A few years ago, ransomware was something that only affected a few unlucky people who were forced to pay a few hundred pounds to regain access to their locked-out laptops.
Nowadays, it’s a £10 billion-a-year industry, as cyber criminals have switched from targeting individuals to organisations – often those that provide essential services and that may be morally obliged to preserve access to their services, like local governments and hospitals.
Dozens of ransomware cases are reported each month, with companies locked out of their files and forced to pay, on average, £95,000 to regain access.
That’s not a bad profit, given that off-the-shelf ransomware can be purchased for about £600, but plenty of fraudsters have gone after much bigger paydays.
Let’s take a look at the five biggest reported ransomware payments.
5. Jackson Co., Georgia ($400,000)
US local governments have fast become among the most popular targets for ransomware attacks, because they’ve proved more than willing to meet cyber criminals’ demands.
Although experts warn organisations about the long-term effects of negotiating ransoms (you become a target for future attacks, for example), refusing to pay up will cost a lot in the short term and halt productivity until systems are restored.
These are two things that local governments can ill afford. Delays to ambulance and police services can put people’s lives in danger, while disruptions to other public services can affect the entire city.
When officials of the Jackson County, GA, government found their IT systems infected with the Ryuk ransomware strain, they decided to hire a negotiator to resolve the issue as quickly as possible. They paid $400,000 (about £330,000) to restore their systems, a cost that came out of the city budget.
4. Unnamed Canadian organisation ($335,000)
It’s no surprise that an organisation wouldn’t want to be named in a news report saying that it had paid CA$425,000 (about $335,000, or £264,000) to cyber criminals. It goes against the advice of experts and makes it publicly known that the organisation has poor security defences.
This doesn’t necessarily refer to the organisation’s ability to prevent a ransomware attack. The concern is that the organisation didn’t have a response plan in place.
While you can understand a local government’s hesitance about lengthy delays, private-sector organisations should be equipped to manage in the event of disaster. If you regularly back up your files, you can isolate infected machines, wipe the ransomware from your systems and restore your files in a day or two.
Combine that process with a business continuity plan, and you’ll be able to continue operating during the delay. Productivity will fall, but in most cases the financial costs will be less than the ransom demand.
However, the unnamed Canadian organisation didn’t have a plan and was forced to pay a huge sum to rectify the situation.
3. Lake City, Florida ($500,000)
Three small Florida cities were hit by ransomware in a three-week span in 2019. Lake City was the second victim, coming a few days after officials of Riviera Beach ended their stand-off with the cyber criminals by meeting their ransom demand.
The fraudsters used Ryuk, the same ransomware strain that infected Jackson County, and which would also be used in the attack on Key Biscayne a week later.
City officials felt compelled to pay, as government employees had been locked out of their email accounts, giving them no way to communicate with colleagues and the public.
It wasn’t an easy decision, though, because the government was aware that paying the ransom was encouraging criminals to launch more attacks. A few days after Lake City and Key Biscayne restored their IT systems, the US Conference of Mayors unanimously agreed not to pay any more ransoms.
2. Riviera Beach, Florida ($600,000)
Riviera Beach was the largest of the Florida cities to be hit during the wave of ransomware attacks, so it follows that it would be subject to the largest ransom.
However, with a low average income and high crime rates, the city could ill afford to hand over $600,000 to cyber criminals.
Unfortunately, city officials felt as though they had no other choice. After sitting on infected devices for three weeks, the Riviera Beach City Council agreed to meet the criminals’ demands.
They had already set aside $1 million to pay for new computers and hardware following the attack, but decided it would be quicker and less expensive to simply pay up.
Things may have been different for Lake City and Key Biscayne if the officials had stuck with their initial plan, something everyone involved appears to have acknowledged subsequently, given the about-turn regarding ransoms a few weeks later.
But you live and learn, with successive ransom payments totalling $1.3 million acting as a testament to the fact that paying up only leads to more damage.
1. Nayana ($1 million)
On 10 June 2017, criminal hackers infected more than 153 Linux servers hosted by South Korean web provider Nayana, shutting down 3,400 websites.
Nayana’s chief executive, Hwang Chilghong, revealed that the hackers initially asked for $4.4 million, but the organisation negotiated the ransom down to $1 million.
In a statement, Hwang apologised for the attack, and said: “I know that negotiations with hackers should not be done.
“I would not negotiate with a hacker if it was the case that it ended in the damage of my own company alone. However, the scale of the damage was too great and too many people would suffer.”
That wasn’t the full extent of the damage, though. During the negotiations, some data was deleted permanently, so Nayana offered free hosting for life and refunds to affected customers.
These costs exacerbated an already dire situation for the web provider, which said it didn’t have the funds to pay the initial ransom. It had negotiated the ransom down to $500,000, which would have still been the largest ever reported ransomware payment at the time, but the fraudsters doubled their price at the last minute.
The future of ransomware attacks
Ransomware has continued to flourish in the years after the Nayana incident – which itself came only a few weeks after the WannaCry pandemic – so it’s surprising that no one has knocked the web provider off top spot.
Many organisations don’t publicise the payments they make, so it’s possible that larger ransoms have been forked out, but we wouldn’t count on it.
For one, there aren’t too many organisations willing to hand over that amount of money. Besides, most organisations that could afford to part with hundreds of thousands of pounds will almost certainly have taken action as soon as they acknowledged the growing threat of ransomware, ensuring that their systems were protected and that they had a recovery plan for when disaster strikes.
Likewise, organisations have come to better understand how ransomware works, and realise that paying up isn’t an effective solution. The US Conference of Mayors’ agreement to refuse any more ransoms shows this, and it sets the perfect example for everyone else to follow.
By meeting fraudsters’ demands once, you encourage them to go after more targets, fuelling the cyber crime industry and setting in motion a chain of attacks that will eventually lead back to you or an organisation you work with.
A simple tip for preventing ransomware
Did you know that the majority of ransomware attacks begin with phishing emails? Cyber criminals hide the malware in an attachment that poses as a benign file, like an invoice or a report.
As soon as the victim opens the attachment, the ransomware spreads through their device, locking files and leaving behind a ransom note.
By teaching your employees to spot phishing scams, you can prevent the majority of ransomware attacks.
After all, educated and informed employees are your first line of defence. Empower them to make better security decisions with our Complete Staff Awareness E-learning Suite.
A cost-effective way of managing all your staff awareness training in one place, the complete suite contains eight e-learning courses to help you transform your employees from threats to assets.