26 Ransomware Examples Explained in 2025

Explore 26 significant ransomware examples that have shaped cybersecurity, including the latest attacks from 2023-24. Understand how these threats impact businesses and how SentinelOne can help.
By SentinelOne October 17, 2024

Ransomware is rapidly turning into one of the most challenging threats a business can face in the modern digital environment, significantly affecting various industries. Ransomware is a type of malware that targets a victim’s files by encrypting them so they cannot be accessed unless the cyber criminal is given some amount of ransom. As per a report, by 2031, the amount lost to ransomware attacks will top USD 265 billion per year, and another attack will happen every two seconds. This alarming statistic shows how ransomware attacks are on the rise and why organizations need to step up their protection.

Ignoring ransomware threats is no longer feasible for any organization that wants to safeguard its resources and brand. Such cyber attacks have catastrophic financial and operational consequences, which may also include loss of critical data. The costs of recovery and the loss of customer confidence might be even more disastrous in the long run. Hence, every organization needs proper cybersecurity measures in place to act as a barrier that safeguards its business assets.

In this article, we discuss 26 influential ransomware examples that define the ransomware landscape, including the most recent ransomware attack examples from 2023. From these examples of ransomware attacks, businesses can learn how such threats work and the havoc they are capable of causing. We will also talk about how SentinelOne’s Singularity™ Platform provides organizations with an advanced form of protection against such types of cyberattacks.

26 Ransomware Examples

The following examples of ransomware attacks represent the different methods that cyber attackers use to gain access to a victim’s device, encrypt data, and demand a ransom. Looking into these ransomware attack examples will better equip businesses to prepare, recognize the signs, and put effective strategies in place to ward off an impending threat.

#1. Clop Ransomware MOVEit Attack (2023)

  • Description: In June 2023, the Clop ransomware group exploited a zero-day vulnerability in MOVEit Transfer to compromise organizations that used the software for secure file transfers. The group exfiltrated sensitive data with SQL injection techniques before deploying ransomware, striking many high-profile organizations. This attack showcased the speed at which Clop could capitalize on software vulnerabilities in popular business tools.
  • Impact: Over 255 victims were targeted, including corporations and government agencies. In addition, the personal data of 18 million users was exposed. The breach caused substantial financial and reputational damage, which is why timely software updates and sophisticated cybersecurity approaches are called for.

#2. Akira Ransomware (2023)

  • Description: Akira ransomware appeared early in 2023 to attack small to medium-sized businesses across several industries. Akira encrypted files with the “.akira” extension and demanded Bitcoin payments, applying double extortion by pressuring victims through data leaks. This was a pretty simple yet effective ransomware attack that has breached many SMBs.
  • Impact: By January 2024, Akira ransomware had compromised more than 250 organizations and claimed approximately $42 million in ransomware proceeds. The attacks exposed vulnerabilities among SMBs, whose lack of resources generally makes it impossible to defend against advanced ransomware threats and reduce the financial impact.

#3. BlackCat/ALPHV Ransomware (2023)

  • Description: BlackCat, or ALPHV, is a Ransomware-as-a-Service operation written in Rust that enables its affiliates to carry out attacks while it takes a cut of the proceeds. Its biggest attribute to date has been its flexible, customizable approach to encryption, and it has since grown into a cross-platform threat, extending its reach into different systems.
  • Impact: Targets included universities and technology companies, which faced severe data breaches and resultant financial losses. BlackCat’s rise epitomizes how the RaaS model has democratized access to advanced ransomware, increasing cybersecurity threats across multiple industries.

#4. Return of MedusaLocker (2023)

  • Description: MedusaLocker became active in December 2022, going into the beginning of 2023, attacking healthcare organizations and deploying ransomware via remote desktop protocol vulnerabilities. Attacks against hospitals resulted in operational disruptions and held them hostage until ransoms were paid to recover critical systems. The group zeroes in on disrupting healthcare services, capitalizing on the sector’s need to keep services running.
  • Impact: MedusaLocker ransomware attacked unsecured RDP servers and desktops and exploited vulnerabilities in software. It exploited vulnerabilities in healthcare software and highlighted the need for strong cybersecurity measures to protect critical infrastructure.

#5. Play Ransomware Attack on the City of Oakland (2023)

  • Description: In February 2023, the Play ransomware group mounted a double-extortion attack on the City of Oakland by encrypting municipal systems while threatening to publish the data it had taken. The attack had significant impacts, including the disruption of key services like emergency operations and critical systems that were taken offline. This incident underlined the vulnerability of public infrastructure to sophisticated ransomware attacks.
  • Impact: The IT systems in Oakland were compromised, including its emergency services like 911 and data of city employees and residents. This attack has underlined that stronger municipal cybersecurity defenses are needed to avoid data breaches and operational disruption.

#6. ESXiArgs Ransomware Campaign (2023)

  • Description: ESXiArgs ransomware attacked VMware ESXi hosts with unpatched vulnerabilities, which allowed the attackers to encrypt the virtual machines on those hosts. The malware hit businesses that hadn’t updated their software, targeting data centers and hosting providers. The campaign highlighted the vulnerability of unpatched systems in critical IT infrastructure.
  • Impact: This ransomware campaign compromised some 3,800 servers worldwide, creating operational chaos among the affected organizations. The attack underlined timely software patching as one of the key means of defense, especially in business-critical virtualized server environments.

#7. LockBit 3.0 Attacks (2023)

  • Description: LockBit 3.0 introduced a triple extortion model, including data encryption, data leaks, and Distributed Denial of Service (DDoS) attacks that increased pressure on victims. This multilayered pressure was aimed at maximizing ransom payments from large-scale industries like finance and manufacturing. The strategy adopted by LockBit marked an evolution in ransomware attacks.
  • Impact: Major firms faced supply chain disruption, while ransom demands ran into the millions of dollars. It shows how attacks by ransomware groups have grown and how they affect business-critical services. Thus, it has become vital to have appropriate security strategies.

#8. Black Suit (Formerly Royal) Ransomware (2024)

  • Description: Black Suit, previously named Royal ransomware, targeted organizations in 2024 through initial access by phishing, RDP exploits, or vulnerable public applications. One of the well-known tactics used by Black Suit is partial encryption. Furthermore, data exfiltration and the disabling of antivirus systems usually occur prior to the deployment of ransomware. Taken together, these steps enabled Black Suit to encrypt data at a very fast pace and remain offline.
  • Impact: Black Suit has attacked several industries, with ransom demands between $1 million and $10 million. The distinctive aspect of Black Suit’s threat is its double extortion mechanism: apart from encrypting data, the group threatens to leak it, which creates severe operational and financial challenges for the affected organization.

#9. Black Basta Ransomware Threats (2022-2023)

  • Description: First appearing in late 2022, Black Basta rapidly became a major ransomware player with double extortion. Black Basta’s ransomware encrypted data and threatened to leak sensitive information from many different industries, including sectors tied to automotive and real estate. The speed at which Black Basta spread showed that its operators are capable of targeting many different sectors around the world.
  • Impact: The affected companies suffered from operational disruptions and even some legal consequences pertaining to data exposure. This ransomware underlined the potential financial loss and regulatory fallout, making companies take a closer look at investing in defensive cybersecurity practices.

#10. DeadBolt Ransomware on QNAP Devices (2023)

  • Description: DeadBolt ransomware attacked QNAP Network Attached Storage (NAS) devices, encrypting the files and then demanding a Bitcoin ransom for decryption. Most of these attacks targeted individual users and small businesses. DeadBolt underlined how IoT devices are increasingly susceptible to ransomware attacks. This campaign exploited weak security in consumer-grade devices.
  • Impact: Several NAS devices were compromised, affecting users who relied on these systems for storing data. The lesson from DeadBolt is that better security protocols are required in IoT and NAS devices, especially for small businesses and individuals that do not enjoy enterprise-level protections.

#11. Vice Society Attacks on Education (2023)

  • Description: In 2023, Vice Society ransomware attacked educational institutions, leveraging their poorly supported cybersecurity systems to lock up files and threatening to leak sensitive student and faculty information. This group has zeroed in on schools and colleges by exploiting gaps in their digital defenses. Most of the time, the ransomware relied on double extortion tactics to pressure the victims.
  • Impact: As a result, many districts suffered service outages and data leaks, adding to the disruption of the academic calendar and the exposure of confidential information. The case pointed out how vulnerable academic institutions are when it comes to cybersecurity, which needs deeper scrutiny in order to protect sensitive educational information.

#12. Lorenz Ransomware (2023)

  • Description: Lorenz ransomware carried out its attacks tailor-made for each victim’s infrastructure and attacked medium to large businesses across various verticals. It employed double extortion to blackmail the victims into paying the ransom, threatening to release sensitive data. Its custom approach made it difficult for cybersecurity teams to detect and respond to.
  • Impact: Many organizations fell victim to significant data breaches and financial losses, while the ransom demands greatly varied depending on the size of the victim and the industry in which it operates. The attacks emphasized how sophisticated targeted ransomware attacks can be, with their ability to adapt according to the defenses of individual organizations.

#13. Cuba Ransomware Group Activities (2022)

#14. RansomEXX/Defray777 Switch (2023)

  • Description: Defray777, better known as RansomEXX, is a ransomware variant that rebranded in 2023 and kept its focus on government and corporate targets, using advanced encryption. The rebranding mirrored the evolution of this group’s tactics and its renewed targeting of high-value sectors. This re-emergence underlined the agility of ransomware groups in changing their personas to keep their operations running.
  • Impact: The attacks caused data breaches in governmental departments, which raised concerns about national security. The incident reflected the need for cybersecurity in the public sector and how far these ransomware groups had come in standing up to governmental law enforcement.

#15. Phobos Ransomware Targets SMBs (2023)

  • Description: Phobos ransomware continued its attacks via Remote Desktop Protocol vulnerabilities to gain access to the networks of small and medium-sized businesses. By encrypting files and demanding ransoms, Phobos targets small companies with limited cybersecurity resources. Most of the time, it succeeded because of weak password management and open RDP ports.
  • Impact: Most of the affected SMBs had inadequate backup solutions and were left with encrypted systems, which led to operational disruption. This trend highlighted the ongoing threat of ransomware to smaller businesses that lack robust cybersecurity defenses, resulting in costly recovery efforts.

#16. Zeppelin Ransomware (2023)

  • Description: Zeppelin ransomware is the latest variant of Vega ransomware, targeting the health care, information technology, and education sectors via a Ransomware-as-a-Service model. Using double extortion tactics, its operators not only demand a ransom but also threaten to leak the stolen data if the payment isn’t made. The highly adaptable Zeppelin spreads via malvertising and phishing, making it very difficult to detect and mitigate.
  • Impact: The ransomware’s personalized approach led to massive data loss and disrupted operations, while the amount of the ransom demanded varied greatly. Attacks like Zeppelin emphasize how ransomware is becoming increasingly adaptable and indicate that strong defenses are required.

#17. Noberus/DarkCat Ransomware Evolution (2023)

  • Description: Noberus, attributed to the BlackCat group, used cloud storage services to exfiltrate data and maximize its impact on high-revenue organizations in 2023. This ransomware uses complex methods and evasion techniques to target large businesses. These capabilities illustrate how advanced modern ransomware has become.
  • Impact: As a result, multinational companies faced very high financial losses due to data theft and encryption. Noberus’s use of cloud services to exfiltrate data introduced a new challenge for cybersecurity teams, who have to update their detection and prevention strategies against superior-class ransomware threats in real time.

#18. Karakurt Data Extortion Group (2023)

  • Description: Unlike more traditional ransomware cybercriminals, Karakurt did not bother encrypting data and instead went directly to extortion, threatening to leak sensitive data unless paid. This approach enabled Karakurt to bypass some security mechanisms focused on preventing the encryption of information. The group’s operations highlighted an ever-evolving landscape of cyber extortion targeted at data.
  • Impact: This forced organizations to decide between paying the ransom and risking severe data leaks, with the reputational and financial consequences that come with them. Karakurt’s modus operandi marked a turning point from encryption-based ransomware toward data extortion, which puts the emphasis on comprehensive data protection policies.

#19. Black Matter Ransomware Re-Emerging Threat (2023)

  • Description: After supposedly dissolving in 2021, BlackMatter resurfaced in 2023 with revitalized ransomware strains aimed at critical infrastructure such as energy companies. Its comeback showed the resilience of ransomware operators, who can rebrand and carry on. BlackMatter’s attacks were closely watched by analysts because of the tactics used in its past operations.
  • Impact: Attacks against energy firms raised concerns about supply-chain disruptions affecting industries relying on unbroken energy supplies. The re-emergence of BlackMatter underlined the cyclical nature of ransomware threats and the persistence of the groups willing to return in new guises.

#20. RansomHouse Data Leak Marketplace (2023)

  • Description: RansomHouse is a marketplace for data leaks, buying stolen data from other groups and selling it independently via auctions and partnerships. Its collaboration model has helped the group work with other cybercrime entities, and it is one of the leading players in the data leak market. RansomHouse embodies one of the new emerging business models in trading exfiltrated data.
  • Impact: Because sensitive data was auctioned, many organizations faced privacy violations and regulatory fines. RansomHouse’s operations add new layers of complexity to traditional ransomware defense mechanisms, putting the emphasis on data protection and regulatory compliance to mitigate potential fines and reputational harm.

#21. Quantum Locker Ransomware (2023)

  • Description: Quantum Locker prioritized speed of deployment, encrypting files rapidly to shrink the window for detection. Its modus operandi included installing malware within hours of the initial system compromise, targeting businesses with critical data. Quantum’s swift operations underlined how ransomware is all about speed, not stealth.
  • Impact: Victims had hardly any time to respond, and there were massive encryption incidents within a short amount of time. The incident made it clear that monitoring has to be real-time and response has to be quick, while Quantum’s approach showed how zero-day attacks work to exploit organizational vulnerabilities.

#22. LockFile Ransomware (2023)

  • Description: LockFile exploited the ProxyShell vulnerabilities in Microsoft Exchange servers and used unusual encryption patterns to help it evade detection. Since it only attacks systems that haven’t been patched, its chance of success went up once an organization fell into its crosshairs. Its focus on Exchange servers drew attention to one big, widespread vulnerability.
  • Impact: Data belonging to thousands of organizations was encrypted through unpatched servers, and serious operational disruptions occurred in most of those organizations. The attacks underlined the importance of patch management in cybersecurity, especially for such commonly used platforms as Microsoft Exchange.

#23. Maui Ransomware – Attacking Healthcare (2022-2023)

  • Description: Maui ransomware was used solely against health organizations and showed signs of state-sponsored collaboration in compromising systems that provide essential services. The attacks caused disruptions to patient care as they attacked healthcare systems and servers. Maui’s tactics mirrored the increasingly targeted nature of ransomware used to carry out strategic disruptions.
  • Impact: This ransomware attack led to blackouts among care providers, disrupted patients’ treatment, and affected emergency services. The attack drew the focus of international media, underlining that this is an ongoing menace to basic services and that large-scale defenses are called for to secure critical infrastructure in health care.

#24. GoodWill Ransomware (2023)

  • Description: GoodWill ransomware did not make victims pay financially but asked them to perform charitable work, such as donating to poor people or performing other community service. It was a different approach: disrupting business processes while forcing a good deed. This illustrates how the motives behind ransomware can go well beyond simply making money.
  • Impact: Although the attack did not cause direct financial losses, productivity was disrupted in business as responses went into overdrive. The incident has outlined the various motivations of cyber-attacks; hence, organizations have to consider a wider variety of scenarios for possible threats.

#25. Stormous Ransomware (2023)

  • Description: Stormous was a combination of hacktivism and cybercrime, targeting organizations with political motives. It used both ransom leakage and PR strategies to broaden its reach, targeting companies with affiliations to particular geopolitical controversies. Stormous exemplifies how ransomware attacks can be used as an instrument in politically motivated attacks.
  • Impact: Affected businesses faced data breaches along with public relations difficulties, bearing the dual pressures of the ransomware’s politically driven agenda. The incident underlines the intersection of geopolitics and cybercrime, where constant vigilance is needed due to the complex landscape of threats.

#26. LV Ransomware (2023)

  • Description: LV ransomware is a completely new type of ransomware attack that appeared in mid-2023. It began attacking large enterprises with highly sophisticated encryption algorithms. Another notable thing about this attack is that it was designed around triple extortion, including the harassment of customers and partners.
  • Impact: The victims faced severe operational disruption, data breaches, and reputational harm. The pressure tactics added in this ransomware attack raised the chances for the ransom actually being paid by victims. This highlights some of the merciless tactics new ransomware groups have taken up to force victims to pay ransom.

How Does SentinelOne Protect Against Ransomware Attacks?

Swift detection, containment, and recovery are important steps in cloud ransomware protection. While we’ve discussed various strategies, managing them all can be challenging.

Integrated solutions like SentinelOne’s Cloud Workload Protection Platform (CWPP) can streamline this process. Let us explore how CWPP addresses these critical aspects:

  • Real-time threat detection: SentinelOne’s AI-powered engine continuously monitors cloud workloads for suspicious activity, detecting ransomware attacks early in the attack lifecycle.
  • Automated prevention: The platform can automatically block ransomware attacks before they cause significant damage, minimizing the impact of incidents.
  • Rapid response: SentinelOne enables security teams to respond quickly to ransomware incidents by providing detailed insights into the attack’s origin, scope, and impact.
  • Continuous monitoring: The platform constantly monitors cloud environments to identify and address potential vulnerabilities that ransomware attackers could exploit. It can defend against ransomware, zero days, and fileless attacks in real time.
  • Integration with cloud platforms: SentinelOne’s real-time CWPP integrates with leading cloud platforms, providing comprehensive protection across hybrid and multi-cloud environments.
  • Forensic visibility of workload telemetry: Informs investigation and incident response with a data log of OS process-level activity. CWPP deploys millions of agents that are trusted worldwide by leading brands, hyper-scalers, and hybrid cloud organizations.
  • eBPF architecture and threat intelligence: Behavioral AI Engine adds the dimension of time in assessing malicious intent. SentinelOne’s Static AI Engine is trained on over half a billion malware samples and inspects file structures for malicious characteristics. The Application Control Engine defeats rogue processes not associated with the workload image.
  • Enriched runtime detection with build time context: Automated Storyline™ attack visualization and mapping to MITRE ATT&CK TTP. Also includes IaC for DevOps provisioning, Snyk integration, and supports 15 Linux distros, 20 years of Windows servers, and 3 container runtimes.

Conclusion

The ransomware examples discussed highlight how rapidly cyber threats are evolving every day. Each ransomware attack example serves as a stark reminder for organizations of the potential damage, from financial losses to reputational harm. It is imperative for businesses to stay vigilant, keep systems updated, and educate employees about cybersecurity best practices. By understanding the above examples of ransomware attacks, organizations can better prepare themselves and stand firmer against such incidents in the future.

This evolution in the frequency and severity of ransomware threats urges all businesses to seek stronger cybersecurity solutions. Among the available options for countering ransomware threats, you can consider the SentinelOne Singularity™ Platform, which addresses all of these challenges with a unified solution. Such platforms provide the tools and intelligence needed to protect against even the most sophisticated ransomware attacks. Protect your organization with SentinelOne and ensure seamless business operations without any interruptions.

Frequently Asked Questions

1. What are the best-known ransomware attacks?

Popular ransomware examples include CryptoLocker, which emerged in 2007 and infected about 500,000 computers. The WannaCry attack in 2017 is famous too and brought widespread disruption due to Windows vulnerabilities. Other prominent strains include GandCrab, which launches aggressive attacks, and Ryuk, which often targets large organizations.

2. How does CryptoLocker work?

It locks up files on infected computers and demands a ransom payment for the decryption key. Initially distributed through infected email attachments that people unwittingly opened, it spread quickly and gained notoriety for launching rapid attacks before law enforcement could get in its way and dismantle it. They had a tough time offering recovery options to victims when dealing with it.

3. What did the global cybersecurity world endure during the WannaCry incident?

WannaCry was a huge mess as it spread rapidly across many networks in May 2017, affecting hundreds of thousands of computers in over 150 countries. It exposed vulnerabilities in much older systems, and organizations became focused on taking their cybersecurity and patch management more seriously.

4. What role did GandCrab play in ransomware history?

GandCrab is an important part of ransomware history, with rapid evolution and advanced extortion tactics, involving threats to leak sensitive information. It first appeared in 2018 and became one of the most prolific ransomware families before its operators unexpectedly announced their retirement in mid-2019.
