2022 has shaped up to be a pricey year for victims of cyberattacks.

Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack.

Let’s look at the 13 costliest cyberattacks of the past year and the trends that defined major threats, working back from now to the beginning of 2022.

1. November 2022: Government of Costa Rica

The government of Costa Rica recently declared a state of emergency after enduring weeks of ransomware attacks on its critical systems. As a result, the government could not pay its workers on time and asked them to apply for payment through email or paper-based methods. The attack also disrupted tax and customs systems, causing the country’s import/export logistics to collapse. The Conti ransomware gang demanded a $20 million ransom payment, claiming the attacks were done to overthrow the government. The criminal gang published an estimated 50% of the data stolen during the weeks-long attack. The Costa Rican government has not paid the ransom.

2. October 2022: Medibank

A costly attack on health insurer Medibank affected all of its 3.9 million current and former customers. Attackers demanded a ransom payment of $9.7 million not to publish the stolen data, which Medibank refused to pay. The criminal gang then threatened to release data each day the ransom remained unpaid. Even before customer compensation and regulatory and legal costs were paid, the attack was estimated to cost Medibank $25 to $35 million. In addition, Medibank delayed insurance premium increases until January 2023, which will cost the company another $62 million.

3. October 2022: CommonSpirit Health System

A ransomware attack on CommonSpirit Health System affected patients across the country. As one of the largest U.S. hospital operators, the system operates 140 hospitals and 2,000 patient care sites. Electronic health records were unavailable while the hospital’s system was offline. The attack directly affected patient care when some patients received the wrong dosages and others had to delay important surgeries, including at least one cancer surgery. An estimated 20 million patients were affected by this attack.

4. September 2022: Uber

The attack on Uber this year showcased the dangers presented by social engineering. Threat actors broke through the company’s defenses by sending a fake two-factor authentication notification urging the victim to click a link to verify a request. After compromising the employee account, the attackers used the company’s virtual private network to access internal network resources. They gained access to the company’s privileged access management service, used it to escalate account privileges and claimed to have access to several Uber systems, including AWS, Duo, GSuite, OneLogin, Slack, VMware and Windows.

5. September 2022: Rockstar Games

After gaining access to the company’s internal systems, an attacker downloaded the complete source code for Grand Theft Auto 5 and 6 and other confidential information in an attack on Rockstar Games. The breach targeted collaboration tools used by developers, such as Slack and Confluence Wiki. The attackers appeared to be more interested in extortion than in publishing the stolen data.

6. May 2022: AcidRain Wiper Malware

Widespread wiper malware attacks have wracked Ukraine since its war with Russia began. The AcidRain malware uses brute-force attacks to find device file names and then wipes every file it can find. The attacks have knocked tens of thousands of modems offline since they began in early 2022.

7. April 2022: U.K. National Health Service (NHS)

The NHS provides infrastructure for tens of thousands of health organizations. Over a period of six months, attackers compromised over 100 NHS employee accounts and used them to send phishing emails. Some phishing campaigns attempted to steal Microsoft credentials. These phishing emails were primarily fake document download alerts, complete with an NHS disclaimer at the end of each message. Though the NHS migrated to Office 365, that didn’t entirely end the fraudulent messages, which continued in much smaller numbers.

8. April 2022: Austin Peay State University

A ransomware attack on Austin Peay State University brought the university to a halt just before final exams began. The university urged faculty, staff and students to disconnect university computers from the network and avoid using any university devices on campus or at home. Only personal devices such as laptops and cell phones could continue to access email and other university resources. The university canceled final exams and closed all computer labs.

9. April 2022: Florida International University

A ransomware gang attacked Florida International University just weeks after the attack on North Carolina Agricultural and Technical State University (A&T). The same group, ALPHV/BlackCat, claimed responsibility for both. Attackers exfiltrated 1.2 terabytes of sensitive data, including social security numbers, accounting documents and email databases. At the time of the incident, the university announced there was no evidence that the attack had compromised information. However, security researchers examined stolen data and verified it was real.

10. March 2022: North Carolina A&T

North Carolina Agricultural and Technical State University became a ransomware victim during spring break. The attack targeted multiple systems, including Blackboard, Banner ERP, Qualtrics, VPN, Jabber and Chrome River. Extended outages meant students could not submit assignments, and classes were canceled. The ransomware gang responsible for the attack claimed it stole the personal data of faculty, staff and students, as well as contracts, financial data and multiple databases.

11. February 2022: Nvidia

Earlier this year, microchip maker Nvidia suffered an attack during which one terabyte of data was stolen, including usernames and cryptographic hashes for more than 70,000 Nvidia employees. The Lapsus$ ransomware gang claimed responsibility for the hack. The criminal gang first demanded the removal of a feature that makes Nvidia graphics cards less desirable for crypto mining, then later modified the demand to call for open-source graphics drivers for all future cards. The gang threatened to release the stolen data if Nvidia did not meet its demands.

12. January 2022: Red Cross

Attackers targeted a Red Cross family reunification program through an unpatched vulnerability in the organization’s enterprise password management platform. The targeted reunification program reconnects families separated by migration, war and disaster. State-sponsored threat actors were likely responsible since the attack was tailored specifically for Red Cross systems. Attackers remained in the system for more than 70 days with access to personally identifiable information, including location, of more than 515,000 people in the program.

13. January 2022: Twitter

At the beginning of 2022, an attacker used a zero-day vulnerability to gain access and siphon the usernames, phone numbers and email addresses of nearly 6 million Twitter users. Stolen user data was likely combined with other information scraped from the web to build a database later offered for sale on a hacker forum.

Above all, these attacks illustrate the importance of continuous vigilance against cyberattacks. Clearly, ransomware and high-profile attacks have proved especially insidious. Whatever 2023 brings, we must be ready to face it with the right strategies and resources. IBM’s Security Framing and Discovery Workshop is a great no-cost option to improve your organization’s cybersecurity posture in time to meet the next threat.
