The Biggest Ransomware Attacks in History
DataProt is supported by its audience. When you buy through links on our site, we may earn a commission. This, however, does not influence the evaluations in our reviews. Learn More.
Perpetrators of ransomware attacks all have the same goal: They all aim to extort money from their victims by blackmailing them. To get their hands on important data they can use as leverage, cybercriminals use malicious software called ransomware.
What Is Ransomware?
Ransomware is a type of malware that prevents users from accessing their files, usually by encrypting them. It infects the victim’s device by various means ranging from email phishing to brute force attacks.
Cybercriminals usually target companies and organizations since they’re more willing to pay to regain access to their sensitive data. Besides, ransom amounts in these cases are significantly higher.
That said, ordinary people can become victims of ransomware attacks, too, so we’ll discuss what steps you can take to protect yourself later in this article.
Types of Ransomware Attacks
Cybercriminals keep developing new types of ransomware but at the end of the day, all this variety of malicious code can be classified into just two categories: the ones that encrypt your files (crypto ransomware) and the ones that lock you out from your device (locker ransomware).
In a crypto ransomware attack, the perpetrator aims to encrypt a victim’s files, after which they leave a ransom note with payment details on the victim’s desktop. To scramble the victim’s data, cybercriminals use strong encryption – AES (Advanced Encryption Algorithm), RSA (Rivest, Shamir, Adleman), or a combination of them.
Once the files are encrypted, it’s practically impossible to decrypt them without a key. This leaves the user with few to no alternatives. They can either pay to get the key, restore the data (provided that they’ve previously backed them up), or accept the loss of their data.
Locker ransomware or screen-locking ransomware limits the victim’s access to their own device by blocking essential functions while leaving them with limited use of mouse and keyboard so they can continue to interact with the attacker. Since locker ransomware doesn’t encrypt victims’ files, it leaves them with more options to combat it.
To sum it up, the difference between crypto and locker ransomware is that crypto ransomware encrypts the files, but locker ransomware doesn’t. Instead, it prevents the user from accessing their data.
To be able to glimpse the future, you first need to understand the past. The same applies to ransomware attacks. A look at the most significant breaches in the past four decades can help us predict how ransomware will evolve.
AIDS Trojan/PC Cyborg (1989)
The first known ransomware attack wasn’t executed through an email or unverified link. Instead, biologist Joseph Popp distributed thousands of floppy disks labeled “AIDS information – Introductory Diskettes” to his colleagues at the World Health Organisation AIDS conference held in Stockholm. Each floppy disk contained a Trojan.
Once the virus was in the system, it would count down until the PC booted up 90 times, and then, it would launch an attack. Ransomware would hide the directories and encrypt or lock the victim’s files.
Then it would demand a $189 ransom to be sent to the “PC Cyborg Corporation” PO box in Panama. Luckily, the encryption wasn’t strong, and a free decryption tool was soon released to help out the victims.
CryptoLocker debuted in September 2013, announcing a new era of ransomware attacks. It’s believed this piece of malicious code was used to extort more than $3 million from its victims. It targeted devices running on Windows and spread via email attachments and compromised websites.
When activated, CryptoLocker would encrypt specific files on local and shared drives. It would then request users to pay ransom in Bitcoin or prepaid cash vouchers.
Authorities managed to shut down the CryptoLocker operation in 2014 by shutting down the Gameover ZeuS botnet server used to distribute the ransomware. They also obtained a set of database keys used for decrypting files, which were later used to create a decryption tool.
Koler.a ransomware initially targeted adult website visitors. It masked itself as a video file or a video player or redirected the user to a compromised website where it would infect their PC or smartphone.
It accessed the unsuspecting user’s geolocation to create a locked screen with a message that impersonated local police authorities, saying they had found illegal pornographic material on the device and that the victim had to pay a fine or face criminal charges.
TeslaCrypt was a CryptoLocker strain that used the same methods to gain access to its victims’ devices – phishing emails and website vulnerabilities. In addition to encrypting personal files, it also targeted popular game files from World of Warcraft and other games. In 2016, the group behind TeslaCrypt released a universal master key for decrypting files.
The same modularity gave this piece of malware multiple avenues of attack, although the attackers mainly relied on phishing emails. To this day, there is no publicly available decryption for it.
Locky ransomware creators used spear phishing to trick their victims into believing that the attachment they had received in an email is an invoice. For ransomware to be deployed fully, the victim had to download the file and install the macro from it.
That “macro” was Locky. Locky was used for one of the first major ransomware attacks on hospitals. It targeted a Los Angeles hospital that was forced to pay $17,000 in ransom.
Locky had some success with hospital ransomware attacks, but WannaCry, launched in May 2017, managed to infect multiple National Health Service (NHS) systems in England and Scotland, causing significant disruptions and a staggering £92 million loss.
WannaCry exploited a Microsoft Windows vulnerability developed by the US National Security Agency and exposed by the ShadowBrokers group a month before the attack. After the vulnerability was exposed, Microsoft released a security patch that addressed the issue, but the attack targeted computer systems that hadn’t installed the patch.
Thanks to British computer security researcher Marcus Hutchins, a killswitch was implemented to stop the spread of WannaCry malware while security teams rushed to patch all the vulnerabilities in crucial systems. During that time, French cybersecurity researchers found a method to unlock and decrypt infected computers, but it worked only in certain situations.
Petya malware was first revealed in 2016. Engineered to attack Microsoft Windows devices, it would encrypt its victims’ hard drive’s file system table, preventing Windows from booting.
In 2017, another strain of Petya, called NotPetya, was used in a malware attack in Ukraine. It used the same method of infiltration as WannaCry, but the encryption of files was permanent. There was no way to revert it even if the victim paid the ransom.
REvil a.k.a Sodinokibi is a type of crypto ransomware created by the REvil cybercriminal group based in Russia. It mostly spreads by phishing, although the group is known to have launched brute force attacks on high-profile targets. It mainly targeted US and European companies, refraining from attacks on companies from countries that used to be part of the Soviet Union.
One of its targets was foreign currency exchange and travel insurance company Travelex. The hackers exploited a vulnerability of a VPN service often used in corporate settings to enter the company’s systems and extract 5 GB of customer data from it. They demanded a $6 million ransom but settled for $2.3 million after negotiations.
In January 2022, the Russian Federal Security Service reported that it had dismantled the REvil group with the help of intelligence provided by the US.
In September 2020, a massive hospital ransomware attack hit Universal Health Services (UHS), causing $67 million (pre-tax) in damage. UHS decided not to pay the ransom. It collaborated with internal and external security experts to regain access to its systems and data.
A strain of malware called Ryuk was discovered to have been used in the attack. Ryuk doesn’t launch an attack as soon as it infiltrates the victim’s system. Instead, it takes a couple of days for it to start encrypting files.
In the meantime, it spreads through the system to inflict maximum damage. Ryuk disables the Windows System Restore feature so the victim can’t roll back to a previous uninfected version of the system.
A hacker crew known as DarkSide used a strain of REvil malware in a recent ransomware attack on oil pipeline system Colonial Pipeline, heralding the rise of cyber attacks on critical infrastructure. The result? Colonial Pipeline had to temporarily close its 5,500-miles-long pipeline on the East Coast. In a matter of hours, the company paid $4.4 million in Bitcoin. The FBI later managed to track down and recover part of the ransom money.
Conti ransomware was first detected in 2020, but it earned its notoriety in 2021 when a group known as Wizard Spider used it to attack the Irish Health Service Executive. Just like the UHS, the HSE refused to pay the ransom. It responded by shutting down its IT systems and disconnecting the National Healthcare Network from the internet.
This caused disruptions in healthcare services countrywide as doctors and other medical personnel instantly lost access to their patients’ medical records. It took four months for the HSE to recover from the incident.
Some of the malicious software from our list, for example, Ransom32, belongs to a type of ransomware called ransomware-as-a-service.
RaaS is typically developed by one hacker or a group of hackers and used by another to mount an attack. RaaS functions like a business model where prospective executors of a cyberattack pay the developers a one-time fee or a percentage of the ransom amount.
This makes ransomware accessible to cybercriminals who don’t have the knowledge required to create malicious code themselves. RaaS is likely one of the reasons behind the increased number of ransomware attacks in 2021 and 2022.
Cybercriminals use various methods to infect a victim’s systems. These include:
- Phishing attacks
- Malicious websites
- Exploiting remote desktop protocol vulnerabilities
- Exploiting system vulnerabilities
- Brute force
To avoid becoming part of inglorious phishing statistics, you need to know how to protect yourself. Here are some tips to help you with that.
- Keep your operating system and software up to date. In the WannaCry ransomware attack, the perpetrators used an operating system vulnerability that had in fact been previously fixed by Microsoft but was never installed by the end-user. This is just one of the many illustrations of how important it is to keep your system software up to date and regularly install new security patches.
- Don’t open emails from unknown senders. If an email is suspicious, contact your IT department. If that’s not an option, verify if the email arrived from a trusted source or contact the sender to check if they’ve sent you the file.
- Avoid using unknown USB sticks or other portable media devices. While this is not as common as other methods, USB sticks with malicious software on them are still used to carry out cyberattacks.
- Download files only from trusted websites. Trusted websites have a shield or lock icon next to the website address.
- Avoid using public Wi-Fi. Public Wi-Fi is accessible to anyone and can be used to obtain sensitive data you transmit over it. If you have to use it, get a VPN to protect yourself.
- Install anti-malware software. Anti-ransomware programs can protect you from catastrophic scenarios as long as you keep them up to date.
- Use backup. Back up your data, either on a cloud or external hard drive. In case of a successful ransomware attack, you’ll always have an option to clean your system and restore your data without paying the ransom that may or may not restore your data. Just don’t forget to keep your external hard drive unplugged from your device when not in use.
What Does the Future Hold?
In 2021, recovering from a ransomware attack cost $1.85 million on average. Even when a company had a backup, it still impacted its operations and caused a revenue loss.
About 32% of affected companies in 2021 decided the lesser evil would be to pay the ransom. However, there is no guarantee that cybercriminals will honor their part of the bargain.
Given that ransomware attacks in 2021 rose by 92% compared to 2020 and the trend is likely to continue in 2022, for most organizations, the best course of action would probably be to invest more in prevention and employee education.