Top 5 Asian Ransomware Attacks

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.

While previously confined to Fortune 500 companies and nation state infrastructure, ransomware attacks are now a threat to SMEs and individuals with new strains and ransom demands making headlines every week. 


Attackers carry out ransomware attacks on businesses or individuals by gaining access to their networks most often through simple methods such as phishing or remote desktop compromise. Once the ransomware is downloaded onto an endpoint, it encrypts all the data on it and can spread to other endpoints in the network. This can happen within minutes of the attack’s penetration. By holding information hostage and locking users out of their systems, cyber attackers are able to demand ransom money in exchange for access to the system, giving the attack its distinctive name.


History of Ransomware

While Ransomware has been making headlines for at least the past three years as a novel attack vector, the first recorded ransomware attack occurred almost thirty years ago. In 1989, a program dubbed “AIDS Trojan'' was distributed via floppy discs to unknowing attendees of a research conference. Believing the discs were research tools, these victims inserted the malware into their computers and watched their files become encrypted with the attackers demanding ransom by mail in exchange for instructions to decrypt their systems. 


In the early 2000s, Distributed Denial of Service (DDoS) attacks were more common than ransomware. This trend shifted with the catastrophic attack known as WannaCry, which in 2017 compromised entire sectors around the world, initiating what some have called “the era of ransomware.”


The Era of Ransomware

One of the biggest innovations that supported the explosion of ransomware was the emergence of cryptocurrencies such as Bitcoin’s rise in 2010. This provided an easy and untraceable method for receiving payment from victims which created the opportunity for ransomware to become a lucrative and low-risk undertaking.


With the growth of ransomware came developments in its supply-chain as cyber criminal groups began to offer Ransomware-as-a-Service packages whereby malware programs are leased to clients around the world in exchange for a portion of their profit from ransom payments.


The most recent trend in ransomware development is data exfiltration. In 2020, there was a widespread adoption of ransomware paired with data-leak extortion tactics, which were rarely used by threat actors in previous years. This method involves both encrypting a victim organization’s environment and also exfiltrating data with the threat to leak it if the extortion demand is not paid.


This rapid evolution of ransomware is expected to continue at an accelerated rate as attackers and criminal groups continue to reinvent their techniques in order to apply as much pressure as possible to organizations in crisis. Ransom demands are also on the rise, with the average ransomware payment reaching USD $570,000, up almost 5x from USD $115,123 in 2019. 


With Asia being particularly targeted—incidents spiked 64% in 2021 compared to the previous year—, the attacks in this region show now sign of slowing. In an effort to put future breaches into context with the attacks that have come before them, this article explores the most notable incidents that Asia has faced, thus far. 


What are the most famous ransomware events in Asian history?


1. WannaCry

What: Global ransomware attack affecting Asian hospitals and other public and private organizations.


Where: Over 200,000 targets in at least 150 countries were severely affected by WannaCry. In Asia, nearly all computers in two major hospitals in Indonesia—Dharmais Hospital and Harapan Kita Hospital—were encrypted. Some Japanese and Singaporean organizations were also affected, along with university hospitals in Seoul and educational institutions in China.


When: On the 12th of May 2017, WannaCry began to spread around the world. The malware was halted a few hours later by the registration of a kill switch discovered by Marcus Hutchins. This prevented already infected computers from being further encrypted or spreading WannaCry, although the virus had already spread globally.


How: The virus exploited a vulnerability in Microsoft’s Windows software, which allowed it to penetrate computers and encrypt files on the PCs hard drive, rendering the devices inaccessible to users. The virus then demanded a ransom payment in bitcoin in order to decrypt them. The rapid spread of WannaCry was supported by the numerous high-profile systems, including Britain's National Health Service, that were hit by the attack and spread it across external systems that were connected. Of note, a novel variant of WannaCry forced Taiwan Semiconductor Manufacturing Company (TSMC) to temporarily shut down several of its chip-fabrication factories in August 2018.


Who: The attackers went long undetected, until in December 2017 the United States and United Kingdom formally asserted that Lazarus Group, a cybercrime organization that may be connected to the North Korean government, was behind the attack.


2. Singapore SingHealth and Hong Kong Health Department 


What: A ransomware attack was launched against several businesses based in Singapore including multinational companies with operations in the city-state. SingHealth, Singapore’s public health network consisting of four hospitals, five national speciality centres, and eight polyclinics, was the most prominent institution hit by the attack. Files containing confidential outpatient prescriptions of 160,000 citizens, including Singapore Prime Minister Lee Hsien Loong and other ministers, were breached. In Hong Kong, computers belonging to the health department’s Infection Control Branch, Clinical Genetic Service and Drug Office were also hit, rendering the data inaccessible. 


Where: Singapore and Hong Kong.


When: Between July and August 2018. Singapore was hit two weeks before Hong Kong with the attacks lasting a total of four weeks.


How: On the 20th of July, the Singapore Government declared that the personal particulars of 1.5 million patients in SingHealth were compromised in the Republic's worst ever cyber attack. Files stored on the computers were encrypted by ransomware and an e-mail address to contact for a decryption key was left behind but no ransom was demanded. SingHealth and Singapore's public healthcare sector IT agency IHIS were punished with penalties of S$250,000 and S$750,000 respectively, for the attack that breached the country's Personal Data Protection Act. The fines were the highest paid out to that date.


Who: A cyber criminal group named Whitefly was found by the Singapore government to be responsible for the attacks, six months after they occurred.


3. AXA Asia

What: One week after cyber insurer AXA France announced it changed its cyber insurance policy to stop coverage for ransom payments, the company's Asia Assistance division was hit by a ransomware attack. Hackers claimed to have seized three terabytes worth of sensitive data in Asia. Stolen data included screenshots of customer identity cards, passports, bank documents, hospital bills, and medical records. 


Where: AXA’s Asia division was attacked, impacting IT operations in Thailand, Malaysia, Hong Kong and the Philippines. As a result, certain data processed by Inter Partners Asia (IPA) in Thailand was also accessed.


When: May 2021.


How: The Avaddon malware likely gained access to AXA’s network through a phishing email in Thailand, and then rapidly spread across the network to reach all the other endpoints. It then encrypted all files within a few minutes, making them irrecoverable and giving AXA ten days to make a decision regarding the ransom payment.


Who: The attack has been attributed to Avaddon, which had been active for about a year prior to the incident affecting the French insurance company. The group is thought to be based in Russia and offers its malware on a “Ransomware-as-a-Service” model to less sophisticated clients.


4. Tokio Marine


What: The attack targeted the company’s internal Windows servers, spreading to a large number of computers in the network. By intervening promptly, Tokio Marine was able to keep providing its insurance services during the course of the attack.


Where: Tokio Marine Insurance Singapore, a subsidiary of Tokio Marine Group, was targeted by the attack.


When: Between July and August 2021. 


How: The ransomware attack affected Tokio Marine Singapore on a large scale, encrypting critical data across all company endpoints. After the ransomware was discovered, the network was isolated to prevent further damages. Tokio Marine also immediately filed the necessary reports to local governmental agencies, displaying a good level of preparedness to such a cyber attack. The Tokio Marine and the AXA ransomware attacks, which occurred within a few months from one another, is a sign of a growing trend of ransomware attacks targeting insurance companies. While some see this as a natural part of the shift in targets in the cyber crime industry, others recognize this as an answer to the hardening of the cyber insurance market, which is becoming more reluctant to paying for ransomware requests, effectively undermining the ransomware business model.


Who: The attacker of Tokio Marine was never disclosed, and investigations are still underway to understand exactly what type of malware was deployed and where it came from.


5. Eye & Retina Surgeons Singapore Eye Clinic

What: The attack affected the Eye & Retina Surgeons clinic server and management system. Data for an estimated 73,000 patients was affected by the breach. This comprised patient information, including names, addresses, identity card numbers, contact details,  and clinical information such as clinical notes and eye scans.

Where: The Eye & Retina Surgeons clinic is based in Singapore.


When: The incident occurred on the 6th of August 2021.


How: A ransomware virus penetrated the network likely through a malicious email or phishing link, encrypting patient data as soon as it gained access to the business endpoints. Eye & Retina Surgeons decided not to pay the requested ransom and was unable to  recover the lost files, although reports claim no data was leaked. The company worked closely with the Cyber Security Agency of Singapore to restore system health and resume its activities.


Who: The hackers responsible for this ransomware attack have not yet been identified. 


Bonus: Notable ransomware attacks in international history

Ransomware is a global phenomenon, affecting businesses in every sector worldwide. Here is a summary of the key ransomware attacks that have occurred beyond Asia.


The first recorded ransomware demand note

AIDS Trojan


The AIDS Trojan, also known as PC Cyborg, was the first ransomware attack ever recorded, taking place in 1989. It affected the healthcare industry, which is still one of the most targeted sectors by ransomware threat actors. The malware was devised by Joseph Popp, a PhD doctor and AIDS researcher. Popp distributed 20,000 floppy disks to AIDS researchers in over 90 countries, with the claim that such disks contained a program that analyzed an individual’s risk of acquiring AIDS through a questionnaire. But this was not all the disk did. In fact, Popp’s disk also contained a malware program that initially remained dormant in computers, and activated itself after a computer had been powered on 90 times. After such activation requirement was met, the malware displayed a message on the computer desktop demanding a payment of USD189 and another USD378 for a software lease.


CNA Financial


The CNA Financial attack occurred in March 2021 and was recognized to be the biggest ransomware attack to date after the ransomware encrypted critical data for the insurance giant. In the end, CNA Financial decided to pay the requested ransom of USD $40M.


Colonial Pipeline


The attack on US petrol giant Colonial Pipeline occurred in May 2021, but it has already become the most popular ransomware attack in history. The attack was carried out by a Ransomware-as-a-Service client of the criminal group DarkSide. The attacker gained entry into the networks of Colonial Pipeline through a virtual private network account, which allowed employees to remotely access the company’s computer network. The hackers entered the account through a password that a Colonial Employee had used multiple times, and which had been leaked on the dark web. The attack was so devastating that petrol supply to the entire West Coast was cut off, and a state of national emergency was declared. Colonial paid out USD$ 4.4M in ransom.




The Brazilian meat packing company, which produces nearly a quarter of America's beef, was also attacked in May 2021. The attack forced the firm to halt cattle slaughtering across its US plants for an entire day, disrupting the entire US food supply chains and inflating meat prices. JBS paid USD $11M in ransom to the Russia-linked cyber gang REvil Sodinokibi.


Marriott International


In September 2018, the Starwood guest reservation database for Marriott International hotels was encrypted in a ransomware attack.The data included guests’ names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, as well as payment card numbers and expiration dates. By liaising with professional incident responders, Marriott was able to decrypt the data in November without paying the attackers. Still, the company was fined GBP 18.4 Million, after negotiating down from GPB £99M by the UK Information Commissioner's Office (ICO) in 2020 for failing to keep customers’ personal data secure.


To learn more about how Blackpanda expertly handles ransomware attacks, click here.

If your organization has been hit by a ransomware attack or you suspect you may have been breached, contact Blackpanda.

Interested in speaking to a DFIR specialist?