27 ransomware examples: How these attacks occurred

Each year, ransomware causes millions of dollars in damage for both organizations and individuals. Here we share some of the most notable ransomware examples and the damage they caused. Read on to better understand the scale of the real-world ransomware attacks and how they work.

Ransomware examples

Here are some of the most famous ransomware examples from recent years. And if you want to learn more about these malicious practices and how to protect yourself, check out our blog post about how ransomware works.

Rorschach (2023)

Discovered after an attack on a US-based company in 2023, Rorschach (a strain of BabLock ransomware) showed one of the fastest encryption speeds of any ransomware variant. Spread through security vulnerabilities, phishing emails, malvertising, and malicious software downloads, Rorschach mainly targets large businesses and industrial companies, demanding ransoms ranging from a few thousand to several million US dollars.

In October 2023, Rorschach hit the major Chilean telecommunications provider Grupo GTD, which operates across a large part of Latin America. The attack disrupted Grupo GTD’s data centers, Voice-over-IP services, and internet access.

Rorschach is partly autonomous and self-propagating: it leverages Active Directory (AD) Domain Group Policy Objects (GPO) to propagate quickly across the network and execute the ransomware on every endpoint. Unlike most locker ransomware types, it uses hybrid cryptography to encrypt only part of each file, which is what makes its encryption so fast.

LockBit 3.0 (2022)

LockBit 3.0, also known as LockBit Black, became one of the most used ransomware variants in the world in 2022. It mostly targets large organizations and government entities, taking advantage of their network security vulnerabilities. The ransom demands vary but typically run into millions of US dollars.

In October 2023, LockBit gained access to Boeing’s internal data. Boeing refused to pay the ransom, so LockBit leaked the data. LockBit also hit the US Cybersecurity and Infrastructure Security Agency (CISA), among some 1,700 other US organizations.

LockBit 3.0 is also famous for its bug bounty program. Cybercriminals behind this LockBit version offered thousands of US dollars to anyone who could find a bug in their ransomware code.

Black Basta (2022)

Detected in 2022, Black Basta breached the cybersecurity of nearly 100 organizations, including the American Dental Association, Swiss electrification and automation company ABB, Yellow Pages Canada, German wind farm operator Deutsche Windtechnik, French aerospace and security giant Thales, and the British outsourcing company Capita. It is estimated that since its emergence, Black Basta has raked in at least 100 million US dollars from over 300 infections.

The gang behind Black Basta uses a double extortion tactic, encrypting their victims’ critical data and vital servers and threatening to publish sensitive data on a public leak site.

Royal (2022)

Since September 2022, the Royal ransomware gang has targeted over 350 organizations worldwide, including critical infrastructure. These cybercriminals demanded ransoms ranging from 1 to 11 million US dollars in Bitcoin and managed to extort around 275 million dollars in total. Royal’s top victims are US companies in the services, wholesale, and technology industries.

Royal is an efficient and evasive ransomware strain that spreads via phishing emails. It uses a partial encryption approach: it encrypts only a small amount of data in each file to avoid detection by anti-malware and other threat detection software. Royal exfiltrates the victim’s data before encrypting it and publishes the data on a leak site if the ransom is not paid.
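The partial encryption described for Royal here and for Rorschach above defeats a detector that scores a whole file's entropy once. The following added example (not code from the page or from any vendor) scores a file chunk by chunk instead, so that a single encrypted slice still stands out; the chunk size, the threshold, and the in-memory sample files are assumptions.

```python
"""Chunked-entropy triage for fully and partially encrypted files (added example)."""
import math
import random
from collections import Counter

CHUNK_SIZE = 4096           # scoring window in bytes (assumed value)
ENCRYPTED_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0 (assumed value)


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def naive_is_encrypted(data):
    """The check that partial encryption is designed to evade: one score for the whole file."""
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD


def classify(data, chunk_size=CHUNK_SIZE):
    """Score every chunk separately; verdict is 'plain', 'partial' or 'full'."""
    chunks = [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]
    hot = sum(1 for e in chunks if e >= ENCRYPTED_THRESHOLD)
    if hot == 0:
        verdict = "plain"
    elif hot == len(chunks):
        verdict = "full"
    else:
        verdict = "partial"   # some, but not all, chunks look like ciphertext
    return {
        "whole_file_entropy": shannon_entropy(data),
        "max_chunk_entropy": max(chunks, default=0.0),
        "hot_chunks": hot,
        "total_chunks": len(chunks),
        "verdict": verdict,
    }


def _pseudo_ciphertext(n, rng):
    """Constructed stand-in for an encrypted slice (seeded PRNG bytes, not real encryption)."""
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: 60 KiB of text, 64 KiB "encrypted", and a file whose first
# 4 KiB only are "encrypted". Real strains encrypt larger slices; the arithmetic is the same.
_rng = random.Random(20240101)
TEXT = (b"The quick brown fox jumps over the lazy dog. " * 1500)[:61440]
PLAIN_SAMPLE = TEXT
FULL_SAMPLE = _pseudo_ciphertext(65536, _rng)
PARTIAL_SAMPLE = _pseudo_ciphertext(CHUNK_SIZE, _rng) + TEXT
```

For the partial sample the whole-file score stays well under the threshold (the naive check passes it as clean) while the first chunk scores near 8 bits per byte.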

Lapsus$ (2021)

The Lapsus$ hacking group made headlines in 2021 by attacking the website of the Brazilian Ministry of Health and taking down several of its systems. The group is known for using a combination of social engineering and hacking tactics and tools rather than one specific type of malware.

Since its inception, the group has managed to either steal the data or disrupt the services of Nvidia, Samsung, Microsoft, Vodafone, and Ubisoft.

BlackCat (2021)

The BlackCat ransomware, also known as ALPHV, made headlines for being the first ransomware strain written in the Rust programming language. It can encrypt both Windows and Linux devices as well as VMware instances, gaining access by exploiting flaws in Exchange Server, SonicWall, and Windows.

BlackCat and its affiliates have already compromised over 1,000 entities, mostly in the US, demanded over 500 million US dollars in total, and received nearly 300 million in blackmail payments. This ransomware group is responsible for attacks on Oiltanking GmbH, Swissport, Western Digital, and the Austrian state of Carinthia.

Hive (2021)

The group behind the Hive ransomware gained notoriety in 2022, after attacking the Costa Rican Social Security Fund. Hive infiltrates systems via RDP and other remote network connection protocols as well as through phishing scams and exploitation of security vulnerabilities. It also uses triple extortion techniques.

The group has already breached the cybersecurity of over 1,300 companies worldwide, receiving about 100 million US dollars in ransom payments. Hive targets a wide range of businesses, including the IT and critical infrastructure sectors, especially healthcare.

DarkSide (2020)

The DarkSide ransomware hit the Colonial Pipeline in early May 2021, severely disrupting fuel supply on the US East Coast. Company executives decided to pay the 4.4 million dollar ransom. Toshiba and Brenntag are also among DarkSide’s victims: the group mostly targets large, high-revenue organizations, encrypting and stealing their sensitive data and demanding ransoms in the millions of dollars.

In mid-2021, the gang announced that it was suspending operations after pressure from the US government.

Egregor (2020)

Egregor is a double extortion ransomware strain that was used in attacks against Barnes & Noble, Kmart, and video game developers Ubisoft and Crytek among others. Egregor spread by using stolen credentials, hacking remote access technologies, and spear-phishing scams.

The ransom amounts demanded ranged from 100,000 to 35 million US dollars. Luckily, a number of Egregor’s affiliates were arrested in 2021, and the gang’s infrastructure went offline soon after that.

REvil (2019)

REvil ransomware has striking similarities with the GandCrab ransomware strain. It mostly spreads via phishing emails with malicious attachments and links to trick users into downloading malware. REvil uses the ransomware-as-a-service (RaaS) model and the double extortion tactic. RaaS means that cybercriminals can use its networks and resources but must share a percentage of their profit with its creators. Basically, they rent someone else’s ransomware infrastructure.

Some of REvil’s most significant targets include Lady Gaga, a law firm working for Donald Trump, Acer, Apple, the major business service provider Kaseya, and the space- and weapon-tech contractor HX5. REvil’s ransom demands are usually in the millions, tailored to its high-profile victims and their financial capacity to pay up. For example, in 2021, the US meat processing company JBS Foods ended up paying an 11 million US dollar ransom to get its data decrypted.

Maze (2019)

In 2019, the Maze ransomware started spreading via spam emails, RDP attacks, and exploit kits, becoming one of the first examples of the double extortion model. The most high-profile attack that Maze ever committed was against the IT service provider Cognizant in 2020, causing damage of about 60 million US dollars. However, Maze suspended its operations at the end of 2020.

GandCrab (2018)

GandCrab is infamous for being one of the most aggressive RaaS operations ever carried out. It spread through emails, exploit kits, and various malware campaigns, including phishing. The GandCrab group would demand payments ranging from a few hundred to several thousand US dollars in cryptocurrencies like Bitcoin or Dash for decrypting the stolen data.

It is estimated that GandCrab has infected over 1.5 million machines, with hospitals and dental practices among those affected. In 2019, bragging about earning more than 2 billion US dollars from its criminal activities, the group behind GandCrab retired and released a decryption tool.

Ryuk (2018)

Having emerged in 2018, Ryuk ransomware spreads via phishing emails containing malicious Microsoft Office attachments. It gained notoriety in 2018, after it attacked multiple US newspapers. Besides the media, Ryuk typically targets governments, school systems, healthcare organizations, and other public and private sector companies. It is estimated that Ryuk generated over 60 million US dollars in the first couple of years after its emergence. It remains active to this day.

WannaCry (2017)

WannaCry used vulnerabilities in outdated versions of Windows to inject a file-encrypting virus. It employed the EternalBlue exploit, believed to be developed by the US National Security Agency and leaked by The Shadow Brokers hacker group. Hackers were able to spread the ransomware without users even opening an email, clicking a link, or downloading malicious software.

The cybercriminals behind WannaCry targeted over 300,000 devices in 150 countries that mainly belonged to healthcare organizations and utility companies. They demanded relatively low payments of 300-600 USD in Bitcoin for decryption, but financial damage to the companies reached into the millions. The authorities managed to stop the attack, and their investigation identified two North Korean hackers as the culprits. WannaCry illustrates the importance of updating your systems to prevent such attacks.

Bad Rabbit (2017)

The Bad Rabbit ransomware spreads disguised as an Adobe Flash installer in drive-by downloads on compromised websites. Devices can catch this infection when users simply browse a malicious website. The malware is embedded in the compromised websites using JavaScript injected into the site’s HTML code.

Once a device is infected, the victim receives a message demanding a ransom payment in Bitcoin. If the victim doesn’t pay within 40 hours, the ransom amount goes up. In 2017, Bad Rabbit primarily targeted organizations in Russia and Ukraine but did not stop there — it also infected computer systems in Türkiye, Bulgaria, Germany, Japan and other countries.

Petya (2016)

The Petya attack began in Germany in 2016, targeting Microsoft Windows-based systems of businesses and corporations. Initially, the ransomware spread through phishing emails containing malicious Word documents. Instead of encrypting files individually, Petya would encrypt the master file table (MFT) and replace the computer’s master boot record (MBR) with malicious code, making the entire system unusable until a ransom is paid.

In 2017, a later version, known as NotPetya, attacked numerous Ukrainian businesses and infrastructure, causing extensive damage and disruption. Both Petya and NotPetya signal the importance of cautious email practices.

SamSam (2016)

SamSam caused significant damage to governmental and healthcare organizations in the US by using brute-force attacks to crack weak passwords. Hackers spread it by using phishing emails.

In 2018, cybercriminals used SamSam to attack the city of Atlanta and the Colorado Department of Transportation. The FBI is still searching for the two cybercriminals behind SamSam, who extorted over 6 million US dollars and caused 30 million worth of damage.

SamSam taught us a lesson — use strong passwords to protect your data. Our NordPass tool can memorize your complex passwords, increasing your data security.

Locky (2016)

Locky is email-distributed ransomware that targets Windows devices and requires active user participation. The victim receives a document that asks them to enable macros (small scripts embedded in the document that run when it is opened). If the user agrees, the macro downloads a trojan that encrypts files with particular extensions. To decrypt them, users are instructed to use the Tor browser and to follow further instructions, which end in a demand for payment in Bitcoin.

In 2016, Locky made headlines after infecting computers in a medical center in California and demanding a ransom of 40 Bitcoin, equivalent to about 17,000 US dollars. The hospital paid in order to receive a decryption key and restore its data, even though it’s not advisable to pay the ransom or negotiate with blackmailers.
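Because Locky (like the Ryuk campaigns above) depends on a macro-bearing Office attachment reaching a user, a mail gateway can flag such attachments without opening them. The following is an added example, not code from the page or from any product: it inspects the zip container that modern Office files use for a VBA project part and a macro-enabled content type, only recognises (does not parse) legacy binary .doc/.xls files, and is run here on documents constructed in memory with a placeholder in place of a real VBA project.

```python
"""Flag Office attachments that carry a VBA macro project (added example)."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
CONTENT_TYPES = "[Content_Types].xml"
MACRO_MARKER = b"macroEnabled"                      # appears in .docm/.xlsm/.pptm content types
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}    # these must not carry a VBA project


def inspect_attachment(data, filename):
    """Report what the container reveals; nothing in the document is executed or rendered."""
    result = {"filename": filename, "format": "unknown", "has_vba_project": False,
              "macro_enabled_type": False, "extension_mismatch": False}
    if data.startswith(OLE2_MAGIC):
        result["format"] = "ole2"   # needs a VBA-stream parser such as olevba; out of scope here
        return result
    if not data.startswith(b"PK"):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["format"] = "ooxml"
            result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            if CONTENT_TYPES in names:
                result["macro_enabled_type"] = MACRO_MARKER in zf.read(CONTENT_TYPES)
    except zipfile.BadZipFile:
        return result
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # a VBA project behind a "macro-free" extension is a renamed lure or a broken file
    result["extension_mismatch"] = result["has_vba_project"] and ext in MACRO_FREE_EXTENSIONS
    return result


def should_quarantine(data, filename):
    """Hold the attachment if it carries a VBA project or declares itself macro-enabled."""
    r = inspect_attachment(data, filename)
    return r["has_vba_project"] or r["macro_enabled_type"]


def build_ooxml(members):
    """Build a minimal zip container from {part_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a clean .docx and a .docm with a placeholder VBA project part.
WORD_MAIN = b'<Types><Override PartName="/word/document.xml" ContentType="%s"/></Types>'
CLEAN_DOCX = build_ooxml({
    CONTENT_TYPES: WORD_MAIN % b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = build_ooxml({
    CONTENT_TYPES: WORD_MAIN % b"application/vnd.ms-word.document.macroEnabled.main+xml",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"placeholder bytes, not a real VBA project",
})
```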

Cerber (2016)

Cerber is another example of ransomware-as-a-service (RaaS). It started spreading in 2016 and helped the attackers collect around 200,000 US dollars the same year.

Cerber mostly targets Microsoft Office users in post-Soviet countries. It spreads via phishing emails and has a distinct voice message feature — the ransom note is read to the victim out loud.

ZCryptor (2016)

One of the first examples of a cryptoworm, ZCryptor is a hybrid between a computer worm and ransomware. This dual capacity allows ZCryptor to self-replicate and spread across networks, encrypting files on infected devices and demanding a ransom payment for decryption.

ZCryptor would demand a relatively modest ransom payment of 1.2 Bitcoin and, if the victim did not pay up, the hackers would increase it to 5 or more, the equivalent of a few thousand US dollars. This strain of ransomware typically targeted individual users through phishing emails and fake software installers.

Jigsaw (2016)

Cybercriminals inject this malware into devices using a compromised Flash update. Devices with compromised Flash could catch this infection while the user is browsing legitimate websites. Once Jigsaw infects your device, it can encrypt more than 200 file types.

Jigsaw gained notoriety for progressively deleting the encrypted files if a ransom of 150 US dollars isn’t paid, using a countdown timer and unsettling imagery for intimidation purposes. The gang operating Jigsaw targets both businesses and individuals indiscriminately.

Fusob (2015)

Fusob ransomware infects mobile devices. Like Reveton, it intimidates users by masquerading as a legal authority and demands that a ransom of 100 to 200 US dollars be paid using an iTunes gift card. It targets Western European and US users.

Cybercriminals spread Fusob using a video player for adult video content. When installed, it locks the device and asks for a ransom.

CryptoWall (2014)

The CryptoWall ransomware was one of the most destructive pieces of malware on the internet in 2014. The same year, it infected over 630,000 systems and the cybercriminals behind it received over 1.1 million US dollars in ransom payments ranging from 200 to 10,000 US dollars.

CryptoWall spread via phishing emails and malicious advertisements on legitimate sites belonging to Disney, Facebook, and The Guardian, among others. These attacks could typically have been avoided if users had updated their software and backed up their servers.

SimpleLocker (2014)

SimpleLocker was one of the first pieces of ransomware to target Android devices. It would encrypt files on the device’s storage, like images, videos, and documents, and lock the screen, rendering the operating system unusable. Then it would display a ransom note in Russian.

SimpleLocker primarily focused on individual Android users in Eastern Europe, demanding a relatively modest ransom payment of under 50 USD to unlock files on the SD cards.

Cryptolocker (2013)

In 2013 and 2014, the Cryptolocker ransomware extorted around 3 million US dollars, mostly from small- to medium-sized businesses and individuals. Cybercriminals used a Trojan to target Windows computers.

By using compromised emails and a botnet for dissemination, Cryptolocker encrypted files with keys stored on the cybercriminals’ servers. They demanded that victims pay the ransom before the deadline or else they’d destroy the encryption key. Usually, the ransom simply increased after the deadline.

Law enforcement shut down the botnet and retrieved the decryption keys. However, the “success” of Cryptolocker inspired many copycat ransomware attacks.

Reveton (2012)

Reveton is a financial extortion ransomware delivered via drive-by-download attacks. Once it got into your computer, it would lock you out of your system and show you a fake law-enforcement warning. The warning would say that the institution had locked your computer due to illegal activities (e.g., downloading inappropriate content or pirated software, or buying drugs online). It would also threaten you with imprisonment unless you paid a fine of 300 US dollars. Of course, the fine was also fake and went straight into the cybercriminals’ pockets.

Later, Reveton started using victims’ webcams and demanding payments in Bitcoin, distributing password-stealing malware, and infecting macOS and mobile operating systems.

WinLock (2008)

WinLock was among the first examples of locker ransomware. It attacked PC users by locking them out of their Windows operating systems, displaying pornographic images, and demanding payment to unlock the system.

WinLock mainly targeted individual users, exploiting their lower security awareness and poor protection on personal computers. The ransom demand was usually equivalent to a few dollars, and the victim was expected to pay it via a text message. People responsible for WinLock were arrested in 2010, having earned around 16 million US dollars from their SMS scheme.

Types of ransomware

Here are the main ransomware types:

  • Crypto ransomware encrypts your computer files and demands a ransom payment in exchange for a decryption key. It’s one of the most common forms of ransomware, and it targets both individuals and organizations.
  • Locker ransomware blocks access to a computer system entirely. You are locked out of your operating system, unable to access your desktop, files, and applications. The ransom note usually appears on the locked screen.
  • Scareware is a tactic cybercriminals use to scare you into believing your device is infected with malware or has serious technical problems, though it’s not. You receive an alarming pop-up message urging you to pay a fee or purchase software to fix the issue. If you download the software, it simply infects your device with more malware.
  • Leakware, also known as doxware, threatens to publish the sensitive data from your computer unless you pay a ransom. Unlike typical ransomware, it does not encrypt your data — it only threatens you with its public release.
  • Double extortion ransomware both encrypts your data and threatens to release it to the public unless you pay a ransom.
  • Ransomware-as-a-service (RaaS) is a business model and ransomware delivery method that ransomware developers use. They profit by leasing their ransomware variants to other cybercriminals, making ransomware attacks more accessible to less skilled attackers.
  • Mobile ransomware targets mobile devices. It typically locks the device or encrypts the files, then demands a ransom in exchange for unlocking or decrypting them.
  • State-sponsored ransomware is a sophisticated attack that a nation state launches. It is often part of a larger political or economic strategy and can target critical infrastructure.

Because most ransomware spreads through phishing scams and other types of social engineering attacks, the best way you can protect yourself is to keep aware of these attacks and stay vigilant. Educating yourself about different cyberthreats also pays off.

When it comes to technical solutions, you should regularly update your security software and use secure authentication methods. So be on the lookout for signs of malware and stay safe!