Top 10: Highest Ransomware Payment Demands

What are the highest ransomware payment demands to date?

The ransomware threat is on the rise – again.

While 2022 was marked by a surge in disruptive cyber-attacks and cyber espionage campaigns, many related to the war in Ukraine, ransomware attacks decreased for the first time in history.

The data analysis firm Chainalysis observed a significant decline in ransomware payments, falling from $766m in 2021 to $457m in 2022.

However, this didn’t last very long: in 2023, financially motivated threat actors seem to be back at it again and have already extorted $176m more than in the same period in 2022. According to Chainalysis, ransomware is even on track to have one of its biggest years to date.

In parallel, ransomware groups seem more brazen than ever in their payment demands, with recent amounts reaching unheard-of highs.

Infosecurity has compiled a list of the largest confirmed, or at least widely reported, ransomware payment demands at the time of writing. Some have reportedly been paid, in part or in full, while some victims have refused to pay. Others have denied being breached.

In November 2021, MediaMarkt, a German-headquartered multinational electronics retail giant, suffered a Hive ransomware with an initial ransom demand of $240m, causing IT systems to shut down and disrupting store operations in Netherlands and Germany. The ransom was reportedly negotiated down to $50m. MediaMarkt never disclosed whether it had paid up.

A ransomware attack hit the Taiwanese electronics manufacturer Acer in March 2021. REvil claimed the attack and demanded $50m if the victim responded quickly and up to $100m if no progress had been made after eight days. Acer offered to pay the group $10 million, but the REvil gang rejected that offer. Acer was hit by another attack later that same year, coming from the Desorden group.

In January 2023, Royal Mail, the UK’s postal service, suspended its international deliveries following a “cyber incident.” While the company resumed operations a few weeks later, it was later reported that LockBit, behind the attack, set a ransom of nearly $80m, which they claimed was equal to 0.5% of the company’s revenue, in exchange for decrypting the files. “Under no circumstances will we pay that absurd amount,” Royal Mail reportedly responded.

In the summer of 2021, the ransomware gang REvil infiltrated Kaseya, a popular, Florida-based IT and security services provider, accessed its customers’ data, and demanded a $70m ransom for the data’s return before lowering the asking price to $50m. This supply chain attack could have hit up to 2000 companies across the world. Kaseya refused to pay and allegedly offered a “100% effective” decrypting tool.

In June 2023, National Hazard Agency, a sub-group of the LockBit ransomware gang, posted the name of Taiwan Semiconductor Manufacturing Company (TSMC), the world’s largest chip manufacturer, on LockBit’s dark web leak site. The threat actor has demanded TSMC pay a $70m ransom to prevent them from leaking the data they allegedly possess. The victim was initially given seven days to respond, but the deadline has since been extended to August 6. However, TSMC rapidly shared a statement admitting that one of its contractors had been breached but that the incident had not affected TSMC's business operations and had not compromised any customer information.

Pendragon Group, a car dealer who owns CarStore, Evans Halshaw, and Stratstone luxury car retailer and sells cars from many brands, including Porsche, Ferrari, BMW, Renault, Ford, Hyundai, and Dacia, was breached by the LockBit ransomware gang, who requested a $60m ransom. Pendragon said it quickly remediated the attack and refused to pay the ransom.

One of the US’ largest insurance firms, CNA Financial, reportedly agreed to pay $40m a few weeks after its IT systems were locked down and data was stolen by threat actors, in March 2021. The initial demand was $60m. This was the highest paid ransomware demand at the time of a previous analysis published on Infosecurity Magazine’s website in 2021.

A new ransomware gang, Yanluowang, claimed in January 2022 to have breached the IT systems of US retail giant Walmart and demanded a $55m ransom to decrypt the files. Walmart quickly denied the attack, saying their security team didn’t notice any breach.

ADVERTISEMENT

The German car parts manufacturer Continental reported in August 2022 that it had been targeted in a cyber-attack that resulted in hackers accessing some of its systems. LockBit, the ransomware group behind the attack, offered to sell the files for $50m. Continental said that the attack had been “averted” and that business activities were unaffected. 

IT consultancy Accenture confirmed in October 2021 that LockBit ransomware operators stole data from its systems during an attack that hit the company's systems in August 2021. The cyber criminals claimed to have stolen six terabytes of data from Accenture's network and demanded a $50m ransom. Accenture denied claims made by the LockBit gang that they also stole credentials belonging to Accenture customers that would enable them to compromise their networks. It assured that all affected systems were fully restored from backups without impacting Accenture's operations or its clients' systems.

Public disclaimer: It’s plausible that other payments not listed here have occurred that are not public knowledge.

Enjoyed this article? Make sure to share it!

Looking for something else?