Hackers exploit security weaknesses and hold the data of organizations and governments hostage, demanding hefty ransoms, such as the $10 million Garmin paid in 2020. Ransomware remains a present danger to companies in 2021. Below we outline 5 of the biggest and most frightful ransomware attacks in history.
1. WannaCry
In May 2017, companies across the world were attacked by a fast-spreading piece of malware known as WannaCry. This ransomware infected 7,000 computers in the first hour and 110,000 distinct IP addresses within two days, making WannaCry one of the most notoriously destructive ransomware attacks of all time. Entities across many industries lost control over their industrial processes, including the car giants Renault and Honda.
WannaCry arrives via a phishing email and then spreads like a worm, using covert channels and exploiting the Windows SMB vulnerability. The attackers first demanded $300 worth of bitcoin within 3 days and later raised the demand to $600 worth of bitcoin within 6 days.
The file types WannaCry targets are commonly used office documents (.ppt, .doc, .docx, .xlsx, .sxi), archives and media files (.zip, .rar, .tar, .mp4), database files (.sql, .accdb, .mdb, .odb), graphic designer and photographer files (.vsd, .raw, .svg, .psd), and more. The ransomware writes itself into a randomly named folder under the 'ProgramData' folder with the file name "tasksche.exe", or into the 'C:\Windows\' folder with the file names "mssecsvc.exe" and "tasksche.exe".
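The drop locations and targeted extensions above are the kind of detail a defender turns into a triage check. The following is an added example, not code from the original article or from any vendor: it scans constructed file-event lines (the '<timestamp> <host> <action> <path>' format is an assumption made for the example, as are the host names and paths) for writes to the WannaCry drop locations described on the page, and counts per-host modifications of the targeted file types so that a sudden burst can be surfaced.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Extensions the article lists among WannaCry's targets.
TARGETED_EXTENSIONS = {
    ".ppt", ".doc", ".docx", ".xlsx", ".sxi",   # office documents
    ".zip", ".rar", ".tar", ".mp4",             # archives and media
    ".sql", ".accdb", ".mdb", ".odb",           # databases
    ".vsd", ".raw", ".svg", ".psd",             # design / photo files
}

# Drop locations the article describes: mssecsvc.exe or tasksche.exe directly in
# the Windows folder, or tasksche.exe inside a random-named folder under ProgramData.
DROP_LOCATION_PATTERNS = [
    re.compile(r"^[a-z]:\\windows\\(?:mssecsvc|tasksche)\.exe$", re.IGNORECASE),
    re.compile(r"^[a-z]:\\programdata\\[a-z0-9]+\\tasksche\.exe$", re.IGNORECASE),
]


def is_drop_location(path: str) -> bool:
    """True if the path matches one of the WannaCry drop locations above."""
    candidate = path.strip().strip('"')
    return any(p.match(candidate) for p in DROP_LOCATION_PATTERNS)


def is_targeted_extension(path: str) -> bool:
    """True if the file carries one of the extensions WannaCry encrypts."""
    name = path.rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in TARGETED_EXTENSIONS


def triage_file_events(log_text: str, burst_threshold: int = 3) -> Dict[str, object]:
    """Scan constructed file-event lines '<timestamp> <host> <action> <path>'.

    Returns the (host, path) pairs written to a drop location, the number of
    targeted-file modifications per host, and the hosts at or above the burst
    threshold. The line format is an assumption made for this example.
    """
    drop_hits: List[Tuple[str, str]] = []
    targeted_writes: Counter = Counter()
    for line in log_text.splitlines():
        parts = line.split(None, 3)   # the path may contain spaces; keep it whole
        if len(parts) != 4:
            continue
        _ts, host, action, path = parts
        if action in ("FILE_CREATE", "FILE_WRITE") and is_drop_location(path):
            drop_hits.append((host, path))
        if action in ("FILE_WRITE", "FILE_RENAME") and is_targeted_extension(path):
            targeted_writes[host] += 1
    bursty_hosts = sorted(h for h, n in targeted_writes.items() if n >= burst_threshold)
    return {
        "drop_hits": drop_hits,
        "targeted_writes": dict(targeted_writes),
        "bursty_hosts": bursty_hosts,
    }


# Constructed sample events (hosts, users and the random folder name are made up).
SAMPLE_EVENTS = """\
2017-05-12T10:01:02Z ws01 FILE_CREATE C:\\Windows\\mssecsvc.exe
2017-05-12T10:01:05Z ws01 FILE_CREATE C:\\ProgramData\\kx8q2mw\\tasksche.exe
2017-05-12T10:01:09Z ws01 FILE_WRITE C:\\Users\\alice\\Documents\\budget.xlsx
2017-05-12T10:01:10Z ws01 FILE_WRITE C:\\Users\\alice\\Documents\\plan.docx
2017-05-12T10:01:11Z ws01 FILE_WRITE C:\\Users\\alice\\Pictures\\photo.psd
2017-05-12T10:02:00Z ws02 FILE_CREATE C:\\Program Files\\Vendor\\tasksche.exe
2017-05-12T10:02:30Z ws02 FILE_WRITE C:\\Users\\bob\\notes.txt
2017-05-12T10:03:00Z ws03 FILE_WRITE C:\\Users\\carol\\report.doc
"""

if __name__ == "__main__":
    result = triage_file_events(SAMPLE_EVENTS)
    for host, path in result["drop_hits"]:
        print(f"[drop location] {host}: {path}")
    print("targeted writes per host:", result["targeted_writes"])
    print("hosts with a burst of targeted writes:", result["bursty_hosts"])
```

Note that a tasksche.exe under Program Files is deliberately not flagged: the file name alone is weak evidence, and the check keys on the specific folders the article names. A real deployment would feed the same logic from Sysmon or EDR file-create telemetry and tune the burst threshold to the host's normal document churn.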
2. TeslaCrypt
TeslaCrypt is a widespread ransomware family that was first discovered at the beginning of 2015. Since its first appearance, this ransomware has gone through several versions, each introducing new abilities and new evasion techniques. It started by using social engineering to make a user click on a link in a phishing email and later added malicious attachments to these emails.
As for the distribution vector, TeslaCrypt was spread by the Angler and Nuclear browser exploit kits. Exploit kits are efficient tools for cybercriminals to distribute their malware: they exploit known, already patched vulnerabilities in popular web technologies such as Internet Explorer, Adobe Reader, Microsoft Silverlight, and Oracle Java on machines that have not applied the patches.
This ransomware encrypts the user's files and displays a message demanding a $500 ransom in bitcoin for the key needed to decrypt them. Surprisingly, the creators of TeslaCrypt released the master decryption key to the public in 2016, shutting down their own business model.
3. NotPetya
On June 27, 2017, a new ransomware outbreak was discovered in Ukraine. The malware quickly spread across Europe, hitting several industries, including banks, airports, power companies, and others. Because this ransomware caused an estimated $10 million in damage to businesses, it has been called one of the biggest and most devastating ransomware attacks in history.
The initial NotPetya infection vector is not yet precisely known, but some sources point to a spread through Ukrainian accounting software called MeDoc. The attackers first hijacked the MeDoc update servers, gathered information from them, and built a fake update patch, which was then distributed to every computer running the MeDoc software.
NotPetya reboots the victim's computer, encrypts the hard drive's master file table (MFT), and renders the master boot record (MBR) inoperable, preventing access to the full system; it also steals the victim's Windows credentials and location on the physical disk. After infecting one computer, it scans the local network and immediately infects all other computers on the same network.
4. REvil or Sodinokibi
The ransomware Sodinokibi (also known as REvil, an amalgam of "ransomware" and "evil") first appeared in April 2019. It is characterized by its sophisticated evasion capabilities and the large number of measures it takes to avoid detection by antivirus engines. Like many other ransomware families, Sodinokibi is ransomware as a service (RaaS): one group develops the code while another group delivers the malware.
This ransomware has attacked a wide range of targets across the world, but the main focus of its attacks has been Europe, the USA, and India. Other countries affected by Sodinokibi include Japan, the UK, Italy, and Spain. Its infection vectors include exploiting known security vulnerabilities and phishing campaigns. Sodinokibi encrypts a user's files and can obtain administrative access by exploiting a known vulnerability.
The group behind this ransomware claimed to have hacked the computer network of Quanta, a Taiwan-based company that manufactures MacBooks, demanding $50 million for the decryption key to unlock its systems. The company acknowledged an attack without saying how much of its data was stolen.
5. SamSam
SamSam ransomware was first detected in late 2015, but it really took off in 2018, hitting meticulously selected organizations. Unlike most famous ransomware attacks, SamSam was used against particular entities, those most likely to pay to get their data back, such as hospitals and educational institutions.
Interestingly, SamSam ransom payments are much higher than the ransomware marketplace average. This ransomware has earned its creators nearly US$6 million since 2015, which is what makes SamSam one of the biggest ransomware attacks in history.
The criminals behind this ransomware either exploited vulnerabilities to gain access to the victim's network or brute-forced weak Remote Desktop Protocol (RDP) passwords. Once inside the network, they used a combination of hacking tools and exploits to escalate their privileges to a domain admin account. This has been known to take several days, during which the attacker waited for a domain admin to log in.
Another interesting fact about this ransomware is that SamSam has no virus-like self-propagation capability, meaning it does not spread on its own. Instead, the intruder deploys the malware using legitimate Windows network administration tools and the stolen credentials.
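The RDP password brute-forcing described above leaves a very recognizable trace in the Windows Security log: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, sometimes followed by a success (event ID 4624) from the same source. The following is an added example, not code from the original article: it applies a sliding-window count over constructed, simplified log lines (the '<timestamp> EventID=... LogonType=... User=... Src=...' layout, the user names and the source addresses are assumptions made for the example) and reports sources that crossed the failure threshold, plus any later successful RDP logon from such a source, which is the case that warrants immediate incident response.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed, simplified Security-log lines (not a real export). Event IDs 4625
# (failed logon) and 4624 (successful logon) and logon type 10 (RDP) are the real
# Windows values; everything else in the lines is made up for this example.
SAMPLE_LOG = """\
2018-03-01T02:00:01 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-01T02:00:03 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-01T02:00:05 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-01T02:00:07 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2018-03-01T02:00:09 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2018-03-01T02:00:11 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2018-03-01T02:00:40 EventID=4624 LogonType=10 User=backup Src=203.0.113.7
2018-03-01T02:05:00 EventID=4625 LogonType=10 User=jdoe Src=198.51.100.20
2018-03-01T02:05:10 EventID=4624 LogonType=10 User=jdoe Src=198.51.100.20
2018-03-01T02:10:00 EventID=4625 LogonType=10 User=svc Src=203.0.113.9
2018-03-01T02:25:00 EventID=4625 LogonType=10 User=svc Src=203.0.113.9
2018-03-01T02:30:00 EventID=4625 LogonType=2 User=alice Src=-
"""


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if not parts:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return {
        "time": when,
        "event_id": fields.get("EventID"),
        "logon_type": fields.get("LogonType"),
        "user": fields.get("User"),
        "src": fields.get("Src"),
    }


def detect_rdp_bruteforce(log_text: str, threshold: int = 5,
                          window_seconds: int = 60) -> Dict[str, object]:
    """Flag sources with >= threshold failed RDP logons inside a sliding window,
    and record any successful RDP logon from an already-flagged source."""
    window = timedelta(seconds=window_seconds)
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}          # src -> peak failures seen in one window
    success_after_burst: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != "10":   # only RDP logons matter here
            continue
        src = str(ev["src"])
        if ev["event_id"] == "4625":
            q = recent_failures[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(q))
        elif ev["event_id"] == "4624" and src in flagged:
            success_after_burst.append((src, str(ev["user"]), ev["time"].isoformat()))
    return {"bruteforce_sources": flagged, "success_after_burst": success_after_burst}


if __name__ == "__main__":
    report = detect_rdp_bruteforce(SAMPLE_LOG)
    for src, count in report["bruteforce_sources"].items():
        print(f"[brute force] {src}: {count} failed RDP logons within the window")
    for src, user, when in report["success_after_burst"]:
        print(f"[ALERT] successful RDP logon from {src} as {user} at {when}")
```

In the sample, one address fails six times in ten seconds and then logs in, so it is reported; a single typo by a legitimate user and two failures fifteen minutes apart stay below the threshold. The same signal is what an account-lockout policy, network-level authentication and keeping RDP off the public internet are meant to remove in the first place.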
Final words on ransomware attacks
Tackling the ransomware challenge requires collaboration between the government and the private sector. We will be hosting the Global Cyber Conference in Zurich in September, where we will discuss the state of ransomware, how security teams can react quickly enough, and how to limit its impact. Over two days, the Global Cyber Conference aims to gather 400 security leaders and over 50 world-class speakers from Swiss and international companies. It will provide a unique opportunity to network with peers, share insights, and learn about the latest trends for enhancing cyber security within businesses. See the Conference Agenda here.