{"id":28511,"date":"2025-01-31T23:16:29","date_gmt":"2025-01-31T17:46:29","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/ransowmare-attacks-in-2024\/28511\/"},"modified":"2025-01-31T23:16:58","modified_gmt":"2025-01-31T17:46:58","slug":"ransowmare-attacks-in-2024","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/ransowmare-attacks-in-2024\/28511\/","title":{"rendered":"Ransomware: the most notable attacks of 2024"},"content":{"rendered":"

You may have noticed a slight drop in the amount of coverage of ransomware on our Kaspersky Daily blog in recent years. Sadly, it\u2019s not that ransomware attacks have stopped. Far from it \u2014 such incidents are now so commonplace that they\u2019ve become part of the cyber-furniture. Nevertheless, some ransomware attacks still have the power to shock. In this post, we take you through the ransomware incidents of 2024 that made a lasting impression in terms of scale, impact, or mode of attack\u2026<\/p>\n

January 2024: ransomware attack on Toronto Zoo<\/h2>\n

\nOne of the first major ransomware incidents of 2024 was the January attack on Canada\u2019s biggest zoo<\/a>, located in Toronto. The zoo\u2019s management was quick<\/a> to reassure the public that no systems related to animal care were impacted. Indeed, its website and ticketing service were also unaffected, so the zoo continued to welcome visitors as usual.<\/p>\n

\"Toronto<\/a>

The official Toronto Zoo website reports a cyberattack and assures that all animals are fine. Source<\/a><\/p><\/div>\n

It soon transpired<\/a> that the attackers had stolen a significant amount of zoo employees\u2019 personal information \u2014 dating back to 1989. This incident served as yet another reminder that even organizations far removed from critical sectors can become targets of ransomware attacks.<\/p>\n

February 2024: $3.09 billion attack on UnitedHealth<\/h2>\n

\nFebruary\u2019s attack on the U.S. healthcare insurance giant UnitedHealth would easily claim the \u201cransomware incident of the year\u201d award if such existed. The attack was in fact carried out on Optum Insight, a UnitedHealth subsidiary that provides technology-enabled services.<\/p>\n

Getting granular here, the direct target<\/a> was Change Healthcare, which has been part of Optum since 2022. This company\u2019s platform serves as a financial intermediary between payers, patients, and healthcare providers. The attack took down over a hundred different Optum digital services. As a result, UnitedHealth was able to process neither electronic payments nor medical applications. Essentially, the company couldn\u2019t perform its core function \u2014 causing chaos across the U.S. healthcare system.<\/p>\n

The attack\u2019s repercussions were so extensive that UnitedHealth even set up a dedicated website<\/a> to provide updates about the process of restoring the company\u2019s affected IT systems. The bulk of the restoration work was carried out in the first months after the attack. However, almost a year on, the site continues to post regular updates, and some systems still have the \u201cservice partially available\u201d status.<\/p>\n

A few days after the attack, the ransomware gang BlackCat\/ALPHV claimed responsibility<\/a>. In addition, they reported stealing 6TB of confidential data \u2014 including medical records, financial documents, personal data of U.S. civilians and military personnel, and a wealth of other sensitive information.<\/p>\n

UnitedHealth ended up paying<\/a> the gang a $22\u00a0million ransom. And it\u2019s rumored that the company had to pay up again<\/a> when BlackCat\u2019s accomplices from the RansomHub group claimed they hadn\u2019t received their share and began leaking the stolen data into the public domain.<\/p>\n

However, compared to the total financial losses caused by the incident, the ransom was a mere drop in the ocean. UnitedHealth\u2019s own financial reports estimate the damage in Q1 alone at $872 million. As for the total damage for the year 2024, it reached<\/a> an eye-watering $3.09 billion.<\/p>\n

According to the latest reports, the attackers stole medical data of more than 100 million patients<\/a>, which is approximately one in three U.S. residents!<\/p>\n

March 2024: Panera Bread\u2019s week-long outage<\/h2>\n

\nIn March, ransomware attackers targeted<\/a> U.S. food-chain giant Panera Bread. The incident knocked out many of its IT systems, including the online ordering service, offline payment system, telephony, website and mobile apps, loyalty program, various internal systems for employees, and other services.<\/p>\n

\"Panera<\/a>

Stub message on the Panera Bread website. Source<\/a><\/p><\/div>\n

Over 2000 restaurants in the Panera Bread chain continued to operate after the attack \u2014 but in stone-age conditions: payment was by cash only; subscription offers (such as unlimited drinks for $14.99 per month) were temporarily unavailable; loyalty program points weren\u2019t awarded; and restaurant staff had to manually coordinate their work schedules with managers. The outage lasted about a week<\/a>.<\/p>\n

During the attack, as we learned<\/a> three months later, the personal data of Panera Bread employees was stolen. By the looks of it, the company ended up paying<\/a> a ransom to keep that data from being published.<\/p>\n

April 2024: Hunters International attack on Hoya Corporation<\/h2>\n

\nEarly April saw an attack<\/a> on Hoya Corporation, the major Japanese optics manufacturer. In an official statement, the company said that the systems of some manufacturing plants, plus the ordering system for several products had been affected.<\/p>\n

\"Ransom<\/a>

Hunters International demanded a ransom of $10 million (151.56 BTC at the then exchange rate) from Hoya Corporation. Source<\/a><\/p><\/div>\n

A week after the incident, it was confirmed<\/a> as a ransomware attack. The Hunters International ransomware-as-a-service group\u2019s website reported that the attackers had stolen 1.7 million files from Hoya (around 2TB), and demanded a ransom of $10 million.<\/p>\n

May 2024: Major disruptions at U.S. healthcare network Ascension<\/h2>\n

\nIn early May, Ascension, one of the largest healthcare networks in the United States, had some of its systems taken offline<\/a> due to a \u201ccybersecurity event\u201d. The \u201cevent\u201d in question was soon revealed to be a ransomware attack on the organization\u2019s IT infrastructure. The disruption affected electronic medical records, telephony, and systems for ordering tests, procedures, and medications.<\/p>\n

As a result, some hospitals run by Ascension couldn\u2019t admit emergency patients, and had to divert ambulances<\/a> to other facilities. Healthcare workers also reported having to switch to pen and paper and writing out medical referrals from memory.<\/p>\n

Restoring the affected electronic systems took over a month. The Black Basta ransomware group claimed responsibility for the attack. The investigation revealed that the root cause of the attack was an employee who downloaded a malicious file<\/a> onto a company device.<\/p>\n

It was revealed in late 2024 that the cybercriminals had stolen the personal data of 5.6 million patients and hospital staff<\/a>. This data included medical records, payment details, insurance information, social security and ID numbers, addresses, dates of birth, and more. As compensation, Ascension offered all those affected a free two-year subscription to its identity-theft protection service.<\/p>\n

June 2024: Ransomware attack on healthcare provider hits London hospitals<\/h2>\n

\nIn early June, news broke<\/a> of a ransomware attack on Synnovis, a UK company providing pathology and diagnostic services to several major London hospitals. As a result, over 800 surgeries were canceled<\/a> and some patients diverted to other facilities.<\/p>\n

\"Major<\/a>

Major outage reported on the website of Synnovis, a healthcare provider for several major London hospitals. Source<\/a><\/p><\/div>\n

One of the worst consequences of the attack was that doctors were unable to match donor and patient blood types, forcing them to use the universal blood type O. This quickly led to a shortage<\/a>.<\/p>\n

July 2024: Los Angeles County Superior Court shut down by ransomware<\/h2>\n

\nThe Los Angeles County Superior Court, the largest single unified trial court in the United States, suspended<\/a> all 36 courthouses in the county due to a ransomware attack. Both external services (such as the court\u2019s website and the jury duty portal) and internal resources (including the case management system) were impacted.<\/p>\n

The Los Angeles courts reopened two days later, but restoring publicly-accessible electronic services took about a week<\/a> longer. After that, however, the Superior Court stopped updating the public about the incident, so it\u2019s unknown how long it took to restore the courts\u2019 internal systems. It also remains a mystery whether the court paid a ransom or what data the attackers may have gotten away with.<\/p>\n

August 2024: Ransomware attack on vodka maker Stoli<\/h2>\n

\nIn August, a ransomware attack targeted Stoli Group, the producer of Stolichnaya vodka and multiple other beverages. The incident had a serious impact on the company\u2019s IT infrastructure and operations: an ERP system failure meant that all internal processes, including accounting, had to be transferred to manual mode.<\/p>\n

In particular, the incident meant that Stoli Group companies couldn\u2019t submit financial statements to creditors \u2014 which alleged that the Stoli companies failed to repay a debt of $78 million. Stoli Group had to file for bankruptcy<\/a> in December.<\/p>\n

September 2024: Highline Public Schools closure due to ransomware<\/h2>\n

\nIn early October, Highline Public Schools, a public school district in the U.S. state of Washington, temporarily closed<\/a> all 34 of its member schools, which serve more than 17,000 students and employ around 2000 staff. The cyberattack halted all educational activities, including sports events and meetings, for four school days.<\/p>\n

About a month after the incident, Highline\u2019s management confirmed that the attack was ransomware-related. Unfortunately, Highline Public Schools officials never disclosed whether any personal information of staff or students had been compromised. As a precaution, however, the district offered all Highline employees one year of free credit and identity monitoring services.<\/p>\n

Although the schools were quite quick to reopen, it took a long time to restore the IT infrastructure back to normal operation. Regretfully, more than a month passed before employees and students were finally urged to change their passwords and reinstall the operating system on all school-supplied devices.<\/p>\n

October 2024: Ransomware attack on Casio<\/h2>\n

\nIn early October, Japan\u2019s Casio, the renowned electronics manufacturer, reported<\/a> unauthorized access to its network. According to its statement, the incident resulted in failure of IT systems and unavailability of certain unspecified services.<\/p>\n

Five days later, the ransomware group Underground claimed responsibility for the attack. The group also stole data during the hack, which it posted<\/a> on its website \u2014 including confidential documents, patent information, employees\u2019 personal data, legal and financial documents, project information, and so on. The very next day, Casio confirmed<\/a> the data theft.<\/p>\n

In early 2025, Casio released<\/a> more details about the number of people whose data had been stolen. According to the company, a total of 8500 people were affected, of which around 6500 were employees, and 2000 were business partners. At the same time, Casio reported not paying a ransom to the attackers and announced that most (but not all) services were already back up and running.<\/p>\n

Interestingly, in that same October 2024, Casio was the victim of another successful attack<\/a>, unrelated to the above ransomware incident.<\/p>\n

November 2024: Ransomware attack on Bologna FC<\/h2>\n

\nIn November, ransomware claimed a rather atypical victim \u2014 the Italian soccer club Bologna FC. The club posted<\/a> on its website an official statement about a ransomware attack, warning that \u201cit is a serious criminal offence\u201d to store or distribute stolen data.<\/p>\n

\"Official<\/a>

The Italian soccer club Bologna FC website reports a ransomware attack. Source<\/a><\/p><\/div>\n

The RansomHub group claimed responsibility for the hack. Later, it published the stolen data after the club refused to pay the ransom. According to the attackers, the leaked information included<\/a> sponsorship contracts, the club\u2019s complete financial history, personal and confidential player data, medical records, transfer strategies, confidential data of fans and club employees, and much more.<\/p>\n

December 2024: Ransomware attacks medical tissue and equipment supplier Artivion<\/h2>\n

\nIn December, Artivion, a global supplier of tissues and equipment for cardiac surgery, announced<\/a> that its IT infrastructure had been compromised by a cyberattack. The attackers encrypted some of the company\u2019s systems and stole data from affected computers.<\/p>\n

According to Artivion, the incident caused \u201cdisruptions to some order and shipping processes\u201d, as well as corporate operations. The company also reported being insured against such incidents, but the policy may not fully cover the damage caused by the attack.<\/p>\n

How to defend against ransomware attacks<\/h2>\n

\nRansomware continues to evolve, and every year the attacks take on new, complex forms. Therefore, in today\u2019s world, effective protection against ransomware requires a comprehensive approach. We recommend the following security measures:<\/p>\n