An increasing number of organizations are experiencing a ransomware attack. According to Sophos, 59% of organizations experienced one in 2024 and the majority of them (70%) resulted in data encryption.
Not just the number of attacks but also the size of payments has been rising. The median ransomware payment was under $200,000 in 2023 and surged roughly 650% to $1.5 million within about a year, according to IBM data.
Ransomware is projected to cost $275 billion in global damages annually by 2031. So what exactly is a ransomware attack?
Ransomware is a type of malware, malicious software designed to block an organization’s access to its system or encrypt its data.
To get in, attackers typically phish an employee with an email carrying a malicious link or attachment, or obtain an employee's login credentials, and use that access to plant the ransomware on the enterprise network.
In exchange for the decryption keys or restored access, the criminals demand a ransom. Organizations are put in a difficult position where paying seems like the simplest and most cost-effective way to get back to business.
Many ransomware variants have added data theft, which gives victims one more reason to pay: the threat of a leak. And in some high-profile cases, paying has arguably been the least damaging option, despite the risks.
Companies That Paid Ransom to Protect Their Customers
Agreeing to the attackers' demands is not the ideal way to deal with cybercrime. Paying guarantees neither the return of stolen data nor the restoration of operations, and it encourages further attacks. Sometimes, though, a company sees no other way to protect the business and its customers.
With that in mind, let's look at some of the highest-profile cases where the company paid, and what happened afterwards.
1. CNA Financial
One of the largest insurance companies in the US, CNA Financial Corp., fell victim to a ransomware attack in March 2021. It reportedly paid $40 million in Bitcoin (BTC), at the time the largest disclosed ransomware payment, to regain control after being locked out of its systems for about two weeks.
The attack came from a cybercriminal group called Phoenix, which initially demanded a ransom for 999 BTC (about $55 million at the time) before raising it to 1099 BTC, stating:
“Wasting time. The cost went up.”
The attackers claimed the data they had taken was important and that "It will hit hard if leaked." The payment was demanded in exchange for not publicly disclosing the theft, returning the data, deleting all copies of it, and restoring access.
But how did the breach happen? A single lapse led to a major incident: the attackers convinced one CNA employee to install a fake browser update. From that foothold they moved quickly to lock down systems, and the intrusion went undetected at first.
It took CNA a couple of weeks to discover that it had been compromised. During that time, the attackers stole customer data and locked CNA out of its own network.
The company did not issue a public update until a week after the attack, when it said the attack had been contained and that it was working to resume normal business operations. Two weeks later, it disclosed that endpoint detection and monitoring tools had been deployed as part of the restoration process.
Two months after the attack, CNA released its incident report, in which it noted that it wasn’t a targeted attack. And upon detecting the ransomware, the company disconnected its systems from the network to stop the threat from spreading.
A couple of months after that, the insurer announced that its investigation had concluded. The threat actor had copied information before deploying the ransomware, but CNA said it recovered the information quickly and had "no reason to suspect the information has or will be misused."
The Chicago-based insurance holding company also consulted the government, including the FBI and the Office of Foreign Assets Control (OFAC), about the attack. In a statement, it said, “CNA followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter,” but did not comment on the ransom.
Under that guidance, OFAC can impose civil penalties on U.S. persons who make ransom payments to sanctioned entities, even if they did not know the recipient was sanctioned.
The company's investigation found that a threat group called Phoenix used the Phoenix CryptoLocker ransomware to attack its network. At the time, the group was not subject to US sanctions.
CNA Financial Corporation (CNA -1.37%)
CNA is a $13 billion market cap company whose shares, as of writing, trade at $48.16, down 0.43% year-to-date (YTD) but up 32.27% over the past two years. Its earnings per share (EPS, trailing twelve months, TTM) is $3.28, the P/E (TTM) is 14.67, and ROE (TTM) is 8.98%. Shareholders also enjoy a decent 3.82% dividend yield.
Its recent quarter financials show net income of $274 million and a core income of $281 million.
2. Caesars Entertainment
Caesars Entertainment, the casino and hospitality company, paid $15 million in ransom to a cybercrime group called Scattered Spider, the same threat actor that took down MGM Resorts' computer systems just days after collecting the Caesars payment. The attackers also demanded a ransom from MGM, which did not pay.
In Caesars' case, according to its filing with the U.S. Securities and Exchange Commission (SEC), the attackers demanded $30 million, and the company negotiated that down to about half, part of which was covered by its cyber insurance policies. Caesars said it did not expect the payment or the fallout to have a material effect on its results.
The attack happened in mid-August 2023 and was carried out by Scattered Spider, also tracked as UNC3944 or Roasted 0ktapus. The group, made up of young hackers based in the US and UK who are skilled at social engineering, has been connected to attacks on other companies, including Cloudflare, Twilio, and Okta.
To get at Caesars, the hackers first breached an outside IT vendor: impersonating a Caesars employee, they talked the vendor into handing over login credentials for Okta, Caesars' identity and access management provider.
That gave the criminals access to the hotel and casino giant's network. They stole the data of Caesars' loyalty program members, including driver's license and Social Security numbers, before deploying the BlackCat/ALPHV ransomware. The company said there was no evidence that PINs, passwords, bank account, or payment card data were accessed.
Reuters meanwhile quoted the Scattered Spider group as saying it took six terabytes of data from the systems of Caesars and MGM.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
– Caesars said in the filing
Caesars did not give a customer count in the SEC filing, though a later state breach notification listed just under 42,000 affected individuals. Bloomberg reported at the time that Caesars paid after the group hacked it and threatened to release company data.
By late September the company had restored normal operations. But the aftermath brought financial and reputational damage as well as multiple class action lawsuits accusing Caesars of negligence and unjust enrichment for failing to secure guests' personal data.
Caesars Entertainment, Inc. (CZR -4.93%)
With a market cap of just over $6 billion, CZR shares currently trade at $29.41, down 12% so far this year and far from their 2021 peak of about $119. EPS (TTM) is -$1.10, and the P/E (TTM) is -26.80.
As for company financials, GAAP net revenues for Q1 2025 came in at $2.8 billion, and Adjusted EBITDA grew 4% YoY, "driven by significant gains" in its Digital segment, whose own Adjusted EBITDA reached $43 million.
3. Blackbaud
In 2020, cybercriminals broke into the servers of Blackbaud, a software provider for nonprofits and educational institutions, compromising the data of more than 13,000 customer organizations. The South Carolina-based company paid about $235,000 in BTC on the attackers' promise to delete the stolen personal data.
The intrusion began in February that year but was not discovered until May. By then, affected organizations were already coping with the disruptions of the COVID-19 pandemic.
With Blackbaud unaware of the breach, the attackers operated undetected for roughly three months inside the company's systems, during which they encrypted data sets and exfiltrated a subset of them.
When the customer relationship management (CRM) provider finally spotted the breach during routine security checks, it implemented measures to prevent further damage.
In July, Blackbaud publicly disclosed the ransomware attack, announcing that education and third-sector organizations may have had their data compromised. The news sent shockwaves through affected communities and raised concerns about the security of sensitive donor information.
The company prevented the criminals from fully encrypting files and blocking system access, but by then they had already removed a backup file containing personal information.
Blackbaud assured customers that bank account and payment card details were not affected, but names, addresses, contact information, Social Security numbers, and estimated wealth, among other fields, were in fact involved in the breach.
The company also admitted paying the ransom to get the data deleted and protect the interests of its clients.
The Federal Trade Commission (FTC) investigated and concluded that the breach was caused by "Blackbaud's shoddy security and data retention practices."
According to the FTC complaint, the company failed to implement basic security practices, did not follow its own data retention policies, and allowed customers to store critical data such as bank account numbers in unencrypted fields. The agency also said Blackbaud significantly misrepresented the extent and severity of the incident.
In 2024, the FTC and Blackbaud reached a settlement that carried no financial penalty but required the company to delete data it no longer needs, build a comprehensive information security program, and notify the FTC of any future data breach.
Blackbaud's settlement with the SEC, however, carried a $3 million fine for misleading disclosures about the breach. The company also agreed to pay $49.5 million to settle with 50 attorneys general (49 states and the District of Columbia) over the breach, including HIPAA violations.
Blackbaud, Inc. (BLKB -2.57%)
As for market performance, Blackbaud shares currently trade at $63.76, down 13.74% YTD, for a market cap of $3 billion. EPS (TTM) is -$5.83 and the P/E (TTM) is -10.94.
In Q1 2025, the company posted 5.8% organic revenue growth on $271 million in revenue. Blackbaud is also investing in innovation, particularly AI, to boost internal productivity and customer operations.
4. UnitedHealth Group
Health insurance giant UnitedHealth Group Incorporated has had a rough year and a half. It all started in February 2024, when its subsidiary Change Healthcare suffered a cyberattack.
UnitedHealth Group operates through two segments: UnitedHealthcare, which focuses on health insurance, and Optum, which provides technology services, direct healthcare services, and pharmacy care services through Optum Insight, Optum Health, and Optum Rx.
UnitedHealth Group acquired Change Healthcare in 2022 and folded it into Optum Insight. Change Healthcare handles about 15 billion healthcare transactions a year, touching roughly 40% of all medical claims, so you can imagine the disruption an attack on it can cause.
In February, ransomware rendered Change Healthcare's systems inaccessible and wreaked havoc on the U.S. healthcare system, leaving many providers unable to submit claims or get paid. Full operations were not restored until November, several months later.
As for what happened, then-CEO Andrew Witty told Congress that the attackers first got in on Feb. 12, using compromised credentials to log in to a Change Healthcare Citrix portal used for remote desktop access. The portal did not have multi-factor authentication (MFA) enabled. That single gap would cost UNH billions.
From there, the attackers spent several days collecting data before deploying ransomware, which began encrypting the company's systems. In response, UnitedHealth disconnected Change Healthcare's data centers from the network to keep the ransomware from spreading to its other systems and to outside entities.
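The chain described above (valid credentials accepted by a remote-access portal with no MFA, then days of quiet activity before encryption) is exactly what a routine review of authentication logs is meant to surface. The Python below is an added example written for this page; it is not UnitedHealth's, Change Healthcare's or Citrix's code. The JSON-lines log format, the field names (ts, user, src_ip, portal, result, mfa) and the sample records are all constructed assumptions, not any real product's schema.

```python
"""Added example: flag risky remote-access logins in constructed auth logs.

Two checks that would have lit up the Change Healthcare intrusion early:
  - a session granted without an MFA factor (no_mfa), and
  - a user appearing from a source IP absent from that user's MFA-verified
    history (new_source_ip).
The log format and every record here are constructed for illustration.
"""
import json
from collections import defaultdict

# Constructed sample log lines (not real data); fields are assumptions.
SAMPLE_LOGS = """\
{"ts":"2024-02-10T09:01:12Z","user":"jdoe","src_ip":"203.0.113.10","portal":"citrix-gw","result":"success","mfa":"push"}
{"ts":"2024-02-11T09:03:40Z","user":"jdoe","src_ip":"203.0.113.10","portal":"citrix-gw","result":"success","mfa":"push"}
{"ts":"2024-02-12T02:17:55Z","user":"svc_backup","src_ip":"198.51.100.77","portal":"citrix-gw","result":"success","mfa":"none"}
{"ts":"2024-02-12T02:18:03Z","user":"svc_backup","src_ip":"198.51.100.77","portal":"citrix-gw","result":"success","mfa":"none"}
{"ts":"2024-02-12T08:55:10Z","user":"asmith","src_ip":"192.0.2.44","portal":"citrix-gw","result":"failure","mfa":"none"}
{"ts":"2024-02-13T22:40:01Z","user":"jdoe","src_ip":"198.51.100.78","portal":"citrix-gw","result":"success","mfa":"none"}
"""


def parse_events(text):
    """Parse JSON-lines auth records, skipping blank or malformed lines,
    and return them in chronological order (ISO-8601 strings sort lexically)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep reviewing the rest of the file rather than abort
    return sorted(events, key=lambda e: e["ts"])


def find_risky_logins(events):
    """Return one finding per successful login that is no_mfa, new_source_ip,
    or both. Only MFA-verified successes feed the per-user IP baseline, so a
    password-only login cannot launder a new address into 'known'."""
    known_ips = defaultdict(set)
    findings = []
    for e in events:
        if e.get("result") != "success":
            continue
        reasons = []
        if e.get("mfa", "none") == "none":
            reasons.append("no_mfa")
        seen = known_ips[e["user"]]
        if seen and e["src_ip"] not in seen:
            reasons.append("new_source_ip")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"],
                             "src_ip": e["src_ip"], "reasons": reasons})
        if "no_mfa" not in reasons:
            seen.add(e["src_ip"])
    return findings


def summarize(findings):
    """Count findings by reason and list the accounts that got in without
    MFA; those are the accounts to force-enrol before their next login."""
    by_reason = defaultdict(int)
    no_mfa_users = set()
    for f in findings:
        for r in f["reasons"]:
            by_reason[r] += 1
        if "no_mfa" in f["reasons"]:
            no_mfa_users.add(f["user"])
    return dict(by_reason), sorted(no_mfa_users)


if __name__ == "__main__":
    found = find_risky_logins(parse_events(SAMPLE_LOGS))
    for f in found:
        print(f["ts"], f["user"], f["src_ip"], ",".join(f["reasons"]))
    print(summarize(found))
```

On the constructed sample this reports the two password-only service-account logins at 2 a.m. and a later password-only login for jdoe from an address that user has never used with MFA. The design point is the baseline rule: a login that skipped MFA is never trusted to extend the user's set of known addresses, otherwise an attacker's first password-only login would make every later one look normal.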
The BlackCat/ALPHV gang claimed responsibility, saying it had exfiltrated 6 TB of confidential data, including medical records, personal information, and financial documents. UnitedHealth Group has publicly confirmed that about 190 million individuals were affected by the breach.
In March 2024, the company paid a $22 million ransom. But the BlackCat operators reportedly kept the money instead of paying the affiliate who actually carried out the attack; that affiliate then took the stolen data to another group, RansomHub, which tried to extort UnitedHealth a second time. Whether UnitedHealth paid again is not known.
UnitedHealth Group reported in January 2025 that the incident's total impact for the year came to $3.09 billion.
While the company continues to deal with the fallout from the largest cyberattack in healthcare history, company stocks didn’t really feel the brunt of it as UNH stock hit an all-time high of $625 per share in November 2024 and a market cap of $575 billion.
UnitedHealth Group Incorporated (UNH -5.78%)
But now, six months later, it is all crashing down. UNH has declined 36.43% YTD and currently trades at $321.58, a 49% drop from its all-time high, for a market cap of $292 billion.
Besides a bigger-than-expected hit from the cyberattack, the company has dealt with the killing of UnitedHealthcare CEO Brian Thompson on the morning of its investor day in New York City, an earnings miss, and a Department of Justice criminal investigation into UHG's Medicare Advantage practices.
As for profitability and efficiency, it has an EPS (TTM) of $23.89, a P/E (TTM) of 13.46, and an ROE (TTM) of 24.33%, with a 2.61% dividend yield. For Q1 2025, revenues grew to $109.6 billion, and cash flow from operations was $5.5 billion.
5. AT&T (T -1.12%)
The telecommunications giant suffered two major data breaches in 2024.
The first came in March and affected roughly 73 million current and former customers (about 7.6 million current and 65.4 million former account holders). Reports of the company's data circulating on the dark web first surfaced in mid-March, and AT&T took a couple of weeks to confirm that the information did belong to its customers.
The compromised information included customers' full names, dates of birth, email addresses, phone numbers, mailing addresses, Social Security numbers, and AT&T account numbers and passcodes. The company told impacted individuals:
“To the best of our knowledge, personal financial information and call history were not included.”
The data set is believed to have been circulating online for years and appears to date from 2019 or earlier. AT&T had previously denied that it came from its own systems, and when it confirmed the data it said it still did not know whether the set originated with AT&T or one of its vendors.
Then, in April, AT&T suffered a second breach that compromised the records of nearly all of its wireless customers (including customers of carriers using its network) and of landline customers who had interacted with them. The company disclosed it publicly a few months later, in July.
This breach was linked to an American hacker associated with the ShinyHunters group, who demanded $1 million but settled for far less. AT&T paid about $370,000 in Bitcoin in May to keep the data from being leaked, and the attacker supplied a video purporting to show the data being deleted.
The stolen records covered customer call and text interactions between May 1, 2022, and October 31, 2022, and on January 2, 2023. This time the data came from the company's "workspace" on a third-party cloud platform (widely reported to be Snowflake).
The content of calls and texts was not taken, but the records can identify the phone numbers that affected customers interacted with, the company explained. AT&T notified about 110 million customers about the incident.
As of this writing, the $200 billion market cap company's shares trade at $27.78, up 22% YTD. Its EPS (TTM) is $1.63, the P/E (TTM) is 17.04, and ROE (TTM) is 11.28%. The dividend yield is an attractive 4%.
Financially, Q1 2025 revenue was $30.6 billion, net income was $4.7 billion, and free cash flow was $3.1 billion.
As these cases show, ransomware is hitting companies across sectors. Paying the ransom can sometimes limit the harm to the company and its customers, but not always: it risks incentivizing further criminal activity, and it comes on top of the financial and reputational damage already done.
What companies need to do is take proactive security measures so breaches do not happen in the first place. That means regular security assessments, continuous monitoring for threats, patched and up-to-date systems, multi-factor authentication on every remote-access and identity portal (the gap that let the Change Healthcare attackers in), protected and tested backups, robust data encryption, appropriate employee training, and effective incident response readiness.
In the end, the real defense against ransomware is not negotiation but preparation, so invest in cybersecurity resilience today.