13 Biggest Ransomware Attacks in History

Ransomware attacks are a digital nightmare that seems to come straight out of a dystopian novel. Yet it's a harsh reality faced by organizations worldwide. Across industries, from healthcare to higher education, no sector is left untouched by this kind of cybercrime. 

These 13 attacks, drawn from different corners of the world, lay bare the magnitude of financial losses, the ingenious strategies of the attackers, and the need for proactive cybersecurity measures.

Among these measures, agile penetration testing, a targeted and faster pentest designed to reveal vulnerabilities efficiently, emerges as a key piece to arm organizations with the needed defenses in this constant game of cat and mouse against cyber criminals.

13. MOVEit

• Type of Attack: Ransomware (exploiting a zero-day vulnerability in file transfer software)
• Year: 2023
• Attackers: Clop Ransomware Group
• Target Company: Various, including multiple organizations and government agencies
• Monetary Impact: Ransom demands in the hundreds of millions, with extensive data breaches reported.

In May 2023, the Clop ransomware group executed a significant attack targeting the MOVEit Transfer software, a widely used tool for secure file transfers. The attackers exploited a zero-day vulnerability in the software, allowing them to gain unauthorized access to sensitive data from various organizations, including government entities, universities, and private companies.

Clop not only encrypted files but also exfiltrated sensitive information, including personal data of employees and clients. The attackers utilized a double extortion strategy, threatening to release the stolen data if the ransom was not paid. As a result, many organizations faced significant reputational damage and legal implications, with some estimates suggesting the total ransom demands exceeded $100 million.

This incident highlights the ongoing evolution of ransomware tactics, where attackers not only seek immediate financial gain through ransom payments but also exploit vulnerabilities in widely used software, underscoring the critical importance of maintaining updated security protocols and software patches.

12. BlackCat/ALPHV

• Type of Attack: Ransomware-as-a-Service (RaaS)
• Year: 2021-Present
• Attackers: Unknown, believed to be a group of experienced ransomware operators
• Target Company: Various sectors, including healthcare and critical infrastructure
• Monetary Impact: Estimated damages in excess of $30 million, with significant ransom demands reported.

Since its emergence in late 2021, BlackCat (also known as ALPHV) has rapidly gained notoriety for its sophisticated approach to ransomware attacks. Utilizing a RaaS model, BlackCat allows affiliates to conduct attacks while sharing profits with the developers. The ransomware is known for its use of advanced encryption techniques and is capable of running on various operating systems, including Windows and Linux.

BlackCat operators typically employ phishing campaigns, exploit vulnerabilities, and leverage initial access brokers to gain entry into networks. Once inside, they exfiltrate sensitive data, deploy the ransomware, and threaten to release the stolen information if the ransom demands—often ranging from $1 million to several million—are not met.

The rise of BlackCat illustrates the growing trend of ransomware groups adopting modular approaches to attacks, allowing for greater customization and effectiveness. Organizations must prioritize cybersecurity measures, including employee training on recognizing phishing attempts and implementing robust endpoint security solutions, to defend against such threats.

11. DoppelPaymer

• Type of Attack: Ransomware (spear-phishing, unpatched vulnerabilities)
• Year: 2019-Present
• Attackers: DoppelPaymer Group
• Target Company: Various, including the City of Torrance, CA, Pemex (Mexican Oil Company), and University Hospital in Düsseldorf (resulting in the death of a patient)
• Monetary Impact: Estimated in the tens of millions; Europol reports at least €40 million

DoppelPaymer emerged in 2019, and unlike many ransomware campaigns that use automated systems for mass distribution, it is manually delivered after an initial network compromise. To maximize disruption, the attackers perform thorough network mapping, data exfiltration, and privilege escalation before initiating the DoppelPaymer ransomware.

The ransomware uses multi-threading for faster encryption, and it can also operate offline, encrypting files without needing to communicate with its command and control servers. DoppelPaymer has been responsible for several high-profile attacks, random demands ranging from 2 to 100 Bitcoin, and data breaches leading to sensitive information being sold on the dark web.

10. Ryuk 

• Type of Attack: Ransomware (initial compromise, usually TrickBot infection)
• Year: 2018-present
• Attackers: Unclear, possibly various groups using the Ryuk malware or Wizard Spider (Russia)
  
• Target Company: Various, mostly healthcare and municipalities.
• Monetary Impact: Some sources claim they've made over $150 million; individual ransom demands reported from 15 to 500 Bitcoin.

Emerging in mid-2018, Ryuk ransomware quickly became a major threat to large organizations. Unlike many ransomware campaigns that use automated mass distribution, Ryuk is manually delivered after an initial network compromise. The attackers carry out extensive network mapping, data exfiltration, and credential harvesting before launching the Ryuk ransomware, causing maximum disruption.

Ryuk uses a combination of RSA-2048 and AES-256 for encryption, making it virtually unbreakable without the decryption keys. The malware is also designed to encrypt network drives, resources, and remote hosts. Ryuk has been responsible for numerous high-profile attacks, with ransom demands ranging from 15 to 500 Bitcoin (approximately $100,000 to $3.7 million). The list of communities that paid ransom includes Jackson County, Georgia ($400,000), Riviera Beach, Florida ($594,000), and LaPorte County, Indiana ($130,000). Bedform, MA and New Orleans refused to pay.

9. Colonial Pipeline 

• Type of Attack: Ransomware (phishing, remote system exploitation)
• Year: 2021
• Attackers: Believed to be the hacker group known as DarkSide.
• Target Company: Colonial Pipeline
• Monetary Impact: $4.4 million ransom

In May 2021, a hacker group named DarkSide launched a ransomware attack on the Colonial Pipeline's IT network. The group exploited an exposed VPN account with a reused password, stealing 100 gigabytes of data within two hours. To isolate the operational technology systems from the compromised IT network, Colonial Pipeline shut down its operations, causing a disruption in fuel supply across the East Coast.

To regain control of its systems, the company paid a ransom of 75 Bitcoin, approximately $4.4 million at that time. This marked the largest publicized cyber-attack on US critical infrastructure. In response, the US government rolled out initiatives like stopransomware.gov and the Joint Ransomware Task Force to bolster the nation's cyber defenses.

8. REvil/Sodinokibi 

• Type of Attack: Ransomware (zero-day vulnerability)
• Year: 2019-2021
  
• Attackers: REvil Group
• Target Company: Kaseya and downstream customers; JBS
• Monetary Impact: Demanded $70 million ransom for universal decryption code.

The REvil group emerged as a major ransomware threat in 2019, but their most disruptive operations started in 2020. Their tactics evolved over time, but the main methods were to target vulnerabilities in software or trick users into downloading the ransomware through phishing emails or by exploiting Remote Desktop Protocol (RDP) weaknesses. Once inside a network, REvil moved laterally, escalating privileges, gaining administrative control, and then deploying the ransomware to encrypt files on the affected system.

REvil is known for using a double extortion method. Before launching the encryption process, they stole sensitive data from the targeted networks. After encrypting the victim's files, they demanded a ransom in exchange for the decryption key. If victims hesitated or refused to pay, REvil threatened to leak the stolen data on their "Happy Blog" to increase pressure on the victims.

One of their most notorious attacks was the Kaseya VSA supply-chain attack in 2021. REvil exploited a zero-day vulnerability in the Kaseya VSA software, a tool IT organizations use to manage and monitor IT infrastructure. By exploiting this vulnerability, they could distribute ransomware to many of Kaseya's clients, affecting up to 1,500 businesses worldwide.

Another significant attack involved JBS, the world's largest meat processor. In that case, REvil used a successful spear-phishing campaign to gain access to the JBS systems, leading to JBS paying $11 million to prevent the data leak.

7. NetWalker/UCSF

• Type of Attack: Ransomware (phishing, exploiting VPN vulnerabilities)
• Year: 2020
• Attackers: NetWalker (aka "Malito," aka Sebastien Vachon-Desjardins, a Canadian national)
• Target Company: Dozens of victims, specifically the University of California, San Francisco (UCSF)
• Monetary Impact: Tens of millions; a $1.14 million ransom from UCSF)

NetWalker, a RaaS company, is known for targeting those who would likely pay large ransoms due to the critical nature of their data. The ransomware is typically delivered via phishing emails with malicious attachments, exploiting vulnerabilities in VPN appliances or brute-forcing Remote Desktop Protocol (RDP) credentials. Once inside the network, NetWalker can move laterally, escalate privileges, and then deploy the ransomware.

In June 2020, UCSF fell victim to a NetWalker ransomware attack that significantly disrupted their operations. The UCSF attack, primarily affecting the School of Medicine's IT infrastructure, didn't compromise patient care or ongoing COVID-19 research, but the ransomware encrypted critical academic data and important records.

6. GandCrab

• Type of Attack: Ransomware-as-a-service (RaaS) (phishing, exploit kits)
• Year: 2018-2019
• Attackers: Unknown, operators announced 'retirement' in 2019
  
• Target Company: Various, including businesses and individuals (PCs using MS Windows)
• Monetary Impact: Estimated to have extorted over $2 billion from victims

GandCrab emerged in 2018 and rapidly became one of the most widespread and lucrative ransomware attacks. What set GandCrab apart was its RaaS model, where the malware was licensed to affiliates who then conducted attacks and shared a percentage of the profits with the GandCrab developers.

The ransomware was primarily spread through phishing emails and exploit kits, particularly the GrandSoft and RIG kits. Once on a victim's system, GandCrab encrypted files and demanded a ransom in Dash cryptocurrency to decrypt them.

5. SamSam

• Type of Attack: Ransomware (manual deployment after network penetration)
• Year: 2016-2018
• Attackers: The US indicted Faramarz Shahi Savandi and Mohammad Mehdi Shah of Iran.
• Target Company: Over 200 victims, including municipalities, hospitals, and public institutions.
• Monetary Impact: Over $6 million in ransom payments and $30 million in other losses were estimated.

From 2016 to 2018, SamSam ransomware targeted a variety of sectors, specifically healthcare, government, and education. Unlike other ransomware attacks that are usually automated, the attackers manually deployed SamSam after gaining access to the target networks through JBoss servers or by exploiting vulnerabilities in VPNs or RDP connections. They then escalated privileges and moved laterally through the network before deploying the ransomware.

The city of Atlanta and Hancock Health were among the notable victims, with ransom demands often exceeding $50,000. The attack caused massive disruption, with the city of Atlanta spending more than $2.6 million on recovery efforts.

4. Locky

• Type of Attack: Ransomware (phishing emails distributing a macro in a Word document)
• Year: 2016 - 2018
• Attackers: Unknown, possibly the Dridex hackers (aka Evil Corp or TA505)
• Target Company: Various ( predominantly healthcare providers in the US, Canada, France, Japan, Korea, and Thailand)
• Monetary Impact: Estimated at $1 billion.

Locky, active primarily between 2016 and 2018, was one of the most prolific ransomware strains, spreading via massive phishing campaigns. It was delivered through an email with a malicious Word document attachment. Once the user opened the document and enabled macros, the ransomware payload was downloaded and executed.

Locky encrypted a wide range of data file types, scrambled filenames, and demanded a Bitcoin payment for decryption. Notably, it could also encrypt files on network shares, amplifying its potential for damage. Locky used a combination of RSA and AES encryption, rendering the victim's files inaccessible until a ransom was paid. Typically, the attackers demanded between 0.5 to 1 Bitcoin.

3. ExPetr / NotPetya 

• Type of Attack: Ransomware (A wiper exploiting an SMB vulnerability)
• Year: 2017
• Attackers: Likely Russian-sponsored threat actors
• Target Company: Various, but severely impacted Maersk and Merck
• Monetary Impact: Estimated $10 billion

In June 2017, the ExPetr, also known as NotPetya, ransomware attack swept the globe, causing significant disruptions and damages. Unlike conventional ransomware, ExPetr wasn't designed to extort money; instead, it was engineered to cause maximum destruction. It was designed to attack Ukraine but was too effective to be contained.

NotPetya was soon discovered to be a wiper — malware designed to erase data — in disguise. It targeted Windows systems, exploiting an SMB vulnerability called EternalBlue, which was also exploited by the infamous WannaCry ransomware a month earlier.

The wiper spread rapidly, encrypting the master boot record (MBR) to make the affected systems unbootable. Once inside a network, it used a variety of methods, including the Mimikatz tool, to gather credentials and spread laterally.

Maersk, a global shipping company, and pharmaceutical giant Merck were among the hardest hit, with Maersk reporting losses of approximately $300 million. The overall financial damage caused by NotPetya was estimated at around $10 billion, making it the most expensive known attack in history.

2. WannaCry 

• Type of Attack: Ransomware (vulnerability in SMB protocol)
• Year: 2017
• Attackers: Believed to be the Lazarus Group
• Target Company: Multiple (global attack); Microsoft Windows users
• Monetary Impact: Estimated $4 billion.

In May 2017, the WannaCry ransomware attack spread across 150 countries, ultimately affecting over 200,000 computers. Initial cost estimates reached about $4 billion, but some groups have claimed that potential future losses in the U.S. alone could exceed $7 trillion.

The WannaCry ransomware attack was particularly effective and damaging due to its method of propagation and the vulnerabilities it exploited. WannaCry capitalized on a critical vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol called EternalBlue. The vulnerability is believed to have been developed by the US National Security Agency (NSA) and later leaked by a group called the Shadow Brokers.

The purpose of WannaCry, like all ransomware, was to encrypt files on a victim's computer, rendering them inaccessible. Once the files were encrypted, the ransomware would display a screen informing the victim of the encryption and demanding a ransom in Bitcoin in exchange for a decryption key. The standard demand was $300, which would be doubled if the payment wasn't made within three days.

Once it infected a system, WannaCry acted like a worm, moving laterally through networks and automatically spreading itself without any user interaction. This gave it the ability to propagate quickly on a massive, global scale, causing widespread damage and disrupting critical infrastructures like healthcare services, finance, logistics, and transportation networks.

1. CryptoLocker

• Type of Attack: Ransomware (Trojan Horse)
• Year: 2013-2014
• Attackers: Evgeniy Mikhailovich Bogachev (Russia) is wanted by the FBI for this role
• Target Company: Various, primarily Windows users
• Monetary Impact: Approximately $3 million in ransom payments.

CryptoLocker ransomware is a Trojan Horse delivered to victims mostly through malicious email attachments, typically in the form of a ZIP file posing as a PDF. Once the victim opened the file, the malware would encrypt a range of file types, including documents and photos, on the victim's computer and mapped network drives. The victim would then see a ransom demand, typically around $300 in Bitcoin or via a prepaid voucher, with a time limit for payment. If the ransom wasn't paid within the stipulated time, the decryption key was deleted, leaving the files permanently inaccessible.

The ransomware was unique for its time in that it used advanced encryption methods, making it virtually impossible for victims to recover their files without paying the ransom. It also used a decentralized infrastructure for command and control, leveraging the Gameover ZeuS botnet, which made it challenging for authorities to disrupt.

CryptoLocker was eventually neutralized in May 2014 through Operation Tovar, a concerted effort by international law enforcement and cybersecurity firms.

The Role of Pentesting in Preventing Cybercrime

After reading through the details, it's clear why companies need penetration testing as part of their cybersecurity strategy. Pentesters help identify vulnerabilities and provide actionable remediation advice, improving an organization's security posture and helping them build cyber resilience - whether it's against ransomware or other types of cyberattacks. Learn more about more recent ransomware attacks with Bitcoin.

Read more about Cobalt's innovative approach to Pentesting with our Pentest as a Service platform for Comprehensive Penetration Testing for Compliance or our targeted and cost-efficient approach with Agile Pentesting Services.

FAQ