10 Major Ransomware Attacks And Data Breaches In 2024
The year saw a surge in attacks targeting disruptions of U.S. critical infrastructure, with a focus on exploiting network devices and compromising SaaS systems.
Major Ransomware Attacks And Data Breaches
Just two weeks into 2024, the cybersecurity world already had its first crisis of the year with the mass exploitation of Ivanti VPNs. The attacks would signal one of the major themes of cyberattacks and data breaches in 2024 — the incessant targeting of network security devices by threat actors. The irony of the attacks, as Xage Security CEO Geoffrey Mattson told CRN, is that “it’s the security devices that are making us less secure. And it’s the access devices providing access to the bad guys.”
Another recurring theme was the massive real-world disruption from attacks against SaaS providers. Most infamously, the ransomware attack against the IT systems of UnitedHealth-owned Change Healthcare led to widely felt impacts after the company responded by shutting down its SaaS-based prescription processing platform.
Notably, given that the Change Healthcare incident was just one of the many attacks to disrupt health care and other critical sectors in the U.S. this year, it’s clear that something changed in the threat landscape in 2024, according to Accenture’s Robert Boyce. “In 2024, we saw more targeting of critical infrastructure than we’ve ever seen before,” said Boyce, senior managing director and global lead for cyber-resilience services at Accenture, No. 1 on the CRN 2024 Solution Provider 500. “The impacts from that have been very, very real.”
The Change Healthcare attack also typified another theme of the non-stop cyber ordeal that was 2024: The continued rise of data theft and extortion threats. While the ransomware attack against Change Healthcare prompted immediate disruptions for many U.S. patients and health care providers, the theft of a trove of data — including patient medical data — may have led to the exposure of sensitive data for millions of Americans. Several of the other highest-profile cyberattacks of 2024 likewise involved data theft and extortion, including the campaign targeting Snowflake customers.
Nation-state threat actors also upped their game in 2024. For instance, the China-linked espionage group tracked as Salt Typhoon was held responsible for massive compromises of Verizon, AT&T and T-Mobile, which exposed customer data including communications involving U.S. officials as well as those of President-elect Donald Trump and Vice President-elect JD Vance.
This year also saw a spate of attacks against water treatment facilities along with a broad-based campaign targeting U.S. critical infrastructure through the hijacking of small office/home office (SOHO) routers. “Historically, other than nation-states, critical infrastructure has really been off-limits,” Accenture’s Boyce said. “I think those limits are removed at this point.”
What follows are the key details on 10 of the biggest ransomware attacks and data breaches of 2024.
Ivanti VPN Attacks
Ivanti’s widely used Connect Secure VPNs saw mass exploitation by threat actors following the January disclosure of two high-severity, zero-day vulnerabilities in the systems. Researchers said thousands of Ivanti VPN devices were compromised during the attacks, with the list of victims including the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Other victims included Mitre, a major provider of federally funded R&D and the promulgator of a cyberattack framework that’s become ubiquitous in the security industry.
While several additional vulnerabilities ultimately were disclosed, researchers at Google Cloud-owned Mandiant reported that the two original Ivanti VPN vulnerabilities saw “broad exploitation activity” by a China-linked threat group tracked as UNC5221, as well as “other uncategorized threat groups.” The attacks by UNC5221 — a “suspected China-nexus espionage threat actor” — went back as far as early December 2023, the researchers at Mandiant said. The attacks prompted CISA to issue an urgent order to civilian executive branch agencies, requiring the unusual measure of disconnecting their Ivanti Connect Secure VPNs within 48 hours. Ivanti released the first patch for some versions of its Connect Secure VPN software on Jan. 31, three weeks after the initial vulnerability disclosure. “In this case, we prioritized mitigation releases as patches were being developed, consistent with industry best practices,” Ivanti said in a statement provided to CRN.
Microsoft Executive Accounts Breach
In January, Microsoft disclosed the compromise of multiple senior executive accounts, in a breach that ultimately led to the theft of emails from U.S. government officials by a Russian-linked threat group. Microsoft confirmed in late January that the hacker group tracked as Midnight Blizzard initially gained access by exploiting a lack of multifactor authentication on a “legacy” account.
In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the threat actor was able to steal emails from federal agencies through the compromise of Microsoft corporate email accounts. The group used exfiltrated information — which included details shared between Microsoft and customers related to authentication — “to gain, or attempt to gain, additional access to Microsoft customer systems,” CISA said in an emergency directive. Midnight Blizzard was previously held responsible for attacks including the widely felt 2020 breach of SolarWinds.
In an interview with CRN in September, Joy Chik, president of identity and network access at Microsoft, acknowledged the significance of the Midnight Blizzard attack — saying that it has helped to inform the tech giant’s efforts to bolster its own security. The company’s broad, coordinated effort around its Secure Future Initiative — involving 34,000 Microsoft engineers — has produced “acceleration” in the advancement of the company’s internal cybersecurity, Chik said. On the whole, “we feel we’re not only strengthening [Microsoft’s internal] security — but also we’re sharing a lot of these learnings with our customers, in terms of what they [can] do for their applications, what are the best practices,” she said.
Volt Typhoon Attacks
In February, the FBI said that a China-linked espionage group was found to have hijacked “hundreds” of small office/home office (SOHO) routers based in the U.S. as part of a campaign to compromise U.S. critical infrastructure providers. The FBI said it succeeded at disrupting the efforts of the group, tracked as Volt Typhoon, which is backed by the Chinese government. Targets of the Volt Typhoon attacks included providers of critical services including communications, energy, water and transportation, the FBI said.
The routers compromised by the group together formed an assembly of malware-infected devices, known as a botnet, which the threat group could use for launching an attack against U.S. critical infrastructure, the FBI said. Volt Typhoon has been known to obtain initial access to targeted IT infrastructure by exploiting network appliances from vendors including Fortinet, Ivanti, Cisco, Netgear and Citrix, according to a February advisory from the FBI, NSA and CISA.
In November, researchers at SecurityScorecard suggested that while the group was thought to have been dismantled, “Volt Typhoon has returned.” The researchers pointed to evidence indicating that the group and its botnet were active as recently as September.
Change Healthcare Ransomware Attack
In February, the widely felt ransomware attack against UnitedHealth Group-owned prescription processor Change Healthcare was disclosed, leading to disruption in the U.S. health care system for weeks. The IT system shutdown initiated in response to the attack prevented many pharmacies and hospitals, as well as other health-care facilities and offices, from processing claims and receiving payments.
A Russian-speaking cybercriminal group known by the names of Blackcat and Alphv claimed responsibility for the ransomware attack. UnitedHealth paid a $22 million ransom following the attack, UnitedHealth Group CEO Andrew Witty confirmed in May. UnitedHealth also disclosed that hackers gained access to Change Healthcare IT systems using stolen credentials, which enabled them to log in to a Citrix remote access portal. The credentials belonged to an account that didn’t have multifactor authentication enabled, the company said.
MSPs told CRN the incident underscores the massive vulnerability of the U.S. health-care system, an issue with no easy fix. “They don’t have budget for the security tools, and they don’t have people that can run them,” said Mike Shook, CEO of Cary, N.C.-based 5S Technologies.
Change Healthcare Data Theft
In April, the impacts from the Change Healthcare attack expanded significantly as it emerged that a massive trove of data had also been stolen during the incident. Despite UnitedHealth paying the $22 million ransom, the data ended up in the hands of a different cybercriminal gang, known as RansomHub, which proceeded to post data it claimed had been stolen in the attack.
During testimony at a U.S. House of Representatives hearing in May, UnitedHealth Group CEO Andrew Witty said that data belonging to “maybe a third” of all Americans were impacted in the attack. In June, Change Healthcare disclosed that sensitive patient medical data was among the data exposed in the attack. Medical data stolen during the attack may have included “diagnoses, medicines, test results, images, care and treatment,” according to a data breach notification posted by Change Healthcare.
Snowflake Customers Targeted
In June, widespread attacks targeting Snowflake customers led to a cascade of major data breaches affecting a number of well-known corporations including telecommunications giant AT&T. According to researchers from Mandiant, there were “approximately 165 potentially exposed organizations” in the series of attacks tied to Snowflake, with a “significant” volume of data stolen. Victims included Ticketmaster, Santander Bank, Pure Storage, Neiman Marcus Group and Advance Auto Parts. The wave of data theft attacks utilized stolen passwords and targeted accounts that were not configured with multifactor authentication (MFA), researchers at Google Cloud-owned Mandiant said.
In July, Snowflake said it had rolled out changes enabling administrators to make MFA mandatory for users and to monitor for compliance. Also in July, AT&T said that records of phone and text messages for “nearly all” customers were exposed in a massive breach, which a spokesperson reportedly tied to the Snowflake attacks. The breach affected the records of phone and text messages from a seven-month period of 2022, according to the telecom firm. In November, the U.S. Department of Justice unsealed an indictment against two suspects — Connor Riley Moucka and John Erin Binns — who had been arrested in connection with the Snowflake attacks. The suspected hackers were accused of extorting “at least three victims” for $2.5 million worth of bitcoin, according to the indictment.
CDK Global Attack
Disruption came to U.S. auto dealerships and car buyers in June after a pair of cyberattacks struck CDK, a provider of software used by 15,000 dealerships. CDK provides SaaS-based functionality including CRM, payroll and finance for dealerships — much of which became unavailable after the attacks, causing a significant drop in sales for dealerships in June.
While CDK was working to recover from the first attack on June 18, the company said it was hit by a second attack the following day. “Late in the evening of June 19, we experienced an additional cyber incident and proactively shut down most of our systems,” CDK said in a statement. Restoration began the following week, and on July 2 CDK said that “substantially all” of the car dealerships it serves were back online. According to a report from CNN citing multiple sources, CDK paid a $25 million ransom to accelerate the recovery and end the outage. CDK did not respond to requests for comment on the report.
Salt Typhoon Attacks
In what a U.S. senator called the most significant hack of the nation’s telecommunications ever, a China-linked espionage group tracked as Salt Typhoon carried out a reportedly months-long compromise earlier this year of carriers including Verizon and AT&T.
Media outlets reported in October that the Salt Typhoon attacks had targeted the campaigns of both of the then-candidates for president, Donald Trump and Kamala Harris, as well as then-vice presidential nominee JD Vance. Some U.S. government officials did see their communications compromised in connection with the attacks, the FBI and CISA confirmed in a joint statement in November. The agencies have “identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies,” the FBI and CISA said in the statement. The hack exposed some customer call records and also involved copying “certain information that was subject to U.S. law enforcement requests pursuant to court orders,” the statement said. Media reports also indicated that T-Mobile had joined the list of major telecom firms compromised in the Salt Typhoon attacks, though the telecom firm said that sensitive data belonging to customers was not impacted in the campaign.
Sen. Mark R. Warner told the Washington Post in November that the Salt Typhoon attacks amounted to the “worst telecom hack in our nation’s history — by far.” In December, Sen. Ron Wyden released draft legislation that would force the FCC to “fix its own failure to fully implement telecom security requirements already required by federal law,” the senator’s office said in a news release.
Blue Yonder Ransomware Attack
More real-world disruption originating from the cyber sphere arrived in November following a ransomware attack against Blue Yonder, a Panasonic-owned maker of logistics software. A number of retailers — such as several major U.K. grocery chains and Starbucks — reportedly faced disruptions to parts of their operations in the wake of the attack.
At Starbucks, for instance, the attack reportedly impacted barista paychecks and forced manual calculations of pay for employees. “A significant majority of our impacted customers have had their service restored,” Blue Yonder said in a statement provided to CRN. “Our associates continue to work closely with our impacted customers on the restoration process and keep them updated as appropriate.”
The Termite ransomware group subsequently claimed responsibility for the ransomware attack, according to reports, and also claimed to have stolen data from Blue Yonder. “We are aware that an unauthorized third-party claims to have taken certain information from our systems,” the company said in its statement. “We are working diligently with external cybersecurity experts to address these claims and the investigation remains ongoing.”
Network Device Attacks
Throughout 2024, threat actors showed a particular focus on exploiting network security devices such as firewalls and VPNs, whose position as the front door to the IT environment makes them a prized target.
In February, for instance, CISA disclosed that a “critical” vulnerability impacting numerous versions of Fortinet’s FortiOS operating system was seeing exploitation in attacks, while attackers in October exploited a critical-severity vulnerability in Fortinet FortiManager as part of a reported nation-state espionage campaign. In April, Cisco Systems disclosed two zero-day firewall vulnerabilities that the tech giant said had been exploited by a state-sponsored attacker in an espionage campaign targeting global governments. In September, meanwhile, researchers at Arctic Wolf said that a critical-severity vulnerability affecting a wide array of SonicWall firewalls was being exploited by threat actors to deploy ransomware. And in November, researchers at Shadowserver said that a wave of cyberattacks exploiting vulnerabilities in Palo Alto Networks’ PAN-OS software had compromised at least 2,000 firewalls.
Security experts told CRN there’s no indication that attacks targeting firewalls and VPNs are likely to de-escalate anytime soon. For one thing, such devices are appealing targets because they must be connected to the internet, noted Elisa Costante, Forescout’s vice president of research. And for a hacker, “once I am within a firewall or within a router, or within a VPN system, I’m in a very good place to start [an attack],” Costante said.