Anastasiya Novikava
Copywriter
Anastasiya believes cybersecurity should be easy to understand. She is particularly interested in studying nation-state cyber-attacks. Outside of work, she enjoys history, 1930s screwball comedies, and Eurodance music.
Ransomware is malicious software designed to block access to a computer system until a ransom is paid, and it remains a significant threat to organizations. In 2023, we witnessed some of the most prominent ransomware attacks to date.
Central to this wave of attacks was the exploitation of a vulnerability in MOVEit, a managed file transfer product. Exploited by the Russia-linked Clop ransomware group, the vulnerability has left a trail of disruption across various sectors, affecting over 500 organizations and exposing the personal information of more than 34.5 million people.
The evolving cyber threat landscape underscores a crucial reality: no sector is immune to the sophisticated tactics of modern cybercriminals. Let's look at the biggest ransomware attacks of the last year.
Industry: Government
Location: United States
Affected users: 1,300,000
The government of Maine confirmed a significant data breach in which the personal information of over a million individuals was stolen by a ransomware group linked to Russia. The breach exploited a vulnerability in the MOVEit file-transfer system used by the state government. The stolen information includes names, birth dates, Social Security numbers, driver's licenses, and possibly medical and health insurance details. Maine's Department of Health and Human Services and the Department of Education are the most affected agencies.
The breach's extent was revealed after a recent assessment, and the state is notifying affected individuals. It's unclear how recent the stolen data is. This incident is part of a larger MOVEit system breach, deemed one of the largest of the year. The US Securities and Exchange Commission has subpoenaed Progress Software for information related to the MOVEit vulnerability, and the company has pledged full cooperation.
Industry: Healthcare
Location: United States
Affected users: 2,200,000
A Michigan-based healthcare provider, McLaren Health Care, experienced a significant cyberattack resulting in the compromise of sensitive personal and health information of 2.2 million patients. The breach, later claimed by the Alphv ransomware gang (also known as BlackCat), involved hackers accessing patient names, dates of birth, Social Security numbers, and extensive medical information, such as billing, claims, diagnoses, prescription details, and Medicare and Medicaid information. The cyberattack was only detected a month after it happened.
The organization in question operates 13 hospitals across Michigan and employs about 28,000 people. The news of the breach became public in October, but McLaren's spokesperson declined to provide further details or comment on whether a ransom was paid. Due to this cyberattack, McLaren now faces at least three class-action lawsuits.
Industry: Financial Services
Location: United States
Affected users: 4,000,000
A Texas mortgage and loan company, Mr. Cooper, acknowledged a cyberattack leading to a data breach. On Wednesday, the company experienced a technical outage on its website, preventing customers from making online payments. It was later revealed that the outage was caused by a cyberattack that led to a system lockdown to protect customer data.
The company's IT team took immediate containment measures and investigated the incident for potential data theft, promising identity protection services if needed. Later, the organization confirmed that customer data was compromised in the breach.
Industry: Healthcare
Location: United States
Affected users: 5,800,000
A major US pharmacy service provider, PharMerica, reported a data breach affecting nearly six million patients. The breach was discovered due to suspicious network activity and involved an unauthorized third party accessing PharMerica's systems. The leaked data includes names, birth dates, Social Security numbers, medication, and health insurance details. Sensitive health information such as allergy information, Medicare details, and mental health diagnoses was also stolen.
The Money Message ransomware gang, which claimed responsibility for the attack, published the data on the dark web and allegedly obtained 4.7 terabytes of data from PharMerica and its parent company, BrightSpring Health. PharMerica has announced measures to prevent future breaches but has not detailed these steps.
Industry: Insurance
Location: United States
Affected users: 8,900,000
One of the largest US dental health insurers, Managed Care of North America (MCNA) Dental, was targeted by a ransomware attack that compromised the personal data of about 9 million individuals. The breach exposed patients' personal and health insurance information, including Social Security numbers and driver's licenses.
The LockBit ransomware group claimed responsibility and demanded a $10 million ransom, eventually releasing the data as the ransom wasn't paid. MCNA is unaware of any data misuse and has bolstered its security measures. Affected individuals are being notified and offered complimentary credit monitoring services in line with state law requirements. LockBit, which experienced a setback with the arrest of an alleged leader, reportedly stole 700GB of data, including sensitive patient information.
Industry: Business services
Location: United States
Affected users: 11,000,000
A US government services contractor, Maximus, confirmed a data breach potentially affecting 11 million individuals. The breach occurred through a zero-day vulnerability in MOVEit Transfer, a tool Maximus uses to share data with government clients. The hackers accessed personal data, including Social Security numbers and health information. While the exact number of affected individuals is still uncertain, estimates suggest at least 8 to 11 million people could be impacted.
Maximus has not specified the types of health data accessed and is in the process of notifying affected customers and regulators. They estimate the cost of investigation and remediation at around $15 million.
Industry: Telecommunications
Location: United Kingdom
Affected users: 16,000,000
UK-based mobile virtual network operator Lyca Mobile confirmed a cyberattack on its systems, which led to unauthorized access to customers' personal information. Lyca Mobile took immediate action, such as isolating and shutting down compromised systems. However, intruders accessed personal data, including names, birth dates, addresses, identity documents, customer interactions, and payment card details.
Lyca Mobile encrypts data, including passwords, both in transit and at rest. However, the company has not disclosed the encryption methods used, and it remains uncertain whether the attackers obtained the encryption keys. The company has not provided details on how the breach occurred or what its nature was, but the data theft suggests a potential ransomware connection.
Lyca Mobile has informed the UK's Information Commissioner's Office (ICO), and the ICO is assessing the information provided.
Because ransoms for data decryption range from a few hundred to thousands of dollars, ransomware is one of the most lucrative opportunities for cybercriminals. Protecting your business from ransomware therefore requires a multifaceted approach. Here are some effective strategies to protect your business against ransomware.
Employees are often the weakest link in cybersecurity, and they are also the first line of defense against cyber threats. Educating them about warning signs, safe practices, and response strategies is crucial for preventing malware intrusion. In addition, conduct regular training sessions to educate them about phishing scams, a common entry point for ransomware. Timely recognition of a phishing email can save millions of dollars.
Limit user access to data and information, granting access only to those who need it for their work. This principle of 'least privilege' can minimize the extent of a ransomware attack. Limit the ability to install and run software on your network devices as well, since this reduces the network's exposure to malware.
Regularly back up your data and ensure these backups are not connected to your main network. Offsite or cloud-based backups can be effective as they shouldn't be affected during a breach of your main network. In the event of an attack, you can restore data without paying a ransom.
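A backup you have never verified is not a backup you can count on: if the encryptor reached the backup copy too, you only find out during the restore. The following added example (not code from the original post or from NordLayer) shows one way to make that check concrete: build a SHA-256 manifest of the live data, keep it with the offline copy, and verify both the damaged live tree and the backup against it before restoring. The "live" and "backup" directories, the sample files, and the file-overwriting stand-in for ransomware are all constructed inside a temporary directory for the demonstration.

```python
"""Hash-manifest verification of an offline backup before a restore.

Added example; the data set, the "backup" directory and the damage
simulation are all constructed in a temporary directory.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_against_manifest(root, manifest):
    """Return the sorted list of manifest entries that are missing or changed under root."""
    bad = []
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full) or sha256_file(full) != digest:
            bad.append(rel)
    return sorted(bad)


def simulate_damage(root):
    """Constructed stand-in for an encryptor: overwrite every file and rename it."""
    targets = [os.path.join(d, n) for d, _, files in os.walk(root) for n in files]
    for full in targets:
        size = os.path.getsize(full)
        with open(full + ".locked", "wb") as handle:
            handle.write(os.urandom(size))
        os.remove(full)


def demo():
    """Run the full cycle: manifest, offline copy, damage, verify, restore."""
    work = tempfile.mkdtemp()
    live = os.path.join(work, "live")
    backup = os.path.join(work, "backup")  # stands in for the offsite/offline copy
    os.makedirs(os.path.join(live, "docs"))
    with open(os.path.join(live, "ledger.csv"), "w") as handle:
        handle.write("id,amount\n1,100\n")  # constructed sample data
    with open(os.path.join(live, "docs", "policy.txt"), "w") as handle:
        handle.write("constructed sample document\n")

    manifest = build_manifest(live)      # taken while the data is known-good
    shutil.copytree(live, backup)        # the copy that stays off the main network
    simulate_damage(live)                # the live tree gets hit

    damaged = verify_against_manifest(live, manifest)
    backup_ok = verify_against_manifest(backup, manifest) == []
    if backup_ok:                        # only restore from a copy that verifies clean
        shutil.rmtree(live)
        shutil.copytree(backup, live)
    restored_ok = verify_against_manifest(live, manifest) == []
    shutil.rmtree(work)
    return {"damaged": damaged, "backup_ok": backup_ok, "restored_ok": restored_ok}


if __name__ == "__main__":
    print(demo())
```

The manifest should be written at backup time and stored alongside the offline copy, not on the live system, since an encryptor that reaches the live tree will take the manifest with it. Running the verification on a regular schedule, rather than only after an incident, is what turns this into a tested restore.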
Keep your operating systems, software, and applications updated. Cybercriminals exploit vulnerabilities in outdated software. Implement a patch management strategy to ensure timely updates, and schedule regular scans to confirm that systems actually remain patched and healthy.
Exercise caution with links in emails or pop-up messages. Don't click unless you're sure of their legitimacy. When in doubt, hover over a link to see the real URL before clicking. Be wary of email attachments or downloads, as they can contain malicious software. Implement advanced email filtering solutions that can detect and block phishing emails, a common ransomware delivery method.
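The "hover to see the real URL" advice and the email filtering advice above come down to the same check: does the destination a link actually points to match what the message shows the reader, and does the message carry an attachment type that should never arrive by mail? The following added example (not code from the original post or from NordLayer) implements that check over a parsed message using only the Python standard library. The sample message, the `.test` domains in it, and the list of risky attachment extensions are constructed for the demonstration; the list is illustrative, not a complete filtering policy.

```python
"""Flag two common phishing indicators in an e-mail: anchor text that shows one
domain while the href points to another, and risky attachment types.

Added example; the sample message and the extension list are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative list of attachment types many mail filters block outright.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".hta", ".iso"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(value):
    """Return the host of a URL-looking string, or None if it does not look like a URL."""
    candidate = value.strip()
    if not re.match(r"^(https?://|www\.)", candidate, re.I):
        return None
    if candidate.lower().startswith("www."):
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def registrable_domain(host):
    """Last-two-labels approximation of the registrable domain (no public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_message(raw_bytes):
    """Return human-readable findings for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _LinkExtractor()
            parser.feed(part.get_content())
            for href, text in parser.links:
                shown, real = domain_of(text), (domain_of(href) if href else None)
                if shown and real and registrable_domain(shown) != registrable_domain(real):
                    findings.append(f"link text shows {shown} but points to {real}")
        filename = part.get_filename()
        if filename and "." in filename:
            ext = "." + filename.rsplit(".", 1)[-1].lower()
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment type: {filename}")
    return findings


def build_sample():
    """Constructed phishing-style message: look-alike link plus an executable attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example-bank.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Action required"
    msg.set_content("Please review your account.")
    msg.add_alternative(
        '<p>Log in at <a href="http://login.example-bank-verify.test/x">'
        "https://www.example-bank.test/login</a></p>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in analyze_message(build_sample()):
        print(finding)
```

The domain comparison deliberately uses the registrable domain rather than the full host, so a legitimate link from `www.example-bank.test` to `login.example-bank.test` is not flagged while `example-bank-verify.test` is. A production filter would replace the two-label approximation with a public suffix list lookup and extend the attachment rule to archives and macro-enabled documents.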
In light of these incidents, organizations and individuals must prioritize cybersecurity measures. Regularly updating security software, implementing robust backup strategies, and training staff on recognizing phishing attempts are key steps in mitigating the risk of ransomware attacks.
Upgrading your current remote network access solutions could also enhance the organization's overall security. NordLayer aids businesses by offering sophisticated network access and management solutions. Our services authenticate each access request in line with the Zero Trust security model, boosting data protection and limiting the attack surface.
NordLayer's security offerings include a VPN and multi-factor authentication, all tailored to meet your business requirements without needing extra hardware.