What you'll learn in this article
Explore the most notorious ransomware attacks, their methods, and the lessons they offer for defending your organization:
- Famous ransomware strains like Ryuk, Locky, WannaCry, Maze, and DarkSide have caused global disruptions, often using phishing emails, software vulnerabilities, and double extortion tactics to target businesses and critical infrastructure.
- Ransomware types include locker ransomware, which locks users out of their systems, and crypto ransomware, which encrypts files and demands payment for decryption—both can cause severe operational and financial damage.
- Healthcare and enterprise sectors have been heavily targeted, with attacks leading to compromised sensitive data, operational downtime, and repeated ransom demands, highlighting the need for robust security, regular updates, and strong password management.
Famous ransomware examples
The rise in ransomware attacks has brought with it different types of ransomware that exploit system vulnerabilities in different ways.
Ryuk
Ryuk has been responsible for some of the most notorious ransomware attacks targeting organizations worldwide. It is a form of crypto ransomware that has specifically targeted large enterprises, often with the intent of demanding a hefty ransom.
Locky
Locky is a notorious ransomware variant primarily distributed via phishing email attachments, usually disguised as invoices, documents, or software updates. Once the malicious attachment is opened, it locks the victim’s files, making them inaccessible.
WannaCry
The WannaCry attack caused a global crisis, infecting more than 230,000 computers across 150 countries and causing an estimated $4 billion in damages. The attack exploited a vulnerability in Microsoft Windows systems, specifically targeting systems that had not been patched with a critical security update.
Bad Rabbit
Bad Rabbit was a drive-by ransomware attack, meaning it spread via compromised websites that unsuspecting users visited. The malware posed as a legitimate Adobe Flash installer, but it was actually ransomware that encrypted the victim’s files.
Petya
Petya ransomware spreads by encrypting the Master Boot Record (MBR) and rendering the entire system inoperable. It often uses phishing emails as a delivery method, causing severe disruptions to businesses by locking their computers at the system level.
NotPetya
NotPetya initially appeared to be a variant of Petya, but it was far more destructive. It spread quickly using exploits from the same Windows vulnerability as WannaCry and was designed not just to extort money but to cause massive damage to systems. It impacted organizations across the globe, particularly in Ukraine.
Cerber
Cerber is a highly sophisticated ransomware strain that uses advanced encryption techniques to lock files. It is commonly spread through phishing emails with malicious attachments and has been notorious for its ability to adapt and change its tactics to avoid detection.
BitPaymer
BitPaymer ransomware is often linked to large, well-coordinated attacks. It targets corporate environments and encrypts files before demanding a Bitcoin payment for the decryption key. The ransom note typically includes a URL to a TOR-based payment portal.
CryptoLocker
One of the most notorious ransomware strains, CryptoLocker encrypted files and demanded ransoms in digital currencies like Bitcoin. It was spread through spam emails and successfully infected a vast number of users, causing significant damage before its takedown.
DarkSide
DarkSide is a Ransomware-as-a-Service (RaaS) operation, primarily targeting enterprise environments. It gained attention for its role in the Colonial Pipeline cyber attack, which disrupted U.S. fuel supplies. DarkSide typically demands large ransoms, often in the millions, and its operators have recently expanded to Linux-based systems.
Dharma
Dharma ransomware operates through a RaaS model, where attackers license the ransomware and launch it via affiliates. Dharma primarily targets small and medium-sized businesses, often demanding a ransom of around $500-$2,000 in Bitcoin.
DoppelPaymer
DoppelPaymer is a highly dangerous strain of ransomware that has been used in numerous high-profile attacks. It encrypts files on infected systems and demands payment through a TOR-based payment portal. DoppelPaymer is known for its aggressive tactics and has been linked to major breaches.
GandCrab
GandCrab was one of the most active and widely distributed ransomware families, with its developers consistently updating the strain. GandCrab was spread primarily via phishing emails and exploit kits, and its affiliates used various tactics to infect targets worldwide.
Maze
Maze ransomware is known for its double extortion ransomware technique, where attackers not only encrypt data but also steal it and threaten to release it unless the ransom is paid. Maze has targeted numerous high-profile organizations and has become notorious for its use of data exfiltration in addition to encryption.
Common types of ransomware
Ransomware can be broadly categorized into two main types: locker ransomware and crypto ransomware. Knowing the difference between these attack methods is crucial for implementing the right defense strategies in your organization.
Locker ransomware
Locker ransomware is designed to lock the user out of their system entirely. Typically, this type of ransomware prevents access to essential system functions, like applications, files, or settings, until a ransom is paid.
While initially more common among individual users, it has evolved into a ransomware threat for organizations as well. Once the system is locked, the attacker demands ransom payment, often with the threat of escalating damage or data loss.
This type of attack can lead to significant downtime, affecting productivity and potentially damaging your brand’s reputation.
Locker ransomware disables the computer’s essential functions, leaving only what the user needs to pay the ransom and communicate with the cyber-attackers. It was more commonly seen against consumers and home users during the early history of ransomware attacks.
Crypto ransomware
Crypto ransomware is one of the most damaging forms of ransomware. It encrypts critical files or entire systems, making them inaccessible without the decryption key. In many cases, businesses are unable to retrieve their data unless they comply with the attacker’s demands.
Even if a decryption key is provided after payment, there is no guarantee that the data will be restored fully or without compromise. The financial toll of a crypto ransomware attack can be staggering, both in terms of direct costs (such as the ransom paid) and indirect costs (such as lost revenue due to operational disruption).
Crypto ransomware encrypts data, making it irretrievable without the decryption key. This can cause panic as users can typically see the files, but won’t be able to access them, which can damage a company’s bottom line every day it remains locked.
Ransomware attack examples for healthcare businesses
All types of organizations have been targeted by ransomware attacks, and healthcare organizations, including hospitals, are no exception.
Compromised protected personal information (PPI) data
In many ransomware attacks, files are encrypted so that they cannot be accessed or systems are locked so that they cannot function. However, there have also been significant breaches that compromised sensitive information and personal data.
In one case, cyber-attackers infiltrated the network of a healthcare organization and accessed personal data of patients and donors. From February to May, the cybercriminals covertly accessed the data and made copies for themselves, which included names, personal addresses, and donation history. This prompted their victims to eventually pay a ransom for the copied data to be deleted.
The lesson to be learned from this example of a ransomware attack is to protect stored data as much as you protect your network.
Mimecast offers cloud security solutions to empower organizations to safely (and simply) store and access sensitive data.
Rise in healthcare ransomware attacks since COVID-19
According to Comparitech, ransomware attacks cost the US healthcare industry over $20 billion in 2020 alone.
Compared to previous years, healthcare organizations and hospitals saw an unprecedented spike in ransomware attacks during 2020, and some speculate that COVID-19 made hospitals more vulnerable to cyberattacks and perhaps even more willing to pay ransom.
One thing that can be learned from this trend is that an organization can be even more vulnerable during times of crisis. That’s why it’s best to prepare today for tomorrow’s potential ransomware threats.
Examples of ransomware attacks in enterprise businesses
In addition to being compromised by the methods noted above, enterprise businesses can be particularly vulnerable to compromised passwords (given the size of their organization). Additionally, when they are compromised, they may consider paying a ransom to cut losses, but recent examples prove that paying ransoms may not be effective in preventing future losses.
Compromised passwords
A compromised password is a password that someone outside the intended organization has access to. Cyber-attackers can use a compromised password to gain direct access to a network.
In other cases, credentialed employees have intentionally compromised passwords by selling them on black markets.
This is what many suspect happened in a major cyberattack in April of 2021. On one hand, there’s not much that can be done to stop disgruntled employees from selling confidential company information, but additional layers of ransomware protection can be implemented to safeguard against this behavior.
For example, access points can require more than a single password before granting entry (multifactor authentication), so that one compromised credential is not enough on its own. To learn how Mimecast’s email security programs can help protect passwords, schedule a demo.
When to cut losses?
According to a report published by Cybereason, 80% of companies that paid ransom suffered another attack, nearly half of those suffering a repeat attack from the same cyber-attackers.
In many recent instances of cyberattacks that impact businesses, cyber-attackers have claimed that paying their ransom is more cost-effective than hiring attorneys to pursue legal action or hiring a company to help them unlock compromised systems and data. While it’s difficult to know whether or not paying a ransom is the easiest or cheapest solution, paying a ransom doesn’t always make the problem go away.
This is one of many reasons why cyber experts typically advise organizations not to pay ransoms: after all, there’s no guarantee cyber-attackers will honor their terms of the deal to delete data.
Protecting your business from ransomware attacks
Email and cloud security services can help organizations take the necessary steps to protect themselves from ransomware attacks.
By learning from the past, we can create a more secure future together for all organizations.
While ransomware remains an ever-evolving threat, Mimecast offers data and email security solutions that can help prevent ransomware from infiltrating your systems. To learn more about protecting your team from a ransomware attack, schedule a Mimecast demo today.