CSO's guide to the worst and most notable ransomware attacks

CSO's guide to the worst and most notable ransomware attacks

The ransomware gangs and malware listed here have victimised millions of companies and caused billions of dollars in costs

Credit: Dreamstime


History: Ryuk first appeared in August 2018 but is based on an older ransomware program called Hermes that was sold on underground cybercrime forums in 2017.

How it works: It is often used in combination with other malware like TrickBot. The Ryuk gang is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.

The Ryuk attackers demand high ransom payments from their victims, typically between 15 and 50 Bitcoins (roughly $100,000 to $500,000), although higher payments have reportedly been paid.

Targeted victims: Businesses, hospitals and government organisations—often those must vulnerable—are the most common Ryuk victims.

Attribution: First attributed to the North Korean Lazarus Group, which used Hermes in an attack against the Taiwanese Far Eastern International Bank (FEIB) in October 2017, Ryuk is now believed to be the creation of a Russian-speaking cybercriminal group that obtained access to Hermes. The Ryuk gang, sometimes called Wizard Spider or Grim Spider, also operates TrickBot. Some researchers believe that Ryuk could be the creation of the original Hermes author or authors operating under the handle CryptoTech.


History: SamSam has been around since 2015 and targeted primarily healthcare organisations and ramped up significantly in the following years.

How it works: SamSam is an RaaS operation whose controllers probe pre-selected targets for weaknesses. It has exploited a range of vulnerabilities in everything from IIS to FTP to RDP. Once inside the system, the attackers escalate privileges to ensure that when they do start encrypting files, the attack is particularly damaging.

Targeted victims: Hardest hit were US-based healthcare and government organisations including the Colorado Department of Transportation and the City of Atlanta.

Attribution: Initially believed by some to have an Eastern European origin, SamSam mostly targeted US institutions. In late 2018, the US Department of Justice indicted two Iranians that they claim were behind the attacks.


History: SimpleLocker, discovered in 2014, was the first widespread ransomware attack that focused on mobile devices, specifically Android devices.

How it works: SimpleLocker infects devices when the victim downloads a malicious app. The malware then scans the device’s SD card for certain file types and encrypts them. It then displays a screen demanding a ransom and instructions on how to pay.

Targeted victims: Since the ransom note is in Russian and asks for payment in Ukrainian currency, it is assumed that the attackers originally targeted that region.

Attribution: SimpleLocker is believed to have been written by the same hackers who developed other Russian malware such as SlemBunk and GM Bot.


History: Sodinokibi, also known as REvil, is another RaaS platform that first emerged in April 2019. Apparently related to GandCrab, it also has code that prevents it from executing in Russia and several adjacent countries, as well as Syria. It was responsible for shutting down more than 22 small Texas towns, and on New Year’s Eve 2019 it took down the UK currency exchange service Travelex.

How it works: Sodinokibi propagates in several ways, including exploiting holes in Oracle WebLogic servers or the Pulse Connect Secure VPN. It targets Microsoft Windows systems and encrypts all files except configuration files. Victims then receive a double threat if they don’t pay the ransom: They won’t get their data back and their sensitive data will be sold or published on underground forums.

Targeted victims: Sodinokibi has infected many different organisations globally outside the regions it excludes.

Attribution: Sodinokibi rose to prominence after GandCrab shut down. An alleged member of the group, using the handle Unknown, confirmed that the ransomware was built on top of an older codebase that the group acquired.


History: TeslaCrypt is a Windows ransomware Trojan first detected in 2015 that targets players of computer games. Several newer versions appeared in quick succession, but the developers shut down operations in May 2016 and released the master decryption key.

How it works: Once it infects a computer, typically after a victim visits a hacked website that runs an exploit kit, TeslaCrypt looks for and encrypts gaming files such as game saves, recorded replays and user profiles. It then demands a $500 fee in Bitcoin to decrypt the files.

Targeted victims: Computer gamers

Attribution: Unknown


History: The Thanos RaaS is relatively new, discovered in late 2019. It is the first to use the RIPlace technique, which can bypass most anti-ransomware methods.

How it works: Advertised in underground forums and other closed channels, Thanos is a customised tool that its affiliates use to create ransomware payloads. Many of the features it offers are designed to evade detection. The Thanos developers have released multiple versions, adding capabilities such as disabling third-party backup, removal of Windows Defender signature files, and features to make forensics more difficult for response teams.

Targeted victims: As an RaaS platform, Thanos can victimise any organisation.

Attribution: Unknown


History: The WannaCry worm spread through computer networks rapidly in May 2017 thanks to the EternalBlue exploit developed by the US National Security Agency (NSA) and then stolen by hackers. It quickly infected millions of Windows computers.

How it works: WannaCry consists of multiple components. It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself including: 

  • An application that encrypts and decrypts data
  • Files containing encryption keys
  • A copy of Tor 

Once launched, WannaCry tries to access a hard-coded URL. If it can't, it proceeds to search for and encrypt files in important formats, ranging from Microsoft Office files to MP3s and MKVs. It then displays a ransom notice demanding Bitcoin to decrypt the files.

Targeted victims: The WannaCry attack affected companies globally, but high-profile enterprises in healthcare, energy, transportation and communications were particularly hard hit.

Attribution: North Korea’s Lazarus Group is believed to be behind WannaCry.


History: One of the more recent to appear, the WastedLocker ransomware began victimising organisations in May 2020. It is one of the more sophisticated examples of ransomware, and its creators are known for asking high ransom fees.

How it works: The malware uses a JavaScript-based attack framework calle SocGholish that is distributed in ZIP file form via a fake browser update that appear on legitimate but compromised websites. Once activated WastedLocker then downloads and executes PowerShell scripts and a backdoor called Cobalt Strike. The malware then explores the network and deploys "living off the land" tools to steal credentials and gain access to high-value systems. It then encrypts data using a combination of AES and RSA cryptography.

Targeted victims: WastedLocker focuses on high-value targets most likely to pay high ransoms, mainly in North America and Western Europe.

Attribution: A known criminal gang, Evil Corp, is responsible for WastedLocker. The group is also known for operating the Dridex malware and botnet.


History: Discovered in 2017, WYSIWYE (What You See Is What You Encrypt) is an RaaS platform that targets Windows systems.

How it works: scans the web for open Remote Desktop Protocol (RDP) servers. It then executes sign-in attempts using default or weak credentials to access systems and spread across the network. Criminals who purchase WYSIWYE services can choose what types of files to encrypt and whether to delete the original files after encryption.

Targeted victims: WYSIWYE attacks first appeared in Germany, Belgium, Sweden and Spain.

Attribution: Unknown


History: Zeppelin first appeared in November 2019 and is a descendent of Vega or VegasLocker RaaS offering that victimised accounting firms in Russia and Eastern Europe.

How it works: Zeppelin has more capabilities than its ancestors, especially when it comes to configurability. Zeppelin can be deployed in multiple ways, including as an EXE, a DLL, or a PowerShell loader, but it some of its attacks came via compromised managed security service providers.

Targeted victims: Zeppelin is much more targeted than Vega, which spread somewhat indiscriminately and mostly operated in the Russian-speaking world. Zeppelin is designed to not execute on computers running in Russia, Ukraine, Belarus, or Kazakhstan. Most of its victims were healthcare and technology companies in North America and Europe.

Attribution: Security experts believe that a new threat actor, likely in Russia, is using Vega's codebase to develop Zeppelin.

Attribution: Unknown

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments