Blog

Top Ransomware Examples: Real-Life Threats and Mitigation Strategies

Written by ShardSecure | March 11 2024

For the last decade, ransomware attacks have been one of the most pervasive and damaging cybersecurity threats, harming businesses, government agencies, and even critical infrastructure worldwide. We write about this kind of cybercrime often, covering developments like ransomware-as-a-service (RaaS), intermittent-encryption ransomware, encryption-less ransomware, and more.

But what does ransomware look like on the ground, so to speak? What are some of the most damaging attacks, and how did they come about? Today, we’ll dive into real-life examples of ransomware attacks and explore best practices to mitigate this ever-growing cyber threat.

Real-life ransomware examples

We all know the basics: Ransomware encrypts (and sometimes exfiltrates) a victim’s data, rendering the encrypted files and systems inaccessible until a ransom demand is paid and the decryption key is turned over. But the actual forms that ransomware takes — as well as the methods by which it accesses victim networks and the means by which it demands a payment — can vary widely. Below, we cover some of the most notorious and damaging ransomware infections of the last decade by sector.

Ransomware attacks on critical infrastructure

Cyberattacks targeting critical infrastructure represent a significant threat to national security and public safety. Two incidents from the past decade stand out: the Colonial Pipeline ransomware attack in 2021 and the Ukraine power grid attacks in 2015 and 2016.

In May 2021, Colonial Pipeline, one of the largest fuel pipeline operators in the United States, fell victim to the DarkSide ransomware group. The attackers got in through a legacy VPN account that was no longer in use but still active, protected by a single password and no multi-factor authentication. The ransomware hit the company’s IT systems rather than the pipeline controls themselves, but Colonial shut down pipeline operations as a precaution while it assessed the damage, leading to fuel shortages and panic buying across the East Coast.

Meanwhile, Ukraine experienced cyberattacks on its power grid in December 2015 and December 2016 that were widely attributed to Russian state-sponsored actors and left hundreds of thousands of people without electricity. Strictly speaking, these were not ransomware attacks: the 2015 intrusion used the BlackEnergy malware together with the KillDisk wiper, the 2016 attack used Industroyer (also called CrashOverride), which spoke the grid’s industrial control protocols directly, and no ransom was demanded. They belong in this discussion because they follow the same path as a ransomware intrusion (phishing, then lateral movement into the operational network) and show what happens when the payload is destructive rather than extortionate, which is exactly the outcome a ransomware attack on essential services can produce.

Ransomware attacks in healthcare

Healthcare organizations are prime targets for ransomware attacks due to the sensitive nature of their patient data and the essential role they play in public health. In fact, according to an FBI report, healthcare was the top critical sector targeted by ransomware in 2022.

One of the largest attacks in recent years was on the CommonSpirit Health system in October 2022, which saw more than 620,000 patient records impacted. Although patient data was not believed to have been leaked, the nonprofit health system had to take its electronic medical records and patient portal offline and reschedule appointments.

Another particularly notable attack targeted the Vastaamo practice in Finland in 2020. Tens of thousands of psychotherapy patients at the practice had their confidential treatment records hacked, with threats to leak them online unless they paid the ransom.

Ransomware attacks in higher education

Higher education institutions store vast amounts of sensitive data, including financial records, research, student records, and intellectual property, making them attractive targets for ransomware attacks. Cybercriminals are known to target colleges and universities during school breaks, when IT staff aren’t around to prevent or mitigate attacks.

The most devastating ransomware attack on higher education was undoubtedly the one on Lincoln College, a predominantly Black institution in Illinois that was hit in December 2021 and ultimately closed in May 2022 after the attack compounded pandemic-era financial losses and a drop in enrollment. Other institutions — including the University of California, San Francisco and Minnesota State University-Moorhead — have also been hit hard by ransomware in recent years.

Supply-chain ransomware attacks

Supply-chain ransomware attacks involve targeting third-party vendors or service providers to gain access to their clients’ networks. They can be particularly insidious because third parties often have weaker security controls than the large enterprises they serve.

The most notorious supply-chain compromise of recent years was the SolarWinds attack, disclosed in December 2020. It was an espionage campaign rather than a ransomware attack, but it shows how much access a single vendor compromise buys: the attackers inserted a backdoor (SUNBURST) into signed updates of the SolarWinds Orion platform, and those updates were distributed to roughly 18,000 customers worldwide, giving the intruders a foothold in the networks of US government agencies, including the Pentagon, and Fortune 500 companies such as Microsoft and Intel.

The same access path has been used for ransomware. In July 2021, the REvil group exploited vulnerabilities in Kaseya VSA, a remote management product used by managed service providers (MSPs) to administer their customers’ systems, and used the product’s own deployment mechanism to push ransomware through the MSPs to their clients. Kaseya estimated that between 800 and 1,500 downstream businesses were affected, highlighting the interconnected nature of supply-chain ecosystems and the ripple effects a single compromise can have.

Top ten ransomware variants

Ransomware variants are essentially different versions or families of ransomware, with each variant possessing its own distinct encryption methods and propagation techniques. Variants can vary widely in their sophistication, ranging from easily detectable versions to highly complex and evasive strains.

Because of this wide variety in ransomware families, it’s important to understand the general ransomware landscape. Different types of ransomware often require different mitigation techniques, and knowing which variants they’re facing helps cybersecurity professionals to stay ahead of evolving threats. 

From Petya and NotPetya to Locky, CryptoLocker, and Bad Rabbit, there are dozens of examples of ransomware families. Here are a few of the most common and most dangerous variants from the last decade.

  1. REvil (Sodinokibi). REvil, also known as Sodinokibi, emerged in 2019 as a prolific Russia-based ransomware-as-a-service (RaaS) operation. Its most notable targets were managed service providers (MSPs), including the Kaseya attack described above, where a single compromise cascaded into infections at hundreds or possibly even thousands of downstream clients.
  2. LockBit. LockBit is a RaaS variant that first appeared in 2019 under the name ABCD (after the .abcd extension its early builds appended to encrypted files) and has since become one of the most widely used families. It is set apart by its ability to self-propagate rapidly across a network once inside, letting affiliates encrypt an entire organization quickly, and it uses double extortion (encryption plus the threat to leak stolen data) to pressure victims. In 2022 it was the most deployed ransomware variant worldwide. In February 2024 an international law enforcement operation seized much of its infrastructure; as with other RaaS brands, a takedown of the operators does not necessarily stop the affiliates.
  3. BlackCat. BlackCat ransomware, also known as ALPHV or Noberus, is another RaaS variant. It was first observed in late 2021 and is notable for being written in Rust, with builds for both Windows and Linux (including VMware ESXi hosts). It is also known for triple extortion, demanding a ransom for 1) decrypting infected files, 2) not publishing stolen data, and 3) not launching distributed denial-of-service (DDoS) attacks against the victim.
  4. WannaCry. One of the most infamous ransomware attacks in history, WannaCry struck in May 2017, infecting hundreds of thousands of computers in a matter of days. It spread as a worm using the EternalBlue exploit for an SMBv1 vulnerability in Windows (MS17-010) that Microsoft had patched two months earlier, so unpatched and end-of-life systems bore the brunt. Attackers demanded payment in Bitcoin, which was still an emerging form of payment at the time. WannaCry caused unprecedented disruption to businesses, healthcare institutions (including the UK’s NHS), and government agencies worldwide, highlighting the impact ransomware can have on both public and private sectors.
  5. MedusaLocker. The MedusaLocker variant, first seen in 2019, is known for deleting local backups, Volume Shadow Copies, and virtual hard disks to make recovery difficult. It gained notoriety for its focus on the healthcare sector, especially during the COVID-19 pandemic. It should not be confused with the separate Medusa ransomware family that appeared later; the two are unrelated operations despite the similar names.
  6. Ryuk. The Ryuk variant surfaced in 2018 and became notorious for targeting large organizations, particularly in the healthcare and financial sectors. Unlike many ransomware strains, Ryuk is deployed by hand after the operators have gained access to a network, typically through a prior infection by commodity malware such as TrickBot or Emotet. It is a highly damaging form of crypto ransomware that demands substantial ransom payments running into the millions of dollars.
  7. Maze. First identified in 2019, Maze gained attention for popularizing double extortion: it not only encrypted files but also stole sensitive data from victims, and if the ransom was not paid, the operators threatened to publish the stolen information on a leak site. The Maze group announced its shutdown in late 2020, but the tactic it pioneered is now standard practice for most major families.
  8. Black Basta. This variant emerged in April 2022 and has gained notoriety for its aggressive operations. It uses double extortion, deletes shadow copies to hinder recovery, and has a Linux build that targets VMware ESXi hosts, so a single intrusion can take down many virtual machines at once. It mainly targets the US construction and manufacturing industries, but its effects have also been felt by the American Dental Association, Deutsche Windtechnik, and others.
  9. Play. Also known as PlayCrypt, this variant emerged in June 2022 and quickly became known for targeting companies and government institutions in Europe and the Americas. Its name comes from its behavior: it appends the extension “.play” to encrypted files and writes PLAY in its ransom notes. Play also disables anti-malware solutions, including Microsoft Defender’s real-time monitoring and antivirus protection.
  10. BianLian. BianLian ransomware, named after the Chinese theatrical technique of face-changing, appeared as a ransomware operation in 2022 with an encryptor written in Go. True to its name, the group changed its approach in 2023, largely dropping encryption in favor of exfiltration-only extortion: it steals data and threatens to leak it without encrypting anything, which leaves fewer of the noisy indicators that endpoint tools look for. That shifting tradecraft, rather than any single code signature, is what makes BianLian difficult for traditional security tools to detect and mitigate.

Top ransomware mitigation strategies

Given the severe consequences of ransomware attacks, it’s crucial for individuals and organizations to implement robust cybersecurity measures. An effective ransomware mitigation plan will encompass everything from advanced technical safeguards to a security-conscious company culture. Here are some top tips and strategies:

Regularly back up data. Maintain regular backups of essential data and keep at least one copy offline or in immutable, versioned cloud storage that production credentials cannot overwrite or delete; several of the families above delete shadow copies and any backup they can reach before encrypting. Regularly test the backups by actually restoring them and verifying the restored files’ integrity, not just by checking that the backup job reported success.
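One way to make the “test your backups” advice concrete, as an added example that is not ShardSecure’s code or part of the original post: record a SHA-256 manifest when the backup is written, then prove the backup restores by copying it to a scratch directory and re-hashing every file against the manifest. The directory layout, file contents and the simulated tampering in demo() are constructed for the example.

```python
"""Backup integrity and restore testing (added example, not ShardSecure code).

At backup time, write a SHA-256 manifest alongside the copied files. A restore
test then copies the backup to a scratch directory and re-hashes every file,
so a backup that was silently encrypted, truncated, or had files removed is
caught before the day you need it. Paths and contents below are constructed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy source into dest and record the hash of every file copied."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(source, dest)
    manifest = {str(p.relative_to(dest)): sha256_file(p)
                for p in sorted(dest.rglob("*")) if p.is_file()}
    # In production, store a second copy of this manifest somewhere the
    # backup host cannot modify, so an attacker cannot rewrite both.
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(backup: Path) -> list[str]:
    """Restore the backup to a scratch dir and re-check every hash.

    Returns a list of problems; an empty list means the restore test passed.
    """
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup, restored)
        for rel, expected in manifest.items():
            p = restored / rel
            if not p.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(p) != expected:
                problems.append(f"hash mismatch: {rel}")
        # Files present but absent from the manifest may be attacker additions
        # (ransom notes, dropped tools) and should be flagged, not restored.
        for p in restored.rglob("*"):
            rel = str(p.relative_to(restored))
            if p.is_file() and rel != MANIFEST_NAME and rel not in manifest:
                problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Back up a constructed directory, verify it, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-03-01,100\n")
        (src / "notes.txt").write_text("quarterly notes\n")
        backup = root / "backup"
        make_backup(src, backup)
        clean = verify_restore(backup)
        # Simulate ransomware reaching the backup share: overwrite one file.
        (backup / "finance" / "ledger.csv").write_bytes(b"\x00" * 32)
        tampered = verify_restore(backup)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup problems:", clean)
    print("tampered backup problems:", tampered)
```

The restore test deliberately copies the whole backup out before checking it, because the failure mode that matters is not “the file is there” but “the file comes back intact on a different system”; a read-only or immutable backup target should be paired with this kind of check so the manifest itself cannot be rewritten by the same process that encrypted the data.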

Patch systems regularly. Keep operating systems, software, and firmware up to date with the latest security patches, and prioritize internet-facing systems and known exploited vulnerabilities: WannaCry spread through a flaw Microsoft had patched two months earlier, and the Kaseya attack went through unpatched on-premises VSA servers. Vulnerability management plays a critical role in mitigating ransomware and other malware and in avoiding data breaches.

Employee training and awareness. Educate employees about phishing emails, malicious email attachments, smishing on mobile devices, and other social engineering tactics used by threat actors. Make sure workers also practice good password hygiene and use multi-factor authentication (MFA). Encourage a culture of cybersecurity awareness, with regular training sessions or exercises to reinforce security procedures. And if your employees work remotely via Remote Desktop Protocol (RDP), do not expose it directly to the internet: put it behind a VPN or a remote desktop gateway, require MFA, and restrict which accounts are allowed to log in, since internet-exposed RDP with weak or reused credentials is one of the most common ransomware entry points today.

Create incident response plans. Develop or amend your incident response plans to include the steps to take in the event of a ransomware infection. Ensure that roles and responsibilities, including communication with relevant stakeholders, are clearly defined to facilitate a swift and coordinated response, and keep a copy of the plan and its contact lists somewhere that remains reachable when your own systems are encrypted.

Network segmentation and endpoint protection. To contain ransomware inside your organization and limit its impact on critical data, segment the network so that a compromised workstation cannot reach backups, domain controllers, and critical data directly, and restrict the lateral-movement paths (SMB, RDP, administrative shares) that self-spreading variants such as LockBit and WannaCry rely on. To detect ransomware early, deploy endpoint protection that watches behavior rather than only file signatures, using behavioral analysis, threat intelligence, and machine learning: deletion of shadow copies, tampering with security tools, and sudden bursts of file renames are reliable early indicators across most of the families listed above.
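The behaviors named above can be turned into detection rules directly. The following is an added example, not code from ShardSecure or from any EDR product: a small rule engine that scans endpoint process and file-rename events for shadow-copy deletion (the recovery-killing step used by MedusaLocker and many others), Microsoft Defender tampering (as Play does), and a burst of files renamed to a ransomware extension such as “.play”. The event format, host names, thresholds, and the sample telemetry are constructed for the example; map the fields to your own EDR or Sysmon data before using it.

```python
"""Behavioral ransomware detection over endpoint telemetry (added example).

Three rules matching behaviours described on this page:
  * shadow_copy_deletion / recovery_disabled - commands that destroy recovery
  * defender_tampering                       - disabling Defender real-time scan
  * mass_rename_burst                        - many files renamed to a known
                                               ransomware extension in seconds
The event schema (ts, host, type, cmdline or old_path/new_path) and the
sample events are constructed for this example.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Process command lines that destroy recovery options or blind the endpoint.
PROCESS_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("defender_tampering",
     re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
]

# Extensions this page ties to specific families (Play uses ".play", the early
# LockBit build used ".abcd"). Extend the set from your own threat intel.
RANSOM_EXTENSIONS = {".play", ".abcd", ".lockbit"}

# This many renames to a ransomware extension on one host inside WINDOW_SECONDS
# is treated as active encryption. Both values are assumptions; tune per estate.
RENAME_THRESHOLD = 20
WINDOW_SECONDS = 10.0


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    ts: float
    detail: str


def _extension(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def detect(events):
    """Return alerts for an iterable of event dicts sorted by timestamp."""
    alerts = []
    windows = defaultdict(deque)   # per-host timestamps of suspicious renames
    burst_reported = set()         # alert once per host, not once per file
    for ev in events:
        host, ts = ev["host"], ev["ts"]
        if ev["type"] == "process":
            for name, pattern in PROCESS_RULES:
                if pattern.search(ev["cmdline"]):
                    alerts.append(Alert(name, host, ts, ev["cmdline"]))
        elif ev["type"] == "file_rename":
            new_ext = _extension(ev["new_path"])
            if new_ext in RANSOM_EXTENSIONS and _extension(ev["old_path"]) != new_ext:
                window = windows[host]
                window.append(ts)
                while window and ts - window[0] > WINDOW_SECONDS:
                    window.popleft()
                if len(window) >= RENAME_THRESHOLD and host not in burst_reported:
                    burst_reported.add(host)
                    alerts.append(Alert("mass_rename_burst", host, ts,
                                        f"{len(window)} renames to {new_ext} "
                                        f"within {WINDOW_SECONDS:.0f}s"))
    return alerts


def sample_events():
    """Constructed telemetry: ws-01 is benign, ws-02 is being encrypted."""
    events = [
        {"ts": 0.0, "host": "ws-01", "type": "process",
         "cmdline": "C:\\Windows\\System32\\vssadmin.exe list shadows"},   # benign
        {"ts": 1.0, "host": "ws-01", "type": "file_rename",
         "old_path": "C:\\Users\\a\\report.docx", "new_path": "C:\\Users\\a\\report-final.docx"},
        {"ts": 5.0, "host": "ws-02", "type": "process",
         "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"ts": 5.5, "host": "ws-02", "type": "process",
         "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    ]
    # 25 files renamed to .play within two seconds on ws-02.
    for i in range(25):
        events.append({"ts": 6.0 + i * 0.08, "host": "ws-02", "type": "file_rename",
                       "old_path": f"C:\\Share\\doc{i}.xlsx",
                       "new_path": f"C:\\Share\\doc{i}.xlsx.play"})
    return events


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"{a.ts:6.2f} {a.host} {a.rule}: {a.detail}")
```

The rename rule keys on a known extension to keep the example short; in practice a more robust version also counts renames where the extension changes to anything unusual, or where file entropy jumps, because new families choose new extensions. The process rules are the higher-confidence signal: outside of scripted maintenance, nothing legitimate deletes all shadow copies or switches Defender’s real-time monitoring off.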

Know your remedies. For some ransomware families, decryption tools are now available, many of them free. The FBI, for instance, released a decryption tool for BlackCat in December 2023 after seizing the group’s infrastructure, and the No More Ransom project maintained by Europol and security vendors collects decryptors for other families. Two caveats: only obtain decryptors from law enforcement or reputable vendors, since fake decryptors are a known lure, and test any tool on copies of encrypted files first, because a decryptor for one version of a family often does not work on another.

Consider ShardSecure. The ShardSecure platform mitigates the impact of ransomware in on-prem, cloud, and hybrid-cloud architectures. It protects the accuracy and integrity of data with multiple data health checks that detect unauthorized tampering by ransomware. In the event that a health check fails, the platform’s self-healing feature immediately begins to reconstruct affected data, protecting it from unauthorized deletion, compromise, or loss.

ShardSecure also protects sensitive data from double extortion attacks, automatically reconstructing and relocating data compromised by ransomware. With virtual clusters that deploy on-prem or in the cloud, the platform also offers high availability during attacks and other disruptions to maintain robust data resilience.

To learn more about how the ShardSecure platform mitigates ransomware attacks, visit our ransomware solutions page or check out our other resources.

Sources

Cybersecurity Policy Responses to the Colonial Pipeline Ransomware Attack | Georgetown Environmental Law Review

Cyber-Attack Against Ukrainian Critical Infrastructure | CISA

FBI: Healthcare hit with most ransomware attacks of any critical sector | Healthcare Executive

'Shocking' hack of psychotherapy records in Finland affects thousands | The Guardian

Lincoln College in Illinois to Close, Hurt by Covid and Ransomware Attack | The New York Times

A 'Worst Nightmare' Cyberattack: The Untold Story Of The SolarWinds Hack | NPR

The Kaseya ransomware attack: A timeline | CSO Online

REvil ransomware attack against MSPs and its clients around the world | Securelist

Law enforcement disrupt world’s biggest ransomware operation | Europol

The Top 10 Ransomware Groups of 2023 | BlackFog

Ransomware WannaCry: All you need to know | Kaspersky

MedusaLocker Ransomware Leveraged In Healthcare Cyberattacks | Health IT Security

RYUK Ransomware | Trend Micro

What is Maze ransomware? | Cloudflare

Ransomware Spotlight: Play | Trend Micro

Unmasking the Shapeshifter: Threat Hunting for BianLian Malware | Medium

RDP Ransomware: Everything You Need to Know | ransomware.org

FBI disrupts Blackcat ransomware operation, creates decryption tool | Bleeping Computer