Ransomware examples
Ransomware attacks can cause significant damage and are not always easy to spot right away. If you want to know more about how ransomware evolved, both as a piece of malware and as a business model, here are some of the most famous ransomware examples throughout history.
AIDS trojan
The AIDS trojan is considered one of the first examples of ransomware. It was distributed to a mailing list on floppy disks titled “AIDS Information Introductory Diskette” — that’s how old it is! After infiltrating a device, it waited until the computer had been restarted 90 times. Then, the trojan activated, encrypted the names of the directories, and demanded the user pay $189 for the "lease of the software."
CryptoLocker
After the AIDS trojan, hackers experimented with various tactics. Some merely pretended to lock a device, hoping that the frightened user would pay anyway, while others locked a device but claimed to be law enforcement, coercing the user into paying a fine. However, in 2013, CryptoLocker appeared, and it was unlike anything the world had seen before in both technique and scale.
CryptoLocker was the first ransomware to use both RSA and AES encryption. It spread through compromised emails and a botnet, encrypting files with keys stored on cybercriminals’ servers. The criminals demanded that victims pay the ransom before a set deadline, or they would destroy the encryption key. Typically, the ransom amount increased after the deadline.
In just two years, the ransomware group extorted approximately $3 million, primarily from individuals and small to medium-sized businesses. Law enforcement eventually shut down the botnet and retrieved the decryption keys. However, the "success" of CryptoLocker inspired numerous copycat ransomware attacks.
WannaCry
First seen in 2017, WannaCry exploited vulnerabilities in outdated versions of Windows to inject a file-encrypting virus. It leveraged the EternalBlue exploit, believed to have been developed by the U.S. National Security Agency (NSA) and leaked by the hacker group The Shadow Brokers. This allowed hackers to spread the ransomware without requiring users to open an email, click a link, or download malicious software.
The cybercriminals behind WannaCry targeted over 300,000 devices in 150 countries, primarily belonging to healthcare organizations and utility companies. They demanded relatively low payments of $300-$600 in Bitcoin for decryption, though the financial damage to affected companies reached into the millions. Authorities eventually managed to stop the attack, and the investigation identified two North Korean hackers as the culprits. WannaCry illustrates the critical importance of regularly updating systems to prevent such attacks.
NotPetya
While the Petya attack began in Germany in 2016, targeting Microsoft Windows-based systems of businesses and corporations, a later version of the virus, NotPetya, primarily attacked Ukrainian businesses and infrastructure, causing widespread damage and disruption.
The key difference is that Petya attacks were financially motivated, with a ransom demanded for data decryption. In contrast, NotPetya acted more like wiper malware, destroying systems indiscriminately and never intending to collect ransom payments.
Cerber
Cerber was one of the first pieces of ransomware that doubled as a business through ransomware as a service (RaaS). In simple terms, RaaS is when ransomware creators lease their malware to other criminals for a cut of their earnings.
Cerber started to spread in 2016 and helped the attackers collect around $200,000 the same year. Over three years, it typically targeted Microsoft Office users in post-Soviet countries. Cerber was dormant for a while but resurfaced in 2019, 2020, and 2023.
Cerber spreads via phishing emails and has a distinct voice message feature — the ransom note is read to the victim out loud.
GandCrab
GandCrab is infamous for being one of the most aggressive ransomware as a service (RaaS) operations ever conducted. Between 2018 and 2019, it infected over 1.5 million machines, often targeting hospitals, dental practices, and individuals.
GandCrab spread through various channels, including emails, exploit kits, and phishing campaigns. The group demanded ransoms ranging from a few hundred to several thousand US dollars, typically paid in cryptocurrencies such as Bitcoin or Dash.
In 2019, after boasting about earning more than $2 billion from its criminal activities, the group behind GandCrab released a decryption tool and announced closure. However, cyber researchers suspect many gang members moved on to other groups, such as REvil.
Ryuk
Active since 2018, Ryuk ransomware spreads via phishing emails containing malicious Microsoft Office attachments. It gained notoriety in 2018 after it attacked multiple US newspapers. Besides the media, Ryuk typically targets governments, school systems, healthcare organizations, and other public and private sector companies.
It is estimated that Ryuk has earned cybercriminals over $150 million since its inception. This ransomware remains active to this day.
Maze
In 2019, the Maze ransomware became one of the first examples of the double extortion ransomware model. Essentially, criminals both encrypt your data and steal a copy of it. If you refuse to pay the ransom, they publish some of the stolen data online to pressure you into making the payment.
To spread, Maze ransomware used spam emails, RDP (Remote Desktop Protocol) attacks, and exploit kits. The most high-profile attack Maze ever committed was against the IT service provider Cognizant in 2020, causing damage of about $60 million. The Maze gang claimed it suspended its operations at the end of 2020, but it’s likely that the gang members migrated to other ransomware groups such as Egregor.
REvil
REvil ransomware first appeared in 2019, quickly establishing itself as one of the most advanced ransomware operations to date. It spread primarily through phishing emails containing malicious attachments or links that tricked users into downloading malware. REvil used double extortion tactics, encrypting victims' data and threatening to leak sensitive information unless a ransom was paid. It was also offered as RaaS.
Some of REvil’s most notable targets include Lady Gaga, a law firm associated with Donald Trump, Acer, Apple, Kaseya, and HX5, a space and defense contractor. REvil typically demanded millions in ransom, adjusting the amount based on the financial capacity of its high-profile victims. For instance, JBS Foods, a major U.S. meat processing company, paid an $11 million ransom in 2021 to decrypt its data.
LockBit
LockBit 3.0, also known as LockBit Black, became one of the most widely used ransomware variants in the world by 2022. It primarily targets large organizations and government entities, exploiting vulnerabilities in their network security systems. The ransom demands vary but typically run into millions of US dollars. For example, LockBit gained access to Boeing’s internal data in October 2023 and demanded a $200 million ransom. After Boeing refused to pay, the attackers leaked 43 GB of stolen data.
LockBit has reportedly attacked over 1,700 organizations, including UK Royal Mail and the city of Oakland. One of the notable aspects of LockBit 3.0 is its bug bounty program, where the cybercriminals offered thousands of dollars to anyone who could identify and report bugs in their ransomware code.
DarkSide
The DarkSide ransomware is similar to REvil, but it gained infamy when it hit the Colonial Pipeline in early May 2021, severely disrupting fuel supply on the US East Coast. Things got so bad that, at one point, even the hackers apologized because they “didn’t mean to create problems.” To regain control of the pipeline, executives paid $4.4 million. The DarkSide ransomware also successfully hit companies such as Toshiba and Brenntag. In mid-2021, the ransomware gang declared that they were suspending operations after pressure from the US government.
Conti
For two years during the Covid-19 pandemic, Conti was a dominant ransomware group. Conti was notorious for targeting healthcare organizations, such as Ireland’s Health Service Executive (HSE). As was typical for ransomware groups in the early 2020s, Conti employed a ransomware as a service (RaaS) model and used tactics like double extortion.
In early 2022, internal communication from the Conti group was leaked, revealing details of their operations and helping law enforcement track and dismantle the criminal group.
Egregor
Egregor is a double extortion ransomware strain that was used in attacks against Barnes & Noble, Kmart, and video game developers Ubisoft and Crytek, among others. Egregor spread by exploiting stolen credentials, hacking remote access technologies, and through spear-phishing scams.
The ransom amounts demanded ranged from $100,000 to $35 million. Fortunately, due to coordinated efforts between France and Ukraine, a number of Egregor’s affiliates were arrested in 2021, and the gang’s infrastructure went offline shortly afterward.
WhisperGate
In early 2022, WhisperGate emerged as destructive malware, primarily targeting Ukrainian organizations. While it initially appeared to be ransomware by locking devices, preventing reboots, and displaying a ransom message, this was merely a facade.
WhisperGate was actually wiper malware, designed to corrupt and destroy files, regardless of whether a ransom was paid. It is likely part of a state-sponsored campaign, linked to Russia’s planned invasion of Ukraine.
BlackMatter
BlackMatter, a likely successor to DarkSide, appeared in mid-2021. BlackMatter targeted critical infrastructure, including agribusinesses and energy sectors. The group was linked to ransomware attacks on major companies, including an agricultural cooperative in the U.S., demanding millions in ransom. However, law enforcement shut down BlackMatter before the year’s end.
Hive
The group behind the Hive ransomware gained notoriety in 2022 after attacking the Costa Rican Social Security Fund. Hive infiltrates systems via RDP and other remote network connection protocols as well as through phishing scams and the exploitation of security vulnerabilities. It also uses triple extortion techniques, meaning that, in addition to stealing data and threatening to make it public, hackers contact the victim’s partners to put additional pressure on them to pay the ransom.
The group has already breached the cybersecurity of over 1,300 companies worldwide, receiving approximately $100 million in ransom payments. Hive targets a wide range of businesses, including the IT and critical infrastructure sectors, with a particular focus on healthcare.
Types of ransomware
There are two main types of ransomware:
- Locker ransomware locks your system. The victim can’t unlock or reboot the device — all they see is a ransom message, often trying to scare them into paying the ransom.
- Crypto ransomware locks your files. Its effectiveness made it far more common than locker ransomware. Instead of locking the entire device, crypto ransomware encrypts files, so the user can still follow the instructions: open the ransom message, use the browser to buy cryptocurrency, and pay the ransom.
What about RaaS? Or scareware? Technically, both terms are connected to ransomware, but they are not ransomware types in the same sense. Here are a few related terms:
- Scareware never locks or encrypts anything. It’s designed to trick the user into believing their computer has been infected.
- Extortionware (also called leakware or doxware) is a model of cybercrime where criminals threaten to leak your data unless you pay a ransom.
- Wiper malware does not demand a ransom. Instead, it simply destroys as much of the victim’s system as possible.
- Double extortion is a technique used by ransomware gangs that involves both encrypting and stealing data. If the ransom is not paid, the stolen data is released to the public.
- RaaS (ransomware as a service) is a business model where cybercriminals allow others to use their malware in exchange for a cut of the ransom payments.
How to protect yourself from ransomware attacks
Ransomware, like any other malicious software, looks for weaknesses in software or tries to exploit human error through phishing campaigns.
- Update your software. The success of a ransomware attack often relies on the malware exploiting a known vulnerability that hasn’t been patched yet. Update your software whenever an update is available to close any potential doors for criminals.
- Use strong passwords. Password security has come a long way from what it once was. For example, password managers can help you create and store strong passwords, while two-factor authentication (2FA) adds a second check, so a compromised password alone is not enough to get into your accounts.
- Back up your data regularly. In the event of a ransomware attack, having a recent backup can make all the difference. Store backups offline or in a location separate from your network, ensuring they remain untouched even if your main systems are compromised.
- Be cautious about email attachments and links. Criminals have been using phishing emails for decades. Never open attachments or click on links from somebody you don’t know. Even if the email looks legitimate, double-check with the sender that they meant to send that link or attachment.
- Beware of social engineering tactics. When the software itself is too hard to break into, hackers attempt to exploit human weaknesses instead. Always be wary of unsolicited calls or emails asking for sensitive information.
- Use security software. Firewalls, antivirus, and various security features of your VPN help you stay safe online. For example, NordVPN’s Threat Protection Pro™ can prevent malicious links, check files for malware during download, and block trackers.