Ransomware continues to be a major and evolving threat to businesses and individuals alike. For individuals, ransomware can result in the loss of sensitive or sentimental data, and costs in terms of paying ransoms or resolving issues that arise as a result of a ransomware attack. For businesses, the ransom demand is typically insignificant compared to the resulting damages of an attack, including the expenses associated with an interruption in operations, loss of customer data, and a damaged reputation.
While ransomware is nothing new, it is becoming increasingly sophisticated. Over the years, attacks have ranged in severity in terms of the number of machines affected and the resulting damages. They have also differed with regard to which systems they target and how the attack is carried out. Moreover, while early attacks were indiscriminate, some more recent ones have specifically targeted select organizations with devastating results.
Here, we explain more about ransomware and the nature of attacks and reveal the 10 worst ransomware attacks in history to date.
What is Ransomware?
Ransomware generally involves the takeover of systems or files, with the perpetrator demanding the payment of a fee. Once the victim pays up, the hope is (on their end at least) that their device will be returned to its pre-attack state.
Most modern ransomware attacks involve the use of encryption. Systems or files are scrambled, often using virtually uncrackable encryption protocols. The victim typically receives a message instructing them to pay a fee in exchange for the decryption key.
There are other types of ransomware, including scareware and screen-locker viruses. However, these are typically easier to overcome than encrypting ransomware.
Some ransomware attacks target specific sets of individuals (for example, gamers) or single organizations, whereas others are designed to simply infect any computer with the required prerequisites (often a system or application vulnerability).
Many types of ransomware are more geared toward targeting businesses, with various malicious intentions. It may be to glean data, cause damage to critical systems (damage costs often far surpass the value of ransom requests), or simply to obtain the highest ransom possible. For many businesses, retrieving data is worth far more than the ransom being requested, so there’s a good chance they will pay up.
How Ransomware Works
Ransomware attacks involve two main steps. First, the ransomware has to find its way on to the device. Then, once executed, it needs to encrypt files and deliver the ransom message.
Ransomware attack methods
Depending on the malware itself, there are several main methods of attack that the criminals behind ransomware can employ. Here are some possible ways ransomware and other malware can find its way onto a device:
- Email attachment or link: This is a very common means of infecting a device with ransomware or other type of malware. Either the user is prompted to click on an attachment that contains the malware or there’s a link in the body of the email. In some cases, criminals double down on their efforts and include both. Common file types used to distribute malware are .exe and .zip file extensions.
- Malvertisements: Those ads and popups you see on websites can be more than just annoying. Once clicked on, a malicious advertisement (malvertisement) can download and execute malware (including ransomware) onto your device.
- Malicious apps: While most ransomware attacks target Windows operating systems, there have been some that seek to extort mobile users instead. These usually come from malicious apps, typically installed from outside of legitimate app stores such as the Google Play Store and Apple’s App Store.
- Exploit kit: Exploit kits are automated programs that enable criminals to attack systems or applications via known vulnerabilities, and are usually stumbled across by victims in web browsers. Once in effect, they exploit one or more vulnerabilities in systems or applications on the device in order to download and execute their malware payload. Common targets for exploit kits are Adobe Flash and Internet Explorer which have many known vulnerabilities.
- Removable devices: Although less common, a user could inadvertently download ransomware from a corrupted USB drive, CD, or DVD. For example, the Spora ransomware was able to spread itself onto USB sticks and could infect subsequent machines the stick was plugged into.
- Worms: Worms are self-replicating malware designed to spread throughout networks. If one computer gets infected with a ransomware worm, there’s a big chance other computers on the same network can become infected too.
How ransomware executes
Once the ransomware has found its way onto the device, it typically works by searching for specific file types and encrypting them. In some cases, it will also encrypt shadow files and backups to make restoration efforts more difficult. While some types of ransomware only encrypt the file content, some also encrypt filenames, again hampering restoration efforts.
In most cases, the victim will receive a message, often in the form of a popup, which explains that the files are being held under ransom. Some messages will be entirely honest about what is happening, while others will attempt to exaggerate the situation or tell complete mistruths. The message will contain instructions for how to pay the ransom and obtain the decryption key. Many ransoms are now demanded in the form of cryptocurrencies such as bitcoin, as the identity of the recipient is difficult to trace in these transactions, among other reasons.
10 Worst Ransomware Attacks in History
Our list of the worst ransomware attacks in history covers the most notable attacks that garnered intense media coverage. While some attacks did relatively little damage, some are more notorious for their advancement in the field of ransomware at the time of the attack, the way in which attacks were executed, or the motives behind the attacks.
- Initially detected in 2013, the CryptoLocker ransomware attack was one of the first to use strong encryption, and many subsequent attacks were based on this one. CryptoLocker ransomware attacked by encrypting Windows files and demanding a fee for unscrambling.
CryptoLocker typically entered systems via a phishing email that had a malicious attachment. Eventually, security experts managed to find the decryption key and offered it for free to victims, although it was found that around 1.3% of victims paid the ransom.
One notable example of a CryptoLocker ransomware attack in action was that involving the Swansea, MA police department. The department’s files were locked, and they were forced to pay an (albeit low) fee of $750. However, the ransomware was believed to be indiscriminate with no specific targets. An estimated 500,000 devices were infected with CryptoLocker, with ransom requests ranging from $200 to $10,000.
Early reports suggested CryptoLocker victims paid a total of $27 million, but according to a CNET report, a total $3 million was extorted. Unfortunately, some users who paid were unable to decrypt their files. A Datto survey estimates that in one in four cases where the ransom was paid, the perpetrators failed to unlock encrypted files.
- The CryptoWall ransomware attack involved a variant of CryptoLocker, but the value of damages caused in its wake make it worthy of its own spot on this list. This ransomware first appeared in 2014 and has been updated or iterated multiple times.
CryptoWall arrives in typical ransomware fashion targeting Windows systems via exploit kits, through malicious ads, or via a ZIP file email attachment. The latter accounted for around two-thirds of CryptoWall attacks. Inside the ZIP file was the virus posing as a PDF file, which once opened, installed the CryptoWall malware.
Unlike many of its predecessors, CryptoWall could run on both 32-bit and 64-bit systems, increasing its chances of success. Updates to the software included the encrypting of filenames to make it more difficult to restore individual files, as well as stronger encryption.
Aside from encrypting your files and asking for a ransom to be paid, CryptoWall had other implications. It deleted shadow copies of files to hamper restoration efforts, attempted to obtain passwords, and tried to access bitcoin wallets.
One report pegs the total haul for this ransomware’s creators as at least $18 million. However, the estimated damages were significantly higher at $325 million.
- While most of the ransomware on this list attacks Windows systems, the SimpleLocker ransomware attack had a new target: Android users. In 2015, we started to see a spike in Android infections, with many attacks simply making it difficult for users to access some parts of the user interface. These were dubbed blocker attacks.
The SimpleLocker ransomware was far more aggressive. Using a trojan downloader to deliver its payload, it did actually encrypt user’s files, making them inaccessible.
Although the ransomware first started spreading in Eastern Europe, most SimpleLocker victims were in the United States. By late 2016, it had managed to infect around 150,000 devices.
The gateway to most Android ransomware infections is through suspect apps downloaded outside of the Google Play store. As such, similar forms of ransomware should be fairly easy for Android users to avoid.
- TeslaCrypt ransomware attacked all versions of Windows and was distributed by the Angler Adobe Flash exploit kit. It generally held encrypted files to ransom for around $250–$1,000. While an early version of TeslaCrypt was spotted in 2014, its wide distribution wasn’t apparent until March 2015.
TeslaCrypt generated an executable and launched it to scan your computer for files to encrypt. It then erased shadow volume copies to stop you restoring affected files. The original version of TeslaCrypt targeted individuals (specifically gamers) rather than businesses.
Once a computer was infected, the malware would search for file extensions related to popular games, including World of Warcraft and Call of Duty. It would encrypt those files, including player profiles, game modifications, and custom maps that were stored on the hard drives of the victims.
While the original versions targeted gamers, newer variants were less selective and would simply target all Word, .jpeg, .pdf, and other files. It’s unknown exactly how many users were affected by TeslaCrypt, but by June 2016, 32,000 users had downloaded a decryption tool released by ESET two weeks prior.
After updating the ransomware several times to fix flaws, the creators eventually called its quits in May 2016 and released the master decryption key.
- The Cerber ransomware attack reared its head in March 2016, with a new variant popping up well into 2017. The creators of Cerber ransomware used a Ransomware as a Service (RaaS) model. In this case, criminals purchase the malware from its developers and proceed to spread it to victim’s devices. The affiliate pays the developer a commission for the use of the Cerber malware. One reason this type of ransomware is so popular with cybercriminals it requires very little coding experience and is easy to execute.
The Cerber ransomware attacked personal and business-related files (such as databases) within Windows systems and was spread via two main methods. One was a double-zipped Windows file containing a WSF (Windows Script File) sent as an email attachment. The same email that contains the attachment also has an unsubscribe link at the bottom, which links to the same file as the attachment.
An October 2016 campaign using this malware caused more than 150,000 infections. It’s estimated that Cerber was making upwards of $200,000 per month and made developers $2.3 million in 2016 alone. At its peak, Cerber ransomware was responsible for 25% of ransomware infections.
- Petya took hold in March 2016. When this ransomware attacked, it infected the user’s computers, encrypted some of the data stored on the computer, and as with most other ransomware, produced a message with instructions for paying the bitcoin ransom in order to obtain the decryption keys.
A popular method of delivery for this ransomware was an email attachment posing as a resume for a job applicant. Once you clicked on the attachment and agreed to Windows User Access Control, the ransomware rebooted your computer while continuing to work in the background. It didn’t actually encrypt individual files like past ransomware did, but rather encrypted the master boot record.
Petya affected thousands of machines worldwide and generally demanded a ransom of a few hundred dollars worth of bitcoin. While the ransomware didn’t have a high infection rate or ransom, it did earn the title of “the next step in ransomware” due its novel method of encryption. But it’s biggest claim to fame is that it appeared to lay the groundwork for a far more destructive ransomware, NotPetya, which we’ll delve into below.
- Most of the ransomware attacks we’ve discussed so far have been non-discriminate. While in most cases they target specific operating systems and file types, earlier forms of ransomware generally didn’t go as far as targeting specific individuals or organizations. Enter SamSam, one of the most well-known targeted ransomware attacks using custom infections.
Before an attack, an organization would be studied for vulnerabilities. Then, SamSam broke into networks using a variety of tactics including brute force attacks and exploit kits. It encrypted files on multiple computers in the target organization, before issuing a large ransom demand. The going rate requested by this ransomware was 0.8 bitcoin per PC or 4.5 bitcoins for all affected PCs on a network.
One attack believed to involve SamSam was that on the city of Atlanta which saw more than a hundred of the city’s software programs taken offline or partially disabled. The ransom request was for $51,000 worth of bitcoin, which the city didn’t pay. This occurred in March 2018 and the cleanup costs reportedly surpassed $10 million.
There seemed to be a pattern of SamSam targeting government organizations as the city government of Newark, New Jersey and the Port of San Diego were also affected by SamSam. The scale of SamSam was so large that it even led to a restructuring of the FBI’s model for handling cyberattack investigations.
Although the nature of the targets indicated that there may have been some political motive, it was eventually determined that the perpetrators were focused on monetary gain, rather than extracting data from the targets. Indeed, other types of organizations were targeted, including LabCorp and Hancock Health.
8. WannaCry Ransomware Attack
- The WannaCry ransomware attack is likely the most well-known of recent years. It took advantage of a Windows vulnerability by using a stolen National Security Agency (NSA) tool. It’s considered a worm because it can spread itself.
The ironic thing is that there was actually an update available that would have rendered this exploit useless. However, many businesses tend to be slow in rolling out such patches and individuals often delay updating as well. Even though the patch was issued in March 2017 and WannaCry didn’t start waging war until May 2017, there were still plenty of vulnerable machines to infect.
The WannaCry issue was initially solved by a cybersecurity researcher who found a kill switch within the malware. The fix involves him registering a website domain that was checked for within the WannaCry variant and resulted in him successfully slowing the virus. However, new variants followed and continued to affect systems worldwide.
Although the haul for its creators (an estimated $140,000 worth of bitcoin) wasn’t huge, what was impressive about this ransomware was its speed and scope of spread. The fastest-spreading ransomware in history, it managed to infect 70,000 machines in just a few hours. In total, it’s estimated that more than 200,000 machines were affected. Some reports peg total damages at $4 billion, with the British National Health Service (NHS) alone forking out over $100 million to recover from WannaCry.
Although we rarely see WannaCry in the current media, it may not be gone yet. As recently as Nov 2018, Kaspersky labs reported that WannaCry was responsible for one-third of all ransomware attacks in Q3 of 2018.
- Arriving on the scene in June 2017, NotPetya (also named ExPetr) was originally thought to be a variant of Petya (hence the name). While it had a similar method of encryption to Petya, this new ransomware was able to quickly spread across a network from computer to computer. This trojan worm is believed to have spread via the same NSA tool as WannaCry, EternalBlue.
It didn’t require the same email attachment click and access control that Petya did, and instead was able to spread on its own. It did so initially through MEDoc, which is a popular accounting software in the Ukraine, explaining why Ukraine devices originally made up the large majority of affected devices. Eventually, the ransomware spread, but the majority of victims were Ukrainian and Russian.
Another dissimilarity from Petya was that when the NotPetya ransomware attacked, it would encrypt more than just the master boot record, and targeted other files. What’s more, files were overwritten such that decryption is impossible. This means that even if someone paid the ransom, it would be impossible for the criminals behind NotPetya to restore the encrypted files.
While NotPetya was branded a ransomware, it’s suspected that money may not have been the real motive behind the worm, with the linked bitcoin address only receiving around $13,500 worth of bitcoin. Instead, it’s thought that the attack was designed to be destructive, with a primary target on Ukrainian organizations.
Although Ukraine may have been in the line of fire, companies based in other parts of the globe saw mass devastation as a result of NotPetya. For example, Danish company Maersk Line lost up to $300 million as a result of the ransomware. Similarly, FedEx’s profits were slashed by a reported $300 million due to a NotPetya attack. This ransomware is also believed to have been responsible for taking the radiation monitoring system at Chernobyl offline. All in all, NotPetya is estimated to have cost businesses a whopping $1.2 billion.
- The GandCrab ransomware attack is an existing threat that doesn’t seem to show any signs of slowing down. A February 2019 estimate from Bitdefender cited GandCrab as holding roughly 40% of the ransomware market.
Bitdefender itself is trying to keep up with new variants and offering victims the decryption keys as they are discovered. Early versions of the GandCrab ransomware attacked via the RIG exploit kit, which used malvertisements on websites. These original versions gave GandCrab its reputation of porn extortion malware because its message included threats along the lines of “we’ve hacked your webcam and have footage of you watching porn.”
Other methods of infection include an attachment on an email posing as a new exit map for the building, a payment confirmation email, and a flu pandemic warning. While many ransoms are demanded in bitcoin, GandCrab typically requests dash, another popular (and arguably more private) cryptocurrency.
The value of the GandCrab ransom ranges from $600–$700,000. The ransomware uses custom ransom notes which is thought to be a motivator behind the higher ransom requests. Indeed, GandCrab is enjoying a very high payment rate with almost half of all victims coughing up. Bitdefender speculated that the developers may have earned as much as $300 million by early 2019.
Worst Ransomware Attacks Compared
The following table summarizes some of the key points regarding the above attacks:
Main Entry Methods
|CryptoLocker||September 2013||Windows||Trojan||Spam email||Affected 500,000 devices. Average ransom paid was $300 to $500. $3 million total paid (early reports suggested $27 million).
1.3% of victims paid the ransom
|CryptoWall||June 2014||Windows||Trojan||Spam email, exploit kit, malvertisement||Affected around 70,000 devices. $1.1 million in earnings for the creators. Estimated $325 million damages. Two-thirds of attacks occurred via phsihing emails|
|SimpleLocker||June 2014||Android||Trojan||Via third-party apps||Affected 150,000 devices as of late 2016|
|TeslaCrypt||February 2015||Windows||Trojan||Spam email, originally targeted gaming files||32,000 victims downloaded the decryption key in the two weeks after its release|
|Cerber||March 2016||Windows||Trojan||Spam email (attachment and link), exploit kit||Estimated $2.3 million in earnings for 2016. Infected 150,000 computers in October 2016. At peak, responsible for 25% of ransomware infections|
|Petya||March 2016||Windows||Trojan||Spam email||Ransom was set at 0.9 bitcoin (around $590 at the time). Distributors got 25% for making 5 BTC per week or 85% on 125 BTC per week|
|SamSam||March 2016||Windows||Trojan (targeted)||Custom attacks using various tactics||Hundreds of thousands of devices affected. Caused more than $10 million in damages in just one organization. Demanded 0.8 bitcoin per PC and 4.5 bitcoin for entire network|
|WannaCry||May 2017||Windows||Trojan, Worm||Spam email, exploit kit, self-replicating||$50,000 worth of bitcoin. Total damages of $4 billion. 200,000+ devices affected 70,000 in first few hours|
|NotPetya||June 2017||Windows||Trojan||Software backdoor, self-replicating||More than $10 billion in damages. Caused more than $300 million in damages for just one company|
|GandCrab||January 2018||Windows||Trojan (targeted)||Spam email, exploit kit||Ransom ranging from $600–$700,000|
Ransomware Remains a Real Threat
Ransomware is an ever-evolving risk and newer, more sophisticated attacks are popping up all the time. As you can see by the attacks we’ve discussed, these are very real threats with potentially catastrophic effects.
While some industries tend to be affected more than others, most ransomware can pose a risk to all businesses. According to MalwareBytes, consulting was the most-commonly attacked industry in 2018, but a Beazley report states that healthcare organizations were the most impacted. Further, a 2018 Datto report found that construction and manufacturing was the most highly affected, but also noted that no industry is immune to attacks.
Judging by the number of iterations of attacks like TeslaCrypt and GandCrab, attackers can be seriously persistent in continuing their threats. While white hat researchers can do their best to keep up and provide public decryption keys as quickly as possible, the fact remains that criminals will continue to make money off ransomware as long as users lack adequate protection and continue to pay ransoms.
he attacks we’ve described here may be just the very beginning of what we can expect to see in the future as criminals become greedier and better at getting what they want. While many attacks involve seemingly small ransoms of few hundred dollars, other asks are much higher, often in the tens of thousands.
Take, for example, the relatively new Ryuk ransomware, which launches targeted attacks against enterprise victims. According to Security Boulevard, Ryuk is one of the main reasons the average ransom paid in a ransomware attack has risen by 90% to over $12,000 in Q1 of 2019. And, of course, the costs don’t stop there. The same report suggests that the average attack lasts 7.3 days, resulting in $64,645 of incident-related costs.
With ransomware attacks expected to hit a business every 14 seconds in 2019 and every 11 seconds in 2021, it’s all too likely you or your company will be attacked in the near future.
Clearly, individuals and businesses need to be proactive in preventing ransomware attacks and should be ready to act if an attack does occur.
At Cytelligence we offer cybersecurity training to help you prevent ransomware attacks occurring within your organization. What’s more, if you do find yourself victim of a ransomware attack, we will deal with every step of the process, including communicating with perpetrators, organizing ransom payment (if deemed necessary), recovering data, and putting measures in place to protect against potential subsequent attacks.