Hackers exploit security weaknesses and hold the data of organisations and governments hostage, demanding hefty ransoms. Ransomware is a present danger to companies in 2021. Below we outline 5 of the biggest and most frightening ransomware attacks in history.
1. WannaCry
In May 2017, companies across the world were attacked by a fast-spreading piece of malware known as WannaCry. This ransomware infected 7,000 computers in the first hour and 110,000 distinct IP addresses within two days, making WannaCry one of the most notoriously destructive ransomware attacks of all time. Entities across many industries lost control of their industrial processes, including the car giants Renault and Honda.
WannaCry arrives via a phishing email and then spreads like a worm, using covert channels and exploiting the Windows SMB vulnerability. The attackers first demanded $300 worth of bitcoin to be paid within 3 days, and later raised the demand to $600 worth of bitcoin within 6 days.
The file extensions WannaCry targets are commonly used office formats (.ppt, .doc, .docx, .xlsx, .sxi), archives and media files (.zip, .rar, .tar, .mp4), database files (.sql, .accdb, .mdb, .odb), graphic design and photography files (.vsd, .raw, .svg, .psd), and others. The ransomware writes itself into a folder with a random name under ‘ProgramData’ with the file name “tasksche.exe”, or into the ‘C:\Windows\’ folder with the file names “mssecsvc.exe” and “tasksche.exe”.
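The file placements just described can be turned into a simple host check. The following is an added example, not code from the original article: it sweeps a system drive for the two file names in the locations named above, using a constructed directory tree with harmless placeholder files as input; treating any purely alphanumeric folder under ProgramData as a candidate "random" folder is an assumption.

```python
import re
import tempfile
from pathlib import Path

# File names the article attributes to WannaCry.
WANNACRY_NAMES = ("mssecsvc.exe", "tasksche.exe")
# The dropper folder under ProgramData has a random name; treating any
# purely alphanumeric folder name as a candidate is an assumption here.
RANDOM_DIR = re.compile(r"^[A-Za-z0-9]+$")


def find_wannacry_droppers(system_drive: Path) -> list:
    """Return drive-relative paths that match the placement described above:
    ProgramData/<random>/tasksche.exe and Windows/{mssecsvc.exe,tasksche.exe}."""
    hits = []
    program_data = system_drive / "ProgramData"
    if program_data.is_dir():
        for sub in sorted(program_data.iterdir()):
            if sub.is_dir() and RANDOM_DIR.match(sub.name):
                candidate = sub / "tasksche.exe"
                if candidate.is_file():
                    hits.append(candidate.relative_to(system_drive).as_posix())
    windows = system_drive / "Windows"
    for name in WANNACRY_NAMES:
        candidate = windows / name
        if candidate.is_file():
            hits.append(candidate.relative_to(system_drive).as_posix())
    return hits


def build_constructed_drive() -> Path:
    """Constructed sample tree imitating an infected system drive; the .exe
    files are harmless placeholders, not malware."""
    root = Path(tempfile.mkdtemp(prefix="drive_"))
    dropper_dir = root / "ProgramData" / "hzqwlhjmk"      # constructed random name
    dropper_dir.mkdir(parents=True)
    (dropper_dir / "tasksche.exe").write_bytes(b"placeholder")
    (root / "ProgramData" / "Microsoft").mkdir()           # benign, no dropper inside
    (root / "Windows").mkdir()
    (root / "Windows" / "mssecsvc.exe").write_bytes(b"placeholder")
    (root / "Windows" / "notepad.exe").write_bytes(b"placeholder")  # benign
    return root


if __name__ == "__main__":
    for hit in find_wannacry_droppers(build_constructed_drive()):
        print("suspicious:", hit)
```

On a real host the check would be pointed at the system drive root instead of the constructed tree, and a hit should be treated as a lead for triage rather than proof of infection, since file names alone are easy to spoof.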
2. TeslaCrypt
TeslaCrypt is a highly popular ransomware family that was first discovered at the beginning of 2015. Since its first emergence, it has gone through several versions, each introducing new abilities and new evasion techniques. It started by using social engineering to make a user click a link in a phishing email, and later added malicious attachments to these emails.
As for the distribution vector, TeslaCrypt was spread by the Angler and Nuclear browser exploit kits. Exploit kits are efficient tools for cyber criminals to distribute their malware. These kits exploit vulnerabilities for which patches already exist in popular web technologies such as Internet Explorer, Adobe Reader, Microsoft Silverlight, and Oracle Java.
This ransomware encrypts the user’s files and displays a message demanding a $500 ransom in bitcoin for the key needed to decrypt them. Surprisingly, the creators of TeslaCrypt released the master decryption key to the public in 2016, shutting down their own business model.
3. NotPetya
On June 27, 2017, a new ransomware outbreak was discovered in Ukraine. The malware quickly spread across Europe, hitting several industries, including banks, airports and power companies. Because this ransomware caused an estimated $10 million in damage to businesses, it has been called one of the biggest and most devastating ransomware attacks in history.
The initial NotPetya infection vector is still not precisely known, but some sources point to a spread through the Ukrainian accounting software MeDoc. The attackers first hijacked the MeDoc update servers, gathered information from them, and built a fake update, which was then distributed to all computers running the MeDoc software.
NotPetya reboots the victim’s computer, encrypts the hard drive’s master file table (MFT), which records where each file sits on the physical disk, and renders the master boot record (MBR) inoperable, so the whole system becomes inaccessible. It also steals the victim’s Windows credentials. After infecting one computer, it scans the local network and immediately infects all other computers on the same network.
4. REvil or Sodinokibi
The ransomware Sodinokibi (also known as REvil, an amalgam of “ransomware” and “evil”) first appeared in April 2019. It is characterised by its sophisticated evasion capacity and the many measures it takes to avoid detection by antivirus engines. Like many other ransomware families, Sodinokibi is ransomware as a service (RaaS): one group develops the code, while another group delivers the malware.
This ransomware has attacked a wide range of targets across the world, but the main focus of the attacks has been Europe, the USA, and India. Other countries affected by Sodinokibi include Japan, the UK, Italy, and Spain. Its multiple infection vectors include exploiting known security vulnerabilities and phishing campaigns. Sodinokibi encrypts a user’s files and can obtain administrative access by exploiting a known vulnerability.
This ransomware group claimed to have hacked the computer network of Quanta, a Taiwan-based company that manufactures MacBooks, demanding $50 million for the decryption key to unlock its systems. The company acknowledged an attack without saying how much of its data was stolen.
IMPORTANT NOTE: On September 16th, 2021, Bitdefender announced the availability of a universal decryptor for REvil/Sodinokibi. Victims of this ransomware can download the new decryption tool for free to recover their data.
5. SamSam
SamSam ransomware was first detected in late 2015, but it took off in 2018, hitting carefully selected organisations. Unlike most famous ransomware attacks, SamSam was used against particular entities, those most likely to pay to get their data back, such as hospitals and educational institutions. Interestingly, SamSam ransom payments are much higher than the ransomware marketplace average. Did you know that this ransomware has earned its creators nearly US$6 million since 2015? This is what makes SamSam one of the biggest ransomware attacks in history.
The criminals behind this ransomware used vulnerabilities to gain access to the victims’ network, or brute-forced weak Remote Desktop Protocol (RDP) passwords. Once inside the network, the criminal uses a combination of hacking tools and exploits to escalate their privileges to a domain admin account. This has been known to take several days, with the attacker waiting for a domain admin to log in.
Another interesting fact about this ransomware is that SamSam does not have any virus capabilities, meaning it does not spread by itself. Instead, the intruder deploys the malware using legitimate Windows network administration tools and the stolen credentials.
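The RDP brute forcing described above leaves a recognisable trail in Windows logon auditing: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, sometimes followed by a success (event 4624). The following is an added detection example, not code from the original article; it runs over constructed, simplified logon records rather than real event XML, and the threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified logon records (not real Windows event XML). Fields:
# timestamp, event id, logon type, account, source IP. 4625 = failed logon,
# 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2018-01-12T02:14:01 4625 10 administrator 203.0.113.7
2018-01-12T02:14:03 4625 10 administrator 203.0.113.7
2018-01-12T02:14:05 4625 10 admin 203.0.113.7
2018-01-12T02:14:08 4625 10 backup 203.0.113.7
2018-01-12T02:14:10 4625 10 administrator 203.0.113.7
2018-01-12T02:14:12 4625 10 administrator 203.0.113.7
2018-01-12T02:14:40 4624 10 administrator 203.0.113.7
2018-01-12T02:15:00 4625 10 jsmith 198.51.100.9
2018-01-12T09:00:00 4624 10 jsmith 198.51.100.9
"""

FAIL_THRESHOLD = 5            # failed RDP logons per source within WINDOW (assumed)
WINDOW = timedelta(minutes=5)  # sliding window for counting failures (assumed)


def parse_events(text):
    """Parse the simplified records into (time, event_id, logon_type, account, src)."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, src = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), account, src))
    return events


def detect_rdp_bruteforce(events):
    """Return {source_ip: verdict}: 'bruteforce' once FAIL_THRESHOLD failed RDP
    logons from a source fall within WINDOW, upgraded to 'bruteforce-then-success'
    if a successful RDP logon from that source follows the burst."""
    recent_failures = defaultdict(list)
    verdicts = {}
    for ts, event_id, logon_type, _account, src in sorted(events):
        if logon_type != 10:          # only RDP-style logons matter here
            continue
        if event_id == 4625:
            recent_failures[src] = [t for t in recent_failures[src] if ts - t <= WINDOW] + [ts]
            if len(recent_failures[src]) >= FAIL_THRESHOLD:
                verdicts.setdefault(src, "bruteforce")
        elif event_id == 4624 and verdicts.get(src) == "bruteforce":
            verdicts[src] = "bruteforce-then-success"
    return verdicts


if __name__ == "__main__":
    print(detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)))
```

The 'bruteforce-then-success' verdict is the one worth paging on, since it marks the point where a guessed password has become a foothold; the single failure from the second source stays below the threshold and produces no alert.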
Final words on the biggest ransomware attacks in history
Ransomware incidents can seriously affect businesses and leave organisations without the data they need to operate. Malicious actors have changed their ransomware tactics over time, and the monetary value of ransom demands has climbed to as much as US$1 million. The 5 attacks covered above illustrate what makes these attacks so disastrous.
In cyber security, it is important to stay current and competitive to succeed. Keep an eye on our weekly blog posts. Why not start by reading the top 6 worst computer viruses in history and 5 password security best practices you can’t live without.