The 5 biggest ransomware pay-outs of all time

Just a few years ago, you may never have heard of ransomware. Nowadays, it’s a £10 billion-a-year industry and considered one of the biggest threats facing organisations, schools and essential services.

Dozens of ransomware cases are reported each month, with companies locked out of their files and facing extortionate demands. The current going rate for decryption keys is in the region of 0.3 bitcoin (about £100,000, or $140,000), but sometimes attackers set their sights much higher.

In this blog, we look at some of the times attackers have done that – as we review the five biggest reported ransomware payments.

5. University of California at San Francisco ($1.14 million)

In June 2020, the UCSF (University of California San Francisco) caved in after a month-long standoff with criminal hackers, paying a reported $1.14 million in bitcoin to free its systems.

The initial ransom demand is thought to have been $3 million, with the university countering with an offer of $780,000.

As negotiations continued, network administrators attempted to isolate the infection and ringfence a number of systems. This prevented the ransomware from travelling to the core UCSF network and causing further damage.

Although this protected parts of the university’s facilities, including patient care delivery operations and COVID-19 work, the UCSF servers used by the school of medicine were encrypted by the attackers.

4. Travelex ($2.3 million)

While most of us spent New Year’s Eve 2019 celebrating, the IT department at Travelex was grappling with a ransomware infection that was spreading through its systems.

Almost two weeks later, the currency exchange service finally restored its internal systems, but not before paying the attackers a reported $2.3 million ransom.

Employees were forced to work with pen and paper during this time, severely delaying the few processes that could still be performed, while several UK banks that work with the company had to turn away customers who wanted to order foreign banknotes.

Unfortunately, that was only the start of Travelex’s problems. Seven months later, the organisation collapsed into administration – in part due to the losses and damaged reputation caused by the attack.

3. Brenntag ($4.4 million)

In May 2021, Brenntag’s North American division was compromised by criminal hackers. The chemical distribution company has over 17,000 employees at over 670 sites worldwide, but the damage to just one part of its business, from which 150GB of data was stolen, caused huge disruption.

The group responsible for the attack, DarkSide, initially demanded a 133.65 bitcoin ransom, which equates to approximately $7.5 million – which would have made it by far the largest ever payment.

At the time of the attack, DarkSide was already holding the US Colonial Pipeline to ransom, having shut down more than 5,000 miles of pipeline and stranded gasoline and diesel off the Gulf Coast. But more on that later.

After several days of negotiation, Brenntag and DarkSide eventually reached a compromise, with the organisation handing over $4.4 million in bitcoin.

2. Colonial Pipeline ($4.4 million)

Millions of Americans got a first-hand glimpse of the disruption that ransomware can cause in May 2021, when Colonial Pipeline was crippled by the DarkSide gang.

The fuel supplier was forced to halt operations amid the attack, which targeted the company’s business network. This included Colonial’s billing system, which meant it had no way to track fuel distribution or to accurately bill its customers.

Additionally, Colonial shut down its operational technology network, which controls the pipeline, to prevent further spread of ransomware.

That was probably a wise move, given the way ransomware spreads through organisations’ systems, but it only increased the pressure to resolve the issue promptly.

And with news stories of petrol stations running low on gasoline and diesel and people hoarding – often in buckets, plastic bags and other unsafe materials – the crisis deepened.

After initially stating that it wouldn’t negotiate with the attackers, Colonial eventually relented. Initial reports claimed that the organisation paid $5 million in bitcoin, but Colonial’s CEO Joseph Blount later confirmed that the fee was $4.4 million.

However, it would be a pyrrhic victory for the DarkSide ransomware gang, whose servers were seized and cryptocurrency account drained almost immediately after payment was received.

In a public notice, a DarkSide admin wrote: “Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account.”

“A few hours ago, we lost access to the public part of our infrastructure. Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information,” they added.

DarkSide organisers also said they were releasing decryption tools for all of the companies that had been ransomed but had not yet paid.

That’s good news for those who had been infected by DarkSide, but the attack on Colonial Pipeline and its decision to pay up will embolden future attackers.

1. CWT Global ($4.5 million)

The US travel services company CWT Global set a world record for the largest ever ransom payment in July 2020, after it handed over $4.5 million in bitcoin to the Ragnar Locker ransomware gang.

The attack is believed to have taken down 30,000 computers and compromised two terabytes of data. Financial records, security documentation and employees’ personal details, such as email addresses and salary data, were all affected.

Just as remarkably, the discussions between the organisation and the attackers took place in a public – albeit anonymous – chat room. Those following the negotiation were able to see first-hand how CWT Global handled the incident, which began with the ransomware gang demanding $10 million.

The organisation’s representative, who was said to be acting on behalf of the chief financial officer, noted that CWT Global had been severely affected by COVID-19 and couldn’t pay what the attackers demanded.

The parties eventually settled for a little under half the original request, although it was still almost twice as much as any organisation had paid before.

A simple tip for preventing ransomware

Did you know that the majority of ransomware attacks begin with phishing emails? Cyber criminals hide the malware in an attachment that poses as a benign file, like an invoice or a report.

As soon as the victim opens the attachment, the ransomware spreads through their device, locking files and leaving behind a ransom note.
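The disguise described above, a payload posing as an invoice or report, can be caught at the mail gateway before anyone opens it. The following is an added example, not code from the original post: a small attachment triage check with constructed sample attachments, where the helper names and the list of bait formats are this example's own assumptions.

```python
"""Flag email attachments that pose as benign documents (added example)."""

# Bait formats: an attachment claiming one of these extensions should
# also begin with that format's magic bytes. Constructed for this example.
DOCUMENT_MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",      # OOXML files are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",  # legacy OLE2 compound document
}
# Extensions that execute code when opened; never expected from an invoice.
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".ps1"}
MACRO_EXT = {".docm", ".xlsm", ".pptm"}
PE_MAGIC = b"MZ"  # header of a Windows executable

def _extensions(name: str) -> list:
    """All dotted suffixes, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    return ["." + p for p in name.lower().split(".")[1:]]

def triage_attachment(name: str, head: bytes) -> list:
    """Return reasons the attachment looks disguised; an empty list means no finding."""
    findings = []
    exts = _extensions(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXT:
        findings.append(f"executable extension {last}")
        if len(exts) > 1 and exts[-2] in DOCUMENT_MAGIC:
            findings.append(f"double extension hides {last} behind {exts[-2]}")
    if last in MACRO_EXT:
        findings.append(f"macro-enabled document {last}")
    if head.startswith(PE_MAGIC) and last not in EXECUTABLE_EXT:
        findings.append("Windows executable header under non-executable name")
    expected = DOCUMENT_MAGIC.get(last)
    if expected and not head.startswith(expected):
        findings.append(f"content does not match {last} format")
    return findings

# Constructed sample attachments: (filename, first bytes of the content).
SAMPLES = [
    ("Invoice_4471.pdf", b"%PDF-1.7\n"),        # genuine PDF
    ("Invoice_4471.pdf.exe", b"MZ\x90\x00"),    # executable behind a .pdf name
    ("Q3_report.docx", b"MZ\x90\x00"),          # executable renamed to .docx
    ("statement.xlsm", b"PK\x03\x04"),          # macro-enabled spreadsheet
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, "->", triage_attachment(name, head) or "clean")
```

A real gateway would read the first bytes from the decoded MIME part rather than from an inline list, but the decision logic is the same.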

By teaching your employees to spot phishing scams, you can prevent the majority of ransomware attacks.

That’s why you should consider enrolling your employees on our Ransomware Staff Awareness E-learning Course.

You’ll learn about how to protect your organisation from ransomware attacks and how to respond if someone in your organisation falls victim.

This includes examples of ransomware attacks and their effects, as well as the ways in which you can identify them.

A version of this blog was originally published on 2 October 2019.