See our Fast Start promotion and start your first pentest on The Cobalt Offensive Security Testing Platform for only $4,950.
See our Fast Start promotion and start your first pentest on The Cobalt Offensive Security Testing Platform for only $4,950.

11 Biggest Ransomware Attacks in History

Ransomware attacks are a digital nightmare that seems to come straight out of a dystopian novel. Yet it's a harsh reality faced by organizations worldwide. Across industries, from healthcare to higher education, no sector is left untouched by this kind of cybercrime. 

These 11 attacks, drawn from different corners of the world, lay bare the magnitude of financial losses, the ingenious strategies of the attackers, and the need for proactive cybersecurity measures.

Among these measures, agile penetration testing, a targeted and faster pentest designed to reveal vulnerabilities efficiently, emerges as a key piece to arm organizations with the needed defenses in this constant game of cat and mouse against cyber criminals.

1. ExPetr / NotPetya 

Type of Attack: Ransomware (A wiper exploiting an SMB vulnerability)
Year: 2017
Attackers: Likely Russian-sponsored threat actors
Target Company: Various, but severely impacted Maersk and Merck
Monetary Impact: Estimated $10 billion

In June 2017, the ExPetr, also known as NotPetya, ransomware attack swept the globe, causing significant disruptions and damages. Unlike conventional ransomware, ExPetr wasn't designed to extort money; instead, it was engineered to cause maximum destruction. It was designed to attack Ukraine but was too effective to be contained.

NotPetya was soon discovered to be a wiper — malware designed to erase data — in disguise. It targeted Windows systems, exploiting an SMB vulnerability called EternalBlue, which was also exploited by the infamous WannaCry ransomware a month earlier.

The wiper spread rapidly, encrypting the master boot record (MBR) to make the affected systems unbootable. Once inside a network, it used a variety of methods, including the Mimikatz tool, to gather credentials and spread laterally.

Maersk, a global shipping company, and pharmaceutical giant Merck were among the hardest hit, with Maersk reporting losses of approximately $300 million. The overall financial damage caused by NotPetya was estimated at around $10 billion, making it the most expensive known attack in history.

2. WannaCry 

Type of Attack: Ransomware (vulnerability in SMB protocol)
Year: 2017
Attackers: Believed to be the Lazarus Group
Target Company: Multiple (global attack); Microsoft Windows users
Monetary Impact: Estimated $4 billion.

In May 2017, the WannaCry ransomware attack spread across 150 countries, ultimately affecting over 200,000 computers. Initial cost estimates reached about $4 billion, but some groups have claimed that potential future losses in the U.S. alone could exceed $7 trillion.

The WannaCry ransomware attack was particularly effective and damaging due to its method of propagation and the vulnerabilities it exploited. WannaCry capitalized on a critical vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol called EternalBlue. The vulnerability is believed to have been developed by the US National Security Agency (NSA) and later leaked by a group called the Shadow Brokers.

The purpose of WannaCry, like all ransomware, was to encrypt files on a victim's computer, rendering them inaccessible. Once the files were encrypted, the ransomware would display a screen informing the victim of the encryption and demanding a ransom in Bitcoin in exchange for a decryption key. The standard demand was $300, which would be doubled if the payment wasn't made within three days.

Once it infected a system, WannaCry acted like a worm, moving laterally through networks and automatically spreading itself without any user interaction. This gave it the ability to propagate quickly on a massive, global scale, causing widespread damage and disrupting critical infrastructures like healthcare services, finance, logistics, and transportation networks.

3. GandCrab

Type of Attack: Ransomware-as-a-service (RaaS) (phishing, exploit kits)
Year: 2018-2019
Attackers: Unknown, operators announced 'retirement' in 2019
Target Company: Various, including businesses and individuals (PCs using MS Windows)
Monetary Impact: Estimated to have extorted over $2 billion from victims

GandCrab emerged in 2018 and rapidly became one of the most widespread and lucrative ransomware attacks. What set GandCrab apart was its RaaS model, where the malware was licensed to affiliates who then conducted attacks and shared a percentage of the profits with the GandCrab developers.

The ransomware was primarily spread through phishing emails and exploit kits, particularly the GrandSoft and RIG kits. Once on a victim's system, GandCrab encrypted files and demanded a ransom in Dash cryptocurrency to decrypt them. 

4. Locky

Type of Attack: Ransomware (phishing emails distributing a macro in a Word document)
Year: 2016 - 2018
Attackers: Unknown, possibly the Dridex hackers (aka Evil Corp or TA505)
Target Company: Various ( predominantly healthcare providers in the US, Canada, France, Japan, Korea, and Thailand)
Monetary Impact: Estimated at $1 billion.

Locky, active primarily between 2016 and 2018, was one of the most prolific ransomware strains, spreading via massive phishing campaigns. It was delivered through an email with a malicious Word document attachment. Once the user opened the document and enabled macros, the ransomware payload was downloaded and executed.

Locky encrypted a wide range of data file types, scrambled filenames, and demanded a Bitcoin payment for decryption. Notably, it could also encrypt files on network shares, amplifying its potential for damage. Locky used a combination of RSA and AES encryption, rendering the victim's files inaccessible until a ransom was paid. Typically, the attackers demanded between 0.5 to 1 Bitcoin.

5. Ryuk 

Type of Attack: Ransomware (initial compromise, usually TrickBot infection)
Year: 2018-present
Attackers: Unclear, possibly various groups using the Ryuk malware or Wizard Spider (Russia)
Target Company: Various, mostly healthcare and municipalities.
Monetary Impact: Some sources claim they've made over $150 million; individual ransom demands reported from 15 to 500 Bitcoin.

Emerging in mid-2018, Ryuk ransomware quickly became a major threat to large organizations. Unlike many ransomware campaigns that use automated mass distribution, Ryuk is manually delivered after an initial network compromise. The attackers carry out extensive network mapping, data exfiltration, and credential harvesting before launching the Ryuk ransomware, causing maximum disruption.

Ryuk uses a combination of RSA-2048 and AES-256 for encryption, making it virtually unbreakable without the decryption keys. The malware is also designed to encrypt network drives, resources, and remote hosts. Ryuk has been responsible for numerous high-profile attacks, with ransom demands ranging from 15 to 500 Bitcoin (approximately $100,000 to $3.7 million). The list of communities that paid ransom includes Jackson County, Georgia ($400,000), Riviera Beach, Florida ($594,000), and LaPorte County, Indiana ($130,000). Bedform, MA and New Orleans refused to pay.

6. REvil/Sodinokibi 

Type of Attack: Ransomware (zero-day vulnerability)
Year: 2019-2021
Attackers: REvil Group
Target Company: Kaseya and downstream customers; JBS
Monetary Impact: Demanded $70 million ransom for universal decryption code.

The REvil group emerged as a major ransomware threat in 2019, but their most disruptive operations started in 2020. Their tactics evolved over time, but the main methods were to target vulnerabilities in software or trick users into downloading the ransomware through phishing emails or by exploiting Remote Desktop Protocol (RDP) weaknesses. Once inside a network, REvil moved laterally, escalating privileges, gaining administrative control, and then deploying the ransomware to encrypt files on the affected system.

REvil is known for using a double extortion method. Before launching the encryption process, they stole sensitive data from the targeted networks. After encrypting the victim's files, they demanded a ransom in exchange for the decryption key. If victims hesitated or refused to pay, REvil threatened to leak the stolen data on their "Happy Blog" to increase pressure on the victims.

One of their most notorious attacks was the Kaseya VSA supply-chain attack in 2021. REvil exploited a zero-day vulnerability in the Kaseya VSA software, a tool IT organizations use to manage and monitor IT infrastructure. By exploiting this vulnerability, they could distribute ransomware to many of Kaseya's clients, affecting up to 1,500 businesses worldwide.

Another significant attack involved JBS, the world's largest meat processor. In that case, REvil used a successful spear-phishing campaign to gain access to the JBS systems, leading to JBS paying $11 million to prevent the data leak.

7. DoppelPaymer

Type of Attack: Ransomware (spear-phishing, unpatched vulnerabilities)
Year: 2019-Present
Attackers: DoppelPaymer Group
Target Company: Various, including the City of Torrance, CA, Pemex (Mexican Oil Company), and University Hospital in Düsseldorf (resulting in the death of a patient)
Monetary Impact: Estimated in the tens of millions; Europol reports at least €40 million

DoppelPaymer emerged in 2019, and unlike many ransomware campaigns that use automated systems for mass distribution, it is manually delivered after an initial network compromise. To maximize disruption, the attackers perform thorough network mapping, data exfiltration, and privilege escalation before initiating the DoppelPaymer ransomware.

The ransomware uses multi-threading for faster encryption, and it can also operate offline, encrypting files without needing to communicate with its command and control servers. DoppelPaymer has been responsible for several high-profile attacks, random demands ranging from 2 to 100 Bitcoin, and data breaches leading to sensitive information being sold on the dark web.

8. SamSam

Type of Attack: Ransomware (manual deployment after network penetration)
Year: 2016-2018
Attackers: The US indicted Faramarz Shahi Savandi and Mohammad Mehdi Shah of Iran.
Target Company: Over 200 victims, including municipalities, hospitals, and public institutions.
Monetary Impact: Over $6 million in ransom payments and $30 million in other losses were estimated.

From 2016 to 2018, SamSam ransomware targeted a variety of sectors, specifically healthcare, government, and education. Unlike other ransomware attacks that are usually automated, the attackers manually deployed SamSam after gaining access to the target networks through JBoss servers or by exploiting vulnerabilities in VPNs or RDP connections. They then escalated privileges and moved laterally through the network before deploying the ransomware.

The city of Atlanta and Hancock Health were among the notable victims, with ransom demands often exceeding $50,000. The attack caused massive disruption, with the city of Atlanta spending more than $2.6 million on recovery efforts.

9. NetWalker/UCSF

Type of Attack: Ransomware (phishing, exploiting VPN vulnerabilities)
Year: 2020
Attackers: NetWalker (aka "Malito," aka Sebastien Vachon-Desjardins, a Canadian national)
Target Company: Dozens of victims, specifically the University of California, San Francisco (UCSF)
Monetary Impact: Tens of millions; a $1.14 million ransom from UCSF)

NetWalker, a RaaS company, is known for targeting those who would likely pay large ransoms due to the critical nature of their data. The ransomware is typically delivered via phishing emails with malicious attachments, exploiting vulnerabilities in VPN appliances or brute-forcing Remote Desktop Protocol (RDP) credentials. Once inside the network, NetWalker can move laterally, escalate privileges, and then deploy the ransomware.

In June 2020, UCSF fell victim to a NetWalker ransomware attack that significantly disrupted their operations. The UCSF attack, primarily affecting the School of Medicine's IT infrastructure, didn't compromise patient care or ongoing COVID-19 research, but the ransomware encrypted critical academic data and important records.

10. Colonial Pipeline 

Type of Attack: Ransomware (phishing, remote system exploitation)
Year: 2021
Attackers: Believed to be the hacker group known as DarkSide.
Target Company: Colonial Pipeline
Monetary Impact: $4.4 million ransom

In May 2021, a hacker group named DarkSide launched a ransomware attack on the Colonial Pipeline's IT network. The group exploited an exposed VPN account with a reused password, stealing 100 gigabytes of data within two hours. To isolate the operational technology systems from the compromised IT network, Colonial Pipeline shut down its operations, causing a disruption in fuel supply across the East Coast.

To regain control of its systems, the company paid a ransom of 75 Bitcoin, approximately $4.4 million at that time. This marked the largest publicized cyber-attack on US critical infrastructure. In response, the US government rolled out initiatives like and the Joint Ransomware Task Force to bolster the nation's cyber defenses.

11. CryptoLocker

Type of Attack: Ransomware (Trojan Horse)
Year: 2013-2014
Attackers: Evgeniy Mikhailovich Bogachev (Russia) is wanted by the FBI for this role
Target Company: Various, primarily Windows users
Monetary Impact: Approximately $3 million in ransom payments.

CryptoLocker ransomware is a Trojan Horse delivered to victims mostly through malicious email attachments, typically in the form of a ZIP file posing as a PDF. Once the victim opened the file, the malware would encrypt a range of file types, including documents and photos, on the victim's computer and mapped network drives. The victim would then see a ransom demand, typically around $300 in Bitcoin or via a prepaid voucher, with a time limit for payment. If the ransom wasn't paid within the stipulated time, the decryption key was deleted, leaving the files permanently inaccessible.

The ransomware was unique for its time in that it used advanced encryption methods, making it virtually impossible for victims to recover their files without paying the ransom. It also used a decentralized infrastructure for command and control, leveraging the Gameover ZeuS botnet, which made it challenging for authorities to disrupt.

CryptoLocker was eventually neutralized in May 2014 through Operation Tovar, a concerted effort by international law enforcement and cybersecurity firms.

The Role of Pentesting in Preventing Cybercrime

After reading through the details, it's clear why companies need penetration testing as part of their cybersecurity strategy. Pentesters help identify vulnerabilities and provide actionable remediation advice, improving an organization's security posture and helping them build cyber resilience - whether it's against ransomware or other types of cyberattacks. Learn more about more recent ransomware attacks with Bitcoin.

Read more about Cobalt's innovative approach to Pentesting with our Pentest as a Service platform for Comprehensive Penetration Testing for Compliance or our targeted and cost-efficient approach with Agile Pentesting Services.

OffSec Shift report cover image

Back to Blog
About Jacob Fox
Jacob Fox is a search engine optimization manager at Cobalt. He graduated from the University of Kansas with a Bachelor of Arts in Political Science. With a passion for technology, he believes in Cobalt's mission to transform traditional penetration testing with the innovative Pentesting as a Service (PtaaS) platform. He focuses on increasing Cobalt's marketing presence by helping craft positive user experiences on the Cobalt website. More By Jacob Fox
Apporwa Verma, Cobalt: “when time is money, the business value of on-demand pentesting cannot be overstated”
Apporwa Verma, application security engineer at Cobalt, shared with us how top-tier penetration testing helps improve businesses’ information security systems.
Feb 23, 2022
Bitcoin ransomware Akira snags $42 million and prompts FBI warning
This post provides a comprehensive analysis of the Akira ransomware, shedding light on its inner workings and the implications it poses. 
May 3, 2024