5 biggest ransomware attacks in history

  • The highlighted ransomware attacks resulted in substantial financial losses, reaching billions of dollars collectively.
  • Attackers employed sophisticated tactics, such as exploiting software vulnerabilities and utilising social engineering techniques like phishing emails, to infiltrate systems and maximise their impact.
  • Ransomware attacks targeted organisations across various industries globally, demonstrating the widespread nature of the threat.

Ransomware attacks represent a significant threat in today’s digital landscape, leaving devastating impacts on organisations worldwide. In this blog post, we will show the five most significant ransomware attacks in history, each showcasing the extent of financial losses, sophisticated strategies of the attackers, and the pressing need for robust cybersecurity measures.

1. ExPetr

Type of attack: Ransomware (a wiper exploiting an SMB vulnerability)

Year: 2017

Attackers: Likely Russian state-sponsored actors

Target company: Various, but severely impacted Maersk and Merck

Monetary impact: Estimated $10 billion

In June 2017, the ExPetr, also referred to as NotPetya, ransomware assault swept across the world, resulting in substantial disruptions and damages. Diverging from typical ransomware tactics, ExPetr wasn’t crafted to demand ransom money; rather, its aim was to inflict maximum harm. Initially targeting Ukraine, it proved too virulent to be confined.

NotPetya was soon identified as a wiper — a form of malware engineered to erase data — masquerading as ransomware. It exploited a vulnerability in Windows systems known as EternalBlue.

The wiper rapidly propagated, encrypting the master boot record (MBR) to render affected systems unbootable. Upon infiltrating a network, it employed various techniques, including the Mimikatz tool, to gather credentials and propagate laterally.

The collective financial toll attributed to NotPetya was estimated at approximately $10 billion, rendering it the most costly documented attack in history.

Also read: World’s largest bank hit by LockBit ransomware gang linked to Boeing, Ion attacks

2. WannaCry

Type of attack: Ransomware (vulnerability in SMB protocol)

Year: 2017

Attackers: Believed to be the Lazarus Group

Target company: Multiple (global attack); Microsoft Windows users

Monetary impact: Estimated $4 billion

In May 2017, the WannaCry ransomware attack hit 150 countries, affecting over 200,000 computers. Initial cost estimates reached $4 billion, with potential future losses in the U.S. alone projected to exceed $7 trillion.

WannaCry exploited a critical vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol known as EternalBlue, allegedly developed by the US National Security Agency (NSA) and leaked by the Shadow Brokers group.

The ransomware encrypted files on victims’ computers, demanding payment in Bitcoin for a decryption key, typically $300, doubling if not paid within three days. Acting as a worm, WannaCry spread automatically through networks, causing widespread disruption to critical infrastructures like healthcare, finance, and transportation.

Also read: EvilProxy Phishing Campaign Targets Microsoft 365 Users, Focuses on C-Level Executives

3. GandCrab

Type of attack: Ransomware-as-a-service (RaaS) (phishing, exploit kits)

Year: 2018-2019

Attackers: Unknown, operators announced ‘retirement’ in 2019

Target company: Various, including businesses and individuals (PCs using MS Windows)

Monetary Impact: Estimated over $2 billion

In 2018, GandCrab emerged as a highly pervasive and profitable ransomware attack. What distinguished GandCrab was its Ransomware-as-a-Service (RaaS) approach, wherein affiliates were licensed to carry out attacks and share profits with the developers.

GandCrab spread primarily through phishing emails and exploit kits, notably the GrandSoft and RIG kits. Upon infecting a victim’s system, GandCrab encrypted files and demanded a ransom in Dash cryptocurrency for decryption.

4. Locky

Type of attack: Ransomware (phishing emails distributing a macro in a Word document)

Year: 2016 – 2018

Attackers: Unknown, possibly the Dridex hackers (aka Evil Corp or TA505)

Target company: Various (predominantly healthcare providers in the US, Canada, France, Japan, Korea, and Thailand)

Monetary Impact: Estimated $1 billion

Locky, active mainly from 2016 to 2018, stood out as one of the most widespread ransomware variants, propagated through extensive phishing campaigns. It infiltrated systems via email attachments containing malicious Word documents. Upon opening the document and enabling macros, the ransomware payload was downloaded and activated.

Locky encrypted various types of data files, scrambled their filenames, and demanded payment in Bitcoin for decryption. Notably, it could encrypt files stored on network shares, increasing its potential for harm. Using a mix of RSA and AES encryption, Locky rendered victim files inaccessible until a ransom was paid, typically ranging from 0.5 to 1 Bitcoin.

Also read: HKBN offers free phishing assessments to SPO

5. Ryuk

Type of attack: Ransomware (usually TrickBot infection)

Year: 2018 – 2020

Attackers: Unclear, possibly various groups using the Ryuk malware or Wizard Spider (Russia)

Target company: Various, mostly healthcare and municipalities

Monetary Impact: Estimated $150 million

Debuting in mid-2018, Ryuk ransomware swiftly emerged as a significant menace to large-scale enterprises. Diverging from typical ransomware tactics reliant on automated distribution, Ryuk is manually deployed following an initial network breach. Attackers meticulously map networks, extract data, and gather credentials before unleashing Ryuk ransomware, aiming for maximal disruption.

Ryuk employs a blend of RSA-2048 and AES-256 encryption, rendering it highly resistant to decryption without the requisite keys. Moreover, the malware is engineered to encrypt network drives, resources, and remote hosts. Ryuk has been linked to numerous high-profile attacks, with ransom demands spanning from 15 to 500 Bitcoin (approximately $100,000 to $3.7 million).


Lydia Luo

Lydia Luo, an intern reporter at BTW media dedicated in IT infrastructure. She graduated from Shanghai University of International Business and Economics. Send tips to j.y.luo@btw.media.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *