10 of the biggest ransomware attacks in 2024
Ransomware attacks against U.S. organizations in 2024 disrupted healthcare systems, supply chains and government services and led to tens of millions of dollars in ransom payments.
Following a record-breaking year for ransomware in 2023, the threat continued to grow this year.
Ransomware gangs targeted victim organizations in industries such as healthcare, finance and critical infrastructure throughout the year, leading to substantial service disruptions and one of the biggest data breaches in the U.S.
Cybersecurity vendors such as Emsisoft called for a ransomware payment ban in January to negate the financial incentives for attackers. Still searching for ways to combat the threat in November, Anne Neuberger, U.S. Deputy National Security Advisor for cyber and emerging technology, called on cyber insurers to stop reimbursing ransomware payments, claiming the policy contributed to the problem.
The Alphv/BlackCat ransomware gang claimed responsibility for significant attacks despite law enforcement actions to disrupt the ransomware-as-a-service operation in 2023. The gang appeared to disband following an attack on UnitedHealth Group's Change Healthcare in February, though the damage had already been done, and new groups later emerged on the ransomware landscape.
Law enforcement agencies disrupted the LockBit ransomware gang in February with Operation Cronos, which featured a new approach that included taking control of the gang's leak site and posting private data about the operation and its members. Agencies exposed one of the group's leaders, Dmitry Yuryevich Khoroshev, also known as "LockBitSupp."
While Operation Cronos was successful, another ransomware group has risen to become the most active gang in recent months. ESET published research in December that showed the Ransomhub ransomware gang replaced LockBit after it claimed 500 victim organizations in the second half of 2024. ESET researchers anticipate Ransomhub will remain the most active well into 2025.
In addition to the shifts in the threat landscape, 2024 was marked by several notable ransomware incidents against a variety of targets. Here are 10 of the most prominent attacks against U.S. organizations this year, in chronological order:
LoanDepot
On Jan. 8, California-based mortgage lender LoanDepot disclosed an attack in an 8K filing with the U.S. Securities and Exchange Commission (SEC). The company said attackers were in its systems from Jan. 3 through Jan. 5 and engaged in malicious activity that included "access to certain Company systems and the encryption of data."
While the intrusion lasted only three days, the attack led to significant loan servicing disruptions, as customers were unable to pay bills, and it affected a large number of individuals. LoanDepot revealed that a data breach affected 16.6 million customers. Data breach notifications issued in February showed affected information included names, addresses, phone numbers, Social Security numbers and financial account numbers. Alphv/BlackCat, which was highly active throughout 2024 until law enforcement agencies disrupted the gang, took responsibility for the attack.
Veolia
On Jan. 19, Veolia North America disclosed it was investigating a ransomware attack that occurred one week prior and disrupted certain software applications and systems in the company's network. The Boston-based water, waste and energy recycling management company forced its backend systems offline, which disrupted customer billing and payment services.
Veolia said the attack did not affect its water or wastewater treatment operations but did result in a potential data breach. In February, Veolia began notifying affected individuals. It appears no ransomware gang claimed responsibility for the attack. Cyber attacks on water utilities have become increasingly common; in June, CISA published an incident response guide for the water and wastewater sector.
Change Healthcare
One of the year's most significant attacks, if not the most significant, occurred against UnitedHealth Group's Change Healthcare on Feb. 21. The healthcare technology company, which provides payment and reimbursement services, suffered a massive data breach, prolonged disruptions and substantial recovery costs.
In May, UnitedHealth Group CEO Andrew Witty testified during a House Energy and Commerce Subcommittee on Oversight and Investigations hearing. Witty revealed that Change Healthcare was breached through a Citrix portal that did not have MFA enabled. Additionally, he confirmed that Change Healthcare paid the Alphv/BlackCat ransomware group a $22 million ransom to restore operations.
Despite the payment, fallout from the attack continued for months, affecting patient care, insurance submissions and billing processes. In October, it was revealed that the data breach affected 100,000,000 individuals, marking one of the biggest U.S. data breaches.
Ascension
Ascension is another healthcare organization that suffered a significant ransomware attack this year. On May 8, the St. Louis-based healthcare system disclosed that ransomware disrupted its electronic health record (EHR), some phone systems, patient portals and other important systems patients use to order tests, procedures and medications. Patient portals and EHR systems remained down for a little more than one month.
Additionally, some of the health system's sites, including certain Ascension Saint Thomas hospitals in Tennessee, were forced to divert ambulances to other hospitals. Ascension operates in 17 states, and its network includes 33,000 affiliated providers, 118 hospitals and 34 senior living facilities.
Cleveland city government
On June 10, Cleveland's city government disclosed it was forced to shut down city hall following a disruptive ransomware attack. City hall remained closed for 11 days while the staff worked to restore systems. The attack affected residents' ability to submit payments, permits and building or house applications.
While a lack of transparency can be common when it comes to victim organizations reporting ransomware, Sarah Johnson, the City of Cleveland's chief communications officer, told ABC News 5 Cleveland that the city did not intend to pay a ransom at that time. The city also said an investigation into the attack was ongoing and could not confirm if employee data had been stolen. It appears the city has not disclosed a data breach as of December.
CDK Global
CDK Global experienced a damaging ransomware attack on June 18. The automotive technology provider, which currently serves 15,000 dealerships, forced most of its systems offline to contain the threat. Subsequently, the ransomware attack caused significant disruptions for downstream customers.
During restoration efforts, CDK Global suffered a second ransomware attack. To make matters worse, Bleeping Computer reported attackers were calling customers and posing as CDK agents to gain access to their systems. CDK restored its systems on July 4.
The BlackSuit ransomware gang claimed responsibility for the attack. In October, cyber insurance provider Coalition published its "2024 Cyber Claims Report: Mid-year Update," which highlighted BlackSuit's exorbitant ransom demands compared to those of other ransomware groups.
McLaren Healthcare
A ransomware attack on Aug. 5 significantly disrupted services at Michigan-based McLaren Healthcare. The healthcare organization was forced to reschedule non-emergency and elective procedures, and the attack also affected primary and specialty care clinics as well as cancer care. Patients were asked to bring in a list of medications, printed physicians' orders and a list of known allergies while electronic medical records remained down due to the attack. McLaren operates 13 hospitals in Michigan with 28,000 employees and more than 113,000 network providers.
Systems were not fully restored until Aug. 27. The notorious Alphv/BlackCat ransomware gang, which was behind the Change Healthcare attack, also claimed responsibility for this attack.
Port of Seattle
On Aug. 24, the Port of Seattle in Washington began experiencing outages related to a ransomware attack. The Port of Seattle is a public agency that also oversees the Seattle-Tacoma International Airport. While the port's website was down, the airport suffered the brunt of disruptions as bag checking, check-in services, flight information displays and phone systems went down due to the attack. Some services remained down two weeks after ransomware encrypted the agency's systems.
In a September update, the agency said it refused to pay the ransom and that, as a result, the threat actors may post stolen data on a public leak site. In the update, the Port of Seattle attributed the attack to the Rhysida ransomware gang and said it was still working to fully restore systems.
Blue Yonder
On Nov. 22, Arizona-based Blue Yonder disclosed it had suffered a ransomware attack one day prior. The attack disrupted the supply chain management company's managed services hosted environment and led to massive fallout for downstream customers including Starbucks, Sainsbury's and Morrisons Supermarkets. Morrisons was forced to rebuild its warehouse management system for fresh foods and produce, while Sainsbury's suffered service disruptions.
In its latest update, on Dec. 12, Blue Yonder said it was working with external cybersecurity firms to bolster its security protocols as a result of the attack. It also provided an update on restoration efforts.
"A significant majority of our impacted customers have had their service restored. Our associates continue to work closely with our impacted customers on the restoration process and keep them updated as appropriate," Blue Yonder wrote in the update.
Krispy Kreme
Ransomware disrupted online ordering services for Krispy Kreme on Nov. 29. The doughnut giant disclosed the attack in an 8K filing with the SEC on Dec. 11. Krispy Kreme said it was notified of suspicious activity on its information and technology systems on Nov. 29 and subsequently initiated an investigation, contained the threat and began remediation. In addition to online ordering, deliveries to retail and restaurant partners were also disrupted.
"The expected costs related to the incident, including the loss of revenues from digital sales during the recovery period, fees for our cybersecurity experts and other advisors, and costs to restore any impacted systems, are reasonably likely to have a material impact on the Company's results of operations and financial condition," Krispy Kreme wrote in the 8K. "The Company holds cybersecurity insurance that is expected to offset a portion of the costs of the incident."
On Dec. 19, the Play ransomware gang claimed responsibility for the attack and threatened to leak the allegedly stolen data on Dec. 21. On Dec. 30, Krispy Kreme announced online ordering services were restored.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.