Real-World Ransomware Examples

The two main types of ransomware are generally considered:

• Crypto ransomware (Encryptors) - a type of ransomware that encrypts files on a victim's system, rendering them inaccessible without a decryption key. Examples include WannaCry and CryptoLocker.
• Locker ransomware – which prevents the victim from accessing their device files or apps entirely. Examples include WinLock, Reveton, and Android-targeting Simplocker.

However, over time, various other types of ransomware with unique characteristics and methods of attack emerged:

• Scareware - uses scare tactics to trick victims into paying a ransom, often claiming to have detected a non-existent virus or legal issue.
• Doxware (Leakware) - threatens to publish the victim's data online unless a ransom is paid. An example is the Maze ransomware.
• Ransomware as a Service (RaaS) - a business model where ransomware developers sell or lease their ransomware tools to affiliates who then carry out attacks. This model has democratized access to ransomware, leading to a proliferation of attacks.

The exact ransomware impact is difficult to estimate due to fragmented information and the reluctance of many victims to come forward. Nevertheless, there are general trends that can be observed, such as that judging by purely ransomware payments, 2023 hit an all-time record of $1.1 billion. But this is only the tip of the iceberg. If we include ransom payments, downtime, lost data, and recovery costs, the cost could likely exceed $70 billion in damages by 2026. 

The frequency of ransomware attacks and their sophistication have been increasing steadily. According to cybersecurity studies, there was a significant spike in ransomware attacks during the COVID-19 pandemic, with attackers exploiting the shift to remote work and the increased reliance on digital infrastructure. The number of ransomware attempts organizations detected in 2023 has decreased, meanwhile, to 317 million, from 623 million in 2021. Despite of that, studies indicate a year-over-year growth rate in ransomware provoked damages of approximately 30% to 40%. This growth is driven by factors such as the rise of Ransomware as a Service, the increasing value of digital data, and the relative ease with which attackers can target vulnerable systems.

Ransomware families are groups of ransomware that share common characteristics, codes, or methodologies, often created by the same threat actors. These families can evolve over time, adding new capabilities or modifying their attack strategies to evade detection and increase their impact. While some ransomware families are clearly associated with specific threat actors or groups, others are more difficult to attribute due to the use of obfuscation techniques and the nature of cybercriminal operations. 

Ransomware is evolving at a high rate, with different types frequently rising and falling in prevalence. For instance, in early 2024, LockBit was a major player, but its dominance quickly shifted due to factors like the arrest of its leader and the rise of other groups. To stay informed and protected, the safest method is to monitor threat intelligence by regularly reviewing reports from reputable cybersecurity sources to track the latest trends and shifts in ransomware activity. 

Based on their historical impact, prevalence, and the notable characteristics that distinguish them from other ransomware, here is our take on the top 5 ransomware families you should know about, as their tactics and techniques have had a lasting influence on the cybersecurity landscape.

1. WannaCry

This crypto ransomware worm exploited the EternalBlue vulnerability in Windows SMB protocol, spreading rapidly in 2017, infecting over 200,000 computers across 150 countries and causing an estimated $4 billion in damages. WannaCry encrypted files and demanded ransom payments in Bitcoin. A unique aspect of WannaCry's timeline is its accidental “kill switch,” discovered by researchers, which significantly slowed its spread. 

While widely believed to be the work of North Korea's Lazarus Group, there is still no definitive proof of attribution. Despite its age, WannaCry remains a threat to unpatched systems and has inspired numerous copycats. Its legacy is that today, organizations pay much more attention to patching vulnerabilities and maintaining regular backups.

2. Petya / NotPetya 

Also dubbed GoldenEye, this extremely destructive duo initially emerged in 2016, targeting the master boot record (MBR) of Windows computers to take systems hostage. The NotPetya variant, which appeared in 2017, was even more damaging, permanently encrypting files. Both Petya and NotPetya exploited the EternalBlue vulnerability; however, the latter is often considered a separate attack, designed more as a cyberweapon than a ransomware tool, with the primary goal of causing destruction rather than financial gain. Widely attributed to being a cyberweapon deployed by Russia against Ukraine, it caused around $10 billion in damages globally, with Ukraine being hit particularly hard. NotPetya spread through a compromised software update and rendered systems unbootable by overwriting the MBR, leading to severe operational disruptions.

3. Ryuk

This is a targeted ransomware that has heavily impacted large organizations and critical infrastructure since 2018. Operated by the cybercrime group Wizard Spider, Ryuk is known for its high ransom demands, sometimes over $1 million. It is manually deployed after network compromise and uses encryption to lock victims out of systems, disabling Windows System Restore to prevent recovery. 

4. GandCrab 

This innovative ransomware-as-a-service (RaaS) operation was active in 2018-2019. It relied on affiliates to distribute the malware, offering them a percentage of paid ransoms. GandCrab infected over 1.5 million victims globally, extorting an estimated $2 billion. It frequently evolved in order to evade detection and decryption, and gained notoriety for its aggressive marketing tactics on cybercrime forums. Files were encrypted with specific extensions like .GDCB and .CRAB, and ransom notes provided instructions for payment. GandCrab shut down in June 2019, claiming to have made enough money. There were also successful decryption efforts, offering some of the victims a way to recover their data.

5. REvil (Sodinokibi) 

This a highly prolific ransomware-as-a-service (RaaS) operation that emerged in 2019 and was active until 2021, when it mysteriously disappeared, likely due to law enforcement actions. It compromised numerous organizations worldwide, and the group made headlines for demanding a $70 million ransom in the Kaseya supply chain attack. REvil employed double extortion tactics, that is, encrypting files plus stealing data, putting extra pressure on victims to pay ransom. REvil operated a "Happy Blog" on the dark web where they leaked stolen data to further pressure victims. REvil's activities prompted increased scrutiny of supply chain vulnerabilities. Find here the free decryptor key.

• Cerber is known for its robust encryption methods and widespread use in 2016, often distributed via phishing emails. It caused extensive financial damage and data loss, targeting a wide range of sectors. Cerber was among the first ransomware strains to adopt the ransomware-as-a-service (RaaS) model, contributing to its widespread distribution and success. The ransomware underwent numerous updates, each with different features and encryption methods, challenging security researchers to develop effective countermeasures.
• Conti targets critical infrastructure and was first identified in 2020, operated by the Wizard Spider group. It employs double extortion tactics, encrypting files with a specific extension and threatening to publish stolen data on its dark web leak site if ransoms are not paid. Operating as a Ransomware-as-a-Service (RaaS), the ransomware often gained initial access through phishing emails, stolen credentials, or exploiting vulnerabilities. In May 2022, a Conti affiliate threatened to overthrow the new Costa Rican government after attacking the country’s administrative systems, demanding $20 million for decryption keys. The attack led to a state of emergency in Costa Rica. Despite officially shutting down in May 2022, its members are believed to have rebranded and continued operations under different names.
• CryptoLocker is one of the earliest and most well-known ransomware families, emerging in 2013 and spreading primarily through email attachments. It caused significant data loss and financial damage, using strong RSA encryption to lock files and demanding ransom payments in Bitcoin. CryptoLocker raised awareness of ransomware as a major cyber threat and was distributed through the Gameover ZeuS botnet. Law enforcement and security researchers disrupted the botnet in Operation Tovar, providing decryption keys for some victims. CryptoLocker inspired numerous copycat strains and significantly influenced the evolution of ransomware.
• DarkSide targets large organizations and high-value targets, emerging in 2020. Notorious for the Colonial Pipeline attack in May 2021, it caused significant fuel shortages in the southeastern United States. DarkSide employs double extortion tactics, encrypting files and threatening to release stolen data. Operating as a Ransomware-as-a-Service (RaaS), the group used advanced techniques, making it difficult to detect and combat, and maintained a dark web site to pressure victims. Despite allegedly shutting down in May 2021, its members likely rebranded and continued operations under different names. In 2021, Bitdefender released a decryptor key for DarkSide.
• DoppelPaymer is known for its double extortion tactics, active since mid-2019, targeting large enterprises. Likely operated by the Evil Corp cybercrime group, DoppelPaymer gains initial access through phishing emails or exploiting software vulnerabilities. It threatens to leak stolen data if the ransom is not paid, encrypting files with a specific extension. Notable victims include the city of Torrance, California, and Foxconn manufacturing. 
• Hive emerged in 2021, targeting healthcare organizations with double extortion tactics. Operating as a Ransomware-as-a-Service (RaaS), Hive spread rapidly, commonly gaining access through phishing emails, RDP vulnerabilities, and compromised credentials. Hive caused significant disruptions by publishing stolen data if ransoms were not paid, and notable incidents included high-profile attacks on healthcare organizations, severely impacting patient care. In early 2023, the FBI infiltrated Hive's network, obtained decryption keys, and distributed them to victims, significantly disrupting Hive's operations.
• LockBit is a ransomware family that emerged in 2019 and is known for its self-spreading capabilities, rapid encryption speeds, and double extortion tactics. Operating as a Ransomware-as-a-Service (RaaS), the ransomware gained prominence in early 2024, with a high number of victims reported in March. However, its dominance fluctuated throughout the year due to law enforcement actions and competition from other ransomware groups. LockBit employs advanced features like automation and anti-analysis techniques. It typically gains initial access through phishing emails, stolen credentials, or exploiting vulnerabilities. Once inside a network, LockBit can rapidly spread and encrypt files, appending a specific extension. To further pressure victims, LockBit operates a data leak site where they publish stolen data from those who refuse to pay.
• Locky is one of the most widespread ransomware families, first detected in 2016 and active for several years. It spread primarily through malicious email attachments, notably during a massive spam campaign in 2016. Locky encrypts a wide variety of file types, significantly disrupting affected systems and industries. It is known for its rapid updates to evade antimalware detection, appending specific extensions like .locky or .zepto to encrypted files. While some variants were decryptable, many remained resistant to decryption efforts.
• Maze is a ransomware family known for its double extortion tactics, which emerged in 2019 and often spread through exploit kits. Maze primarily targeted large corporations and government agencies, using sophisticated spear-phishing campaigns to gain initial access. Maze caused significant financial and reputational damage by publishing stolen data on a public website if the ransom was not paid, adding a specific extension to encrypted files. Although Maze officially shut down in November 2020, it later rebranded as Egregor, continuing its double extortion tactics and leaving a lasting impact on the ransomware landscape.
• SamSam targets vulnerable servers and has been particularly active between 2015-2018, focusing on healthcare, government institutions, and critical infrastructure. Unlike many other ransomware variants, SamSam is manually deployed after attackers gain access to a network, often through brute-force attacks or exploiting vulnerabilities. It is notorious for demanding high ransoms and causing prolonged operational disruptions. SamSam attacks are carefully planned and executed, with attackers sometimes engaging in ransom negotiations. 

Below we highlights some of the most significant ransomware attacks ever, based on their impact, tactics, and peculiarities. Understanding the evolution of these attacks can help organizations to prepare and defend against future threats.

1. AIDS Trojan (1989): The AIDS Trojan, also known as the PC Cyborg Virus, is considered the first ransomware attack. Distributed via 20,000 floppy disks labeled as an AIDS information program, it encrypted file names and demanded a $189 ransom sent to a P.O. box in Panama. Although primitive, it set the stage for future ransomware tactics.
2. GPCode (2006): GPCode marked the return of ransomware in the internet era. It spread via email and encrypted files, demanding ransoms between $20 to $70. Although it used weak encryption that was easily broken by security experts, GPCode demonstrated the potential of ransomware as a lucrative cybercrime.
3. CryptoLocker (2013): CryptoLocker, active from 2013 to 2014, was one of the first ransomware attacks to use strong encryption and demand Bitcoin for payment. It spread through phishing emails and extorted approximately $3 million from victims before being neutralized by Operation Tovar, a coordinated law enforcement effort​​.
4. CryptoWall (2014): Following CryptoLocker, CryptoWall became one of the most successful early ransomware campaigns, extorting over $18 million. It spread through phishing emails and exploit kits, manifesting growing sophistication and profitability for ransomware attacks.
5. SamSam (2016-2018): Unlike automated attacks, SamSam involved manual deployment after gaining network access through vulnerabilities in VPNs and RDP connections. The city of Atlanta and Hancock Health were notable victims, with recovery costs exceeding $2.6 million​​.
6. WannaCry (2017): Exploiting the EternalBlue vulnerability in Windows, WannaCry infected over 200 thousand computers in 150 countries, provoking an estimated $4 billion in damages. The attack highlighted the importance of timely software updates and patching vulnerabilities​​.
7. NotPetya (2017): NotPetya, initially targeting Ukraine, caused widespread disruption and financial losses estimated at $10 billion. It spread through the same EternalBlue vulnerability as WannaCry, demonstrating the severe impact of unpatched systems​​.
8. Ryuk (2018): Ryuk ransomware targeted large organizations, including healthcare providers and financial institutions, demanding high ransom payments, often in the millions. Known for its sophisticated encryption and deployment tactics, Ryuk caused significant operational disruptions and financial losses​​.
9. Colonial Pipeline (2021): The attack on Colonial Pipeline by the DarkSide group disrupted fuel supplies across the U.S. East Coast. The company paid a $4.4 million ransom, although some of it was later recovered. The incident prompted a federal response to bolster cybersecurity defenses for essential services​​.
10. Kaseya (2021): In a significant supply chain attack, REvil ransomware operators exploited a vulnerability in Kaseya’s VSA software, affecting around 1,500 businesses globally. The attackers demanded a $70 million ransom for a universal decryptor, emphasizing the risks associated with software supply chain vulnerabilities​​.
11. Costa Rica Government (2022): A ransomware attack by the Conti group forced Costa Rica to declare a national state of emergency. Multiple government agencies were affected, causing estimated daily losses of $30 million. This attack underscored the increasing threat of ransomware to national security​​.
12. British Library (2023): In October 2023, the British Library went through a ransomware attack that took down its website and compromised personal data. The attackers employed double extortion tactics, threatening to sell stolen data unless a ransom was paid. The incident showed that even cultural institutions are at risk and should pay special attention to robust cybersecurity measures​​.
13. Change Healthcare (2024): In early 2024, Change Healthcare, a major technology company, fell victim to a ransomware attack using double extortion tactics, encrypting critical systems and threatening to release stolen patient data unless a $22 million ransom was paid. This attack is notable for its large payout and the significant disruption it caused to healthcare services, delaying prescription fillings and leading to financial losses exceeding $1 billion. The incident follows the growing trend of double extortion and the increasing scale of ransom demands.

When people who have heard of ransomware think about it, WannaCry is likely the first name that pops out, and for good reasons, considering its massive global impact and extensive media coverage. In May 2017, WannaCry infected hundreds of thousands of computers in over 150 countries, disrupting businesses, government agencies, and critical infrastructure. While WannaCry is the most famous among the general public, NotPetya is equally significant within cybersecurity circles. Emerging shortly after WannaCry in 2017, NotPetya caused extensive economic damage, with losses estimated at $10 billion. It disrupted major corporations like Maersk, Merck, and FedEx. Unlike typical ransomware, NotPetya acted more as a wiper, designed to destroy data rather than extort ransom, showing ransomware's potential as a cyberweapon. Its spread through a compromised software update mechanism and the use of the EternalBlue exploit demonstrated a high level of sophistication.

It's important to remember that this list only includes publicly known and confirmed payments. Many organizations choose not to disclose ransom payments due to various reasons, including legal and reputational concerns. Therefore, the actual figures may be much higher.

1. CNA Financial (2021): The largest ransomware payment ever recorded was made by CNA Financial, a major U.S. insurance company. In March 2021, CNA Financial faced a ransomware attack that led to a ransom payment of $40 million to regain control of its IT systems and data.

Amount Paid: $40 million 

Ransomware: EvilCorp

2. Change Healthcare (2024):  The attack encrypted critical systems and threatened to release stolen patient data. Change Healthcare paid the ransom to secure the data and restore operations, but patient data still made it to the dark web

Amount Paid: $22 million

Ransomware: BlackCat/ALPHV

3. JBS Foods (2021): The attack disrupted global meat processing operations, forcing JBS to pay the ransom to restore operations and secure their data.

Amount Paid: $11 million 

Ransomware: REvil

4. CWT Global (2020): CWT, a travel management company, paid the ransom to recover stolen data and restore its systems after the ransomware attack affected 30,000 computers.

Amount Paid: $4.5 million 

Ransomware: Ragnar Locker

5. Colonial Pipeline (2021): The attack led to significant fuel supply disruptions across the U.S. East Coast. The company paid the ransom to regain control of its systems, and a portion of the money was later recovered by authorities.

Amount Paid: $4.4 million 

Ransomware: DarkSide