Learned Lessons From 5 Headline-Making Ransomware Attacks
The recently announced "National Cybersecurity Plan 2025-2030," published by the Mexican federal government, acknowledges the seriousness of the ransomware problem, noting that 155 ransomware attacks were recorded between 2019 and 2025, placing Mexico second in the region after Brazil. The plan also highlights the costs associated with recovery processes following these types of cyberattacks.
It is important to mention that the country actually suffered many more attacks that were public knowledge but whose victim organizations were not listed on the attackers' sites, known as DLS (Dedicated Leak Sites). I can recall at least 15 to 20 incidents in the same period across multiple organizations based in Mexico City, Guadalajara, and Monterrey.
Ransomware is a critical, boardroom-level business risk that threatens continuity, financial stability, and reputation:
- The “Global Cybersecurity Outlook 2026” recently published by The World Economic Forum highlights that CISOs have ransomware attacks as the top cyber risk for 2026, just like for 2025. As one of the most lucrative tactics for cybercriminals, ransomware remains a persistent threat, and the increasing integration of AI into attack methods is expected to make these attacks even more effective.
- There has been a significant rise in ransomware campaigns which do not rely on encryption as cybercriminal extortion groups shift their operations. An increasing number of cybercriminals (for example, Scattered LAPSUS$ Hunters) are relying on data theft alone to extort ransom payments out of victims, according to a new research paper by Symantec and Carbon Black.
- Despite arrests, takedowns, and the apparent collapse of several major ransomware groups, 2025 did not bring any slowdown in the damage caused by ransomware, which continues to increase as many groups fragment or regroup, according to "The State of Ransomware in the U.S.: Report and Statistics 2025," by Emsisoft.
Boeing
Two days into November 2023, Boeing self-reported what would be one of the most impactful breaches to date. In the last week of October, around Oct. 27th, Lockbit, also known as ALPHV/BlackCat, exploited a Citrix Bleed vulnerability (CVE-2023-4966), which was among the Top 15 most exploited vulnerabilities as of November 2024, leveraging an array of tools to gain access. This resulted in a leak of 43GB worth of sensitive data and a US$200 million ransom demand. Data from Citrix appliances and email backups, provisioning services, audits, security controls, aircraft production details, contracts, and IT management configurations were included in the breach.
CyberScoop reported that the ransom demand was so outrageous that Boeing ultimately refused to pay it. This quickly led to the stolen data being published on Lockbit’s Tor site, exposing several other vulnerabilities to secondary threat actors. While Boeing’s team detected and restored disrupted services within weeks, the damage caused by the stolen data impacted Boeing’s public image and reputation.
Change Healthcare
Lockbit, targeting the medical industry, struck again, hitting Change Healthcare and causing the most significant healthcare data breach in American history to date. On Feb. 21, 2024, Lockbit compromised a Citrix remote access portal lacking multifactor authentication, which proved to be the perfect entry point. Armed with stolen credentials, Lockbit spent roughly nine days exfiltrating between 4 and 6 TB of data before encrypting all systems. The result? Approximately 70,000 pharmacies, 8,000 healthcare facilities, and 5,500 hospitals lost complete access to prescription claims, processing, and authorization. To make matters worse, 94% of providers had negative financial impacts, and 60% experienced daily revenue shortfalls exceeding $1 million, as reported by CNBC.
Unfortunately, the impact was felt beyond the providers. It’s estimated that 192.7 million individuals (or 1 in 3 Americans) were exposed to the attack. Included in those exposures was an array of PHI data consisting of names, addresses, Social Security numbers, clinical data, and payment details, all of which became accessible on the dark web. A total of US$22 million was paid for the ransom, and this was promptly followed by a second data extortion payment demand, which was refused. Impacted systems would not be restored for nine months. Congressional hearings on pure negligence swiftly followed suit.
Ascension
In May 2024, Ascension found itself in a similar scenario to Change Healthcare. Using a classic phishing email against an unsuspecting employee, the ransomware group Black Basta successfully infiltrated Ascension’s critical systems. The threat actor wasted no time moving laterally across electronic health care (EHR), MyChart portals, and telephony servers. By May 8, 2024, seven of the organization’s 25,000 servers were compromised, and data exfiltration began. The problem? As reported by HealthCare IT News, all seven servers contained PHI and PII data. Here is the kicker: Ascension had all the right tools in place, including email filtering, EDR, and user training. One successful phishing attempt was all it took to bypass security measures.
The attack brought down 140 hospitals across 19 different states, several emergency departments, and increased wait time for critical imaging results. Full recovery took roughly five weeks, and several class action lawsuits followed, alleging failure to adhere to industry HIPAA compliance standards.
Threat actors have evolved to get around these tools first, giving them all the time they need to exfiltrate data, encrypt files, and leave behind a friendly reminder that payment in Bitcoin will suit just fine.
CDK
Even after two major breaches, there was more to come in 2024. On June 18, 2024, 15,000 car dealerships across the United States were affected by the threat actor BlackSuit. CDK, a heavily utilized SaaS-based car dealer management system, was initially compromised when the threat actor gained access through a phishing attempt. Successful attempts led to CDK’s files becoming encrypted and data being exfiltrated. Shortly after the breach, CDK attempted to restore services using backups to get dealerships back online. A day later, CDK was hit again, causing a complete shutdown of all online dealership services. Security professionals quickly criticized CDK for moving to restore operations too quickly, according to articles on BleepingComputer.
This resulted in car sales, inventory searches, financing, and service requests all screeching to a halt, leaving everyone dusting off clipboards and rediscovering the ancient art of pen and paper sales. What made this breach even more dangerous was the “always-on” VPN tunnel connecting every dealership to CDK’s data centers. Due to the VPN requirement, the risk for downstream exposure and encryption escalated for all 15,000 dealerships tied to CDK.
BlackSuit gained access that could have let it use API keys or session IDs to compromise dealerships over the VPN connection. Payment was sent by CDK on June 21 for roughly US$25 million, or 387 Bitcoin at that time. Dealership losses exceeded $1 billion in revenue, with sales dropping by as much as 50% and 100,000 fewer cars sold in June (a 7% decrease). Almost all dealerships were back up and running by July 4, and 10 lawsuits were filed against CDK by dealership groups like Fowler Buick-GMC and Kinley Automotive Group.
Blue Yonder
Rounding out our Top 5 attacks is a unique supply chain attack against Blue Yonder, a software company specializing in supply chain, logistics, retail, and commerce solutions for global brands. As 2024 ended, the threat actor group Termite launched an attack on Nov. 21, targeting Blue Yonder with a modified version of Babuk ransomware, whose source code had been publicly leaked. The attack on Blue Yonder’s hosted environment disrupted inventory, demand forecasting, and warehouse management for 3,000 clients, including Starbucks, UK retailers Morrisons and Sainsbury’s, Renault, Tesco, and Procter & Gamble.
In the aftermath, over 11,000 Starbucks stores lost access to automated scheduling and payment systems, while UK retailers Morrisons and Sainsbury’s had their warehouse management systems taken offline. Blue Yonder’s server data was encrypted, but not before Termite exfiltrated 680 GB of data, which included sensitive information such as databases, email addresses, and over 200,000 insurance documents, according to a report by Cyberscoop. With one fell swoop, over 3,000 clients globally lost access to Blue Yonder without the ability to use backup systems in one of the largest ever supply chain attacks. By December, Blue Yonder successfully restored services to most of its clients.
What Are the Lessons for Mexican Organizations?
These aren’t just cautionary tales; they’re grim reminders that the hard lessons surface during and after a crisis, when decisions carry real weight and visibility is clearest. Understanding what went wrong isn’t about pointing fingers; it’s about preparing smarter. According to Halcyon, organizations should start to consider these insights to strengthen their defenses:
- Identify exfiltration attempts quickly.
- Detect ransomware behaviors and patterns early. Consider that AI will accelerate attackers' playbooks, so defenders will need to respond more quickly.
- Detect when attackers tamper with security tools.
- Manage 24/7 using ransomware experts.
- Decrypt your data, avoiding the ransom.
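As an added illustration of the first and third lessons above (not code from the article or from Halcyon), the following Python sketch runs two simple detections over constructed telemetry: an hourly egress volume far above a host's own baseline, which is how a days-long, multi-terabyte exfiltration like the Change Healthcare case surfaces, and an endpoint log message showing a security tool being stopped. Host names, field layout, baselines, keyword lists and the 10x ratio are all assumptions for the example.

```python
# Constructed sample telemetry, one tuple per record: (timestamp, host, kind, value).
# kind "egress": value is bytes sent to external addresses in that one-hour bucket.
# kind "service": value is a service-state message taken from the endpoint log.
SAMPLE_EVENTS = [
    ("2024-02-12T01:00", "srv-claims-01", "egress", 30_000_000),
    ("2024-02-12T02:00", "srv-claims-01", "egress", 28_000_000),
    ("2024-02-12T03:00", "srv-claims-01", "service", "EDR sensor service stopped by user svc_backup"),
    ("2024-02-12T03:00", "srv-claims-01", "egress", 900_000_000),
    ("2024-02-12T04:00", "srv-claims-01", "egress", 1_100_000_000),
    ("2024-02-12T04:00", "ws-hr-17", "egress", 5_000_000),
    ("2024-02-12T04:00", "ws-hr-17", "service", "Print Spooler service stopped"),
]

# Assumed per-host hourly baseline (for instance the median of the previous 30 days).
BASELINE_BYTES = {"srv-claims-01": 25_000_000, "ws-hr-17": 4_000_000}
EXFIL_RATIO = 10          # flag an hour that exceeds 10x the host's baseline (assumed threshold)
TOOL_WORDS = ("edr", "sensor", "antivirus", "defender")
TAMPER_WORDS = ("stopped", "disabled", "uninstalled", "terminated")

def detect_exfiltration(events, baselines, ratio=EXFIL_RATIO):
    """Return (host, hour, bytes) for egress buckets far above the host's baseline.
    Hosts with no baseline at all are reported too: an unknown sender deserves a look."""
    hits = []
    for ts, host, kind, value in events:
        if kind != "egress":
            continue
        base = baselines.get(host)
        if base is None or value > base * ratio:
            hits.append((host, ts, value))
    return hits

def detect_tool_tampering(events):
    """Return (host, hour, message) for service messages that name a security tool
    together with a stop/disable/uninstall action. Unrelated services are ignored."""
    hits = []
    for ts, host, kind, value in events:
        if kind != "service":
            continue
        msg = value.lower()
        if any(w in msg for w in TOOL_WORDS) and any(a in msg for a in TAMPER_WORDS):
            hits.append((host, ts, value))
    return hits

def correlate(events, baselines):
    """Hosts showing both signals: tampering plus a volume spike on the same host is
    the pattern the lessons above describe and the strongest signal to act on."""
    exfil_hosts = {h for h, _, _ in detect_exfiltration(events, baselines)}
    tamper_hosts = {h for h, _, _ in detect_tool_tampering(events)}
    return sorted(exfil_hosts & tamper_hosts)
```

On the constructed data only srv-claims-01 trips both detections; the spooler stop on ws-hr-17 is ignored because no security tool is named.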
In a connected world, where every minute offline is costly, resilience isn’t built in the middle of an attack; it’s built long before one ever begins.