15 Examples of recent Ransomware Attacks


15 Ransomware Examples

Ransomware is a type of malware designed to encrypt a victim’s data and demand a ransom payment in exchange for the decryption key. What makes ransomware especially destructive is its ability to completely block access to data, often leaving recovery impossible without recent backups. Even when ransoms are paid, victims may never receive a working key.
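The defining behaviour described above, rapid encryption of a victim's files, is also what defenders look for. The following added example (written for this page, not Trend Micro's code or any vendor product) shows a simple detection heuristic: compute the Shannon entropy of each written file and alert when many near-random (ciphertext-like) writes land inside a short time window. The `WriteEvent` records, the paths, the timestamps and the thresholds are all constructed for illustration; a real deployment would feed events from a file-system monitor or EDR telemetry.

```python
import math
from collections import Counter
from dataclasses import dataclass

ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits near 8.0
MIN_FILES = 5             # high-entropy writes needed inside one window before alerting
WINDOW_SECONDS = 10.0     # burst window; mass encryption typically touches many files fast


@dataclass(frozen=True)
class WriteEvent:
    """One file write as a hypothetical monitor would report it (constructed schema)."""
    ts: float    # event time in seconds
    path: str    # path of the file after the write
    data: bytes  # bytes written


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_times(events, threshold=ENTROPY_THRESHOLD):
    """Sorted timestamps of writes whose content looks like ciphertext."""
    return sorted(e.ts for e in events if shannon_entropy(e.data) >= threshold)


def detect_encryption_burst(events, threshold=ENTROPY_THRESHOLD,
                            min_files=MIN_FILES, window=WINDOW_SECONDS):
    """Return (start_ts, count) for the densest window of high-entropy writes,
    or None when no window reaches min_files. Two-pointer sweep over sorted times."""
    times = high_entropy_times(events, threshold)
    best = None
    j = 0
    for i, t0 in enumerate(times):
        while j < len(times) and times[j] - t0 <= window:
            j += 1
        count = j - i
        if count >= min_files and (best is None or count > best[1]):
            best = (t0, count)
    return best


# Constructed sample data: a uniform byte distribution stands in for ciphertext
# (entropy exactly 8.0); repeated English text stands in for a normal document.
ENCRYPTED_LIKE = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly report: revenue up 4% quarter over quarter. " * 20

SAMPLE_EVENTS = [
    WriteEvent(0.0, "/srv/share/report.docx", PLAINTEXT),            # ordinary edit
    *[WriteEvent(100.0 + i, f"/srv/share/file{i}.xlsx.locked", ENCRYPTED_LIKE)
      for i in range(6)],                                            # six ciphertext-like writes in 6 s
    WriteEvent(120.0, "/srv/share/notes.txt", PLAINTEXT),            # ordinary edit
]

if __name__ == "__main__":
    burst = detect_encryption_burst(SAMPLE_EVENTS)
    if burst:
        print(f"ALERT: {burst[1]} high-entropy writes starting at t={burst[0]:.1f}s")
    else:
        print("no encryption burst detected")
```

Entropy alone is a weak signal (archives, images and legitimately encrypted files also score near 8.0), which is why the heuristic keys on a burst of such writes rather than any single file; pairing it with the backup checks the paragraph mentions, and with file-extension or ransom-note indicators, reduces false positives.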

Ransomware has evolved into a cybercrime-as-a-service model known as Ransomware-as-a-Service (RaaS), which has broadened its reach. This approach allows ransomware developers to lease their tools to affiliates, resulting in more attacks.

Every year more ransomware groups emerge, each with distinct tactics, targets, and impacts. Below are 15 ransomware examples that highlight the diversity and evolution of this persistent cyber threat.

RansomHub

RansomHub is a Ransomware-as-a-Service (RaaS) group that was first detected in February 2024 and has rapidly gained notoriety for its "big game hunting" strategy, targeting large enterprises more likely to pay substantial ransoms. Tracked by Trend Micro as Water Bakunawa, RansomHub has been observed exploiting vulnerabilities in cloud storage backups and misconfigured Amazon S3 instances, leveraging the trust between providers and clients to enhance its extortion tactics.

Rhysida

Rhysida is a ransomware group that came to light in early 2023, employing double extortion tactics by both encrypting victims' data and threatening to publish it unless a ransom is paid in Bitcoin. The group masquerades as a cybersecurity team offering to help victims by highlighting security weaknesses in their networks and systems. It uses phishing attacks to gain initial access and follows up with Cobalt Strike beacons for lateral movement across compromised machines before deploying its ransomware.

Figure 1: The RansomHub ransomware observed infection chain

Akira

Akira emerged in early 2023 and rapidly established itself as one of the most notorious ransomware families. Akira utilizes double extortion tactics, a ransomware-as-a-service (RaaS) delivery model, and unconventional payment options, an approach that has contributed to its operational success. Akira is known to demand large ransom payments that can range from US$200,000 to over US$4 million.

WannaCry

The WannaCry ransomware attack in May 2017 exploited a Microsoft Windows vulnerability that infected over 200,000 systems across more than 150 countries. The malware encrypted files and demanded ransom payments in Bitcoin for decryption keys. One of the largest victims of the WannaCry attack was the UK's National Health Service (NHS) with up to 70,000 devices infected and approximately 19,000 medical appointments or procedures being cancelled.

Figure 2: Infection diagram

Clop

Clop ransomware, sometimes referred to as Cl0p, has been active since 2019 and is renowned for its multilevel extortion tactics and high-profile attacks, extorting over US$500 million between 2019 and 2021. Clop has also exploited vulnerabilities in widely used software, such as Accellion's File Transfer Appliance, to maximize its reach.

8Base

8Base is a ransomware group that poses as penetration testers while primarily targeting small businesses. It employs a double-extortion strategy, encrypting data and threatening to expose sensitive information unless victims pay a ransom. 8Base adopts a "name-and-shame" tactic and claims to exclusively target organizations that have neglected data privacy, aiming to harm its victims' reputations by exposing confidential information.

Trigona

The Trigona ransomware group has rapidly evolved by releasing multiple versions with varying capabilities, including command-line arguments for customized encryption. They aggressively advertised high revenue shares of 20% to 50% for affiliates, indicating a lucrative operation. However, their activities ceased abruptly in October 2023 when their leak site was taken down, leaving their operational status uncertain.

Figure 3: Trigona ransomware’s infection chain

LockBit

LockBit is a prominent ransomware group operating on a Ransomware-as-a-Service (RaaS) model. They have released multiple versions, including LockBit 2.0 and 3.0, introducing features such as double-extortion tactics and custom encryption methods. In February 2024, Operation Cronos, a coordinated international law enforcement effort, significantly disrupted LockBit's operations by seizing their infrastructure and arresting key members. Despite these setbacks, LockBit remains a significant threat in the ransomware landscape.

BlackCat

BlackCat, also known as ALPHV or AlphaVM, is a sophisticated ransomware group operating on a Ransomware-as-a-Service (RaaS) model since late 2021. They have targeted various industries, including finance and professional services, with a significant number of victims in the United States. BlackCat utilizes advanced techniques, such as malvertising and exploiting vulnerabilities like Log4J, to gain initial access. They are also known for their public data leak site, which exerts pressure on victims to meet ransom demands.

Ryuk Ransomware

Ryuk is a ransomware variant linked to the cybercrime group known as Wizard Spider. In 2019, Ryuk demanded ransoms as high as $12.5 million and was responsible for some of the largest ransom demands that year, including $5.3 million and $9.9 million. Its victims spanned various sectors, including government, healthcare, and media. The group is also associated with other malware, such as TrickBot and Emotet, to facilitate initial system compromises.

Source: Malwarebytes

Black Basta

Black Basta is a ransomware group operating as ransomware-as-a-service (RaaS) that rapidly gained prominence in the ransomware landscape by targeting a wide range of industries and critical infrastructure across the globe. The group has been observed using tooling such as QakBot, Brute Ratel, and Cobalt Strike to infiltrate networks and exfiltrate sensitive data.

Royal

Royal, a ransomware group active since early 2022, has rapidly gained notoriety for its aggressive tactics and high ransom demands, ranging from $250,000 to over $2 million. Royal employs double extortion methods, encrypting and exfiltrating data, and has expanded its operations to target Linux-based systems, including ESXi servers. Their victims span various sectors, with a significant concentration in North America.

Figure 5: Royal ransomware’s attack flow

Water Ouroboros

Water Ouroboros, emerging in October 2023, operates as a Ransomware-as-a-Service (RaaS) group, allegedly evolving from Hive ransomware following its disruption by the FBI in January 2023. The group focuses more on data theft than encryption, exploiting vulnerabilities, performing credential dumping, and using advanced malware written in languages like Rust. Its primary targets include the United States, Canada, the UK, France, Germany, and Italy.

Hive

Hive is a Ransomware-as-a-Service (RaaS) group that emerged in 2021, targeting various industries globally, including healthcare, finance, and manufacturing. They employ double-extortion tactics, encrypting data and threatening to release sensitive information unless a ransom is paid. In January 2023, the FBI disrupted Hive's operations, but the group continues to operate under different aliases.

Trend Micro Ransomware Protection

Last year, 83% of organizations faced multiple breaches costing $4.4 million each, while reducing risk exposure led to average savings of $1.3 million.

Cyber Risk Exposure Management, part of our Trend Vision One™ enterprise cybersecurity platform, dramatically reduces cyber risk with continuous discovery, real-time assessments, and automated mitigation across cloud, hybrid, or on-premises environments.
