The 10 Biggest Ransomware Attacks of 2019

Multinational manufacturers and U.S. city and county governments spent more $176 million responding to the biggest ransomware attacks of 2019, spending on everything from rebuilding networks and restoring backups to paying the hackers ransom.


The U.S. was hit by a barrage of ransomware attacks in 2019 that impacted at least 948 government agencies, educational establishments and health-care providers at a potential cost in excess of $7.5 billion, according to a December Emsisoft report. This occurred due to the use of increasingly sophisticated types of ransomware like Ryuk specifically designed to exploit weaknesses.

Multinational manufacturers and U.S. city and county governments spent at least $176 million on costs related to ransomware attacks ranging from investigating the attack, rebuilding networks and restoring backups to paying the hackers ransom and putting preventative measures in place to avoid future incidents.

The two most costly ransomware attacks impacted industrial companies based in Continental Europe, with six of the remaining incidents striking city government, one impacting a county government, and one walloping a collection of cities and towns. Several health-care firms were also hit with ransomware in 2019, but the ransom amounts tended to be smaller and mitigation costs weren’t disclosed.

Sponsored post

Here’s an examination of 10 of the biggest ransomware attacks during the past year.

Get more of CRN's 2019 tech year in review.

10. Albany, N.Y.

Recovery And Mitigation Costs: $300,000

Albany IT systems were infiltrated on March 30, with hackers demanding payment in cryptocurrency to recover the files they had encrypted. City officials immediately shut down the affected systems and didn’t have to worry about the hackers constantly changing ransom demands since Albany had backups of its critical servers, according to Administrative Services Commissioner Rachel McEneny.

Having daily backup of those mission-critical systems meant that Albany never lost the ability to pay its employees and was able to get its treasury office up and running just two calendar days after the attack, McEneny said. Restoring all the city’s systems took two or three months and was done in-house through Albany’s in-house IT department, with some legacy systems not rebuilt due to being obsolete, she said.

Still, the city took $300,000 out of its contingency fund to purchase firewall insurance, upgrade user security software, address destroyed servers, and firm up the city’s systems, McEneny told the Times Union. Specially, NewsChannel 13 said that $85,000 had been spent on professional services, $54,000 was for hardware and software investments, and $23,000 was used for credit monitoring services.

9. Jackson County, Ga.

Recovery And Mitigation Costs: $400,000

A Ryuk ransomware attack in early March locked nearly all Jackson County, Ga., agencies out of their systems, forcing many to carry out operations on paper. The attack impacted county law enforcement, resulting in computer screens at the 911 dispatch center going dark, county jail staff being unable to open cell doors remotely, and sheriff’s deputies losing the ability to use laptops to look up license plates.

As a result, guards had to go into cell blocks to open doors and escort inmates to family visits, which increased the risk to guards, according to county Sheriff Janis Mangum. And emergency dispatchers had to take notes by hand and rely on printed maps of the county and paper logs to keep track of emergency responders in the field, according to county E-911 director LouAnn David.

County Manager Kevin Poe made the decision to pay the $400,000 ransom after speaking with cybersecurity consultants, who advised that rebuilding networks from scratch could be a long and costly process. After paying, hackers sent Jackson County a decryption key that allowed county employees back into their computer systems, although dispatchers were without computers for two weeks.

8. Lake City, Fla.

Recovery And Mitigation Costs: $460,000

A “Triple Threat” Ryuk ransomware attack in June disabled Lake City’s servers and phones, prompting city leaders to unanimously agree to pay hackers $460,000 in bitcoin to unlock the encrypted files. All but $10,000 of that amount would be picked up by the city’s cyberinsurance provider, and city manager Joe Helfenberg expected the city to make a full recovery in two weeks.

The ransomware affected everything but Lake City’s police and fire departments, which were on a separate server, and the city had run into trouble attempting to recover backup files that were deleted during the incident. A prolonged recovery from backups would have exceeded the city’s $1 million cyberinsurance coverage limit, and the city wanted to resume normal services expeditiously.

The initial ransom demand had been for $700,000 in bitcoin, but negotiations with incident response firm Covewave managed the knock the payout down by some $240,000. Lake City might have been able to achieve a majority recovery of its files without paying the ransom, according to a city spokesman, but it would have cost “three times as much money trying to get there.”

7. New Bedford, Mass.

Recovery And Mitigation Costs: Less than $1 million

The city of New Bedford in July was hit with a variant of the Ryuk virus that affected 158 of the city’s 3,532 desktop and laptop computers, encrypting data stored on servers and workstations. The hackers initially asked for $5.3 million in bitcoin, and New Bedford countered with an offer to pay $400,000.

The attacker rejected New Bedford’s counteroffer outright, so the city went about restoring from backups, which was relatively easy due to the low number of infected systems and the fact that no critical systems had been impacted. Attackers hit during the night when most of the city systems were turned off, preventing the ransomware from spreading through the entirety of the network.

New Bedford’s insurance company has spent “in the hundreds of thousands” on recovering from the ransomware attack, Mayor Jon Mitchell told The Standard-Times. But the city expects its $1 million cybersecurity insurance policy with AIG will cover the full cost.

6. Riviera Beach, Fla.

Recovery And Mitigation Costs: $1.5 million

A ransomware attack against Riviera Beach, Fla., began on May 29 after a police department employee opened an infected email attachment, knocking out the city’s online systems, email, phones and water utility pump stations. The city was only able to accept utility payments in person or by snail mail, but by the following week had restored the city’s website and created new email addresses for all employees.

The city on June 4 authorized spending more than $900,000 to buy new computer hardware, moving up purchases that had been planned for the following year. About a third of the cost associated with investing in 310 desktops and 90 laptops is expected to be borne by the city’s cyberinsurance company, according to Cybersecurity Insiders.

Then in mid-June, the city council unanimously agreed during an emergency meeting to have Riviera Beach’s insurance carriers pay the hackers roughly $592,000 in bitcoin in hopes to regaining access to data that had been encrypted in the cyberattack three weeks earlier. Although paying the ransom is not advised by law enforcement, city officials concluded there was no other way to recover the files.

5. New Orleans

Recovery And Mitigation Costs: At Least $3 million

New Orleans was made aware of a ransomware attack of Dec. 13 after an employee clicked on a link in a phishing email and provided their credentials, resulting in a large volume of phishing emails showing up in the city’s system. Those behind the attacks are believed to have used Ryuk, a piece of malware first discovered 16 months ago that’s popular with criminal groups in eastern Europe and Russia.

Only about 10 percent of the city’s 450 servers and more than 3,500 laptops had been re-imaged five days after the attack, with New Orleans focused on getting critical systems up and running in time for the holiday and Carnival season. No city data was lost in the attack and no demands for payment have been made, according to Mayor LaToya Cantrell.

Cantrell told WWL-TV that she expected the cost of the attack would exceed the $3 million cyberinsurance policy the city has in place, and that she will seek to increase the policy to $10 million next year. Within a few days of the attack, Fox News said New Orleans had incurred nearly $1 million in costs, all of which will be covered by cybersecurity insurance.

4. 22 Texas Towns

Recovery And Mitigation Costs: At least $12 million

A coordinated ransomware attack hit 22 Texas towns on Aug. 16, using Sodinokibi (REvil) ransomware to lock the municipalities out of their IT systems after hackers breached the software of a third-party service provider used to remotely manage their infrastructure. The criminals demanded a ransom of $2.5 million to regain access to the IT systems, but none of the affected towns were willing to pay.

All of the affected towns have transitioned from assessment to remediation and recovery by a week after the attack, with more than half resuming normal operations as of Sept. 9, according to the Texas Department of Information Resources (DIR). The state declined to release the names of the affected cities, with only Keene and Borger initially indicating they were victims of the attack.

Of the total cost associated with the ransomware, some $3.25 million was expected to be incurred by county governments, $2.34 million was expected to be incurred by cities and towns, and $1.8 million was expected to be incurred by educational institutions, according to Cybersecurity Insiders. The remaining $5 million of anticipated expenses were miscellaneous in nature.

3. Baltimore

Recovery And Mitigation Costs: $18.2 million

Baltimore’s computer systems on May 7 were hit by a ransomware strain known as RobbinHood, which encrypted several critical functions for the city. The damage extended to city employees’ email and voice mail systems; online payment services for water bills, property taxes and traffic citations; and real-estate transactions, necessitating the creation of a “manual workaround” using paper forms.

City leaders at the time were presented with a demand for roughly $76,000 in exchange for a decryption key, and were threatened with the destruction of affected data within days if the ransom wasn’t paid. But the city refused to pay the ransom and instead endeavored to restore the affected systems and data on its own.

As a result, the city experienced the loss or delay of $8.2 million in revenue from sources such as fines, property taxes and real-estate fees, and expects to spend $10 million in the recovery effort by the some of 2019. Some of the recovery-related costs include $2.8 million for forensic analysis and detection, $1.9 million for new hardware and software, and $600,000 to deploy new systems and replace hard drives.

2. Norsk Hydro

Recovery And Mitigation Costs: $60 million to $71 million

Oslo, Norway-based aluminum provider Norsk Hydro was struck in March with a large ransomware attack that started in its U.S.-based facilities then spread, and the company couldn’t stabilize the situation until the summer.

The ransomware strain was ultimately determined by incident responders to be LockerGoga, which has wreaked havoc on companies in the industrial and manufacturing space. Norsk Hydro restored its systems from digital backups rather than pay the ransom demand, and switched to “manual mode” inside several its facilities to contain the spread of the ransomware.

Much of the financial impact of the ransomware stemmed from Norsk Hydro being forced to switch off production lines and resort to manual operations for reporting, billing and invoicing. Norsk Hydro aluminum manufacturer Extruded Solutions suffered the most significant operations challenges and financial losses as a result of the attack, according to a company earnings report.

1. Demant

Recovery And Mitigation Costs: $80 million To $95 million

An apparent ransomware attack that hit Danish hearing aid manufacturer Demant at the start of September is expected to cause one of the most significant cyber-related losses ever outside the 2017 NotPetya ransomware outbreak. The financial impact would have been even worse had it not been for a $14.6 million cyberinsurance policy held by Demant.

The “critical incident” forced Demant to shut down its entire internal IT infrastructure, with the impact spanning from the company’s Polish production and distribution facilities, French cochlear impact production sites, and Danish amplifier production sites to its Mexican production and service sites, entire Asia-Pacific network, and ERP system.

As a result, Demant was unable for several weeks to supply its products, receive and process orders, and service end users through clinics in its network. Although Demant never specifically mentioned ransomware, the incident was reported as a ransomware attack by the Danish media.