Top 5 Asian ransomware attacks


While previously confined to Fortune 500 companies and nation-state infrastructure, ransomware attacks are now a threat to SMEs and individuals, with new strains and ransom demands making headlines every week.

Attackers carry out ransomware attacks on businesses or individuals by gaining access to their networks most often through simple methods such as phishing or remote desktop compromise. Once the ransomware is downloaded onto an endpoint, it encrypts all the data on it and can spread to other endpoints in the network. This can happen within minutes of the attack’s penetration. By holding information hostage and locking users out of their systems, cyber attackers are able to demand ransom money in exchange for access to the system, giving the attack its distinctive name.

History of ransomware

While ransomware has been making headlines for at least the past three years as a novel attack vector, the first recorded ransomware attack occurred almost thirty years ago. In 1989, a program dubbed “AIDS Trojan” was distributed via floppy discs to unknowing attendees of a research conference. Believing the discs were research tools, these victims inserted the malware into their computers and watched their files become encrypted, with the attackers demanding ransom by mail in exchange for instructions to decrypt their systems.

In the early 2000s, Distributed Denial of Service (DDoS) attacks were more common than ransomware. This trend shifted with the catastrophic attack known as WannaCry, which in 2017 compromised entire sectors around the world, initiating what some have called “the era of ransomware.”

The era of ransomware

One of the biggest innovations that supported the explosion of ransomware was the emergence of cryptocurrencies, marked by Bitcoin’s rise in 2010. This provided an easy and untraceable method for receiving payment from victims, which created the opportunity for ransomware to become a lucrative and low-risk undertaking.

With the growth of ransomware came developments in its supply chain, as cyber criminal groups began to offer Ransomware-as-a-Service packages whereby malware programs are leased to clients around the world in exchange for a portion of their profit from ransom payments.

The most recent trend in ransomware development is data exfiltration. In 2020, there was a widespread adoption of ransomware paired with data-leak extortion tactics, which were rarely used by threat actors in previous years. This method involves both encrypting a victim organization’s environment and also exfiltrating data with the threat to leak it if the extortion demand is not paid.

This rapid evolution of ransomware is expected to continue at an accelerated rate as attackers and criminal groups continue to reinvent their techniques in order to apply as much pressure as possible to organizations in crisis. Ransom demands are also on the rise, with the average ransomware payment reaching USD 570,000, up almost 5x from USD 115,123 in 2019. 

With Asia being particularly targeted (incidents spiked 64% in 2021 compared to the previous year), the attacks in this region show no sign of slowing. In an effort to put future breaches into context with the attacks that have come before them, this article explores the most notable incidents that Asia has faced thus far.

What are the most famous ransomware events in Asian history?

1. WannaCry

What: Global ransomware attack affecting Asian hospitals and other public and private organizations.

Where: Over 200,000 targets in at least 150 countries were severely affected by WannaCry. In Asia, nearly all computers in two major hospitals in Indonesia—Dharmais Hospital and Harapan Kita Hospital—were encrypted. Some Japanese and Singaporean organizations were also affected, along with university hospitals in Seoul and educational institutions in China.

When: On the 12th of May 2017, WannaCry began to spread around the world. The malware was halted a few hours later by the registration of a kill switch discovered by Marcus Hutchins. This prevented already infected computers from being further encrypted or spreading WannaCry, although the virus had already spread globally.

How: The virus exploited a vulnerability in Microsoft’s Windows software, which allowed it to penetrate computers and encrypt files on the PC’s hard drive, rendering the devices inaccessible to users. The virus then demanded a ransom payment in bitcoin in order to decrypt them. The rapid spread of WannaCry was supported by the numerous high-profile systems, including Britain's National Health Service, that were hit by the attack and spread it across the external systems they were connected to. Of note, a novel variant of WannaCry forced Taiwan Semiconductor Manufacturing Company (TSMC) to temporarily shut down several of its chip-fabrication factories in August 2018.

Who: The attackers went long undetected, until in December 2017 the United States and United Kingdom formally asserted that Lazarus Group, a cybercrime organization that may be connected to the North Korean government, was behind the attack.

2. Singapore SingHealth and Hong Kong Health Department 

What: A ransomware attack was launched against several businesses based in Singapore including multinational companies with operations in the city-state. SingHealth, Singapore’s public health network consisting of four hospitals, five national speciality centres, and eight polyclinics, was the most prominent institution hit by the attack. Files containing confidential outpatient prescriptions of 160,000 citizens, including Singapore Prime Minister Lee Hsien Loong and other ministers, were breached. In Hong Kong, computers belonging to the health department’s Infection Control Branch, Clinical Genetic Service and Drug Office were also hit, rendering the data inaccessible. 

Where: Singapore and Hong Kong.

When: Between July and August 2018. Singapore was hit two weeks before Hong Kong, with the attacks lasting a total of four weeks.

How: On the 20th of July, the Singapore Government declared that the personal particulars of 1.5 million patients in SingHealth were compromised in the Republic's worst ever cyber attack. Files stored on the computers were encrypted by ransomware and an e-mail address to contact for a decryption key was left behind but no ransom was demanded. SingHealth and Singapore's public healthcare sector IT agency IHIS were punished with penalties of S$250,000 and S$750,000 respectively, for the attack that breached the country's Personal Data Protection Act. The fines were the highest paid out to that date.

Who: A cyber criminal group named Whitefly was found by the Singapore government to be responsible for the attacks, six months after they occurred.

3. AXA Asia

What: One week after cyber insurer AXA France announced it changed its cyber insurance policy to stop coverage for ransom payments, the company's Asia Assistance division was hit by a ransomware attack. Hackers claimed to have seized three terabytes worth of sensitive data in Asia. Stolen data included screenshots of customer identity cards, passports, bank documents, hospital bills, and medical records. 

Where: AXA’s Asia division was attacked, impacting IT operations in Thailand, Malaysia, Hong Kong and the Philippines. As a result, certain data processed by Inter Partners Asia (IPA) in Thailand was also accessed.

When: May 2021.

How: The Avaddon malware likely gained access to AXA’s network through a phishing email in Thailand, and then rapidly spread across the network to reach all the other endpoints. It then encrypted all files within a few minutes, making them irrecoverable and giving AXA ten days to make a decision regarding the ransom payment.

Who: The attack has been attributed to Avaddon, which had been active for about a year prior to the incident affecting the French insurance company. The group is thought to be based in Russia and offers its malware on a “Ransomware-as-a-Service” model to less sophisticated clients.

4. Tokio Marine

What: The attack targeted the company’s internal Windows servers, spreading to a large number of computers in the network. By intervening promptly, Tokio Marine was able to keep providing its insurance services during the course of the attack.

Where: Tokio Marine Insurance Singapore, a subsidiary of Tokio Marine Group, was targeted by the attack.

When: Between July and August 2021. 

How: The ransomware attack affected Tokio Marine Singapore on a large scale, encrypting critical data across all company endpoints. After the ransomware was discovered, the network was isolated to prevent further damage. Tokio Marine also immediately filed the necessary reports to local governmental agencies, displaying a good level of preparedness for such a cyber attack. The Tokio Marine and AXA ransomware attacks, which occurred within a few months of one another, are a sign of a growing trend of ransomware attacks targeting insurance companies. While some see this as a natural part of the shift in targets in the cyber crime industry, others recognize it as an answer to the hardening of the cyber insurance market, which is becoming more reluctant to pay for ransomware requests, effectively undermining the ransomware business model.

Who: The attacker of Tokio Marine was never disclosed, and investigations are still underway to understand exactly what type of malware was deployed and where it came from.

5. Eye & Retina Surgeons Singapore Eye Clinic

What: The attack affected the Eye & Retina Surgeons clinic server and management system. Data for an estimated 73,000 patients was affected by the breach. This comprised patient information, including names, addresses, identity card numbers, contact details, and clinical information such as clinical notes and eye scans.

Where: The Eye & Retina Surgeons clinic is based in Singapore.

When: The incident occurred on the 6th of August 2021.

How: A ransomware virus penetrated the network, likely through a malicious email or phishing link, encrypting patient data as soon as it gained access to the business endpoints. Eye & Retina Surgeons decided not to pay the requested ransom and was unable to recover the lost files, although reports claim no data was leaked. The company worked closely with the Cyber Security Agency of Singapore to restore system health and resume its activities.

Who: The hackers responsible for this ransomware attack have not yet been identified. 

IR-1: The most effective cyber risk management solution for SMEs in Asia

Waiting for an attack to happen before you contact a cyber incident response team can cost precious time and a high hourly fee, which is why pre-purchasing a retained solution is the best way to optimise response time and minimise costs.

Blackpanda’s IR-1 subscription is the most effective solution for small and medium enterprises in Asia Pacific facing limited resources and knowledge in managing cyber breaches. IR-1 aims to help them manage cyber breaches and mitigate their impact by offering a 12-month subscription plan that includes 24/7 incident response availability, one incident response activation credit, discounted rates for Blackpanda services, and unlimited access to a digital library. IR-1 is staffed by highly trained specialists, and businesses can renew the subscription upon expiry.

Get in touch with us to learn more about IR-1.