Top 10 Ransomware Attacks of This Decade, and What We Learned From Them

Here are 10 of the most significant ransomware attacks since 2020, plus the key lessons they teach us about protecting ourselves.

1. Colonial Pipeline (USA, 2021)

Key lessons

  • Old, “forgotten” accounts and services are dangerous if not removed.

  • Strong authentication (MFA) on remote access is non‑negotiable.

  • Critical infrastructure depends on basic cyber hygiene just as much as advanced defenses.


2. Costa Rican Government (2022)

Key lessons

  • Governments and public services are prime targets, not just private companies.

  • Refusing to pay can lead to more aggressive extortion and data leaks, so you need a prepared communication and recovery plan.

  • National‑level incidents show why incident response and backup resilience matter beyond finances.

3. Kaseya VSA Supply‑Chain Attack (2021)

Key lessons

  • Third‑party and supply‑chain risk is central: your security depends on your vendors’ security.

  • Centralized management tools are powerful — and therefore high‑value targets that require extra hardening.

  • Fast patching of critical vulnerabilities and strong monitoring around admin tools are essential.

4. JBS Foods (Global, 2021)

Key lessons

  • Manufacturing and food supply chains are exposed and attractive targets.

  • Operational technology (OT) and IT environments are increasingly linked; securing office networks alone is not enough.

  • Business continuity planning must consider cyber‑driven shutdowns of physical production.


5. Irish Health Service Executive (HSE, 2021)

Key lessons

  • Healthcare systems are uniquely sensitive, especially with regard to patient safety and PII.

  • Network segmentation, offline backups, and tested recovery procedures are crucial in health environments.

  • Recovery can be slow and painful if preparedness is weak (in other words, stay prepared for these events!).


6. MOVEit Transfer / Cl0p Mass Extortion (2023)

Key lessons

  • Zero‑day exploitation against widely used software can create “mass extortion” events.

  • Data‑only extortion (steal then threaten to leak) is now a mainstream ransomware model.

  • Keeping internet‑exposed services patched and monitored is critical, and sensitive file‑transfer systems need extra scrutiny.


7. City of Dallas (USA, 2023)

Key lessons

  • Local governments remain attractive targets due to broad services and often limited budgets.

  • Incident response must include clear plans for maintaining emergency services and communication during IT outages.

  • Basic segmentation between critical services and general IT systems can reduce blast radius.


8. Change Healthcare / UnitedHealth (USA, 2024)

Key lessons

  • Single points of failure in national‑scale services (clearinghouses, payment hubs, claims processing) are high‑impact targets.

  • Robust segmentation, redundant systems, and contingency plans are vital at ecosystem “choke points.”

  • Regulatory and industry pressure is likely to grow around resilience for such critical intermediaries.


9. PowerSchool Education Platform (North America, 2024–2025)

Key lessons

  • Education sector platforms hold massive amounts of sensitive data on students, parents, and staff.

  • Paying ransom can invite additional waves of extortion; you cannot trust criminals to keep promises.

  • Data minimization and strong data governance (limiting who holds what, and for how long) reduce the damage when breaches occur.


10. Synnovis / NHS London Pathology (UK, 2024)

Key lessons

  • Third‑party healthcare providers are as critical as hospitals themselves.

  • Contracts and vendor management must address security standards, incident response, and transparency.

  • The line between “IT issue” and “patient safety issue” has effectively disappeared in modern healthcare.


What these ransomware attacks have in common

Across these diverse incidents, several patterns stand out.

1. Initial access is usually avoidable

Many attacks still begin with:

  • Compromised or reused passwords.

  • Lack of MFA on remote access (VPNs, RDP, admin portals).

  • Unpatched vulnerabilities in internet‑facing systems.

  • Phishing and social engineering.

Lesson: If organizations consistently enforced strong authentication, removed unused accounts, and patched critical systems quickly, a large share of these attacks would never happen. We are not the type of people who say that everything in IT should be automated, but the fact remains that humans are the weakest link. Rather than remove the weak links, though, we would rather strengthen them.


2. Ransomware is now extortion‑centric

The big shift since 2020 is from “encrypt and hope they pay” to double extortion and data‑only extortion:

  • Attackers quietly steal data first, then encrypt systems.

  • They threaten to leak sensitive information publicly, contact customers, or expose trade secrets.

  • Some campaigns skip encryption entirely and focus only on blackmail with stolen data.

Lesson: The old debate over whether it is better to be reactive or proactive has a simple answer here: be both. Backups are still essential, but they are no longer enough. You must also protect data confidentiality (encryption, segmentation, minimization) and be ready to manage the fallout of data exposure.


3. Supply‑chain and third‑party risk multiply impact

MOVEit, Kaseya, Change Healthcare, PowerSchool, Synnovis, and others show the same theme: attacking one central provider can impact hundreds or thousands of downstream organizations.

Lesson: Security programs must treat key vendors as part of their own attack surface. That means:

  • Strong due diligence and security requirements in contracts.

  • Regular risk assessments of critical providers.

  • Plans for continuing operations if a key vendor is knocked offline.


4. Critical infrastructure and public services are prime targets

Pipelines, healthcare systems, government ministries, city services, and national payment or claims processors keep showing up in major cases.

Lesson: For these sectors, ransomware is not just about money; it is about national security and human safety. They need:

  • Extra investment in resilience (segmentation, redundant systems, offline backups).

  • Clear crisis‑management structures that involve technical, operational, legal, and government stakeholders.

  • Regular, realistic exercises for nightmare scenarios (“what if systems are down for weeks?”).


5. Ransom payments don’t guarantee resolution

Several high‑profile cases show that payment:

  • Does not ensure data will be deleted.

  • Can encourage follow‑up extortion or targeting of related organizations.

  • May not lead to full technical recovery if systems and backups are badly managed.

Lesson: Organizations should plan for the possibility of not paying: robust backups, documented rebuild procedures, and communications plans are essential. If they decide to pay in extremis, it should be within a pre‑approved framework involving legal and law‑enforcement guidance.


How to better protect ourselves going forward

From these 10 attacks, you can extract a practical playbook.


Strengthen access and identity

  • Enforce MFA on all remote access and admin accounts.

  • Eliminate unused or legacy VPN and RDP accounts.

  • Apply least privilege and regularly review who has high‑risk access.
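As an added example (not code from the original post), a small Python audit that applies the three items above to an account inventory: it flags enabled accounts that have remote access but no MFA, accounts unused for more than 90 days, and dormant privileged accounts that should go through an access review. The CSV export format, the 90‑day threshold, the audit date and the sample rows are all assumptions constructed for this illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample inventory (assumed export format, not real data).
SAMPLE_CSV = """\
username,enabled,remote_access,mfa_enrolled,privileged,last_login
jsmith,true,true,true,false,2025-03-10
contractor_vpn,true,true,false,false,2024-09-01
legacy_admin,true,false,true,true,2024-01-15
svc_backup,true,true,true,true,2025-03-11
old_intern,false,true,false,false,2023-06-30
"""

AS_OF = datetime(2025, 3, 12)      # date the audit runs (assumed)
STALE_AFTER = timedelta(days=90)   # inactivity threshold (assumed policy)

def parse_accounts(text):
    """Turn the CSV export into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"].lower() == "true",
            "remote_access": row["remote_access"].lower() == "true",
            "mfa_enrolled": row["mfa_enrolled"].lower() == "true",
            "privileged": row["privileged"].lower() == "true",
            "last_login": datetime.strptime(last, "%Y-%m-%d") if last else None,
        })
    return accounts

def audit_accounts(accounts, now=AS_OF):
    """Return {username: [issue, ...]} for enabled accounts needing action."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing to do
        last = acct["last_login"]
        stale = last is None or now - last > STALE_AFTER
        issues = []
        if acct["remote_access"] and not acct["mfa_enrolled"]:
            issues.append("remote access without MFA")
        if stale:
            issues.append("no login in 90+ days: disable or remove")
        if acct["privileged"] and stale:
            issues.append("dormant privileged account: review with owner")
        if issues:
            findings[acct["username"]] = issues
    return findings
```

Run against a real export, the same loop becomes the weekly ticket list for the identity team; the already‑disabled `old_intern` row shows why the check must skip disabled accounts rather than report them again.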


Harden exposed systems and monitor for abuse

  • Prioritize patching for internet‑facing systems and widely used third‑party tools.

  • Use endpoint protection and centralized logging to detect lateral movement and unusual behaviors.

  • Treat file‑transfer, remote‑management, and backup platforms as crown jewels.
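As an added example rather than anything from the original post, a Python detector for the "steal data first, then encrypt" pattern the article describes, using the centralized logging the second bullet calls for: it compares each host's outbound volume on one day against that host's own median baseline and alerts on large spikes or on large senders with no history at all. The aggregated flow format, the thresholds and the sample rows are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample (assumed format, not real data): daily outbound bytes
# per host to external destinations, as a SIEM might aggregate them from
# firewall or proxy logs.
SAMPLE_FLOWS = """\
day,host,bytes_out
2025-03-05,fileserver01,820000000
2025-03-06,fileserver01,790000000
2025-03-07,fileserver01,810000000
2025-03-08,fileserver01,9800000000
2025-03-05,laptop-17,120000000
2025-03-06,laptop-17,90000000
2025-03-07,laptop-17,110000000
2025-03-08,laptop-17,130000000
2025-03-08,newhost-02,1500000000
"""

RATIO = 5.0                  # alert when a day exceeds 5x the host's baseline
MIN_BYTES = 1_000_000_000    # ignore anything under ~1 GB (assumed thresholds)

def parse_flows(text):
    rows = []
    for line in text.strip().splitlines()[1:]:   # skip the header row
        day, host, n = line.split(",")
        rows.append((day, host, int(n)))
    return rows

def detect_exfil_spikes(rows, target_day, ratio=RATIO, min_bytes=MIN_BYTES):
    """Return {host: (bytes_out, ratio_to_baseline or None)} for suspicious hosts."""
    baseline = defaultdict(list)   # host -> prior daily totals
    today = defaultdict(int)       # host -> total on target_day
    for day, host, n in rows:
        if day == target_day:
            today[host] += n
        elif day < target_day:     # ISO dates compare correctly as strings
            baseline[host].append(n)
    alerts = {}
    for host, n in today.items():
        if n < min_bytes:
            continue               # small volumes are noise for this check
        if not baseline[host]:
            alerts[host] = (n, None)   # large sender with no history: first seen
        else:
            r = n / median(baseline[host])
            if r > ratio:
                alerts[host] = (n, round(r, 1))
    return alerts
```

A per‑host baseline matters because a file server that normally ships gigabytes is not suspicious at that volume, while the same volume from a laptop is; the "no history" branch catches a newly built staging host used to collect data before it is pushed out.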


Reduce the value of stolen data

  • Classify and minimize data: do not keep what you do not need.

  • Encrypt sensitive data at rest and in transit, with strong key management.

  • Segment networks to limit how much data an intruder can see or steal at once.


Build resilience and practice response

  • Maintain reliable, tested backups — including offline or immutable copies.

  • Develop and rehearse incident‑response plans that explicitly cover ransomware and extortion, not just generic “breach.”

  • Involve leadership, legal, PR, and operations in tabletop exercises to align on ransom‑payment policy and crisis communication.


Treat third‑party risk as first‑class risk

  • Map your critical vendors and services: who could bring you down or expose your data if they were hit?

  • Set clear security expectations, reporting requirements, and minimum controls in contracts.

  • Plan alternatives or workarounds for key providers, especially in healthcare, finance, logistics, and government services.


Across all of these incidents, the core message is consistent: ransomware is a mature criminal industry that exploits the same basic weaknesses again and again. Organizations that invest in strong identity controls, disciplined patching, data protection, and realistic incident response are the ones best positioned to absorb attacks without catastrophic damage.
