7 real and famous cases of ransomware attacks

Published at: Oct 13, 2020
By Gatefy

Computer to illustrate a ransomware case.

Ransomware is a type of malware that hijacks and blocks files or systems, preventing the user from having access to them. Ransomware is a hijacker. Using encryption, it holds files and systems hostage. Theoretically, when the victim pays the ransom amount, he receives the decryption key, releasing blocked files or systems.

I used the word theoretically because, in many cases, the victim pays the amount that was required and still doesn't receive the key. By the way, it's usually required that the ransom is paid in cryptocurrency, such as, for example, bitcoin and monero. The point is precisely to make it difficult to track the cybercriminal.

Ransomware has been terrifying individuals and, most importantly, companies for about 30 years. The worse is that, over time, they have become more advanced and sophisticated threats. New tactics and technologies are used, either to deceive detection solutions, to encrypt different types of files, or to convince the user to pay the ransom amount.

Both the FBI and Europol point to ransomware as one of the main threats in the digital world. In fact, the European agency named ransomware the main cyber threat of 2019. The US agency pointed out that, in 2019, about 2,400 ransomware attacks were registered in the world, resulting in losses of more than USD 8 million.

The examples of ransomware attacks listed below show you how these attacks can work, giving an idea of the damage that ransomware do to companies and people. In this article, we'll cover the following examples of ransomware:

  • Ryuk.
  • SamSam.
  • WannaCry.
  • Petya.
  • TeslaCrypt.
  • CryptoLocker.
  • AIDS Trojan or PC Cyborg.

Check out 7 examples of ransomware attacks

1. Ryuk, 2019 and 2020

Like most infections caused by ransomware, Ryuk is spread mainly via malicious emails, or phishing emails, containing dangerous links and attachments. The ransom amount to be paid to release an entire system can exceed USD 300,000, making Ryuk one of the most expensive ransomware in history, well above the average.

According to the FBI, Ryuk's attacks have already caused more than USD 60 million in damage worldwide since this type of ransomware gained prominence in 2018 after stopping the operations of major newspapers in the United States. More than 100 companies suffered attacks.

In 2020, for example, EMCOR Group (engineering and industrial construction company) and Epiq Global (legal services company) suffered incidents involving Ryuk.

An interesting fact is that Ryuk's ransom notes contain contact emails with the end @protonmail.com or @tutanota.com. The victim needs to send a message to find out how much they must pay for the decryption key.

2. SamSam, 2018

SamSam ransomware was identified a few years ago, more precisely in late 2015. But it was in 2018 that it gained much more prominence after infecting the city of Atlanta, the Colorado Department of Transportation and the Port of San Diego, in the U.S., abruptly stopping services.

In the same year, two Iranian hackers were accused of using SamSam against more than 200 organizations and companies in the U.S. and Canada, including hospitals, municipalities and public institutions. A loss of USD 30 million is estimated as a result of the attacks.

Just the city of Atlanta spent more than USD 2 million to repair the damage. Hancock Health, an Indiana hospital, paid a ransom of USD 55,000. To spread, this type of ransomware often exploits vulnerabilities in Remote Desktop Protocols (RDP) and File Transfer Protocol (FTP).

A curious fact about SamSam is that the victim is asked to make a first payment for a first key, which would unlock only a few machines. It would be like a sign of honesty.

“With buying the first key you will find that we are honest”, says the ransomware message. Would you believe that?

3. WannaCry, 2017

One of the most devastating ransomware attacks in history in terms of loss volume was caused by WannaCry, launched in 2017. The estimated value at the time was USD 4 billion in losses. The amount required to release each machine was around USD 300.

WannaCry spread via email scams, or phishing. Worldwide, more than 200 thousand people and companies were affected, such as, for example, FedEx, Telefonica, Nissan and Renault. WannaCry exploits a vulnerability in Windows.

By the way, even today there are phishing emails claiming that you were infected by WannaCry, demanding ransom payment. But they’re plain emails, with no files. Pay attention!

4. Petya, 2016

Petya is a ransomware that started to be propagated in 2016, via emails with malicious attachments. Since its launch, it's estimated that different variations of Petya have caused more than USD 10 billion in financial losses.

Petya acts by infecting the boot record of machines that use the Windows system. That is, it blocks the entire operating system. To unlock, you need to pay a ransom of around USD 300 per user.

This type of ransomware affected different organizations in the world, such as banks and companies in the areas of transportation, oil, food and health. Let us cite as an example the National Bank of Ukraine, Mondelez (food company), Merck (pharmaceutical company) and Rosneft (oil company).

5. TeslaCrypt, 2015

Like other types of ransomware, TeslaCrypt has several versions. But the attacks of this type of ransomware became famous because, in the beginning, it infected game files, blocking maps and user profiles, for example. We’re talking about games like Call of Duty, Minecraft and Warcraft.

The evolved versions of TeslaCrypt were able to encrypt other files, such as PDF and Word, for example.

In any case, the victim was forced to pay at least USD 250 to release the files. But there are cases where the hijacker required USD 500 per machine.

6. CryptoLocker, 2013

The CryptoLocker ransomware has been added to our list because it was a milestone for its time. When it was launched in 2013, CryptoLocker used a large, non-standard encryption key, which has challenged cybersecurity experts.

This type of ransomware is believed to have caused losses of more than USD 3 million, infecting more than 200 thousand Windows-based computers. CryptoLocker was distributed mainly via email, using malicious files.

7. AIDS Trojan or PC Cyborg, 1989

AIDS Trojan, also known as PC Cyborg, is the first registered ransomware in history. That is why its creator, Joseph Popp, a Harvard-trained biologist, can be considered the father of ransomware.

AIDS Trojan was distributed using infected floppy disks. They were sent to participants at the World Health Organization's international AIDS conference, in Stockholm, Sweden, in 1989.

After hiding file directories and blocking file names, this type of ransomware asked the victim to send USD 189 to a mailbox in Panama. Only then could the data be recovered. But since it had weak encryption, there were no major problems.

Ransomware fighting project: No More Ransom

Have you heard of the No More Ransom (NMR) project? This is a worldwide initiative by Europol and several government agencies and cybersecurity companies to fight ransomware. Gatefy is a partner of the project.

No More Ransom helps victims of infections caused by ransomware to recover blocked data without having to pay the ransom amount. For more information, visit nomoreransom.org.

Email is the primary vector for ransomware attacks: invest in protection

In the case of a ransomware intrusion, the recommendation is to not pay the requested ransom. As seen in the cases and examples of ransomware attacks that we presented, the main form of ransomware delivery are emails. In fact, email is the platform most used by cybercriminals to commit fraud and scams.

To solve this security problem, Gatefy has an email gateway solution that protects companies of all sizes against various types of threats, including ransomware, malware, phishing and BEC (Business Email Compromise). It’s based on artificial intelligence and machine learning. And it's compatible with several email providers, such as Office 365, G Suite, Exchange, and Zimbra.

We also offer a DMARC-based anti-fraud solution, so that you have control and visibility over the use of your business's domain.

Request a demo or more information.