Is your company protected from ransomware?
Ransomware is a type of malware that infiltrates your network and encrypts important files. It can get in through email attachments, malicious links, and even vulnerabilities in your network security.
Unlike other cyber attacks, ransomware holds your information hostage while attackers demand a fee for restoring access to your data. This prevents you from accessing any of your essential systems, wreaking havoc on your business. And if you refuse to pay the ransom, hackers will often threaten to leak your sensitive information to the public.
Unfortunately, ransomware is a growing threat. Thanks to digital transformation, more of our data is digitized and accessible online. Ransomware-as-a-service (RaaS) has also made it much easier for attackers to conduct sophisticated, orchestrated attacks against businesses. With ransomware now targeting critical infrastructure, it’s only a matter of time before we see real risks to personal safety, food security, and more.
One of the best ways to protect yourself from ransomware is to understand the current threat landscape. Check out these 50 examples of ransomware to see how your organization can better protect itself.
50 Examples of Ransomware Attacks
- Bad Rabbit drive-by attacks affect media outlets, metro systems, and airports in Europe.
In 2017, Bad Rabbit ransomware conducted a series of drive-by attacks in Russia and Ukraine. It targeted media outlets and even transportation services like the metro system and airports. The small-scale attack targeted many organizations and demanded 0.5 Bitcoin in exchange for a decryption key from hundreds of victims.
- Ransomware delays Ferrara candy company’s Halloween production.
Ferrara is a company that makes Nerds, SweeTarts, and other beloved candies. But in October 2021, ransomware encrypted Ferrara’s critical systems, threatening to shut the company down during its busiest month of the year. Ferrara refused to pay the ransom and worked with cybersecurity professionals to recover access.
- Locky ransomware attack in 2016 encrypts healthcare files.
Locky ransomware uses phishing to gain access to a target company’s systems, typically going after files used by designers, engineers, and testers. When it came out in 2016, Locky was able to encrypt more than 160 file types spread by fake emails with infected attachments. In this case, a new-and-improved Locky update managed to gain access to several healthcare providers’ systems with infected Word documents.
- Ryuk ransomware disrupts Tribune Publishing, The New York Times, and The Wall Street Journal.
First appearing in August of 2018, Ryuk ransomware takes over a system and shuts down core processes. Once it takes control of a system, Ryuk encrypts files. It can even remotely wake computers to encrypt them, maximizing its reach. Tribune Publishing was a victim of Ryuk in 2018: the ransomware was able to stop print operations both in California and Florida. Since Tribune Publishing shares facilities with The New York Times and The Wall Street Journal, these outlets’ print operations were also temporarily disabled.
- Jigsaw ransomware threatens file deletion.
Named after the disturbing puppet from the Saw movies, Jigsaw is a type of ransomware attack that progressively encrypts and deletes files. First spotted in 2016, this ransomware displays an image of the Jigsaw puppet (which understandably causes more distress to its victims) and gives users 24 hours to pay a ransom before deleting files. Jigsaw commonly infiltrates networks by pretending users’ bank information has been compromised and persuading them to click on fake links.
- Phoenix CryptoLocker shuts down insurance company CNA.
CryptoLocker ransomware was first spotted in 2007, initially spreading through infected email attachments. Over 500,000 computers have been affected by the original CryptoLocker, although law enforcement was able to offer decryption keys to many victims. CryptoLocker no longer exists, although a new variant named Phoenix CryptoLocker took down operations at CNA, a large insurance company, in March 2021. It managed to encrypt over 15,000 devices at the company, including those of employees working remotely through the company’s VPN.
- GoldenEye nearly causes a disaster at Chernobyl.
Known as WannaCry’s deadly sibling, GoldenEye is actually a resurrection of Petya. Over 2,000 companies were affected by a GoldenEye attack, including Russian oil companies and banks. Most notably, this ransomware locked Chernobyl power plant workers out of their computers, forcing them to check their radiation levels manually.
- B0r0nt0k ransomware encrypts Windows- and Linux-based servers.
First discovered in 2019, B0r0nt0k is ransomware that’s likely of Vietnamese origin. It primarily targets websites using Windows or Linux servers. It not only attacks files, but also changes settings, disables applications, and adds programs. This ransomware demands 20 Bitcoin (worth $75,000 at the time) for a decryption key.
- Fake WordPress ransomware targets in-demand WordPress sites.
Do you run a website on WordPress? The more high-profile a WordPress site, the more likely it is to be a victim of this false ransomware attack. Hackers are installing plugins that mimic a ransomware attack and demanding 0.1 Bitcoin (worth over $6,000 as of November 2021) in ransom payments.
- Ransomware takes down Wolverine Solutions Group in 2018.
In 2018, ransomware encrypted valuable files at this healthcare organization. Instead of paying the ransom, Wolverine hired computer experts to decrypt the data. However, in an early form of double extortion, the attackers did compromise patient data because of Wolverine’s refusal.
- Cerber ransomware targets GitLabs and Confluence.
Cerber was first seen in 2016, but it petered off in 2019. Unfortunately, this ransomware is back with a ransomware-as-a-service (RaaS) model. It recently went after Atlassian Confluence and GitLab, affecting users in the U.S., Germany, China, and Russia.
- Reveton pretends to be law enforcement so victims will pay up.
Reveton has existed since 2012, but it’s come a long way from its early days as a mechanism to steal passwords. Today, Reveton ransomware victims will see a popup that says their computer has been locked by the police. They have to pay a “fine” to access their computer or risk threats of arrest.
- SamSam holds the Colorado Department of Transportation hostage.
SamSam goes after administrative rights, which means that users don’t have to download a file to be held ransom—which makes SamSam hard to track down. In 2018, SamSam ransomware infected CDOT employees’ machines, revoking access until CDOT paid SamSam’s ransom. CDOT refused to pay the ransom, but it did cost the state nearly $2 million to restore its systems after the attack.
- SimpleLocker targets Android devices.
SimpleLocker has the dubious distinction of being the first detected ransomware for Android devices. SimpleLocker goes after Android SD cards, encrypting files so users can’t access their files unless they pay a ransom. The best way to prevent a SimpleLocker attack, aside from using an iOS device, is to download apps only from Google Play.
- Chemical company Brenntag pays DarkSide ransomware $4.4 million.
Although it’s a German company, Brenntag is one of the largest chemical distributors in North America. In May 2021, DarkSide ransomware stole 150 GB of data and demanded a $4.4 million ransom, which Brenntag paid.
- LeChiffre goes after US wholesale companies in 2020.
LeChiffre has been around since 2015, but in 2020 it managed to infect the network of a wholesale distribution company in the U.S. LeChiffre encrypts files and changes their extensions to “.lechiffre,” which is French for “cipher.” Unlike other ransomware, hackers have to run LeChiffre manually, looking for poorly secured laptops where they can log in remotely.
- Ransomware drops Sinclair Broadcast Group’s value by 3%.
Sinclair Broadcast Group, a large TV company in the US, experienced a ransomware attack in October 2021. Hackers encrypted swaths of Sinclair’s network, breaking its email and phone system. The attack was so bad that Sinclair couldn’t air certain ads or TV shows, which led to a 3% drop in its share price.
- Evil Corp attacks Olympus twice with Macaw Locker.
In September 2021, the Evil Corp ransomware gang attacked Japanese medical technology firm Olympus not once, but twice. Over the span of five weeks, Evil Corp managed to disrupt Olympus’s operations in Europe, the Middle East, Africa, and the U.S.
- Petya uses fake Dropbox links to infect HR files.
Originating in 2016, Petya is a malicious type of ransomware that encrypts the entire hard disk, taking over the entire operating system. It cleverly infiltrates HR departments by sending HR professionals fake applications with infected Dropbox links. Petya successfully infiltrated industries like healthcare, transportation, and banking, often demanding ransom payments at $300 per user.
- Weir Group loses $6.8 million after a ransomware attack.
Ransomware managed to shut down a Scottish engineering company’s IT systems and engineering applications in September 2021. Weir Group estimated the attack alone could cost $6.8 million, but it expects to see an overall $55 million loss in profits because of the disruption.
- Everest ransomware steals 60 GB of data from an Italian agency.
The Società Italiana degli Autori ed Editori (SIAE) is an Italian agency that handles intellectual property. Members of the Everest ransomware group targeted SIAE to expose celebrities’ personal information in October 2021. The organization lost 60 GB of data, including driver’s license and ID information.
- DarkSide ransomware takes down the Colonial Pipeline in 2021.
In what was the most infamous ransomware incident of the year, DarkSide hit the Colonial Pipeline Company, a large utilities company. This not only led to supply chain concerns for gas, but Colonial also paid $4.4 million in ransom money to regain access to their systems. To add insult to injury, attackers also stole nearly 100 GB of data from Colonial.
- REvil ransomware infiltrates an IT company and its clients.
In July 2021, REvil committed the largest ransomware attack ever recorded. It targeted Kaseya, an IT management company. REvil pushed malicious updates to Kaseya’s clients’ systems, demanding $45,000 for the decryption key. This directly affected 60 of Kaseya’s clients, but it also disrupted as many as 1,500 companies in Kaseya’s supply chain.
- GandCrab threatens to post webcam footage of victims.
GandCrab is a two-fold threat: it not only claims to hack its victims’ webcams, but it also threatens to disclose their footage to the world if they don’t pay a ransom. Although it’s now defunct, over 54,000 people fell victim to GandCrab.
- Eurofins Scientific pays ransom to Ryuk for a ransomware decryption key.
Eurofins Scientific is the United Kingdom’s largest provider of forensic services. When Ryuk ransomware stopped the company in its tracks, it not only had to pay a ransom, but the attack also resulted in a backlog of more than 20,000 forensic samples.
- Reckitt Benckiser loses over $140 million after NotPetya ransomware attack.
NotPetya caused massive damage to Reckitt Benckiser, a pharmaceutical company in the UK. The ransomware encrypted critical files, preventing Reckitt Benckiser from invoicing and shipping some of its orders. It’s estimated that the attack led to $142 million in losses from undelivered goods and recovery costs.
- Brrr takes advantage of remote desktop services.
Remote desktop services aren’t safe from ransomware. Brrr, which is a new variant of Dharma, is installed directly by hackers through remote desktops. Brrr will then encrypt network drives, host drives, and virtual machines. It can also automatically run when the victim logs into Windows, which can give the ransomware access to files created after the initial attack.
- The British and Foreign Bible Society was fined $132,000 for losing supporters’ bank information.
The British and Foreign Bible Society had over 400,000 records compromised in a 2016 ransomware attack. Thanks to weak passwords, attackers encrypted well over a million files in the society’s network. This not only led to a loss of data for the organization, but it also led to a stiff $132,500 GDPR fine.
- Ransomware halts operations at an English police union.
In 2019, ransomware took over the computers at The Police Federation of England and Wales. Data and email services were down during the attack, which also infected local servers and networks and deleted backup servers.
- Bad Rabbit targets Russian websites with time-sensitive ransom demands.
Bad Rabbit operates with drive-by attacks. Attackers compromise a real website, pushing a so-called “Adobe Flash installation” update to site visitors, who are none the wiser. In this case, Bad Rabbit took over several Russian websites, giving victims just 40 hours to pay before increasing the ransom.
- GlobeImposter 2.0 takes down A2 Hosting.
The web hosting company A2 Hosting experienced a ransomware attack by Globeimposter 2.0 in 2019. The ransomware infected all of A2’s Windows servers, taking down all WordPress hosting services. This led to two weeks of outages for A2’s customers, ruining its reputation and leading to thousands of dollars in lost revenue for the business.
- KeRanger was the first ransomware to infect Mac devices.
KeRanger has the dubious distinction of being the first ransomware to infect Mac devices running OS X. KeRanger uses an open-source BitTorrent client to access users’ machines, silently taking over the system. KeRanger encrypts over 300 different file types before demanding a 1 Bitcoin ransom (about $400 at the time).
- Netwalker destroys a year’s worth of data at Michigan State University.
Netwalker ransomware exploited an unpatched VPN at Michigan State University in 2020. The university refused to pay the ransomware, which led to it losing a year’s worth of data from its physics and astronomy department.
- Maze attack takes down Canon’s website.
Canon experienced a Maze ransomware attack in July 2020. Instead of a simple ransomware attack, Maze used the threat of exfiltrating data to encourage a ransom payment. Canon refused to pay the ransom and experienced outages through August 2020 as a result. Fortunately, as of November 2020, Maze ransomware is no longer active.
- WastedLocker infects eight Fortune 500 companies.
WastedLocker is infamous for its high ransomware demands, asking its targeted victims for millions of dollars. According to a report from Symantec, WastedLocker has infected eight Fortune 500 enterprises in the U.S., along with countless other smaller companies. With ransoms in the $500,000 – $10 million range, this is a significant threat to any business.
- Ransomware affects the Toronto transit system’s app and displays.
Toronto’s transit system serves 1.7 million people every day. In October 2021, the agency experienced a ransomware attack targeting its bus, subway, and streetcar operations. Although the outage only affected the transit system’s app and digital displays, it caused disruptions for several days.
- REvil demands $50 million ransom after Acer attack.
In May 2021, REvil demanded a hefty ransom from computer company Acer. It infiltrated Acer through a vulnerability in its Microsoft server, encrypting essential files and leaking Acer’s sensitive financial data.
- Ransomware compromises over 400,000 Planned Parenthood patient files.
Although attackers haven’t demanded a ransom just yet, Planned Parenthood experienced an attack against its Los Angeles chapter in December 2021. The attack leaked over 400,000 patient records, including insurance information, diagnoses, and prescription information.
- Food company pays $11 million ransom from REvil.
In May 2021, ransomware held the files of JBS Foods hostage. As one of the world’s largest food processors, the attack led to fears of food shortages. JBS Foods did pay REvil’s $11 million ransom in Bitcoin, which is one of the largest ransomware payments of all time.
- TeslaCrypt goes after online gamers to decrypt games.
TeslaCrypt was the first ransomware to exclusively target online games. Although it’s now defunct, it searched for 185 file extensions related to online games like Call of Duty and Minecraft. TeslaCrypt would then encrypt the game files and demand ransoms ranging from $500 – $1,000 for the decryption key.
- REvil exfiltrates computer manufacturer designs and demands $50 million.
REvil originally wanted to target Apple, but it decided to go after Apple’s vendors instead. In this 2021 ransomware attack, REvil demanded a $50 million ransom from Quanta, threatening to expose sensitive files. Quanta refused to negotiate and REvil leaked Quanta’s sensitive Apple blueprints.
- Egregor targets one of the world’s largest recruitment agencies, Randstad.
As one of the world’s largest recruiting agencies, Randstad has access to millions of job seekers’ sensitive information. That’s why Egregor ransomware targeted the agency, exfiltrating data and demanding a ransom. Randstad refused to pay the ransom and Egregor published data on Randstad’s operations in the U.S., Poland, Italy, and France.
- French building company lost $230 million in sales after a ransomware attack.
In a July 2017 attack, NotPetya ransomware led to significant losses for Saint-Gobain, a major French building materials company. It’s estimated that the business lost $230 million in sales as a result of the attack.
- Ransomware halts Honda manufacturing.
Snake ransomware was likely responsible for a June 2020 ransomware attack on Honda. Instead of going after individual workstations, Snake went after entire networks to cause more damage. Honda reported that it didn’t pay a ransom, but that the attack temporarily halted many of its factory operations outside of Japan.
- Food shortages are coming as a result of a ransomware attack on a farming cooperative.
NEW Cooperative, a large farm Cooperative in Iowa, is responsible for organizing farm animal and grain production for much of the United States. A September 2021 attack by DarkMatter caused NEW to shut down its systems to contain the attack. DarkMatter demanded a $5.9 million ransom in closed-door negotiations with NEW, but it’s unclear if NEW paid the ransom.
- Ransomware targets energy, health, and manufacturing companies in Canada.
The Canadian government logged 235 ransomware attacks in 2021, with half of the attacks targeting critical businesses in industries like energy, health, and manufacturing. Hospitals were hit particularly hard: a Toronto hospital was forced to shut down all IT systems, which caused it to cancel appointments for x-rays and chemotherapy.
- The City of Atlanta refused to pay $51,000 ransom and lost $17 million.
In March 2018, a variant of SamSam took down bill pay features for the City of Atlanta. The attackers demanded 6 Bitcoin ($51,000 at the time) in ransom, which the mayor refused to pay. Instead, the city spent $17 million rebuilding its systems and spent months working on recovery.
- WannaCry infects one-third of NHS hospitals in the UK.
Created in 2017, WannaCry ransomware spread to over 150 countries in 2017. This classic example of ransomware locks users out of their accounts, demanding a Bitcoin ransom in exchange for a decryption key. WannaCry’s most notable attack was on the National Health Service hospitals in the UK, with damages estimated at £92 million.
- Shade / Troldesh targets individual users with infected .zip files.
Shade (also known as Troldesh) is one of the oldest forms of ransomware, first appearing in 2014. While the group behind Shade allegedly ended operations in 2020, it’s still valuable to understand how this ransomware operates. Shade spread widely in 2015 via spam emails with infected files or attachments. It was a more personal type of ransomware, opening up two-way communication and room for negotiation between victims and the attacker.
- Babuk steals 500 GB of confidential data from the NBA.
In April 2021, the hacker group Babuk carried out a ransomware attack against the National Basketball Association (NBA). The group threatened to leak sensitive information about the Houston Rockets, including financial information and contracts. The NBA refused to pay the ransom and lost 500 GB of data.
These examples demonstrate the fact that ransomware doesn’t discriminate; attackers go after companies of all sizes and target different types of data and systems. Visit our risk calculator to learn your company’s estimated risk and take action to protect your business.