Famous Ransomware Attacks: What Are the Lessons of the 8 Biggest Attacks in History

Learning about past attacks helps prevent future ones and reduces the chance of becoming a ransomware victim. This page reviews eight of the most significant ransomware attacks to date.

Ransomware is malicious software that encrypts a victim’s data and withholds the decryption key until a ransom is paid; most modern groups also steal the data first and threaten to publish it. Most of the time the operators remain anonymous, working from jurisdictions where legal reach is limited.

Every year these groups become more efficient, while many companies still cannot respond quickly and human defenses remain weak, so the threat keeps growing. New technologies such as artificial intelligence and machine learning give attackers further opportunities for larger and more damaging campaigns.

While 2021 was a turning point with over 623 million attack attempts, the threat has since evolved from ‘noise’ to precision strikes. According to the 2024 SonicWall Cyber Threat Report, while total attack volume can fluctuate, the severity of successful breaches has hit an all-time high. In fact, ransomware payments shattered records in 2023, exceeding $1.1 billion globally for the first time. This momentum has carried into 2025, with a 73% increase in the total value of ransoms paid in the last year alone, as threat actors pivot their focus toward high-value targets in infrastructure and healthcare.

The 2024 “Mother of All Breaches” is often mentioned in the same breath, but it was a different kind of incident: a 26-billion-record compilation of previously leaked data exposed on an unsecured server, not a ransomware attack.

Why is studying past ransomware attacks crucial for defense?

Studying historical attacks allows IT managers and legal teams to understand attack vectors, the paths hackers take to enter a system. By looking at the biggest ransomware attacks in history, we can identify patterns in poor patching practices, social engineering, and the critical importance of a fast response.

Learning from past attacks can help prevent future ones and reduce the risk of becoming a ransomware victim. This is a list of eight major ransomware attacks that have shaped the cybersecurity landscape.

At a Glance: The 8 Historic Attacks

Attack & Year / Primary Target / Key Impact

1. CryptoLocker (2013-14)
Primary target: Global (Windows users)
Key impact: First widespread ransomware to hold files hostage with RSA public-key cryptography. About $3M extorted before Operation Tovar disrupted the Gameover ZeuS botnet that distributed it.

2. WannaCry (2017)
Primary target: Global (legacy Windows)
Key impact: 200k+ systems in 150 countries infected within days using a leaked NSA exploit. Billions in damages.

3. NotPetya (2017)
Primary target: Global (Ukraine-focused)
Key impact: State-sponsored wiper disguised as ransomware. About $10B in global damages, the most expensive cyberattack on record.

4. Colonial Pipeline (2021)
Primary target: U.S. critical infrastructure
Key impact: Fuel shortages across the U.S. East Coast. $4.4M ransom paid within hours; about $2.3M later recovered by the DOJ.

5. Kaseya (2021)
Primary target: IT supply chain (MSPs)
Key impact: One compromised product pushed ransomware to 1,500+ businesses at once via a malicious “hot-fix” sent from hijacked VSA servers.

6. JBS Foods (2021)
Primary target: Global meat processing
Key impact: Plants shut down on three continents, threatening food supply chains. $11M ransom paid.

7. Costa Rica Government (2022)
Primary target: Sovereign nation state
Key impact: First country to declare a national state of emergency because of ransomware.

8. Change Healthcare (2024)
Primary target: Healthcare payment processing
Key impact: U.S. medical payments paralyzed for weeks; data of roughly one in three Americans affected. $2B+ total cost.

1. CryptoLocker (2013-2014)

Summary: CryptoLocker inflicted notable damage during its reign from 2013 to 2014, targeting Windows computers and encrypting files stored on local and network drives. It extorted $3 million from victims before being partially mitigated by Operation Tovar.

CryptoLocker ransomware overview

CryptoLocker first surfaced in September 2013, arriving through phishing emails with malicious attachments or links. It is one of the earliest examples of modern crypto-ransomware: rather than merely locking the screen, it encrypted the victim’s files so that recovery depended on a key held only by the attackers.

Through cunning social engineering tactics, CryptoLocker disguised itself as legitimate communications from reputable organizations like FedEx and UPS, tricking recipients into opening malicious payloads.

CryptoLocker attack overview

Once executed, CryptoLocker contacted its command-and-control server, which generated a 2048-bit RSA key pair and returned only the public key. Files on local and mapped network drives were encrypted with a symmetric AES key, and that key was in turn encrypted with the RSA public key, so nothing left on the infected machine could reverse the process. A ransom message demanded payment within a deadline and threatened to destroy the private key if the victim did not pay.

Correctly implemented hybrid encryption of this kind made recovery without the private key infeasible, which was new for ransomware at the time. CryptoLocker was also distributed through, and borrowed its command-and-control infrastructure from, the peer-to-peer Gameover ZeuS botnet, and it fell back to a domain-generation algorithm to locate its servers, making takedown far harder for authorities.

Impact of the CryptoLocker ransomware attack

CryptoLocker significantly damaged individuals, businesses, and organizations worldwide through its sophisticated ransomware operations. Victims suffered financial losses due to ransom payments demanded by CryptoLocker operators. The ransom amounts varied, often ranging from hundreds to thousands of dollars per victim.

The encryption of critical files disrupted business operations, leading to productivity losses, delays in service delivery, and reputational damage.

To counter this threat, several agencies and governments joined forces in Operation Tovar, a coordinated multinational law enforcement action announced in June 2014. Led by the U.S. Department of Justice and the FBI, with Europol and agencies from Australia, Canada, Germany, the Netherlands, Ukraine, the United Kingdom and other countries, it seized control of the Gameover ZeuS botnet that distributed CryptoLocker and indicted its alleged operator, Evgeniy Bogachev. Security firms that assisted the operation, Fox-IT and FireEye, later obtained the private keys held on the seized infrastructure and in August 2014 released a free service that let many victims decrypt their files without paying.

2. WannaCry (2017)

Summary: WannaCry infected an estimated 200,000 computers across 150 countries within days, causing damage estimated at hundreds of millions to billions of dollars.

WannaCry ransomware overview

WannaCry, also known as WannaCrypt, WannaCryptor or Wanna Decryptor, was a worldwide ransomware outbreak that began on May 12, 2017 and reached systems in about 150 countries.

This cryptoworm, self-replicating ransomware that encrypts data and then spreads to other machines on its own, exploited a flaw in Microsoft’s SMBv1 implementation (CVE-2017-0144) using EternalBlue, an exploit developed by the U.S. National Security Agency (NSA) and published by the Shadow Brokers group in April 2017, about a month before the outbreak. It also installed the DoublePulsar backdoor from the same leak on the machines it compromised.

Microsoft had fixed the vulnerability two months earlier, in the March 2017 security bulletin MS17-010, yet huge numbers of systems remained unpatched, and machines exposing port 445 to the internet or to flat internal networks gave the worm free passage.


WannaCry attack overview

WannaCry targeted tens of thousands of organizations and individuals, including government agencies, hospitals, telecommunications companies, and financial institutions, with computers running outdated versions of Microsoft Windows operating systems. 

Once infected, WannaCry encrypted files on the affected system and demanded a ransom ranging from $300 to $600 to be paid in Bitcoin. 

Notable victims included high-profile organizations such as the U.K.’s National Health Service (NHS), FedEx, Honda, and Boeing.

Impact of the WannaCry attack

The impact of WannaCry was substantial, causing hundreds of millions to billions of dollars in damages. The NHS, in particular, suffered significant disruptions, with multiple hospitals, general practitioners, and pharmacies affected in England and Scotland. Medical services were delayed and diverted, although no deaths were directly attributed to the attack.

Security agencies in the United States, United Kingdom, Canada, Japan, New Zealand and Australia later formally attributed the attack to North Korea (the Lazarus Group). Despite mitigation efforts, WannaCry infected an estimated 200,000 computers worldwide because so many systems were still unpatched.

In response, Microsoft took the unusual step of releasing emergency patches for unsupported systems such as Windows XP and Windows Server 2003, which MS17-010 had not covered, and urged customers to update. The spread was also blunted by a quirk in the code: before encrypting or spreading, WannaCry tried to connect to a hard-coded, unregistered domain and exited if the connection succeeded, a check most likely meant to detect analysis sandboxes. Security researcher Marcus Hutchins registered that domain on the first day and sinkholed it, so new infections that could reach it shut themselves down, although hosts behind proxies that blocked the direct connection were still encrypted.

3. NotPetya (2017)

Summary: NotPetya, unleashed on June 27, 2017, marked a new era of state-sponsored cyber warfare, primarily targeting Ukrainian organizations but quickly spreading globally.

NotPetya ransomware overview

NotPetya took its name from superficial similarities to the Petya ransomware family, but it was a new piece of malware, and it hit more than 2,000 organizations within days. Despite its ransomware appearance, its purpose was not profit but indiscriminate destruction, which sets it apart from the other attacks on this list.

It used the EternalBlue and EternalRomance exploits from the NSA leak, together with credentials harvested from memory and the legitimate administration tools PsExec and WMIC, to move through networks without any user interaction, so even fully patched machines were compromised once the worm held a privileged account on the domain.

NotPetya has been attributed by the U.S., U.K. and other governments to Russia’s military intelligence service, the GRU (the unit known as Sandworm), as part of the wider conflict between Russia and Ukraine.

NotPetya attack overview

The initial foothold was a supply-chain compromise: the attackers broke into the update infrastructure of M.E.Doc, accounting software used by most businesses that file taxes in Ukraine, and shipped a backdoored update to its customers. From those machines the worm spread through internal networks using the exploits and stolen credentials described above.

Once running with administrative rights, NotPetya encrypted files with a range of common extensions, then overwrote the master boot record with its own bootloader, which on the next reboot encrypted the NTFS master file table and displayed the ransom screen, leaving the machine unbootable.

Unlike real ransomware, it offered no working path to recovery even for victims who paid: the “installation key” shown on the ransom screen was random data unrelated to the encryption key, and the contact email address was suspended by its provider within hours. This confirmed that the operators’ goal was disruption and data destruction rather than money.
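Because NotPetya’s bootkit lived in the first sector of the disk, one cheap forensic check is to baseline the master boot record on a known-good image and compare it on suspect machines. The following is an added example, not code from the original article or from any vendor: it parses the standard 512-byte MBR layout, hashes the bootstrap code, decodes the partition table, and reports what changed. The two sectors it examines are constructed here (the boot-code bytes are placeholders, not real bootstrap code); on a real host you would read sector 0 of the physical disk from a forensic image.

```python
"""Baseline-and-compare check for a 512-byte master boot record.
Layout: bytes 0-439 bootstrap code, 440-443 disk signature, 446-509 four
16-byte partition entries, 510-511 the 0x55AA boot signature."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440          # bootstrap code occupies bytes 0-439
DISK_SIG = slice(440, 444)   # 4-byte Windows disk signature
PART_TABLE = 446             # start of the four partition entries
SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Decode an MBR into a comparable dict (boot-code hash, signature, partitions)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        ptype = entry[4]                      # partition type byte, 0 = empty slot
        if ptype == 0:
            continue
        lba_start, sectors = struct.unpack_from("<II", entry, 8)  # little-endian LBA fields
        partitions.append({"bootable": entry[0] == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": sector[DISK_SIG].hex(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a baseline captured from a known-good state."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code modified")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def make_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR for the example: placeholder boot code plus entries."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG] = b"\xde\xad\xbe\xef"           # constructed disk signature
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed: one bootable NTFS (type 0x07) partition starting at LBA 2048.
PARTS = [(True, 0x07, 2048, 0x0010_0000)]
CLEAN_MBR = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100, PARTS)
# Constructed tampered sector: boot code replaced, partition table left intact,
# which is what a bootkit that still wants the disk to look normal will do.
TAMPERED_MBR = make_mbr(b"\xeb\x1e" + b"\xcc" * 200, PARTS)
BASELINE = parse_mbr(CLEAN_MBR)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The baseline should be taken from the golden image or at deployment time and stored off the host; a boot-code hash that changes outside a planned OS upgrade is worth a memory and disk capture before anyone reboots the machine.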

Impact of the NotPetya attack

The financial toll of NotPetya was staggering, with multinational corporations bearing the brunt of losses. 

Companies like Maersk, FedEx, and Merck reported losses ranging from hundreds of millions to billions of dollars, encompassing revenue loss, IT restoration costs, and operational disruptions. Maersk, for instance, faced a total shutdown of its operations, with significant manual intervention required to restore functionality over several months.

NotPetya victims:

  • Maersk: Losses amounted to $250-300 million, with operations severely disrupted, including the shutdown of 45,000 workstations and 4,000 servers.
  • FedEx: The European subsidiary, TNT Express, suffered $300 million in losses, leading to service delays and manual operational processes.
  • Merck: The pharmaceutical giant incurred $870 million in losses due to disrupted manufacturing, research, and sales operations, impacting vaccine supplies.
  • Mondelez: The food company recorded $180 million in damages, with its global logistics chain disrupted, leading to forensic analysis and restoration costs.
  • Nuance: Cloud-based dictation and transcription services were affected, resulting in an estimated $92 million in lost revenues and restoration costs.
  • Reckitt Benckiser: Production, shipping, and invoicing were halted, leading to $117 million in losses for the British consumer goods company.
  • WPP: The multinational advertising firm incurred approximately £15 million in losses due to NotPetya’s impact on its operations.

4. DarkSide (2021)

Summary: DarkSide ransomware crippled the largest fuel pipeline in the U.S., forcing Colonial Pipeline to shut down operations for five days, leading to fuel shortages across the East Coast and a $4.4 million ransom payment.

Colonial Pipeline attack overview

DarkSide first emerged in August 2020 as a sophisticated Ransomware-as-a-Service (RaaS) operation, quickly establishing itself as one of the most professional cybercriminal enterprises in the ransomware ecosystem. The group operated under a unique “code of conduct,” claiming to avoid targeting hospitals, schools, universities, non-profit organizations, and government agencies, and instead focusing on large, profitable corporations.

On May 7, 2021, Colonial Pipeline, which operates the largest refined oil products pipeline in the United States, transporting over 100 million gallons of fuel daily from Houston, Texas, to Linden, New Jersey, suffered a devastating ransomware attack. The attack began when DarkSide affiliates gained access to Colonial Pipeline’s network via a compromised VPN password exposed in a previous data breach. Critically, this VPN account lacked multi-factor authentication, making it a vulnerable entry point.

DarkSide demanded 75 bitcoin, worth about $4.4 million at the time. Colonial Pipeline CEO Joseph Blount made the controversial decision to pay within hours, later telling Congress it was “the right thing to do for the country” given the uncertainty about how deep the compromise went and the importance of the pipeline to the Eastern United States. The decryptor DarkSide supplied reportedly ran so slowly that the company’s own backups and recovery process did most of the actual restoration work. In June 2021 the U.S. Department of Justice announced it had seized about 63.7 of the 75 bitcoin (roughly $2.3 million at the time) from a wallet used by the affiliate.

Impact of the Colonial Pipeline attack

The five-day shutdown had immediate and widespread consequences across the U.S. East Coast. Panic buying ensued, with approximately 30% of gas stations in metro Atlanta running out of gasoline, and similar shortages occurring throughout the Southeast. Average fuel prices rose to their highest point since 2014, and the airline industry faced jet fuel shortages affecting carriers, including American Airlines.

The incident also exposed significant weaknesses in U.S. critical infrastructure cybersecurity. Within weeks the Transportation Security Administration issued its first mandatory pipeline security directives, requiring operators to report incidents, designate a cybersecurity coordinator and review their defenses, and scrutiny of pipeline operators’ security practices has remained high since.

5. REvil (Kaseya Attack - 2021)

Summary: REvil executed one of the most devastating supply-chain ransomware attacks in history by compromising Kaseya’s VSA software, simultaneously infecting over 1,500 downstream businesses and demanding an unprecedented $70 million ransom.

Kaseya attack overview

The REvil group (also known as Sodinokibi) emerged in April 2019 and is believed to be operated by the same developers behind the GandCrab ransomware operation, which retired after claiming to have earned over $2 billion in ransom payments. REvil quickly established itself as one of the most prolific and aggressive RaaS operations, earning an estimated $81 million in 2020 alone.

On July 2, 2021, REvil launched a supply-chain attack through Kaseya VSA (Virtual System Administrator), a remote monitoring and management platform that MSPs and IT departments use to patch, back up and monitor client endpoints. VSA is sold both as a hosted service and as an on-premises server; the attack hit internet-exposed on-premises servers. It was timed for the start of the U.S. Independence Day weekend, when IT teams would be slowest to respond.

The attackers exploited a zero-day vulnerability (CVE-2021-30116) in the VSA server that Wietse Boonstra of the Dutch Institute for Vulnerability Disclosure (DIVD) had discovered on March 23, 2021 and responsibly reported to Kaseya. Kaseya was still developing the fix when REvil found and exploited the flaw. The vulnerability allowed authentication to the VSA web interface to be bypassed and, together with related flaws DIVD had reported (including a SQL injection), gave the attackers administrative control of the server. They then used the product exactly as designed, to push an “update” to every managed endpoint: the fake “Kaseya VSA Agent Hot-fix” ran a PowerShell one-liner that disabled Microsoft Defender protections, used a renamed copy of certutil.exe to decode the payload, and launched an old but legitimately signed Defender binary (MsMpEng.exe) that side-loaded the REvil ransomware as mpsvc.dll.
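The deployment chain is the part of this attack a defender could actually have caught, because every stage leaves a process-creation event. The following is an added example, not code from the original article or from Kaseya: three hunting rules run over a small constructed process log in a simple pipe-delimited format. The indicators themselves (Set-MpPreference with -Disable* switches, certutil or a renamed copy of it used with -decode, and MsMpEng.exe running from outside its Defender directories) come from public write-ups of the July 2021 incident; the hostnames, paths and timestamps in the sample lines are invented for illustration.

```python
"""Hunt for the REvil/Kaseya deployment chain in process-creation logs.
Constructed log format: timestamp|host|parent_image|image|command_line"""
import re
from collections import defaultdict

# Constructed sample log. The last two lines mimic the chain pushed through VSA.
LOG_LINES = [
    # Benign: Defender's own engine running from its platform directory.
    r"2021-07-02T12:00:00Z|WS-ACCT-07|C:\Windows\System32\services.exe|C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2105.5-0\MsMpEng.exe|MsMpEng.exe",
    # Benign: an admin reading Defender settings and verifying a certificate.
    r"2021-07-02T13:10:00Z|WS-HR-02|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-MpPreference",
    r"2021-07-02T13:12:00Z|WS-HR-02|C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|certutil.exe -verify C:\Users\jdoe\Downloads\vendor.cer",
    # Malicious: the VSA agent runs the one-liner that disables Defender, copies
    # certutil.exe to C:\Windows\cert.exe, decodes agent.crt into agent.exe and runs it.
    r"2021-07-02T18:31:05Z|WS-ACCT-07|C:\Program Files (x86)\Kaseya\AgentMon.exe|C:\Windows\System32\cmd.exe|cmd.exe /c ping 127.0.0.1 -n 4979 > nul & powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableScriptScanning $true -Force & copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe",
    # Malicious: agent.exe drops an old signed MsMpEng.exe next to mpsvc.dll in
    # C:\Windows and starts it, so the Defender binary loads the REvil DLL.
    r"2021-07-02T18:31:09Z|WS-ACCT-07|c:\kworking\agent.exe|C:\Windows\MsMpEng.exe|C:\Windows\MsMpEng.exe",
]

# Rule 1: Defender protections switched off from the command line.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I)
# Rule 2: certutil.exe, or a renamed copy named cert.exe, used to decode a payload.
CERTUTIL_DECODE = re.compile(r"(?:\bcertutil(?:\.exe)?|\\cert\.exe)\s+[^&]*-decode\b", re.I)
# Rule 3: MsMpEng.exe is legitimate only under these directories (lower-case prefixes).
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


def analyze(lines):
    """Return {host: set(rule_names)} for every host with at least one hit."""
    hits = defaultdict(set)
    for line in lines:
        _ts, host, _parent, image, cmdline = line.split("|", 4)
        if DEFENDER_TAMPER.search(cmdline):
            hits[host].add("defender_tampering")
        if CERTUTIL_DECODE.search(cmdline):
            hits[host].add("certutil_decode")
        img = image.lower()
        if img.endswith("\\msmpeng.exe") and not img.startswith(DEFENDER_DIRS):
            hits[host].add("msmpeng_sideload")
    return dict(hits)


def hosts_with_chain(lines, min_rules=2):
    """Hosts where several stages appear together: far stronger than any single hit."""
    return sorted(h for h, rules in analyze(lines).items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for host, rules in analyze(LOG_LINES).items():
        print(host, sorted(rules))
    print("chain suspected on:", hosts_with_chain(LOG_LINES))
```

Any one of these rules fires occasionally on legitimate administration, which is why the chain rule requires two stages on the same host; in practice you would also key on the parent process, since a remote management agent spawning cmd.exe that disables Defender is suspicious regardless of which RMM product it is.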

Impact of the Kaseya attack

According to Kaseya, fewer than 60 of its direct customers running on-premises VSA servers were compromised. However, the cascade effect was devastating: these 60 customers were primarily MSPs who managed IT infrastructure for hundreds of other businesses. As a result, between 800 and 1,500 downstream companies were infected with ransomware.

REvil initially demanded a record-breaking $70 million in Bitcoin for a universal decryption key that would unlock all affected systems. This represented the largest single ransom demand in ransomware history at that time. Individual victims received smaller ransom demands ranging from tens of thousands to millions of dollars, depending on their size and criticality.

The attack highlighted the critical importance of securing software supply chains and implementing robust vendor risk management programs, particularly for MSPs and other service providers with access to multiple client networks.

6. REvil (JBS Foods - 2021)

Summary: REvil’s ransomware attack on JBS Foods, the world’s largest meat processor, forced the shutdown of slaughterhouses across three continents, threatened global food supply chains, and led to an $11 million ransom payment.

JBS Foods attack overview

By May 2021, REvil had established itself as one of the most aggressive ransomware operations globally, with a particular focus on critical infrastructure. In October 2020, a REvil representative stated in an online interview that the agriculture sector would be a primary target for the syndicate, threatening to auction off sensitive stolen data from victims who refused to pay ransoms.

On May 30, 2021, JBS S.A., the Brazil-based company that is the world’s largest meat processor by sales, suffered a cyberattack that disrupted operations in the United States, Canada and Australia at the same time. Its U.S. subsidiary alone handles roughly one-fifth of the country’s beef processing capacity, so the outage had an immediate effect on supply and prices.

JBS never publicly disclosed the initial access vector. Contemporary analyses pointed to its remote-access infrastructure, with stolen or reused credentials on VPN or RDP endpoints as the most likely entry point. Once inside, the attackers moved laterally across the corporate network. The significant escalation was that the disruption reached the plant floor: with the IT systems that schedule, record and ship production unavailable, physical processing lines stopped, even though no compromise of the industrial control systems themselves was reported.

Impact of the JBS Foods attack

According to a SecurityScorecard reconstruction, the intrusion began with reconnaissance in February 2021 and data theft from March to May, before REvil encrypted JBS’s systems over the weekend of May 30, 2021. Leaked negotiation transcripts show REvil initially demanding $22.5 million and warning that stolen data would be published if JBS did not pay; the group refused to provide proof of the stolen data until payment was received.

After a series of offers and counter-offers, JBS agreed to pay $11 million in Bitcoin. The company confirmed the payment on June 9, 2021, saying that most of its facilities were already operational by then and that it paid to reduce the risk of data leakage and further disruption.

The attack forced JBS to shut down operations at facilities across three continents. All facilities belonging to JBS USA, including those focused on pork, poultry, and beef production, faced disruption.

The attack exposed serious cybersecurity deficiencies within JBS and the broader food industry. A SecurityScorecard analysis found that 1 in 5 of the world’s food processing, production, and distribution companies had known vulnerabilities in their exposed internet assets.

7. Conti (2022)

Summary: Conti’s ransomware attack on Costa Rica became the first instance of a sovereign nation declaring a national emergency due to a cyberattack, crippling government operations for months and exfiltrating over 672GB of sensitive data.

Costa Rica attack overview

Conti ransomware emerged in mid-2020 as a replacement for the Ryuk ransomware operation, quickly establishing itself as one of the most prolific and destructive RaaS groups. The operation was attributed to the cybercriminal organization known as Wizard Spider, believed to be primarily Russia-based and to have strong ties to pro-Russian geopolitical positions.

Conti specialized in high-impact breaches of both private and public sector targets, including local governments, schools, and national healthcare systems. The ransomware was technically sophisticated, featuring some of the fastest encryption speeds in the ransomware landscape. Conti could run 32 simultaneous encryption threads and could be remotely controlled via command-line options, making it exceptionally efficient at quickly encrypting large networks.

On April 11, 2022, Conti ransomware operatives initiated what would become their final major attack with a five-day intrusion into the Costa Rican government’s network. The attack began during a politically sensitive time, as Costa Rica was undergoing a presidential transition. The initial attacks were detected on April 17, 2022, under outgoing President Carlos Alvarado Quesada, who characterized the cyberattacks as an effort to destabilize the country during the governmental handover.

According to detailed analysis from cyber intelligence company Advanced Intelligence (AdvIntel), the attack followed a sophisticated, multi-stage approach. Initial access was obtained using a compromised VPN credential. Once inside Costa Rica’s subnetwork, the attackers installed a crypted (obfuscated) version of Cobalt Strike, a legitimate penetration-testing tool frequently abused by threat actors.

Impact of the Costa Rica attack

On May 8, 2022, his very first day in office, newly inaugurated President Rodrigo Chaves Robles declared a national emergency due to the cyberattack, making Costa Rica the first country in the world to do so specifically because of a ransomware attack. The emergency declaration provided the government with expanded powers and resources to coordinate response efforts across affected agencies.

The attack crippled critical government operations for months. The Ministry of Finance, responsible for tax collection, customs and treasury operations, had to run its processes manually: tax filing and collection ground to a halt, and customs processing at borders and ports suffered severe delays that hurt international trade. A second wave at the end of May 2022, attributed to the Hive ransomware group rather than Conti, hit the Costa Rican Social Security Fund (Caja Costarricense del Seguro Social), knocking out the systems used to schedule care and pay hospitals and healthcare providers.

In response to the crisis, the U.S. Department of State announced rewards of up to $10 million for information leading to the identification or location of Conti ransomware leadership, and up to $5 million for information leading to the arrest or conviction of individuals participating in Conti ransomware attacks.

8. ALPHV/BlackCat (2024)

Summary: The ALPHV/BlackCat attack on Change Healthcare paralyzed the U.S. medical payment system for weeks, affecting one-third of all American patients. The breach forced UnitedHealth Group to pay a $22 million ransom and resulted in an estimated $2 billion in recovery costs.

Change Healthcare attack overview

ALPHV/BlackCat emerged in late 2021 as one of the most sophisticated RaaS operations in the cybercriminal landscape. It was notable for being the first major ransomware strain written in Rust, which enabled it to be highly customizable and capable of infecting various operating systems, including Windows, Linux, and VMware ESXi. 

Believed to be a rebrand of the DarkSide and BlackMatter groups, ALPHV operated on an affiliate model, recruiting skilled hackers to deploy their malware in exchange for a percentage of the ransom. The group was known for employing “triple extortion” tactics: encrypting files, stealing sensitive data to threaten leaks, and occasionally launching Distributed Denial-of-Service (DDoS) attacks against victims to increase pressure.

On February 21, 2024, the ALPHV/BlackCat group launched a targeted attack against Change Healthcare, a UnitedHealth Group subsidiary that processes 15 billion healthcare transactions annually. The breach was precipitated by attackers gaining access to the network through a compromised Citrix remote access portal. 

Critically, the account used for initial entry was not protected by multi-factor authentication (MFA), a basic security control that could have prevented the intrusion. The attackers spent nine days inside the network, moving laterally and exfiltrating sensitive data before deploying the ransomware.
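Colonial Pipeline and Change Healthcare share the same two root causes: a reused or leaked password, and a remote-access account that MFA would have protected anyway. The following is an added example, not code from the original article or from either company: it audits a constructed identity-provider export for enabled remote-access accounts with no MFA factor, and rejects new passwords that appear in a breach corpus using the same k-anonymity lookup as the Have I Been Pwned Pwned Passwords API (only the first five hex characters of the SHA-1 leave the host; the remaining 35 are matched locally). The group names, account list and the small breach corpus are assumptions built for this example; in production the corpus is the downloaded HIBP hash set or the live range endpoint.

```python
"""Two controls against credential-based initial access: flag remote-access
accounts without MFA, and block breached passwords at set time."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

REMOTE_ACCESS_GROUPS = {"VPN-Users", "Citrix-Remote"}  # assumed group names


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    mfa_enrolled: bool
    groups: frozenset


# Constructed identity-provider export.
ACCOUNTS = [
    Account("ops-svc-legacy", True, False, frozenset({"VPN-Users"})),      # stale, no MFA
    Account("jdoe", True, True, frozenset({"VPN-Users"})),
    Account("contractor-bk", False, False, frozenset({"Citrix-Remote"})),  # disabled
    Account("asmith", True, False, frozenset({"Finance"})),                # no remote access
]


def accounts_missing_mfa(accounts):
    """Enabled accounts in a remote-access group with no MFA factor enrolled."""
    return sorted(a.username for a in accounts
                  if a.enabled and not a.mfa_enrolled and a.groups & REMOTE_ACCESS_GROUPS)


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(breached_passwords):
    """Stand-in for the HIBP corpus: {prefix: {suffix: count}}. The real corpus ships
    only hashes; here it is built from a constructed list so the example runs offline."""
    table = defaultdict(dict)
    for pw, count in breached_passwords.items():
        digest = sha1_upper(pw)
        table[digest[:5]][digest[5:]] = count
    return table


# Constructed breach corpus with made-up occurrence counts.
BREACHED = {"Password1": 2_400_000, "Summer2021!": 310, "P@ssw0rdP@ssw0rd": 58_000}
RANGE_TABLE = build_range_table(BREACHED)


def pwned_count(password: str, range_table=RANGE_TABLE) -> int:
    """k-anonymity lookup: only the 5-character prefix is sent; the suffix is
    matched against the returned set locally, so the password never leaves the host."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_table.get(prefix, {}).get(suffix, 0)


def password_change_allowed(new_password: str, min_length: int = 14):
    """Policy hook for a password filter or IdP: length first, then breach check."""
    if len(new_password) < min_length:
        return False, "too short"
    if pwned_count(new_password):
        return False, "appears in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    print("remote-access accounts without MFA:", accounts_missing_mfa(ACCOUNTS))
    for candidate in ("Summer2021!", "P@ssw0rdP@ssw0rd", "three-otters-refuse-coffee-2024"):
        print(candidate, "->", password_change_allowed(candidate))
```

The MFA audit is the control that matters most: a breached-password check reduces the odds that a leaked credential still works, but an enforced second factor on every VPN, Citrix and RDP gateway account makes a leaked password alone useless, which is exactly the gap both of these intrusions walked through.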

Impact of the Change Healthcare attack

The attack on Change Healthcare is considered the most significant threat to the U.S. healthcare system in history, given its systemic impact. The encryption of critical systems severed the connection between healthcare organizations and insurance companies, leaving pharmacies unable to process prescription claims and hospitals unable to verify patient eligibility or receive payments. 

To restore operations and prevent the leak of sensitive patient data, UnitedHealth Group paid a $22 million ransom in Bitcoin. However, the financial toll extended far beyond the ransom; the company estimated total recovery costs would exceed $2 billion. 

UnitedHealth initially said the breach affected over 100 million individuals and in January 2025 raised that estimate to about 190 million, the largest healthcare data breach ever reported in the U.S. The halt in cash flow pushed many smaller medical practices to the brink of insolvency. The incident prompted the U.S. Department of Health and Human Services’ Office for Civil Rights to open a HIPAA compliance investigation and to press the sector for stronger baseline security controls.

How to handle a ransomware attack

The first step after a ransomware attack is to resort to your Incident Response Plan (IRP). Ideally, you have an Incident Response Retainer (IRR) with a trusted team that can be contacted 24/7/365.

What to do:

What NOT to do:

  • Do not delete the ransomware or the ransom note: they are evidence for digital forensics, and the sample is often what identifies the group and, in rare cases, a flaw in its encryption.
  • Do not restart or shut down: powering off destroys volatile evidence (running processes, network connections and, for some ransomware families, encryption keys still held in memory) and can cause further damage if the malware has installed a boot-time component. Disconnect the machine from the network instead and leave it running until a memory capture and a forensic disk image have been taken.

Author

  • Heloise Montini

    Heloise Montini is a content writer who leverages her journalism background and interests in PC gaming and creative writing to make complex topics relatable. Since 2020, she has been researching and writing insightful tech articles on data recovery, data storage, and cybersecurity.
