Ransomware is extortion software designed to encrypt files on a device, rendering them unusable. The attacker then demands a ransom in exchange for decryption. This ransom can vary depending on individuals or organizations. Typically, it is between $100-$200 for individuals and $150,000-$200,000 for small businesses, and it must be paid in cryptocurrencies.
Ransomware attacks can severely impact companies’ data and their critical operations. Both economic and reputational impacts of these attacks — throughout the initial disruption to extended recovery — have been proven challenging for small and mid-size businesses.
According to the Verizon Data Breach Investigations Report, ransomware accounts for 10% of all breaches. More than 90% of all the ransomware samples are Windows-based executable files or dynamic link libraries.
Below, we have listed some of the worst examples of ransomware of all time that caused huge financial losses and complete shutdown of businesses’ operations.
Table of Contents
Initial Outbreak: February 2016
Financial Damages: $1+ million
Locky ransomware is capable of encrypting various file types, including videos, MS Office files, and Windows source code. It renames those files and changes their extensions to new ones, which may include .locky, .odin, .thor, .osiris, and .aesir.
The malware usually spreads through emails with an attached MS Word document that contains the malicious code. The document is gibberish and prompts the victim to enable macros in order to view the document.
When the victim clicks on the “enable” button, the malicious code loads into the primary memory and starts encrypting essential files. It is powerful enough to encrypt all network files that the user has access to.
Locky utilizes a combination of RSA-2048 and AES-128 cipher with ECB mode to encrypt data. Since keys are produced on the server-side, it is almost impossible to decrypt the infected files on RAM, fixed drives, and removable drives.
Once the files are encrypted, it will should you the ransom note. The note contains the instruction to install the Tor browser and transfer Bitcoin in exchange for the decryption key.
Within the first month of its initial outbreak, Locky was sent more than one million users. The most notable attack was perhaps on the Hollywood Presbyterian Medical Center, which paid a $17,000 ransom to recover large amounts of patients’ data.
Initial Outbreak: February 2015
Financial Damages: $1+ million
TeslaCrypt uses phishing emails to get people to click malicious URLs and email attachments. The early versions of this ransomware search for data files related to popular games like World of Warcraft, Minecraft and World of Tanks, and Call of Duty series. They target players’ profiles, saved data, game mods, and custom maps stored on users’ hard drives.
The newer version (now defunct) was less restricted and capable of encrypting images, documents, and many other file types. They were using strong encryption algorithms, which made it almost impossible to recover the infected files without the decryption key. And this key can only be obtained by paying the ransom.
Within two months of its initial outbreak, the malware affected thousands of computers, and its authors made over $78,000. This proved how fast TeslaCrypt can propagate and how important it is to have cybersecurity protection.
Unexpectedly, the authors shut down the TeslaCrypt and released the master decryption key in May 2016, thus bringing an end to the malware.
Initial Outbreak: June 2016
Financial Damages: $4+ million
Cerber is quite different from other types of ransomware. It’s an example of evolved ransomware technology. The developer of the Cerber offloads the work of finding devices to a partner in exchange for a cut of the profit. This business model is called ransomware-as-a-service (RaaS).
In other words, the attacker licenses the malware over the internet and splits the ransom with the developer. For a 40% share of the ransom, anyone can sign-up as a Cerber affiliate and infect as many devices as he/she can.
Cerber can be distributed in many different ways. It may be packed with a free online tool, an email attachment, or could be disguised as harmless software. Once installed, it can infect the entire device, encrypting all essential files without user knowledge or consent.
Cerber is capable of preventing the execution of Microsoft Windows security features and third-party antivirus software. It can also disable the system restoration so users don’t have any choice except to pay the ransom to get back (decrypt) the files.
Within a month of its initial outbreak, it infected more than 150,000 computers through 161 identified campaigns. The attack peaked in early 2017 — this was the time when Cerber accounted for nearly 26% of all ransomware attacks.
Initial Outbreak: September 2014
Financial Damages: $20+ million
CryptoWall is known for its use of strong AES encryption, unique CHM (an extension for the Compiled HTML file format) infection technique, and vigorous C2 activity over the Tor anonymous network.
It is spread through emails with ZIP attachments, where the malicious code is hidden as PDFs. These PDFs usually disguise themselves as invoices, purchase orders, and bills. Once someone clicks on them, the malicious files get installed either in “Temp” or “AppData” folders, infecting the whole device.
The malware can then scan the local drive, Dropbox mappings, removable drivers, as well as devices on the same network. It can encrypt data on both 32-bit and 64-bit systems.
Unlike other ransomware, CryptoWall tries to hide inside the operating system and add itself to the bootable files. In fact, it can delete recovery and backup files, making it harder to restore data.
CryptoWall 3.0 has been the most notorious version of all. In addition to encrypting data, it also removes volume shadow copies and tries to steal passwords and Bitcoin wallets.
Initial Outbreak: September 2013
Financial Damages: $27 million
CryptoLocker utilized a trojan to target Windows-based devices. It propagated through infected email attachments and through an existing Gameover ZeuS botnet. These fake emails were designed to mimic the look of genuine business emails and UPS and FedEx tracking notices.
Once downloaded and activated, CryptoLocker searches for specific file types to encrypt them using RSA public-key cryptography. It is capable of encrypting files on external hard drives, USB drives, shared network drives, and even some cloud storage drives.
After encrypting the files, CryptoLocker transmits the private key to certain remote servers. The person (attacker) on the other side then demands the victim to pay a ransom in order to recover or decrypt all the infected files.
Although the malware itself is not hard to delete from the system, the infected files remain encrypted. At the time of the initial outbreaks, victims with no reliable backups had only two options: either pay the ransom or lose their data.
Within two months, CryptoLocker had infected more than 30,000 devices, mostly in developed nations. And by December 2013, it had infected 250,000 Personal Computers.
In 2014, a free encryption software program was released for this. However, $27.78 million was already extorted (in the form of Bitcoin) by then.
Initial Outbreak: December 2015
Financial Damages: $30 million
At the end of 2015, a new strain of ransomware emerged, targeting JBoss servers. The attackers exploit Microsoft Windows servers to gain access to a victim’s network and infect all reachable hosts.
The ransomware utilizes Remote Desktop Protocol (RDP) brute-force attacks to guess weak passwords until one is broken. After getting access to a specific network, the attackers escalate privileges for admin rights, install malware onto the server, and execute the file — all without victims’ authorization or knowledge.
Unlike many ransomware programs that rely on certain actions performed by victims, such as visiting a compromised URL or opening an email, SamSam allows cyberattackers to infect devices with minimal detection.
This malware targeted many industries in the United States, including a few within a crucial infrastructure. The major damage was done to the Colorado Department of Transportation, which resulted in clean-up costs of over $1.5 million.
Ryuk ransomware notes
Initial Outbreak: August 2018
Financial Damages: $3+ billion
Ryuk has been described as one of the most dangerous ransomware groups that operate through phishing campaigns. It targets large organizations and public companies rather than individuals.
The malware is believed to be developed and used by two or more criminal groups, most likely Russian, who utilize open source tools and manual hacking techniques to gain administrative access to as many computers as possible before encrypting the data.
Ryuk uses a combination of symmetric AES (256-bit) encryption and asymmetric RSA (2048-bit or 4096-bit) encryption algorithms to lock the files on victims’ computers. The symmetric key encrypts the file content and the asymmetric public key encrypts the symmetric key. Once the victim pays the ransom (in the form of untraceable Bitcoins), the corresponding asymmetric private key is released which decrypts the file content.
The malware has not been completely wiped out. It is still out there. In January 2021, a new variant of the Ryuk ransomware was detected that had worm-like features. It can self-propagate and infect all machines within the Windows domain. The French national cybersecurity agency ANSSI found that this new variant can infect every reachable device on which Windows RPC accesses are possible.
Initial Outbreak: May 2017
Financial Damages: $4.9 billion
WannaCry was a global cyberattack that targeted Windows-based computers by encrypting files and demanding ransom payments in the Bitcoin cryptocurrency. This ransomware propagated via EternalBlue, a cyberattack exploit created by the U.S. National Security Agency for older Microsoft operating systems.
More specifically, it targets networks using a file-sharing protocol called SMBv1, which enables computers to communicate with other devices, such as printers, connected to the same network.
Once WannaCry is installed on a computer, it can scan a network to find more vulnerable devices. It utilizes the EternalBlue exploit to enter the device. And the ransomware installs and executes itself by using a backdoor called DoublePulsar.
Since WannaCry can self-propagate without human intervention, it is classified as a worm (not as a virus). Within a few days of the initial outbreak, the worm infected more than 230,000 machines across 150 countries. Most of them were government agencies and hospitals.
Various organizations and universities were hit, including
- Universities: University of Montreal, Dalian Maritime University, Guilin University of Electronic Technology.
- Companies: Hitachi, Honda, FedEx, Renault
- Government agencies: National Health Service (UK), Instituto Nacional de Salud (Colombia), Chinese public security bureau, and several state governments of India.
- Transport companies: Russian Railways, LATAM Airlines Group, Deutsche Bahn.
The attackers demanded $300 from a single user and later increased the demand to $600 worth of bitcoin. Although a few people and organizations made payments, the total recovery cost (including damage control and cleanup costs) was more than $4 billion.
Microsoft released the patch within a couple of days, but those using the outdated version of Windows were still vulnerable to attack.
NotPetya’s ransom note
Initial Outbreak: June 2017
Financial Damages: $10 billion
NotPetya is one of the most fascinating ransomware attacks in recent history. It came shortly after the infamous WannaCry malware. What makes this ransomware interesting is the speed at which it propagates between devices and networks.
It doesn’t require any action from the user’s end, and can travel from one system to another, accessing admin credentials. In 2017, it took down a large Ukrainian bank’s network in 45 seconds, and infected a major part of the country’s transit hub in 16 seconds.
NotPetya is just a modified version of Petya, which targets Microsoft Windows-based systems. It utilizes two known exploits to encrypt a hard drive’s file system table:
- EternalBlue: A digital skeleton key disclosed in a catastrophic NSA data breach in early 2017. It allows attackers to run their own code remotely.
- Mimikatz: A proof-of-concept exploit revealed by a French security expert Benjamin Delpy. He showed that user passwords could be extracted from RAM on Windows-based machines.
These two exploits made NotPetya a perfect weapon. Unlike its predecessor, NotPetya didn’t allow the victim’s machines to be decrypted even after the ransom payment was made.
It turns out that the malware is specifically configured to make it impossible to recover the victim’s data after the payload had been executed.
During its initial outbursts (in June 2017), it halted the operations of Ukraine’s Chernobyl Nuclear Power Plant and several Ukrainian banks, ministries, and metro systems. It also affected French construction company Saint-Gobain, German logistics company DHL, Russian oil company Rosneft, German personal care company Beiersdorf, American pharmaceutical company Merck & Co., and United States food company Mondelez International.
As per the former Homeland Security adviser Tom Bossert, the total damages caused by NotPetya exceed $10 billion. The malware hasn’t been wiped out completely. It can still emerge as bouts in different countries and cause even more damage.
Recent Ransomware Attacks
Initial Outbreak: August 2020
DarkSide offers its RaaS (short for Ransomware-as-a-Service) to affiliate for a split of the profit. The malware is believed to be run by former affiliates of other ransomware campaigns who came up their own malicious program.
DarkSide executes brute force attacks and exploits vulnerabilities of RDP (remote desktop protocol) to gain unauthorized access. More specifically, it uses known vulnerabilities, such as CVE-2019-5544 and CVE-2020-3992, to gain intial access in to the system. The ransomware then collects data about device name and system languages.
Patches for such vulnerabilities are widely available, but attackers majorily targets organizations that are still running the older versions of the software. DarkSide group has publicly stated that they do not attack schools, hospitals, and non-profit organizations, but rather big companies that can afford to pay hefty amounts.
Previous incidents show that the ransom demand falls between $200,000 and $2,000,000. One of the most notable DarkSide attacks was occurred in May 2021, when Colonial Pipeline, a company that handles almost 50% of all the fuel supply for the US East Coast, was forced to shut down operations. According to the Bloomberg report, the company paid $5 million ransom with cryptocurrency.
Initial Outbreak: May 2020
REvil (combination of ‘ransomware’ and ‘evil’) is a private RaaS operation. REvil members have formed online infrastructure on the dark web for other attackers to publish stolen data and collect ransoms from victims. In exchange for REvil’s technology and services, members receive 80% of the profit while REvil keep the remaining 20% of any ransomware payments.
Although it is very hard to point the location of its developers, they are assumed to be based in Russia. The assumption is based on the simple fact that the group doesn’t target Russian organizations.
REvil attacks have been linked to several high-profile cases. In April 2021, stole data from Quanta, a Taiwanese company that manufacturing electronics products for Apple, Dell, Amazon, many other tech giants.
The attackers were able to steal sensitive data which is said to include plans for new Apple Watch, Macbooks, and a new Lenovo ThinkPad. They demanded a $50 million ransom. However, they mysteriously deleted all information related to the extortion attempt from the dark web. It’s still not clear whether Quanta or Apple paid the ransom.
In September 2021, Bitdefender, a Romanian cybersecurity company, released a free decryption tool to help victims recover their infected files (that were encrypted before July 2021). This universal tool was used by more than 1,400 firms to avoid paying $500 million in ransom.
Initial Outbreak: February 2019
Since Avaddon operates as a RaaS, its target are not chosen by its authors but by its affiliated buyers. However, the author prohibits the buyers from targeting Commonwealth of Independent States.
The malware runs a script to detect the location of the target. If the device is found to be using Ukrainian or Russian language, it terminates its operation. In some cases, it deactivates itself if it detect the victims is using a Russinan keyboard layout.
The ransomware typically arrives through phishing emails with attached zip or jpeg file, which acts as a downloader for Avaddon. It exploits various infection vectors, including Remote Desktop Protocol and Virtual Private Networks.
In 2021, the United Kingdom’s National Health Service described Avaddon as a type of ransomware that can both steal and encrypt files in double extortion attacks.
Avaddon doesn’t infect critical files of the Windows system to allow the victim to use their device and witness the damage. If the ransom is not paid within 10 days, the attackers publish all the stolen information on the dark web. In a few cases, they have been found to implement DDoS attacks against their victims until the ransom was paid.
Initial Outbreak: February 2021
The creators of Babuk ransomware defines themselves as a non-malicious group who works to reveal to security issues of big corporate networks. According to security experts, Babuk’s encryption technique is somewhat incompetent but it can prevent victims from recovering their data for free.
Babuk targets systems running on Windows and Linus operating system. Once it gets the access, it terminates services and background opeations related to backup applications, endpoint security solutions, and server software.
The malware uses HC-128/ChaCha8 symmetric encryption algorithms to encrypt the file and Elliptic-curve Diffie–Hellman (ECDH) protocol to encrypt the file key, making it impossible to recover the file without the correct decryption key.
So far, Babuk ransomware has been able to bring the networks of the at least five big companies. Perphaps its most notable attack was against Washington D.C.’s Metropolitan Police Department. The attackers stole 250 GigaBytes of sensitive data from the department’s systems and demanded a $4 million ransom. However, it’s still not clear how much the department paid to recover the data.
The Babuk gang has stated that they do not attack schools, hospitals, non profit organizations, and small and mid enterprises with annual revenue of less than $4 million.
Frequently Asked Questions
When was the first instance of ransomware recorded?
The first ransomware was created by Dr. Joseph Popp in 1989. He distributed it to over 20,000 attendees at the 1989 World Health Organization AIDS conference via floppy disk. That’s why the malware is named AIDS Trojan. It is also known as PC Cyborg.
What is the largest ransomware ever paid?
The Chicago-based company CNA Financial paid $40 million in late March 2021 to regain control of its network after the ransomware attack. It is one of the largest US insurance firms with a market capatilization of over $11 billion.
The attackers reportedly demanded $60 million. However, after two weeks of negotations, the company paid the lower sum.
Have ransomware attacks increased in recent years?
Yes! The number of ransomware attacks has more than double in past few years. The manufacturing segment is the most targeted industry followed by financial services, transporation, technology, and legal and human resources. These five industries account for about 60% of total victims.
How can you protect your device from ransomware?
To protect your files and passwords from cyber breach, the advice more or less remains the same. Install a reilable antivirus program, keep an up-to-date backup, always use strong and unique passwords, and don’t click on unknown attackments and harmful URLs.