Famous Ransomware Attacks

In the first two parts of this series on ransomware, we looked at what ransomware actually is, and at prevention and protection of your devices. In this third and final part, let’s turn to ten of the biggest, most famous ransomware attacks so far this century.

1. Locky

Locky was first used for an attack in 2016 by a hacker organization. They encrypted more than 160 file types and spread their virus through fake emails with infected attachments. Users fell for the email trick and installed the ransomware on their computers. This method of spreading is called phishing — a form of social engineering. Locky ransomware targets file types that are often used by designers, developers, and engineers.

2. WannaCry

12th May 2017 is the date on which many experts claim WannaCry changed cybersecurity forever. It was the biggest attack the world had ever seen and resulted in great aftershocks in the worlds of business, politics, hacking and the cybersecurity industry.

WannaCry hit over 300 organizations spread across a huge 150 countries. It was so large that even after the kill-switch was found, the virus continued to terrorize all systems and data it had hitherto come into contact with. Estimates put the total cost at over $4 billion, with the UK’s NHS alone suffering over £92 million worth of damage. The attack was traced to the Lazarus Group, which has strong links to North Korea, but an air of mystery still clouds the details of what exactly happened.

3. Bad Rabbit

Bad Rabbit was a ransomware attack in 2017 that spread via drive-by attacks. In a drive-by ransomware attack, a user visits a website, unaware that it has been taken over by hackers. In most drive-by attacks, all that is required is for a user to visit a page that has been compromised in this way — reminiscent of Little Red Riding Hood and her grandmother/wolf. Bad Rabbit asked the user to run a fake Adobe Flash installation, thereby infecting the computer with malware.

4. Ryuk

Ryuk ransomware is an encryption Trojan that spread in the summer of 2018, freezing the recovery functions on Windows OS. This made it impossible to restore encrypted data without an external back-up. Ryuk also encrypted network hard disks. The impact was devastating: most US organizations that were targeted were reported to have paid the ransom sums. The total damage is estimated at over $650,000.

5. Sodinokibi (REvil)

The ransomware Sodinokibi (AKA REvil) first appeared in 2019. It is characterised by its advanced evasion capacity and the large number of measures that it takes to avoid detection. It attacked a wide range of targets across the world; the main focus of attacks was Europe, the USA, and India. Its multiple infection vectors include exploiting known security vulnerabilities and email phishing campaigns.

In April 2021, the group behind Sodinokibi claimed to have hacked the computer network of Quanta, a Taiwan-based company that manufactures MacBooks. They demanded $50 million for the encryption key but Quanta didn’t cave in. Shortly after this public back-and-forth, the group made good on its threats and released various MacBook schematics and component listings. Last month, two of the cybercriminals were hunted down and arrested.

6. CryptoLocker

CryptoLocker was another Trojan that terrorized the web back in 2013/14. It was spread via phishing emails (and malicious attachments). Like many viruses, it worked by encrypting victims’ files — the hackers then demanded a ransom in order to unlock the files (normally 400 USD or Euro).

Eventually it was taken down by various bodies — such as the FBI and Interpol — in Operation Tovar. It has since been difficult to estimate the economic damage, as the figures for people who paid the ransom appear to be vastly different depending on sources; nonetheless, it ran to many millions of dollars.

7. Petya

Petya is a ransomware attack that occurred in 2016 and was resurrected as GoldenEye in 2017. Instead of encrypting certain files, this malicious ransomware encrypted the victim’s entire hard-drive. This was done by encrypting the Master File Table (MFT), which made access impossible. Petya ransomware spread to corporate HR departments via a fake application that contained an infected Dropbox link. Another variant goes by the name Petya 2.0 — both are equally fatal for the victim’s device.

8. GoldenEye

The resurrection of Petya as GoldenEye resulted in a worldwide ransomware infection in 2017. GoldenEye, known as WannaCry’s “deadly sibling”, hit over 2,000 targets. Victims included large oil producers in Russia as well as several banks. GoldenEye even forced the personnel of the Chernobyl nuclear power plant to rely on manually checking their radiation levels after they were locked out of their Windows OS.

9. NotPetya

In June 2017, a new ransomware strain was discovered in Ukraine. NotPetya quickly spread across Europe, targeting the likes of banks, airports, and energy companies. Because this ransomware caused an estimated $10 million in damage, it has been called one of the most devastating ransomware attacks in history.

NotPetya manually restarts victims’ computers, encrypts the hard-drive’s master file table (MFT), and then makes the master boot record (MBR) inoperable, preventing access to the system by stealing the victim’s credentials and location on the physical disk. After completing the infection of one computer, NotPetya scans the local network and immediately infects all other computers on the same network.
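Because this family of malware damages the MBR itself, one defensive check is to compare sector 0 of a disk image against a known-good baseline. The sketch below is an added example, not code from the original article; the function names and the sample sector are constructed for illustration, and it works on a 512-byte image rather than reading a live disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # partition table follows the bootstrap code area
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(sector):
    """Return the used entries of the four-slot MBR partition table."""
    entries = []
    for slot in range(4):
        raw = sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        first_lba, count = struct.unpack_from("<II", raw, 8)
        if raw[4] != 0:     # partition type 0 marks an unused slot
            entries.append({"slot": slot, "status": raw[0], "type": raw[4],
                            "first_lba": first_lba, "sectors": count})
    return entries


def check_mbr(sector, baseline_sha256):
    """Compare a sector-0 image with a known-good baseline; return findings."""
    if len(sector) != SECTOR_SIZE:
        return ["image is not one 512-byte sector"]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(sector[:TABLE_OFFSET]).hexdigest() != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    partitions = parse_partitions(sector)
    if not partitions:
        findings.append("partition table is empty")
    for p in partitions:
        if p["status"] not in (0x00, 0x80) or p["first_lba"] == 0 or p["sectors"] == 0:
            findings.append(f"slot {p['slot']}: malformed partition entry")
    return findings


def build_sample_mbr():
    """Constructed sector 0: filler bootstrap bytes plus one active NTFS entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    return b"\x90" * TABLE_OFFSET + entry + bytes(48) + BOOT_SIGNATURE


GOOD = build_sample_mbr()
BASELINE = hashlib.sha256(GOOD[:TABLE_OFFSET]).hexdigest()
# Constructed "after" image: bootstrap area and partition table overwritten.
DAMAGED = bytes(510) + BOOT_SIGNATURE

if __name__ == "__main__":
    print("good:   ", check_mbr(GOOD, BASELINE))
    print("damaged:", check_mbr(DAMAGED, BASELINE))
```

A baseline is only useful if it was recorded while the machine was known to be clean and is stored off the disk it describes.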

10. SamSam

SamSam ransomware was detected in late 2015 and substantially expanded in the following years. Its creators are very particular in choosing their targets: in short, those most likely to pay to get their data back, such as hospitals and universities. The ransoms demanded are much higher than the marketplace average, recently climbing to $6 million in ill-gotten gains.

SamSam ransomware uses security vulnerabilities to obtain access to the victims’ network; alternatively, it utilizes brute-force tactics against weak passwords. Once in the network, the cybercriminal uses a combination of hacking tools to advance their privileges until they reach the domain admin account.

We hope this article has been a good read, folks. As always, if it’s been of use and/or interest to you, please do SHARE it with family and friends to help keep the online community secure and protected.