disclosed | A ransomware attack hits Accenture |
| Schreiber Foods hit with cyberattack; plants closed | $2.5 Million | Not disclosed | Not disclosed | Schreiber Foods suffers ransomware attack |
| Thailand’s Central Restaurants Group (CRG) suffers ransomware attack | Not disclosed | Desorden group refused to accept $900,000.00 USD offer made by Central Restaurants Group (CRG) | Desorden group | Thailand’s Central Restaurants Group (CRG) hit by a ransomware attack |
| Electronics retail giant MediaMarkt suffers ransomware attack | $240 Million | Not disclosed | Hive ransomware | Hive ransomware hits electronics retail giant MediaMarkt |
| Hackers dump NHS records of Lister Fertility Clinic on their leak site | £3 Million in BTC | Refused to pay | Unknown | Hackers dump NHS records of Lister Fertility Clinic on dark web |
| ONUS suffers Log4j hack | $5 Million ransom demand | Refused to pay | Apparently Conti Ransomware exploited Log4j flaws | ONUS ransomware attack |
| Delta Electronics, a Taiwanese electronics manufacturing company | $15 Million | Not disclosed | Conti Ransomware | Delta Electronics hit by a ransomware attack |
| BlackCat ransomware implicated in attack on German oil companies | $14 Million | Not disclosed | BlackCat | German oil companies suffer ransomware attack |
| Germany’s Hensoldt confirms Lorenz ransomware attack | $500.000 and $700.000 | Apparently paid the ransom | Lorenz ransomware | Germany’s Hensoldt hit by a ransomware attack |
| New Bedford Police suffer ransomware attack | BTC equal to $5.3 Million | Offered $400,000 payment to unlock the computers, but the attackers refused the offer | RYUK Ransomware | RYUK ransomware hits New Bedford Police |
| Glenn County Office of Education pays ransom to Quantum group | Not disclosed | $400,000 in BTC | Quantum Ransomware | Glenn County suffers ransomware attack and agrees to pay ransom of $400,000 |
| Walmart hit by Yanluowang ransomware attack | $55 Million | Not disclosed | Yanluowang Ransomware | Ransomware group claims an attack on Walmart |
| BlackCat attacks University of Pisa; Demands $4.5M Ransom | $4.5 Million | Not disclosed | BlackCat Ransomware | University of Pisa suffers BlackCat ransomware attack |
| How Conti ransomware hacked and encrypted the Costa Rican government | $20 Million | Not disclosed | Conti Ransomware | Costa Rica government hit by Conti ransomware |
| Quantum ransomware attack disrupts govt agency in Dominican Republic | $650,000 | Not disclosed | Quantum Ransomware | Quantum Ransomware govt agency in Dominican Republic |
| Hackers demand $10m to end cyber attack on CHSF Hospital Center | $10 Million | Not disclosed | LockBit 3.0 | CHSF Hospital Center ransomware attack |
| Quantum ransomware attack disrupts govt agency in Dominican Republic | $650,000 | Not disclosed | Quantum ransomware | Quantum ransomware targets Dominican Republic's govt agency |
| Damart clothing store hit by Hive ransomware, $2 Million demanded | $2 Million | Not disclosed | Hive Ransomware | Damart clothing store suffers Hive ransomware attack |
| Montenegro hit by ransomware attack, hackers demand $10 Million | $10 Million | Not disclosed | Apparently Cuba Ransomware | Montenegro govt suffers ransomware attack |
| Everest ransomware operators claim to have hacked South Africa state-owned company ESKOM Hld SOC Ltd | $200,000 | Not disclosed | Everest Ransomware | South Africa state-owned company ESKOM Hld SOC Ltd hit by a ransomware attack |
| AFP investigates $1m ransom demand posted online for allegedly hacked Optus data | $1 Million | Not disclosed | Optusdata (Telegram Channel Name) | Optus hackers demand $1 million as ransom |
| Australian insurance firm Medibank confirms ransomware attack | $15 Million | Refused to pay | BlogXX (A Relaunch of REvil) | Medibank hackers demand $15 Million |
| Pendragon car dealer refuses $60 Million LockBit ransomware demand | $60 Million | Refused to pay | LockBit Ransomware | Pendragon car dealer refuses $60 Million ransom demand of LockBit ransomware |
| The BlackByte ransomware group claims to have compromised Asahi Group Holdings, a precision metal manufacturing and metal solution provider | The ransomware gang demands $500k to buy data and $600k to delete the stolen data | Not disclosed | BlackByte | Asahi Group Holdings faces ransomware attack |
| Medibank hackers sell Deutsche Bank data online for 7.5 BTC | 7.5 BTC | Uncertain | Apparently BlogXX | Hackers that sold Medibank access credentials are selling Deutsche Bank data online; Medibank hackers sell Deutsche Bank data |
| LockBit offers to sell 40TB of stolen files of Continental for $50 Million | $50 Million | Not disclosed | LockBit | LockBit ransomware gang offers to sell Continental data for $50 Million |
| Hackers that hit AIIMS Delhi raise a demand of nearly $24.5 million in BTC | Nearly $24.5 Million in BTC | Hackers put the AIIMS servers down and it is feared that data of around 3-4 crore patients (including VVIPs patients) could have been compromised | Not disclosed | AIIMS Delhi hackers demand ransom of nearly $24.5 million in BTC |

 



Ransomware Attacks with Undisclosed Demands 2021 & 2022

| Summary | Ransom Demanded | Ransom Paid | Ransomware Family | Source Link |
| --- | --- | --- | --- | --- |
| Dassault Falcon Jet reports data breach after ransomware attack | Not disclosed | Not disclosed | Ragnar Locker | Dassault Falcon Jet suffers ransomware attack |
| Audio maker Bose discloses data breach after ransomware attack | Not disclosed | Refused to pay | Unknown | Audio device manufacturer Bose suffers ransomware attack |
| Canada Post hit by data breach after supplier ransomware attack | Not disclosed | Not disclosed | Lorenz Ransomware | Canada Post hit by a ransomware attack |
| Iranian hacking group targets Israel with wiper malware known as DEADWOOD | Not disclosed | Not disclosed | Agrius | Agrius targets Israel with Wiper malware |
| Fujifilm refuses to pay ransom; restores network from backups | Not disclosed | Refused to pay | Apparently REvil Ransomware | Fujifilm suffers ransomware attack and refuses to pay ransom |
| Computer memory maker ADATA suffers ransomware attack | Not disclosed | Not disclosed | Ragnar Locker | ADATA hit by Ragnar Locker ransomware |
| Northern UK’s rail ticket machines hit by a ransomware attack | Not disclosed | Not disclosed | Unknown | Northern England’s rail ticket machines suffer ransomware attack |
| Tulsa warns of data breach after Conti ransomware leaks police citations | Not disclosed | Not disclosed | Conti ransomware | Tulsa city hit by a ransomware attack |
| BlackMatter ransomware hits medical technology giant Olympus | Not disclosed | Not disclosed | BlackMatter | Medical technology giant Olympus suffers ransomware attack |
| Acer confirms second security breach in the year 2021 | Not disclosed | Not disclosed | Desorden Group | Desorden Group targets Acer |
| Shutterfly services disrupted by Conti ransomware attack | Undisclosed amount in Millions | Uncertain | Conti Ransomware | Shutterfly hit by ransomware attack |
| Brazilian Ministry of Health suffers ransomware attack that vanishes COVID-19 vaccination data | Not disclosed | Not disclosed | Lapsus$ Group | A ransomware attack hits Brazilian Ministry of Health |
| Conti ransomware uses Log4j bug to hack VMware vCenter servers | Not disclosed | Not disclosed | Conti Ransomware | Conti gang uses Log4j vulnerability to target VMware vCenter servers |
| FinalSite ransomware attack shuts down thousands of school websites | Not disclosed | Not disclosed | Unknown | FinalSite ransomware attack |
| Lapsus$ ransomware gang hits SIC, Portugal’s largest TV channel | Not disclosed | Not disclosed | Lapsus$ group | Lapsus$ hits Portugal’s largest TV channel SIC |
| Karakurt ransomware group hits WELDCO-BEALES MFG | Undisclosed demand in cryptocurrency | Not disclosed | Karakurt ransomware | WELDCO-BEALES MFG. hit by Karakurt ransomware attack |
| Maryland Department Of Health Confirms Ransomware Attack Caused Disruption In COVID-19 Data Last Month | Not disclosed | Not disclosed | Unknown | Maryland Department of Health ransomware attack |
| Minnesota trucking company Bay & Bay hit in 2nd ransomware attack | Not disclosed | Refused to pay | Conti Ransomware | Minnesota trucking company Bay & Bay suffers ransomware attack |
| FlexBooker discloses a ransomware attack; over 3.7 million accounts impacted | Not disclosed | Refused to pay | UaWrongTeam group | FlexBooker hit by a ransomware attack |
| Bernalillo County reports suspected ransomware attack | Not disclosed | Refused to pay | Unknown | Bernalillo County suffers ransomware attack |
| Compton and Broomhead Dental Center alleged victim of a ransomware attack | Not disclosed | Refused to pay | Unknown | A ransomware attack targets Compton and Broomhead Dental Center |
| Hospital Centro de Andalucia recovered quickly from ransomware attack | Not disclosed | Refused to pay | Vice Society | Hospital Centro de Andalucia recovers from ransomware attack's impact |
| Marketing giant RRD confirms data theft in Conti ransomware attack | Not disclosed | Not disclosed | Conti Ransomware | Conti ransomware hits Marketing giant RRD |
| KP Snacks giant suffers Conti ransomware, deliveries disrupted | Not disclosed | Not disclosed | Conti Ransomware | A ransomware hits KP Snacks |
| Business services provider Morley uncovers ransomware attack hit the company in August | Not disclosed | Not disclosed | Unknown | Morley Companies Inc. discloses ransomware attack |
| Airport services firm Swissport discloses a ransomware incident | Not disclosed | Not disclosed | Unknown | Airport services provider Swissport suffers ransomware attack |
| Ransomware gang says it has hacked 49ers football team | Not disclosed | Not disclosed | BlackByte | BlackByte ransomware hits San Francisco 49ers |
| The Royal Dublin Society suffers ransomware attack | Not disclosed | Not disclosed | Unknown | A ransomware attack targets Royal Dublin Society |
| The Jawaharlal Nehru Port Container Terminal hit by a ransomware attack | Not disclosed | Not disclosed | Unknown | The Jawaharlal Nehru Port Container Terminal suffers ransomware attack |
| Seattle-based logistics company Expeditors International suffers ransomware attack | Not disclosed | Not disclosed | Unknown | Logistics company Expeditors International hit by a ransomware attack |
| Insurance giant AON hit by a cyberattack | Not disclosed | Not disclosed | Unknown | A ransomware attack hits Insurance giant AON |
| Toyota stops production in Japan after a cyberattack at a supplier | Not disclosed | Not disclosed | Pandora ransomware | A ransomware attack pauses Toyota operations |
| Bridgestone Americas confirms ransomware attack | Not disclosed | Not disclosed | LockBit ransomware | Bridgestone Americas suffers LockBit ransomware attack |
| Automotive giant DENSO hit by new Pandora ransomware gang | Not disclosed | Not disclosed | Pandora ransomware | Pandora ransomware hits Toyota’s main supplier DENSO |
| Nvidia says its ‘proprietary information’ was leaked by hackers as Lapsus$ hit chip manufacturer | Lapsus$ demands Nvidia permanently make its GPU drivers completely open-source | Unknown | Lapsus$ Ransomware | Nvidia hit by Lapsus$ ransomware |
| Samsung Confirms Lapsus$ Ransomware Hit, Source Code Leak | Not disclosed | Not disclosed | Lapsus$ Ransomware | Lapsus$ hits Samsung and leaks source code |
| Ubisoft hit by ransomware group that hit Nvidia | Not disclosed | Not disclosed | Lapsus$ Ransomware | Ubisoft suffers ransomware attack |
| Vodafone investigating ransomware attack that hit Samsung, Nvidia | Not disclosed | Not disclosed | Lapsus$ Ransomware | Vodafone suffers ransomware attack |
| RansomEXX Disrupts Scottish Association for Mental Health | Not disclosed | Not disclosed | RansomEXX | Scottish Association for Mental Health suffers ransomware attack |
| Microsoft confirms Lapsus$ hit account with limited access after ransomware group released alleged Bing and Cortana source | Not disclosed | Not disclosed | Lapsus$ Ransomware | Lapsus$ group target Microsoft and access the source code |
| Okta investigates claims of customer data breach from Lapsus$ group | Not disclosed | Not disclosed | Lapsus$ Ransomware | Okta hit by Lapsus$ ransomware |
| Rio de Janeiro finance department hit with LockBit ransomware | Not disclosed | Not disclosed | LockBit ransomware | LockBit takes responsibility for Rio de Janeiro ransomware attack |
| American Dental Association hit by new Black Basta ransomware | Not disclosed | Not disclosed | Black Basta ransomware | Black Basta ransomware targets American Dental Association |
| Panasonic says Canadian operations hit by a ransomware attack | Not disclosed | Not disclosed | Conti ransomware-as-a-service (RaaS) group | Panasonic Canada suffers ransomware attack |
| Ransomware grounds some flights at Indian budget airline SpiceJet | Not disclosed | Not disclosed | Apparently LockBit ransomware | Indian air carrier SpiceJet hit by a ransomware attack |
| Costa Rica’s public health agency hit by Hive ransomware | Not disclosed | Not disclosed | Hive Ransomware | Hive group hits Costa Rica’s public health agency CCCS |
| RansomHouse extortion group hits AMD | Not disclosed | Not disclosed | RansomHouse group | AMD hit by a ransomware attack |
| Macmillan shuts down systems after likely ransomware attack | Not disclosed | Not disclosed | Unknown | US book publisher Macmillan hit by ransomware attack |
| Bandai Namco confirms ransomware attack | Not disclosed | Not disclosed | ALPHV Ransomware | Bandai Namco hit by a ransomware attack |
| Clop ransomware leaks Spinneys’ customer data in UAE | Not disclosed | Not disclosed | Clop ransomware | Spinney’s suffers ransomware attack in UAE |
| Semiconductor manufacturer Semikron hit by LV ransomware attack | Not disclosed | Not disclosed | LV Ransomware | Semiconductor manufacturer Semikron faces a ransomware attack |
| LockBit claims ransomware attack on Italian tax agency | Not disclosed | Not disclosed | LockBit Ransomware | LockBit ransomware targets Italian tax agency |
| LockBit claims ransomware attack on security giant Entrust, leaks data | Not disclosed | Not disclosed | LockBit Ransomware | Entrust hit by LockBit ransomware |
| Yanluowang ransomware gang stole Cisco source code | Not disclosed | Not disclosed | Yanluowang Ransomware | Yanluowang Ransomware hits Cisco to steal source code |
| UK’s car dealership Holdcroft Motor Group hit by a ransomware attack | Not disclosed | Not disclosed | Unknown | Holdcroft Motor Group suffers ransomware attack |
| Greek natural gas operator DESFA suffers ransomware attack | Not disclosed | Not disclosed | Ragnar Locker | Ragnar Locker targets Greek natural gas company DESFA |
| Leading library services firm Baker & Taylor hit by ransomware | Not disclosed | Not disclosed | Unknown | Baker & Taylor suffers ransomware attack |
| Ragnar Locker ransomware claims attack on Portugal's flag airline | Not disclosed | Not disclosed | Ragnar Locker | Ragnar Locker hits Portugal's flag airline TAP |
| Holiday Inn hotels hit by a ransomware type attack | Not disclosed | Not disclosed | Unknown | Holiday Inn hotels face a ransomware type attack |
| Hive ransomware claims cyberattack on Bell Canada subsidiary | Not disclosed | Not disclosed | Hive Ransomware | Bell Canada hit by a ransomware attack |
| Puma hit by data breach after Kronos ransomware attack | Not disclosed | Not disclosed | Kronos Ransomware | Puma suffers Kronos ransomware attack |
| BlackCat ransomware claims attack on Italian energy agency | Not disclosed | Not disclosed | BlackCat Ransomware | BlackCat ransomware targets Italian energy agency |
| CommonSpirit hospital chains hit by ransomware, patients are facing problems | Not disclosed | Not disclosed | Unknown | CommonSpirit hospital chains suffer ransomware attack |
| NHS software vendor Advanced confirms a ransomware attack | Not disclosed | Not disclosed | LockBit 3.0 | NHS software vendor Advanced hit by LockBit 3.0 |
| Hive claims ransomware attack on Tata Power, begins leaking data | Not disclosed | Not disclosed | Hive Ransomware | Hive Ransomware targets Tata Power |
| Ransomware hackers hit Australian defence communications platform ForceNet | Not disclosed | Not disclosed | Unknown | ForceNet faces ransomware attack |
| LockBit ransomware claims attack on Continental automotive giant | Not disclosed | Not disclosed | LockBit Ransomware | LockBit hits automotive giant Continental |
| Ransomware attack cripples Vanuatu government systems | Not disclosed | Not disclosed | Unknown | Vanuatu government systems hit by a ransomware attack |



 

Ransomware groups which received ransom payments in 2022

 

| Ransomware Group | Total payments received * | Source Link |
| --- | --- | --- |
| Karakurt ransomware group | $4,348,145.276 | Karakurt ransomware group receives payment in 2022 |
| darkangels | $1,463,379.327 | darkangels ransomware group receives payment in 2022 |
| Conti | $1,118,339.572 | Conti ransomware receives payment in 2022 |
| MedusaLocker | $269,244.38 | MedusaLocker receives payment in 2022 |
| LockBit | $119,120.459 | LockBit receives payment in 2022 |

*The figures mentioned in the above table are based on information provided from reliable sources. Cyber Management Alliance Pvt Ltd cannot confirm their accuracy, nor does it take responsibility for this information. We have compiled this easy-to-consume visual data table merely for educational purposes. 


If all the data on this page makes you anxious about your organisational preparedness against cyber attacks, do know that there is a way out. While NOBODY can ever truly prevent a ransomware attack, you can strengthen your defence against it. 

Start by getting your cyber crisis incident response plans and ransomware response plans in order today. Have them professionally reviewed by virtual cybersecurity experts and ensure that they're fit for purpose.

You should also test these plans in a simulated attack environment through a Ransomware Tabletop Exercise.  An experienced cybersecurity expert will put your tech and Incident Response team in a verbally simulated attack scenario where they will test their own best laid plans and their decision-making abilities in the face of chaos.  You will then be presented with a report on what the gaps in your organisation's ransomware readiness are and how you can fix them. 

Ransomware attacks are going nowhere in 2023. They will only become more ubiquitous & complex. The only way to ensure that you are able to mitigate the damage to your business is by bolstering your readiness against them.