Top 10 Ransomware Attacks
Ransomware attacks extort money by encrypting, stealing or threatening to publish an organisation's data, causing financial and reputational damage to companies worldwide. Despite increased security and education efforts, the FBI still cites ransomware as a major cyber threat to business.
Attackers now also threaten to sell or publish stolen data to pressure organisations into paying a larger ransom (so-called double extortion). Payments of this kind rose 144% in 2021 compared with 2020, and the average reported ransomware payment in 2022 was US$4.7m.
Data breaches are becoming more frequent, with Aon among the companies recently caught up in the MOVEit file-transfer breach that compromised a number of notable businesses. Cyber Magazine therefore looks at 10 ransomware attacks that had lasting, large-scale impacts in terms of financial loss.
10: AIDS Trojan
AIDS Trojan, also known as PC Cyborg, is regarded as the first ransomware, appearing in 1989. Dr Joseph L. Popp mailed roughly 20,000 floppy discs, labelled as an AIDS information questionnaire, to individuals and medical institutions. The disc also installed the trojan, which after roughly 90 reboots hid directories and scrambled file names, then displayed a message demanding US$189 for software that would restore access.
The encryption was weak (a simple symmetric scheme, so file names could be recovered with a decryption tool), but the attack is widely viewed as the template for everything that followed, and an early illustration of why backups and data security measures matter.
9: CryptoLocker
CryptoLocker was a trojan that targeted computers running Microsoft Windows between late 2013 and mid-2014, extorting an estimated US$3m from victims. It spread through infected email attachments and through the Gameover ZeuS botnet.
It encrypted the victim's files with a key pair generated per infection, the private half of which was held only on the attackers' servers, and then demanded a ransom, payable in bitcoin or by pre-paid cash voucher, to recover the files. The botnet behind it was taken down in 2014 (Operation Tovar), but unrelated ransomware families still borrow the CryptoLocker name to target organisations and individuals today.
8: SamSam
The SamSam actors targeted organisations in multiple industries, predominantly in the US and including some within critical infrastructure, that exposed Windows servers to the internet. Rather than infecting individual machines opportunistically, the operators broke into a network, moved laterally, and then deployed the ransomware by hand to as many hosts as they could reach, encrypting across the whole estate at once.
They gained entry by exploiting vulnerabilities in internet-facing servers (and, later, by brute-forcing RDP credentials) to establish persistent access, prompting a joint alert from the FBI and DHS's NCCIC (now part of CISA) in December 2018. By then SamSam had collected roughly US$6m in ransom payments, with victim losses estimated well above that.
7: DoppelPaymer
Still regarded as an active threat, DoppelPaymer first appeared in 2019 and is believed to be derived from the BitPaymer ransomware, given the similarities in code, ransom notes and payment portals. Before encrypting, it uses a bundled copy of the Process Hacker utility to terminate services and processes belonging to security, email server, backup and database software, so that open files can be encrypted and recovery is harder. It then threatens victims with publication of their stolen files on its data leak site if they do not pay.
Its incidents have left victims, often critical organisations, struggling to carry out normal operations. Ransom demands have reached as high as US$1m for large organisations.
6: Costa Rica Government
In April 2022 the Russia-aligned Conti group attacked the Costa Rican government, hitting around 30 institutions and demanding a US$10m ransom (later doubled) in exchange for not releasing data stolen from the Ministry of Finance, potentially including citizens' tax returns and records of companies operating in the country. The newly inaugurated president declared a national emergency and said the country was "at war" with the attackers.
With the tax and customs systems offline, losses were put at US$30m a day, and the affected ministries had to fall back on manual processes for weeks. The nation is still dealing with the repercussions today.
5: Ryuk
Ryuk, another ransomware whose demands ran to seven figures, preyed on large organisations that could meet them. In September 2020 a Ryuk attack hit Universal Health Services (UHS), a hospital operator, and cost the company US$67m.
Ryuk does not encrypt as soon as it reaches a system. The operators typically gain entry through an earlier infection such as TrickBot or Emotet, spend days mapping the network and harvesting credentials, and only then push the ransomware to hosts across the whole estate.
Before encrypting, it deletes volume shadow copies and disables Windows System Restore so that the victim cannot roll back to a previous, uninfected state.
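The recovery-inhibition steps above (Ryuk's shadow-copy deletion and System Restore tampering, and the security/backup/database service termination that DoppelPaymer delegates to Process Hacker) are the most reliable pre-encryption signal a defender gets. The following detector is an added example, not code from the original article or from any vendor: it scans process-creation events for those commands and raises the severity when several distinct techniques come from one parent process. The events in SAMPLE_LOG are constructed to resemble Sysmon Event ID 1 records exported as JSON lines; the field names, paths, users and the keyword list of sensitive services are assumptions made for the example.

```python
"""Recovery-inhibition detector for process-creation logs (added example)."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Commands that destroy local recovery options or stop defences/backups.
# Regexes run against the full command line, case-insensitively.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_storage_resize",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadow_deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("service_stop",
     re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+/im)\b", re.I)),
]

# Stopping a service is routine administration; only flag it when the target
# looks like security, backup, database or mail software. Assumed list.
SENSITIVE_TARGETS = ("sql", "exchange", "veeam", "backup", "acronis",
                     "defender", "sense", "sophos", "mcafee", "symantec", "oracle")


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    parent: str
    command_line: str


def evaluate(event: dict) -> list:
    """Return one Finding per rule that matches this process-creation event."""
    cmd = event.get("CommandLine", "")
    out = []
    for name, pattern in RULES:
        if not pattern.search(cmd):
            continue
        if name == "service_stop" and not any(t in cmd.lower() for t in SENSITIVE_TARGETS):
            continue
        out.append(Finding(name, event.get("User", "?"), event.get("ParentImage", "?"), cmd))
    return out


def detect(log_lines: str) -> list:
    """Parse JSON-lines Sysmon-style events and evaluate the process-creation ones."""
    findings = []
    for raw in log_lines.strip().splitlines():
        event = json.loads(raw)
        if event.get("EventID") != 1:
            continue
        findings.extend(evaluate(event))
    return findings


def staging_suspects(findings, threshold: int = 3) -> dict:
    """Group findings by (user, parent process). Several distinct techniques
    from one parent is the pre-encryption staging pattern, not admin work."""
    seen = defaultdict(set)
    for f in findings:
        seen[(f.user, f.parent)].add(f.rule)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}


# Constructed sample events (Sysmon Event ID 1 shape, JSON lines). Not real data.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc_backup"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc_backup"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbadmin.exe", "CommandLine": "wbadmin.exe delete catalog -quiet", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc_backup"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit.exe /set {default} recoveryenabled No", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc_backup"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net.exe stop \"Veeam Backup Service\" /y", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc_backup"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill.exe /IM sqlservr.exe /F", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc_backup"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net.exe stop Spooler", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\jsmith"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "10.0.0.5", "User": "NT AUTHORITY\\SYSTEM"}
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f"{f.rule:<26} {f.user:<18} {f.command_line}")
    for (user, parent), rules in staging_suspects(found).items():
        print(f"\nLIKELY PRE-ENCRYPTION STAGING: {user} via {parent}: {', '.join(rules)}")
```

The benign "net.exe stop Spooler" line is deliberately included: it matches the service-stop regex but not the sensitive-target filter, so it produces no finding, while the six commands from the same cmd.exe parent trip five distinct rules and are reported together. In a real deployment the grouping window should be bounded in time and the rule fed from the endpoint's actual telemetry rather than a string.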
4: REvil (Sodinokibi)
REvil (Ransomware Evil), also tracked as Sodinokibi, was a Russia-based private ransomware-as-a-service (RaaS) operation; the two names refer to the same malware. Its affiliates hit, among others, the transportation and financial sectors.
The ransomware encrypts files on a system, covering extensions such as .jpg, .java, .raw and .png among many others, and shows a ransom note on screen. In 2021 it focused on US companies; its attacks on meat processor JBS and on the Kaseya VSA remote-management platform (through which hundreds of downstream businesses were hit) triggered a major law-enforcement crackdown, and the operation is now reported to be inactive. Net losses have been estimated at around US$200m.
3: TeslaCrypt
TeslaCrypt's total losses are unknown, but it asked roughly US$500 per victim. The scale, however, was large: it targeted 185 file types associated with some 40 popular games, including the Call of Duty series, World of Warcraft and Minecraft.
The ransomware went after saved games, player profiles, custom maps and game modifications stored on the victim's hard drive, encrypting files of up to 4GB. Later versions also encrypted Word, PDF, JPEG and other document types, pressing victims to pay the US$500 for the decryption key. The operators shut down in May 2016 and released their master key, which allowed free decryption tools to be built.
2: NotPetya
NotPetya, which appeared in June 2017, spread across networks using the same EternalBlue exploit as WannaCry (see below), but the damage it did could not be undone. It overwrote the master boot record of Windows machines and encrypted the file system's master file table, leaving the system unbootable.
Alongside EternalBlue, it harvested credentials from memory and used legitimate Windows administration tools to reach machines that had already been patched, and the "ransom" was a pretence: the per-victim installation ID was random, so no key could be produced even for those who paid. The attack was widely judged to be politically motivated and aimed at Ukraine, where some 80% of the affected organisations were based; the UK and US governments later attributed it to Russia's military intelligence agency, the GRU.
The initial entry point was a backdoored update of M.E.Doc, a Ukrainian accounting package, delivered through the vendor's own update mechanism. NotPetya remains one of the most costly cyber attacks to date, with financial losses estimated at US$10bn.
1: WannaCry
Although its estimated losses of US$4bn are smaller than NotPetya's, WannaCry is often described as the biggest ransomware attack in history in terms of reach. The May 2017 cryptoworm hit around 250,000 Windows computers across 150 countries within days.
It spread using EternalBlue, an exploit for a flaw in Windows' SMBv1 implementation that had been stolen from the United States National Security Agency (NSA) and published by a group calling itself the Shadow Brokers a month earlier; Microsoft had released a patch (MS17-010) in March 2017, but many systems remained unpatched. Once on a machine, WannaCry encrypted files and demanded between US$300 and US$600 in Bitcoin.
It infected numerous organisations, including NHS trusts across England and Scotland, causing major disruption to health services (cancelled appointments and diverted ambulances) and an estimated £92m (about US$104m) in losses.
The spread was halted when British security researcher Marcus Hutchins found an unregistered domain hard-coded into the malware and registered it: the worm checked that domain before doing anything else and exited if the request succeeded, so the registration acted as a kill switch. It did not, however, clean already-infected machines or protect systems that could not reach the domain; only the patch did that.
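To make the kill-switch mechanism concrete, here is an added example (not code from the original article, and not the malware's own code) that models the check as a small Python program with a pluggable "fetch" function, so the three situations that mattered can be run side by side: the domain unregistered, the domain registered (sinkholed), and a host on a network that can only reach the web through a proxy the malware does not use. The URL, the EgressBlocked exception, the scenario functions and the spread_via_smb stand-in are assumptions made for the example; nothing here touches the network.

```python
"""Model of a domain-based kill switch and its failure modes (added example)."""
from typing import Callable

# The real sample held a hard-coded, unregistered domain; the exact name is
# deliberately not reproduced. This placeholder never resolves.
KILL_SWITCH_URL = "http://kill-switch.example.invalid/"


class EgressBlocked(Exception):
    """Stand-in for a failed outbound request: NXDOMAIN, no route, proxy-only network."""


def kill_switch_active(fetch: Callable[[str], bytes]) -> bool:
    """True if the sentinel URL can be fetched.

    The check is a plain HTTP request with no proxy support: a successful
    connection means 'exit', any failure at all means 'carry on'.
    """
    try:
        fetch(KILL_SWITCH_URL)
    except EgressBlocked:
        return False
    return True


def worm_main(fetch: Callable[[str], bytes], spread: Callable[[], str]) -> str:
    """Entry point of the modelled worm: consult the kill switch, then spread."""
    if kill_switch_active(fetch):
        return "kill switch tripped: exit without scanning or encrypting"
    return spread()


# --- constructed scenarios (assumed, for illustration) ----------------------

def unregistered_domain(url: str) -> bytes:
    # Before anyone registered the domain: the name does not resolve.
    raise EgressBlocked("NXDOMAIN")


def sinkholed_domain(url: str) -> bytes:
    # After registration: the request succeeds; the response body is irrelevant.
    return b"sinkhole"


def proxied_network(url: str) -> bytes:
    # Domain registered, but this host has no direct egress and the malware
    # does not honour proxy settings, so the request still fails.
    raise EgressBlocked("direct egress denied")


def spread_via_smb() -> str:
    # Stand-in for the real propagation and encryption routine.
    return "scanning for SMBv1 hosts and encrypting files"


def outcomes() -> dict:
    """Run the worm model under each scenario and return what it did."""
    return {
        "before_registration": worm_main(unregistered_domain, spread_via_smb),
        "after_registration": worm_main(sinkholed_domain, spread_via_smb),
        "proxied_network": worm_main(proxied_network, spread_via_smb),
    }


if __name__ == "__main__":
    for scenario, result in outcomes().items():
        print(f"{scenario:<20} -> {result}")
```

The third scenario is the practical caveat: because the sample made a direct request rather than going through the system proxy, hosts on proxy-only or isolated networks behaved exactly as if the domain had never been registered. The same logic is why a sinkhole operator sees a stream of connections from infected-but-halted machines, which is useful for notifying victims but is not remediation.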