Record-breaking ransoms and breaches: A timeline of ransomware in 2024



It was another record-breaking year for ransomware. When file-locking malware wasn’t causing widespread disruption, like downing online services and lasting outages, ransomware was the cause of unprecedented data theft attacks affecting hundreds of millions of people, in some cases for life.

While governments have struck some rare wins against ransomware hackers over the past twelve months, including the disruption of the prolific LockBit gang and the seizure and takedown of Radar, these data theft and extortion attacks continue to increase dramatically, both in terms of frequency and sophistication. 

We look back at some of the most notable ransomware attacks of 2024.

January

LoanDepot

Mortgage and loan giant LoanDepot said at the start of the year that it had been hit by a cyberattack involving the “encryption of data,” or ransomware. The attack left customers unable to access account information or submit payments, and forced the Florida-based company to “shut down certain systems.” Weeks later, LoanDepot said that the personal data of more than 16 million individuals were compromised.

Fulton County

The notorious LockBit ransomware gang claimed a January cyberattack on Fulton County, the largest county in Georgia with a population over one million. The attack led to weeks of county-wide disruption, including IT outages affecting phone lines, the courts, and tax systems. LockBit published troves of data from the Georgia county, including “confidential documents,” but later removed these claims from its dark web leak site, which can be an indication that the victim paid the hackers a ransom. While the LockBit gang claimed Fulton County had paid, security experts reckon that LockBit likely lost most of the data it had stolen when the gang’s servers were subsequently seized the following month by U.S. and U.K. law enforcement.

Southern Water

U.K. utility giant Southern Water said early in the year that it was investigating a data theft incident, before weeks later confirming that ransomware hackers had stolen the personal data of more than 470,000 customers. The attack on Southern Water, which provides water and wastewater services to millions of people across the south-east of England, was claimed by the Black Basta ransomware group, a Russia-linked gang that previously took credit for a 2023 hack on U.K. outsourcing giant Capita.

February

Change Healthcare 

February saw one of the biggest data breaches of the year — and by far the largest data breaches of U.S. health and medical data in history. UnitedHealth-owned health tech company Change Healthcare was hacked by the ALPHV ransomware gang, which at the time claimed to have stolen “millions” of Americans’ sensitive health and patient information. Change Healthcare reportedly paid $22 million to ALPHV before the gang vanished in March, only for the ALPHV contractor who carried out the hack to demand a second ransom payment from Change.

UnitedHealth conceded in April that the hack led to a data breach affecting a “substantial proportion of people in America.” It wasn’t until October that UnitedHealth confirmed that at least 100 million people were affected by the data breach, which included sensitive data including medical records and health information, though the precise number of affected individuals is expected to be far higher.

March

Omni Hotels

Hotel chain Omni Hotels & Resorts shut down its systems in late March after identifying hackers on its network, leading to widespread outages across Omni’s properties, including phone and Wi-Fi issues. In April, the hotel giant confirmed that cybercriminals stole the personal information of its customers during the March ransomware attack, which was claimed by the prolific Daixin gang. According to reports, this gang claimed to have stolen 3.5 million Omni customer records. 

June 

Evolve Bank

U.S.-based banking-as-a-service giant Evolve Bank was the target of a ransomware attack in June that had widespread effect on Evolve’s banking customers and the fintech startups that relied on the bank, including Wise and Mercury. The LockBit gang claimed credit for the attack on Evolve, with the gang posting data it claimed to have stolen from Evolve on its dark web leak site. In July, Evolve confirmed that the hackers had obtained the personal data of at least 7.6 million people, including customers’ Social Security numbers, bank account number, and contact information. 

Synnovis 

The NHS was forced to declare a critical incident in June after a ransomware attack on a major pathology services provider, Synnovis. The cyberattack led to canceled operations and the diversion of emergency patients, and also saw the NHS issue a national appeal for “O” blood-type group donors in the weeks that followed because of delays in matching blood to patients as a result of the weeks-long outages. The Qilin ransomware gang claimed responsibility for the attack and eventually leaked 400 gigabytes of sensitive data allegedly stolen from Synnovis, or around 300 million patient interactions dating back years, making it one of the largest ransomware attacks of the year.

July

Columbus, Ohio

Some 500,000 residents of the City of Columbus, Ohio’s state capital, had their personal data stolen during a July ransomware attack, including names, dates of birth, addresses, government-issued identification documents, Social Security numbers, and their bank account details. Rhysida, the cybercrime gang responsible for last year’s devastating cyberattack on the British Library, claimed responsibility for the attack against Columbus in August, saying it had stolen 6.5 terabytes of data from the city. 

September

Transport for London

Transport for London, the government body overseeing the U.K. capital’s public transit system, experienced weeks of digital disruption following a cyberattack on the authority’s corporate network in September that was later claimed by the infamous Russia-linked Clop ransomware group. While the London transit network continued operating without issue, the incident nevertheless resulted in the theft of banking data on some 5,000 customers — and forced the transit authority to manually reset the login passwords of every single one of its 30,000 employees in-person.

October

Casio

Japanese electronics giant Casio was the victim of an October cyberattack, confirming to TechCrunch that the incident was ransomware. The cyberattack, which was claimed by the Underground ransomware gang, rendered several of Casio’s systems “unusable,” causing weeks of delays to product shipments. The attack also saw the theft of personal information belonging to Casio employees, contractors, and business partners, along with sensitive company data including invoices and human resources files. Casio said the hackers also accessed “information about some customers,” but did not say how many were affected.

November

Blue Yonder

A November ransomware attack on Blue Yonder, one of the world’s largest providers of supply chain software, had a knock-on effect at several major U.S. and U.K. retailers. Two of the U.K.’s largest supermarket chains, Morrisons and Sainsbury’s, confirmed to TechCrunch, that they had experienced disruption as a result of the ransomware attack, and U.S. coffee giant Starbucks was also affected, forcing store managers to pay staff manually. Blue Yonder has said little about the incident, including whether any data was stolen, but both the Clop ransomware gang and the newer Termite crew claims it has stolen 680 gigabytes of data from the supply chain giant company, including documents, reports, insurance documents and email lists.

December

NHS Hospitals

Several NHS were disrupted (again) by ransomware in December after a prolific Russia-linked ransomware gang dubbed Inc Ransom claimed to have compromised Alder Hey Children’s Hospital Trust, one of Europe’s largest children’s hospitals. The Russian ransomware gang, which similarly breached a major NHS trust in Scotland earlier this year, claimed it obtained Alder Hey patient records and donor reports, along with data from several other hospitals in the nearby area. Separately, the Wirral University Teaching Hospital — another NHS location not far from Alder Hey — was forced to declare a critical incident after also falling victim to ransomware.

Artivion

December continued to be the month for healthcare-targeted attacks, as Artivion, a medical device company that manufactures implantable tissues for cardiac transplants, this month confirmed a “cybersecurity incident” that involved the “acquisition and encryption” of data — which reads as ransomware. Artivion said it took certain systems offline in response to the cyberattack.




Source