REvil/Sodinokibi operators detonated ransomware against Travelex on New Year's Eve 2019 after dwelling in the network for six months via an unpatched Pulse Secure VPN. Travelex paid $2.3 million; parent Finablr failed; PwC put Travelex into administration with the loss of over 1,300 jobs.
- Victim: Travelex
- Loss: $2.3M
TA505 used Clop ransomware to encrypt 267 Maastricht University servers over Christmas 2019 after two phishing emails on 15–16 October had compromised the network. The university paid 30 BTC (~$220,000). The ransom Bitcoin, later seized from a money mule, was returned and had appreciated, leaving the university ahead by ~$300,000.
- Victim: Maastricht University
- Loss: $220.0K
DoppelPaymer ransomware paralysed corporate IT systems at Mexican state oil company Pemex, freezing payments and communications for weeks. Attackers demanded 565 BTC (~$5M). Pemex refused to pay; total recovery cost reached approximately $71 million.
- Victim: Petróleos Mexicanos (Pemex)
- Loss: $71.0M
Former AWS engineer Paige Thompson exploited a misconfigured Web Application Firewall to extract personal data on roughly 106 million Capital One credit-card applicants and customers from S3.
- Victim: Capital One Financial Corporation
- Loss: $270.0M
- Records: 106.0M
An insider at Desjardins, the largest financial cooperative in Canada, exfiltrated personal data on 9.7 million members and businesses over two years before being caught. The defining Canadian insider-threat case.
- Victim: Desjardins Group
- Loss: $100.0M
- Records: 9.7M
Aluminium producer Norsk Hydro lost most of its global IT estate to the LockerGoga ransomware. Hydro publicly refused to pay, ran operations on paper for weeks, and set the editorial standard for transparent incident communication.
- Victim: Norsk Hydro
- Loss: $75.0M