The 7 Worst Ransomware Examples of All Time
Imagine you’re at home, and suddenly, your door locks behind you. A stranger’s voice says they’ve taken control of your house, and they’ll only give you the key back if you pay them. This scenario, scary as it sounds, is exactly what ransomware does to your computer.
In this article, we’ll explore some of the worst ransomware attacks ever, revealing just how far some cybercriminals will go to take what’s not theirs.
What is ransomware?
Ransomware is a piece of malware that encrypts your files and holds them hostage. Before you can regain access to your files, you have to pay a ransom, often hundreds of dollars.
Don’t become a victim of ransomware. Protect your devices with the best antivirus software and your privacy with the best VPN service.
These are the worst ransomware examples of all time:
- CryptoLocker (2013): This was one of the first major ransomware attacks to hit the internet. It encrypted users’ files and demanded a ransom to release them.
- WannaCry (2017): Perhaps the most infamous ransomware attack to date, WannaCry affected hundreds of thousands of computers across 150 countries, causing billions of dollars in damages.
- NotPetya (2017): Disguised as a common form of ransomware, NotPetya was a devastating cyberweapon that caused widespread destruction, especially in Ukraine.
- Bad Rabbit (2017): This ransomware spread through a “drive-by” attack where innocent-looking websites hosted the malicious software.
- GandCrab (2018-2019): Known for its constant evolution, GandCrab targeted more than a million users and caused over $2 billion in damages before its creators claimed they retired.
- Ryuk (2018-2020): Ryuk targeted large organizations for high-ransom payoffs. It’s known for its attacks on the healthcare industry during the COVID-19 pandemic.
- Sodinokibi/REvil (2019-2020): The successor to GandCrab, Sodinokibi/REvil caused havoc in various sectors, with notable attacks including Travelex and the Texas court system.
Read on for more details on each ransomware example.
1. CryptoLocker (2013)
The Birth of a Cyber Menace
It all began in September 2013, when an internet boogeyman named CryptoLocker started making headlines. This piece of malicious software, or malware, was the brainchild of an elusive cybercriminal gang, later linked to the operators of the Gameover ZeuS botnet. For around three months, CryptoLocker held the digital world hostage.
CryptoLocker did not discriminate in its choice of victims. From individual users to businesses, anyone with a Windows computer was fair game. It crept into systems through infected email attachments, typically disguised as a legitimate file.
Once activated, CryptoLocker worked like a thief in the night. It encrypted users’ files—pictures, documents, spreadsheets—and held them hostage. The victims had one choice: pay a ransom in Bitcoin, or lose their data forever.
The attack was global, reaching across continents and affecting an estimated half a million people. The financial damage was monumental, with FBI estimates suggesting a loss of around $30 million.
The nature of the data compromised was broad. Personal memories stored as photos, essential business documents, financial data—all locked away, out of reach.
The saving grace came from Operation Tovar, a multinational effort that managed to disrupt the Gameover ZeuS botnet in May 2014, effectively neutralizing CryptoLocker. For the victims, the recovery process was slow and sometimes impossible without backups of the encrypted data.
Despite the scale of the attack, the legal consequences for the perpetrators were minimal. The anonymous nature of the internet helped the criminals behind CryptoLocker evade capture, underlining the immense challenges in policing cybercrimes.
2. WannaCry (2017)
The Outbreak That Shook The World
Fast forward to May 2017, when the cyberworld was rocked by the most extensive ransomware attack in history: WannaCry. The duration of the attack was mercifully short—lasting just a few days—but the devastation was widespread and profound.
The suspects behind the attack were the Lazarus Group, an entity linked to North Korea. This group had a more specific set of targets: old, unpatched Windows operating systems, often found in large organizations and government bodies.
WannaCry was indiscriminate and ruthless. It affected everyone from individual users to entire sectors. It froze hospitals in the UK, causing significant disruption to healthcare services. It attacked corporations, government agencies, and universities, locking out users and demanding ransom.
The scale of the attack was truly global, with over 150 countries reporting incidents. It affected an estimated 200,000 computers, causing financial damage that soared into the billions.
From patient records in hospitals to classified academic research, the nature of data compromised varied widely, causing a ripple effect of disruption and chaos.
The attack was eventually halted by a cybersecurity researcher, who discovered a “kill switch” in the malware. This discovery didn’t reverse the damage, but it stopped the spread. In the aftermath, victims scrambled to recover data, and organizations worldwide were reminded of the importance of regular system updates and robust cybersecurity measures.
In a rare turn of events, the US Department of Justice charged a North Korean programmer for his role in the WannaCry attack in 2018. However, due to international relations and the nature of cybercrime, the chances of prosecution remain slim.
3. NotPetya (2017)
The Masked Marauder
In June 2017, only a month after the WannaCry attack, a new threat emerged, seemingly more menacing and devastating. It was named NotPetya, a deceptively benign name for a cyber weapon of mass destruction. NotPetya was not the work of your everyday cybercriminal; it was a state-sponsored attack, believed to have originated from the Russian military.
The primary target of this attack was Ukraine. It cleverly infiltrated systems through a popular tax software, MEDoc, which was widely used in the country. But the effects of NotPetya weren’t limited to Ukraine; the malware quickly spread through corporate networks, impacting businesses globally.
The attack was swift and brutal, lasting just a few hours. But in that time, it caused untold damage. NotPetya was not a typical ransomware. While it demanded a ransom, it was a smokescreen for its true purpose: complete and utter data destruction. The compromised data spanned financial records, government files, and business operations.
The financial loss was staggering, with global damages estimated at $10 billion, making it one of the costliest cyberattacks in history.
The aftermath was a world in shock. Companies bolstered their defenses, governments reevaluated their cybersecurity policies, and the need for international cooperation in cybercrime became evident. Despite the scale of the attack, no significant legal consequences have come to light, once again highlighting the challenges of attribution and prosecution in the cyber realm.
4. Bad Rabbit (2017)
The Rapid Replicator
2017 seemed to be a year of relentless cyberattacks, and in October, another major threat hopped onto the scene: Bad Rabbit. This ransomware attack, believed to be linked to the creators of NotPetya, targeted media organizations and infrastructure providers in Russia and Eastern Europe.
Bad Rabbit spread through ‘drive-by’ attacks. Visiting an infected website was enough to download the malicious software, which then locked up files and demanded a ransom.
The geographic scope of the attack was more limited compared to its predecessors, largely contained within Russia and Ukraine. However, isolated incidents were reported in other parts of Europe, the US, and Asia.
The financial damage, while significant, was lower than that of the other major attacks, but the operational disruption was substantial. The data compromised was primarily business and operational data, crippling affected organizations.
The countermeasures against Bad Rabbit involved isolating infected systems and removing the malware. Affected entities had to restore data from backups or, if they had none, consider paying the ransom. The incident served as another reminder of the importance of regular data backups and robust cybersecurity measures.
The legal consequences of the Bad Rabbit attack remain unclear, largely due to difficulties in identifying and prosecuting the perpetrators. The attack reinforced the ongoing challenges in combating cybercrime and the urgent need for international cooperation in this area.
5. GandCrab (2018-2019)
The Ever-Evolving Threat
In early 2018, a new menace named GandCrab started crawling its way through the internet. This ransomware was the brainchild of an anonymous group of cybercriminals who employed an innovative business model known as Ransomware-as-a-Service (RaaS).
For about a year and a half, GandCrab terrorized users worldwide. The perpetrators frequently updated the ransomware to evade detection and exploit new vulnerabilities, demonstrating a terrifying adaptability.
GandCrab primarily targeted individual users but didn’t shy away from businesses either. The victims were scattered across the globe, with a significant number in the US and Western Europe.
The financial toll of GandCrab was enormous. Before the authors mysteriously “retired” in mid-2019, they claimed to have extorted over $2 billion from their victims, with hundreds of thousands of individuals and businesses affected.
Personal files, business documents, and sensitive data—all were grist to GandCrab’s mill. The nature of the data compromised was as diverse as the victims themselves.
In response to the escalating threat, cybersecurity firms teamed up with law enforcement agencies in a unique international collaboration. They launched a counter-offensive, providing free decryption tools to help victims unlock their files without paying the ransom.
Despite the global nature of the attack and its extensive damages, no significant legal consequences have been reported for the perpetrators. The unknown authors of GandCrab remain at large, illustrating the ongoing challenges in combating cybercrime.
6. Ryuk (2018-2020)
The Silent Stalker
While the world was grappling with GandCrab, another ransomware quietly emerged, specifically designed to target large organizations: Ryuk. Believed to be linked to a cybercriminal group from North Korea, Ryuk began its silent stalking in 2018 and continued through 2020.
Unlike other ransomware attacks, Ryuk was highly targeted. It preyed on large organizations, especially those in the healthcare industry. Its timing was particularly cruel, striking at the height of the COVID-19 pandemic when healthcare services were already under immense pressure.
While Ryuk’s geographic scope was global, its victims were fewer in number due to its selective nature. However, the financial damage was significant, with individual ransoms often running into hundreds of thousands of dollars.
Sensitive patient data, crucial medical research, operational data—Ryuk held it all hostage, causing severe disruption and endangering lives.
Countermeasures against Ryuk involved a combination of isolating infected systems, removing the ransomware, and restoring data from backups. The incident underscored the urgent need for strong cybersecurity measures, particularly in critical sectors like healthcare.
As of now, no substantial legal consequences have been reported for the Ryuk attacks. The difficulty in tracing the perpetrators, coupled with geopolitical complexities, continues to pose significant challenges in prosecuting cybercrimes.
7. Sodinokibi/REvil (2019-2020)
The Ruthless Successor
In the spring of 2019, a new villain stepped onto the cyber stage. Known as Sodinokibi or REvil, this ransomware emerged as the successor to the infamous GandCrab. The attack was conducted by an unknown group of cybercriminals who, like their predecessors, operated under the Ransomware-as-a-Service (RaaS) model.
Sodinokibi/REvil carried on its malicious spree well into 2020, leaving a trail of digital destruction in its wake. It targeted a wide range of victims, from individuals to large organizations, including the foreign currency exchange company Travelex and multiple government entities in Texas.
This ransomware was not limited by geography—it spread across the globe, inflicting pain and causing significant disruption. The financial damage, while not precisely known, is believed to be substantial given the high-profile nature of many of its targets.
The compromised data varied widely, from personal files on individual computers to sensitive corporate and government information. The attack on Travelex, for instance, disrupted the company’s operations for weeks, while the incident in Texas resulted in significant governmental disruption.
Countering Sodinokibi/REvil required a combination of isolating affected systems, removing the malware, and restoring data from backups. In some instances, victims chose to pay the ransom to regain access to their files.
As of now, no substantial legal consequences have been reported for the Sodinokibi/REvil attacks. The perpetrators remain elusive, illustrating the challenges that law enforcement agencies face in tackling the global problem of ransomware.
Staying Safe in a Digital World
As we’ve seen from these ransomware attacks, cybercriminals are always seeking ways to exploit our digital vulnerabilities. However, there’s a lot we can do to shield ourselves and our data from such threats.
Firstly, always keep your devices updated. Software updates aren’t just about adding new features—they often include security patches to protect against known threats. Ignoring these updates can leave your devices open to attack.
Secondly, consider investing in one of the best antivirus programs for Windows 11, such as Norton, Bitdefender, McAfee, Panda or Kaspersky. It acts as a digital guardian, continuously scanning your devices for any signs of malicious activity. Remember, it’s always better to prevent an attack than to deal with its aftermath.
Educating yourself about cybersecurity is another crucial step. Be aware of the threats that exist and learn how to recognize potential risks. A suspicious email, an odd-looking link, or an unexpected attachment could be a cybercriminal’s bait.
Here are a few trusted cybersecurity resources and official reports where you can learn more:
- National Cyber Security Centre (NCSC)
- Federal Bureau of Investigation – Internet Crime Complaint Center (IC3)
- U.S. Computer Emergency Readiness Team (US-CERT)
- European Union Agency for Cybersecurity (ENISA)
- Australian Cyber Security Centre (ACSC)
In the digital age, knowledge is power. Staying informed about cyber threats and practicing good digital hygiene can go a long way in keeping your data safe and secure. Remember, in the battle against ransomware, every one of us has a part to play. Stay safe out there!
Author: Tibor Moes
Founder & Chief Editor at SoftwareLab
Tibor is a Dutch engineer and entrepreneur. He has tested security software since 2014.
Over the years, he has tested most of the best antivirus software for Windows, Mac, Android, and iOS, as well as many VPN providers.
He uses Norton to protect his devices, CyberGhost for his privacy, and Dashlane for his passwords.