What we can learn from the biggest ransomware attacks

Ravi Bindra, CISO

Ransomware is on the rise – in terms of attack frequency and the size of the ransom payout. And while organizations are constantly stepping up their approach to cybersecurity, threat actors are constantly finding new attack vectors.

The best way to improve your cyber security approach is to closely examine the missteps of others. That’s why we’d like to provide details on the 5 biggest ransomware attacks in recent history. While these victims suffered massive losses, their missteps were usually quite minor – and will give you a clear idea of what your organization is up against. So, let’s cover some key facts about ransomware and uncover what we can learn from the biggest ransomware attacks.

10 key facts about ransomware

Before we cover recent attacks, it’s important to understand how ransomware has evolved over the years. Here are the most important facts and figures related to ransomware attacks:

  • Ransomware is the most common malware threat.

    According to Datto’s 2019 Global State of the Channel Ransomware Report, 85% of Managed Service Providers reported ransomware to be the most common malware threat to their small and medium business clients.

  • The average downtime from a ransomware attack is 21 days.

    According to Coveware’s Quarterly Ransomware Report, the average firm experienced 21 days of downtime in Q4 of 2020. This downtime is one of the biggest sources of financial loss from attacks. 

  • Ransomware attacks are increasing in number.

    In 2020, ransomware attacks numbered 304.6 million worldwide, up from 187.9 million in 2019. But the 2020 numbers have already been surpassed in the first two quarters of 2021 alone, with attack volume reaching 304.7 million in just six months.

  • Phishing emails are still the most common source of a breach.

    According to Statista, phishing emails accounted for over half (54%) of ransomware attacks in 2020.

  • The average ransomware payout is $570,000 – and growing.

    This is the average payout according to Palo Alto Networks in the first half of 2021. In comparison, the average payout in 2020 was $312,000.

  • The currency of ransomware is Bitcoin.

    Almost all ransomware ransoms (as much as 98% according to some sources) are paid in Bitcoin due to its availability and lack of regulation. 

  • Over a third of organizations globally were hit by ransomware in 2020.

    According to a Sophos 2021 report, 37% of surveyed organizations worldwide were affected by ransomware attacks last year alone.

  • The average cost to recover from a ransomware attack is $1.85 million.

    There’s the cost of the ransom itself, and then the cost due to downtime, lost data, and other financial impacts.

  • Paying the ransom doesn’t always get your data back.

    According to Sophos, only 65% of survey respondents had their data restored after they paid the ransom.

  • Remote workers are now the primary target.

    A rise in cyber attacks came along with the COVID-19 pandemic and the shift toward remote work. Due to a lack of home network and device security, remote workers are frequently the weak link that threat actors choose to exploit.

There is no question that ransomware should be on the top of every organization’s list of concerns. It’s both a widespread problem and extremely expensive to recover from.

The 5 biggest ransomware attacks & pay-outs

According to a 2021 Ransomware Threat Report by Palo Alto Networks, the average ransom increased 171% from 2019 to 2020 - and there’s every indication that criminals will continue to demand more. For this reason, it’s crucial that organizations learn from the expensive mistakes of others. Let’s cover the 5 biggest ransomware payouts to date, and assess factors associated with the attack.

Brenntag - $4.4 million

Chemical distribution company Brenntag had 150 GB of data stolen from its North American division in May of 2021. The culprit, DarkSide, initially demanded $7.5 million but accepted $4.4 million in bitcoin after several days of negotiation.

Colonial Pipeline - $4.4 million

A big newsmaker, also in May of 2021, and also at the hands of the DarkSide cybercriminal group, was the Colonial Pipeline attack. Colonial had to halt operations and shut down its entire operational technology network to stop further spread. From New Jersey to Texas, gas stations ran low on fuel, and news stories of people hoarding gas abounded. After initially stating they wouldn’t pay the ransom, the company was eventually forced to relent to the tune of $4.4 million in bitcoin.

CWT Global - $4.5 million

The Ragnar Locker group took down travel services giant CWT Global in July 2020 with a ransomware attack that compromised 2 TB of data and took down 30,000 computers. Negotiations occurred in a public chat room, giving those who knew where to look a glimpse into the process as it occurred. While the initial demand was for $10 million, they eventually settled on a $4.5 million payout.

JBS Foods - $11 million

In June 2021, the world’s largest meat producer was forced to halt operations at all 13 US processing plants, threatening supply shortages and posing a financial risk to grocery stores, farms, and other industries. JBS Foods conceded to paying $11 million in bitcoin to the Russian-based REvil group in order to prevent further disruption.

CNA Financial - $40 million

In March of 2021, insurance giant CNA Financial sustained a ransomware attack causing widespread network disruption and impacting several internal systems, including corporate email. The culprit made use of the Phoenix CryptoLocker malware and scored a whopping $40 million payout from the company.

The numbers above are only part of the story, however. Many organizations have either refused to pay or have not admitted to paying even heftier ransoms. Of note from this year is REvil’s attack on Acer, with a $50 million payout demand, though Acer has been silent as to whether it paid this ransom or not.

REvil also hit Apple supplier Quanta with a $50 million demand, and when Quanta refused to pay, the group moved on to demanding payment from Apple. And as if that wasn’t enough, REvil also attacked Florida-based software company Kaseya with a $70 million ransom demand, though Kaseya refused to pay it.

New trends observed

In the world of technology, new trends emerge frequently and patterns evolve over time. Some of the biggest trends in the ransomware sector today are data exfiltration, "big-game hunting," and the emergence of ransomware as a service (RaaS). With data exfiltration, attackers don’t just encrypt an organization’s data until the ransom is paid; they also copy it, sometimes threatening to release it to the public, and often doing so at least in part even if the ransom is paid. Data exfiltration now occurs in about 70 percent of all ransomware attacks.

Many cybercriminal organizations are also increasingly targeting large, high-value organizations. With big-game hunting, bad actors target organizations that possess significant assets and/or stand to lose the most due to downtime. This includes organizations in the healthcare, manufacturing, and government sectors.

The emergence of cryptocurrency has made it possible for cybercriminals to organize on a larger scale, creating an entire cybercrime ecosystem complete with RaaS offerings. Once a ransomware tool is created, enterprising criminals sell it as a service to other criminals much in the same way legitimate software companies distribute their software as a service (SaaS).

Lessons learned

As the saying goes, an ounce of prevention is worth a pound of cure. Preparing for and protecting against attacks before they happen is key to mitigating their effects. Organizations should make sure their software is up to date and the latest security patches are installed. Tools that automate this process are ideal because they minimize the time between patch release and installation.

Consider SoftwareOne’s BackupSimple for all of your security needs. Powered by Metallic, our offering can help mitigate your organization’s risk by providing industry-leading data protection and security as well as cloud storage. When it comes to ransomware, we know organizations need 24 x 7 x 365 monitoring, and our experts are able to provide exactly that. With BackupSimple, you can free up your day and spend more time on more important tasks by eliminating the daily stressors of data backup and recovery.

Additionally, SoftwareOne offers Managed Security Services to help you protect your business from threats, including ransomware. Service offerings allow you to secure hybrid and multi-cloud environments, maintain compliance, identify risks, and rectify IT security weaknesses before they can be exploited by attackers.

No one is immune from ransomware, regardless of security measures in place, and cyber criminals regularly attack organizations of all sizes across all sectors. In general, robust network security is vital, particularly in distributed environments where workers may be connecting to the corporate network from home. Companies should also develop a response plan that can be implemented immediately in the event of a breach in order to limit the damage done.

Digital Workplace Security

SoftwareOne Digital Workplace Security Services add security without contributing to your staffing overhead. We operate a dedicated security operations center (SOC) that tracks data vulnerabilities globally to prevent losses due to break-ins or employee errors.


Ravi Bindra

Ravi holds over 20 years’ experience as a cyber security evangelist, holding multiple leadership roles in the Swiss pharmaceutical industry, such as Global Head of Risk Management, Global Head of Architecture and Global Head of Security Operations.