Ransomware is an increasing threat to businesses. New technologies, such as Artificial intelligence and Machine Learning, create opportunities for more robust and severe attacks.Â
The dawn of ransomware can be traced back to the “AIDS Trojan” (also known as “P.C. Cyborg”). This first-ever documented cyberattack was distributed via floppy disks. Its modus operandi involved obscuring file directories on victims’ computers and extorting $189 for their recovery. Yet, its impact was mitigated by a critical flaw: the malware only encrypted filenames, not the files themselves. Â
On the other hand, recent threats are sophisticated and nearly impossible to recover from, making data backups more needed than ever to ensure business continuity.
A recent prominent ransomware attack example is the 2024 Mother Of All Breaches.
Learning about past attacks can also help prevent future ones and minimize the chances of becoming a ransomware victim. This is a list of eight of the major ransomware attacks to date that we know the names of the threat actors responsible.
1. WannaCry
Summary: Caused extensive damage, infecting an estimated 200,000 computers across 150 countries, resulting in hundreds of millions to billions of dollars in damages.
WannaCry ransomware overview
WannaCry, also known as WannaCrypt, WannaCryptor, or Wanna Decryptor, was a devastating ransomware attack that occurred on May 12, 2017, and affected systems in 150 countries.Â
This cryptoworm, a self-replicating ransomware that rapidly encrypts data across a network, exploited a vulnerability in legacy versions of the Server Message Block (SMB) protocol, known as EternalBlue, which was leaked from the United States National Security Agency (NSA) a few months before the attack.Â
Despite Microsoft’s release of a patch in March 2017, many systems remained vulnerable due to poor patching practices.
WannaCry attack overview
WannaCry targeted tens of thousands of organizations and individuals, including government agencies, hospitals, telecommunications companies, and financial institutions, with computers running outdated versions of Microsoft Windows operating systems.Â
Once infected, WannaCry encrypted files on the affected system and demanded a ransom ranging from $300 to $600 to be paid in Bitcoin.Â
Notable victims included high-profile organizations such as the U.K.’s National Health Service (NHS), FedEx, Honda, and Boeing.
Impact of the WannaCry attack
The impact of WannaCry was substantial, causing hundreds of millions to billions of dollars in damages. The NHS, in particular, suffered significant disruptions, with multiple hospitals, general practitioners, and pharmacies affected in England and Scotland. Medical services were delayed and diverted, although no deaths were directly attributed to the attack.
Security experts from various countries, including the United States, United Kingdom, Canada, Japan, New Zealand, and Australia, formally asserted that North Korea was behind the attack. Despite efforts to mitigate the spread of WannaCry, it was able to infect an estimated 200,000 computers globally due to the widespread use of unpatched systems.
In response to the attack, Microsoft released patches to address the EternalBlue vulnerability and urged users to update their systems promptly. Additionally, efforts were made to disrupt the ransomware’s operations, including the discovery of a kill switch domain.
2. NotPetya
Summary: NotPetya, unleashed on June 27, 2017, marked a new era of state-sponsored cyber warfare, primarily targeting Ukrainian organizations but quickly spreading globally.
NotPetya ransomware overview
NotPetya, a variant of the Petya ransomware, emerged with unprecedented devastation, affecting over 2,000 organizations globally within days of its release. Despite its resemblance to ransomware, NotPetya’s true aim was not financial gain but indiscriminate destruction, making it distinct from its predecessors.
It leveraged the EternalBlue vulnerability, initially exposed by the NSA, to rapidly propagate through networks without user intervention.Â
NotPetya’s origins are traced back to the Russian military intelligence, the GRU, as part of a larger geopolitical conflict between Russia and Ukraine.Â
NotPetya attack overview
NotPetya utilized the EternalBlue vulnerability, initially disclosed by the NSA, to rapidly spread through networks without user interaction. It exploited a backdoor in Ukrainian accounting software, M.E.Doc, widely used for tax reporting, to infiltrate systems.Â
Once inside a network, NotPetya encrypted files and irreversibly encrypted master boot records, rendering infected machines unusable.
Unlike traditional ransomware, however, NotPetya did not offer a feasible decryption mechanism even if victims paid the ransom. This indicated that the attackers’ primary goal was not financial gain but rather widespread disruption and destruction of data.
Impact of the NotPetya attack
The financial toll of NotPetya was staggering, with multinational corporations bearing the brunt of losses.Â
Companies like Maersk, FedEx, and Merck reported losses ranging from hundreds of millions to billions of dollars, encompassing revenue loss, IT restoration costs, and operational disruptions. Maersk, for instance, faced a total shutdown of its operations, with significant manual intervention required to restore functionality over several months.
NotPetya victims:
- Maersk: Losses amounted to $250-300 million, with operations severely disrupted, including the shutdown of 45,000 workstations and 4,000 servers.
- FedEx: The European subsidiary, TNT Express, suffered $300 million in losses, leading to service delays and manual operational processes.
- Merck: The pharmaceutical giant incurred $870 million in losses due to disrupted manufacturing, research, and sales operations, impacting vaccine supplies.
- Mondelez: The food company recorded $180 million in damages, with its global logistics chain disrupted, leading to forensic analysis and restoration costs.
- Nuance: Cloud-based dictation and transcription services were affected, resulting in an estimated $92 million in lost revenues and restoration costs.
- Reckitt Benckiser: Production, shipping, and invoicing were halted, leading to $117 million in losses for the British consumer goods company.
- WPP: The multinational advertising firm incurred approximately £15 million in losses due to NotPetya’s impact on its operations.
3. Petya
Summary: Similar to NotPetya, Petya caused substantial damage by infecting computer systems’ master boot records (MBRs), encrypting files, and demanding ransom payments. It also triggered significant disruptions, such as the attack on the Ukrainian government and the Danish shipping company.
Petya ransomware overview
Petya ransomware, first identified in 2016, represents a significant advancement in the evolution of ransomware threats.Â
It targets Windows-based systems, employing sophisticated techniques to encrypt crucial system files, rendering the system inoperable until a ransom is paid.
The ransomware spreads through various vectors, including phishing emails containing malicious attachments disguised as PDF files.Â
Petya ransomware gained widespread attention in 2017 when a new variant, dubbed “NotPetya,” was unleashed in a massive cyberattack, targeting Ukrainian institutions and quickly spreading worldwide.Â
Differences between Petya and NotPetya:
While both Petya and NotPetya are variants of ransomware targeting Windows-based systems, there are notable differences between the two. NotPetya exhibited worm-like behavior, allowing it to spread rapidly across networks, whereas Petya relies on traditional ransomware tactics to infect individual systems. Additionally, NotPetya was believed to be a state-sponsored attack aimed at causing widespread disruption, whereas Petya variants may be deployed by cybercriminals seeking financial gain through ransom payments.
Petya attack overview
Petya operates by infecting the computer’s Master Boot Record (MBR), overwriting the Windows bootloader, and triggering a system restart.Â
Upon reboot, the malware encrypts the Master File Table (MFT) of the NTFS file system, which contains metadata and file location information.Â
The attackers behind Petya often utilize tactics to evade detection by antivirus software, making it challenging for victims to defend against or recover from an attack.
Victims are then presented with a ransom note demanding payment in Bitcoin, alongside deceptive messages indicating system repair processes.
Impact of the Petya ransomware attack
The impact of Petya ransomware is significant, leading to widespread disruption and financial losses for affected organizations. Furthermore, Petya’s propagation through the EternalBlue exploit, similar to WannaCry, exacerbates the scale of the attack by enabling rapid spread across networks and infecting a large number of computers within a short timeframe.
Petya initially targeted various institutions in Ukraine, including government agencies, banks, and critical infrastructure such as the country’s central bank and international airport. This resulted in widespread disruptions to essential services, such as banking operations, transportation systems, and government functions.
The Petya attack raised concerns about national security and cybersecurity vulnerabilities in Ukraine. The targeting of government agencies and critical infrastructure highlighted the potential risks posed by cyber threats to the country’s security and stability.
4. Cerber
Summary: Cerber ransomware, operating as a semi-private Ransomware-as-a-Service (RaaS), has resurfaced in recent years, targeting both Windows and Linux operating systems.
Cerber ransomware overview
Cerber ransomware, also known as C3RB3R, emerged in 2016 as a significant threat in the ransomware landscape.Â
Initially observed as a highly active operation, Cerber experienced periods of dormancy before resurfacing in contemporary campaigns targeting both Windows and Linux systems.Â
One notable resurgence occurred in late 2023, with Cerber campaigns focusing on exploiting vulnerabilities in Atlassian Confluence Datacenter and Server products, notably CVE-2023-22518.
Operating as a lucrative business venture for cybercriminals, Cerber is distributed to affiliates who deploy it in exchange for a share of the profits. Notably, Cerber employs advanced techniques to target cloud-based Office 365 users and utilizes elaborate phishing campaigns to infect users globally, with exceptions for specific geographical regions.
Cerber attack overview
Cerber ransomware historically propagates through phishing emails but has also been observed exploiting exposed vulnerabilities and leveraging third-party offensive frameworks such as Cobalt Strike and Sliver.Â
Early Cerber campaigns relied on malicious Microsoft Office files containing Visual Basic Script (VBScript) to initiate the ransomware payload. These payloads, equipped with anti-analysis safeguards, encrypt files using a combination of AES-256, RSA-2048, and RC4 ciphers, rendering them inaccessible to users. Cerber exhibits sophisticated evasion techniques, detecting virtual machine platforms to thwart automated analysis.
Following encryption, Cerber displays ransom notes to victims, demanding payment in Bitcoin through encrypted Tor browsers. The ransom amount may escalate over time to coerce victims into swift payment. Additionally, Cerber employs deceptive tactics, such as false system alerts and desktop backgrounds, to intimidate and coerce victims into compliance.
As a Ransomware-as-a-Service, Cerber’s targeting varies depending on the affiliate utilizing the malware. It displays little discrimination across industries, posing a threat to organizations and individuals alike.
Impact of the Cerber ransomware attack
Victims of Cerber ransomware are typically demanded payments in Bitcoin, facilitated through encrypted Tor browsers.Â
With over 442 file types targeted for encryption, Cerber ransomware locks away crucial data, rendering it inaccessible to victims. While the total financial impact of Cerber attacks is difficult to quantify accurately, ransomware victims collectively paid over $25 million in ransom between 2016 and 2017.Â
Cerber ransomware continues to pose a significant threat to organizations and individuals worldwide, leveraging evolving tactics and exploiting vulnerabilities to extort ransom payments.Â
Several security protocols and measures were recommended or created to prevent Cerber ransomware attacks and mitigate their impact. These protocols aim to enhance cybersecurity defenses, reduce vulnerabilities, and protect systems from ransomware threats like Cerber.Â
Organizations were advised to promptly apply security patches and updates released by software vendors, such as Atlassian, to address known vulnerabilities like CVE-2023-22518.Â
Sharing threat intelligence and indicators of compromise (IOCs) with relevant security organizations and communities can help identify emerging ransomware threats like Cerber and enable proactive defense measures.
5. CryptoLocker
Summary: CryptoLocker first surfaced in September 2013, leveraging phishing emails with deceptive attachments or links to infiltrate unsuspecting users’ systems.
CryptoLocker ransomware overview
CryptoLocker ransomware inflicted notable damage during its reign from 2013 to 2014. It targeted Windows computers and encrypted files stored on local and network drives. It extorted $3 million from victims before being partially mitigated by Operation Tovar.
CryptoLocker and its variants represent some of the earliest and most sophisticated examples of ransomware, combining locker and crypto-ransomware techniques.
CryptoLocker attack overview
Through cunning social engineering tactics, CryptoLocker disguised itself as legitimate communications from reputable organizations like FedEx and UPS, tricking recipients into opening malicious payloads.
Once activated, CryptoLocker encrypted files using RSA public-key cryptography, rendering them inaccessible to victims. A ransom message then demanded payment within a specified deadline, threatening deletion of the decryption key if payment was not made.
Impact of the CryptoLocker ransomware attack
CryptoLocker significantly damaged individuals, businesses, and organizations worldwide through its sophisticated ransomware operations.Â
Victims faced financial losses resulting from ransom payments demanded by CryptoLocker operators. The ransom amounts varied but often ranged from hundreds to thousands of dollars per victim.Â
Encryption of critical files caused operational disruptions for businesses and organizations, leading to productivity losses, delays in service delivery, and reputational damage.
To face this threat, several agencies and governments gathered to create Operation Tovar. It was a coordinated multinational law enforcement effort aimed at disrupting the CryptoLocker ransomware scheme.Â
Led by the U.S. Department of Justice, the operation involved collaboration between law enforcement agencies from Australia, Canada, Germany, the Netherlands, Ukraine, and the United Kingdom. They provided technical assistance, disseminated mitigation strategies, and facilitated victim remediation efforts to remove malware from infected computers and recover encrypted data where possible.
6. GandCrab
Summary: Emerged in 2018 as a formidable ransomware threat, exploiting vulnerabilities in Microsoft Windows and demanding ransom payments in the form of Dash cryptocurrency.
GandCrab ransomware overview
GandCrab emerged in January 2018 as a prominent encrypting ransomware targeting PCs running Microsoft Windows. It quickly gained notoriety for its sophisticated operations and ransomware-as-a-service (RaaS) licensing model.Â
Affiliates, responsible for infecting victims, purchased and spread the malware, sharing ransom payments with the GandCrab creators. The ransom payments were made in Dash cryptocurrency, with amounts ranging from $600 to $600,000.
Despite its widespread impact, GandCrab’s reign came to an end when its authors announced their retirement. However, fearing data loss for victims, cybersecurity experts, including Bitdefender and global law enforcement agencies, collaborated to release decryption tools. These tools, including the latest version neutralizer, helped victims recover data and weakened the ransomware operators’ monetization mechanisms.
GandCrab attack overview
GandCrab operated through various distribution channels, including emails, exploit kits, and malware campaigns, targeting victims worldwide, except in Russian-speaking countries and economically unviable regions.Â
The malware’s RaaS model allowed affiliates to focus on malware distribution while developers continually improved the code and added features such as antivirus evasion techniques. GandCrab’s business model also included a chat service for victims to negotiate discounts and payment deadlines, reflecting its sophisticated operation.
Impact of the GandCrab attack
GandCrab inflicted substantial damage, affecting over 1.5 million computers worldwide, including both home users and corporations.Â
Affected victims faced significant financial losses, with the ransomware operators and affiliates claiming to have extorted over $2 billion from victims. While the actual figure may be exaggerated, GandCrab’s impact was profound, prompting victims to pay hefty sums to recover encrypted data.
7. Locky
Summary: Although it caused substantial disruptions upon its release in 2016, Locky’s impact has diminished over time.
Locky ransomware overview
Locky ransomware emerged in 2016 as a sophisticated cyberattack targeting Windows devices through phishing emails.Â
The attack begins with victims receiving emails with infected Microsoft Word documents containing malicious macros. Upon opening the document, a trojan downloads and encrypts files with specific extensions using AES 128-bit and RSA 2048-bit encryption.Â
Encrypted files receive unique filenames with extensions such as .locky, .zepto, .odin, and others. Victims are then instructed to visit a dark web website via the Tor browser to pay a ransom in cryptocurrency for decryption.Â
Locky’s success spawned numerous variants such as PowerLocky, Diablo, Zepto, Odin, Osiris, Thor, Lukitus, and others, each posing unique challenges for detection and decryption.
Locky ransomware attack overview
Locky ransomware utilizes various hacking techniques, including phishing, social engineering, and malicious code distribution. The attack starts with the distribution of spam emails via the Necurs botnet, containing Word documents posing as invoices.Â
Victims are tricked into enabling macros, shortcuts that automate repetitive tasks, like transforming a few keystrokes into a complex sequence of commands. It leads to the execution of malicious scripts that download and run the ransomware trojan.Â
The trojan encrypts files, displays ransom messages, and directs victims to dark web portals for ransom payment.Â
Locky attacks have been linked to the Russian hacker group Evil Corp, responsible for the Necurs botnet and other malware distribution.
Impact of the Locky ransomware attack
Locky ransomware inflicted significant damage, particularly targeting healthcare institutions and other industries worldwide. Hospitals, in particular, faced severe disruptions, with encrypted databases and patient records leading to operational halts and financial losses.Â
The Hollywood Presbyterian Medical Center (HPMC) fell victim to a devastating attack on February 5, 2016, when Locky ransomware infiltrated its network. This cyber assault severely disrupted hospital operations, impacting patient care and administrative functions.Â
The attack originated from phishing emails received by HPMC employees, containing malicious attachments disguised as legitimate Microsoft Word documents.Â
In response to the attack, HPMC implemented emergency measures to contain the ransomware and mitigate its impact. Hospital administrators collaborated with cybersecurity experts and law enforcement agencies to assess the situation and explore recovery options.Â
After evaluating the severity of the attack and considering the potential consequences of prolonged downtime, HPMC decided to pay the ransom of $17,000 in bitcoins to obtain decryption keys from the attackers. Following the payment, the attackers provided the decryption keys needed to restore access to the encrypted files.
8. Bad Rabbit
Summary: Bad Rabbit caused notable disruptions upon its discovery in 2017, particularly in Russia and Ukraine.
Bad Rabbit ransomware overview
Bad Rabbit ransomware, emerging in October 2017, is a variant of NotPetya and operates by using fake Adobe Flash installer advertisements to target victims.Â
Similar to Petya, Bad Rabbit leverages EternalBlue and encrypts the Master Boot Record (MBR) upon infection.Â
While decryption for Bad Rabbit remains challenging, some recovery options exist, such as utilizing shadow copies if enabled on the endpoint.
Bad Rabbit ransomware attack overview
Bad Rabbit spreads through fake Adobe Flash updates, infecting victims primarily in Russia and Eastern Europe.Â
Disguised as a Flash installer, the malware infiltrates compromised websites through drive-by downloads, infecting users who click on the malicious installer. Once infected, computers are locked, and victims are presented with a ransom note demanding approximately $280 in Bitcoin within a 40-hour deadline.Â
The malware operates similarly to WannaCry and NotPetya, utilizing JavaScript injections into HTML or Java files on compromised websites to propagate and infect systems.
Impact of the Bad Rabbit ransomware attack
Bad Rabbit’s impact extended to organizations in Russia, Ukraine, and other countries, including Turkey, Germany, Poland, Japan, South Korea, and the United States.Â
High-profile targets such as Interfax, Odessa International Airport, Kiev Metro, and the Ministry of Infrastructure of Ukraine fell victim to the ransomware. The attack disrupted operations, encrypted files, and demanded ransom payments, affecting various industries and government entities.Â
While Bad Rabbit shares similarities with other ransomware variants, it introduced distinct tactics, including the use of watering hole drive-by downloads, a technique that targets specific groups of users by compromising websites they frequent.
