Blog, Learning Center | February 24, 2021 | Updated: October 10, 2025 | Reading time: 10 minutes

10 Ransomware Examples from Recent High-Impact Attacks


Ransomware has emerged as one of the most persistent and devastating threats facing businesses across all industries. As digital transformation accelerates and companies become increasingly dependent on critical infrastructure and interconnected systems, cyber attackers have refined their methods to exploit vulnerabilities in everything from email attachments to enterprise software platforms. 

The evolution of these threats, from simple encryption trojans to complex operations against the National Health Service and critical infrastructure such as the Colonial Pipeline, shows clearly why comprehensive cybersecurity strategies have become essential for organizational survival.

Below, we examine key ransomware attack vectors you should understand as you build out organization-wide security strategies and monitor your cybersecurity posture.

What is a ransomware attack?

Ransomware is malicious code designed to gain access to a network and implement file encryption on target systems. From there, cyber adversaries will hold the encrypted files hostage until a ransom is paid, often demanding payment through a TOR-based payment portal to maintain anonymity. Given the lucrative nature of these attacks, with operations like those targeting Costa Rica’s government systems generating millions in demands, cybercriminals are constantly creating and testing new variants of this encryption trojan technology.

This has given rise to a new age of ransomware attacks that leverage advanced deployment techniques to avoid detection altogether. As sophisticated ransomware kits become cheaper and easier to obtain, staying protected remains a top concern for businesses looking to grow their digital capabilities while maintaining security against increasingly capable threat actors.

Types of ransomware vectors

Understanding the vectors cyber attackers use to gain access to systems is critical in better protecting against ransomware attacks. Modern threat actors employ multiple sophisticated approaches beyond traditional methods.

Remote desktop protocol (RDP)

RDP is a protocol designed by Microsoft that allows users to connect to a system remotely and run commands on it. The security of an RDP deployment depends heavily on strong password hygiene, which users often neglect. This weakness means that cybercriminals can crack RDP credentials and gain access to systems; such credentials are also readily available for purchase on dark web marketplaces for those who prefer not to conduct the attacks themselves.
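The following is an added example, not code from SecurityScorecard or the original post, showing the defensive side of the RDP vector: spotting password-guessing against RDP in logon telemetry. It assumes a simplified, constructed text format carrying the Windows Security log fields that matter here (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP); the log lines, hosts and addresses are constructed, not real data. It flags a source that fails many RDP logons within a short window and, more importantly, a success from the same source afterwards, which is the signal that a guessed credential worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real log data) in a simplified text format
# modelled on Windows Security log fields: 4625 = failed logon, 4624 = success,
# LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2024-05-03T10:00:01Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2024-05-03T10:00:03Z 4625 LogonType=10 Account=admin Source=203.0.113.7
2024-05-03T10:00:05Z 4625 LogonType=10 Account=backup Source=203.0.113.7
2024-05-03T10:00:07Z 4625 LogonType=10 Account=sqlsvc Source=203.0.113.7
2024-05-03T10:00:09Z 4625 LogonType=10 Account=jsmith Source=203.0.113.7
2024-05-03T10:00:12Z 4624 LogonType=10 Account=jsmith Source=203.0.113.7
2024-05-03T10:15:00Z 4625 LogonType=10 Account=jsmith Source=198.51.100.20
2024-05-03T11:30:00Z 4624 LogonType=10 Account=jsmith Source=198.51.100.20
2024-05-03T11:31:00Z 4625 LogonType=2 Account=jsmith Source=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) Source=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(m["event"]),
            "logon_type": int(m["ltype"]),
            "account": m["account"],
            "src": m["src"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts in time order.

    ("bruteforce", source, failures) once a source reaches `threshold` failed
    RDP logons inside `window`; ("success_after_bruteforce", source, account)
    when a later RDP logon from a flagged source succeeds.
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:        # only RemoteInteractive (RDP) logons
            continue
        recent = failures[ev["src"]]
        if ev["event"] == 4625:
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:   # slide the window
                recent.popleft()
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("bruteforce", ev["src"], len(recent)))
        elif ev["event"] == 4624 and ev["src"] in flagged:
            alerts.append(("success_after_bruteforce", ev["src"], ev["account"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The second source in the sample (one failure, then a success fifteen minutes later) is a normal mistyped password and produces no alert; the threshold and window are the knobs to tune against your own baseline of failed logons.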

Email phishing and malicious attachments

Email phishing remains one of the most popular ransomware delivery vectors. Using social engineering tactics, cyber attackers send emails containing malicious attachments to employees that appear to come from trusted sources. Once opened, these email attachments can deploy various file types designed to execute malware, harvest employee credentials, or download additional payloads onto the system.

The key to mitigating phishing risk lies in working with employees to ensure they understand how to spot illegitimate messages across all communication platforms and implement robust endpoint detection and response solutions to detect and block suspicious email attachments before they execute.

Software vulnerabilities and exploitation

Exploiting software vulnerabilities represents another common ransomware delivery method that has grown in sophistication. Unpatched software creates security gaps that open doors to malware intrusions. Recent attacks have demonstrated how cybercriminals exploit vulnerabilities in enterprise systems, from SQL injection attacks against web applications to sophisticated exploits targeting file transfer solutions.

This exposes organizations to increased cyber threat activity and makes them easier targets for attackers since attackers can access unpatched systems without harvesting credentials. Modern threat actors often use frameworks like Cobalt Strike to maintain persistence and move laterally through compromised networks once initial access is gained.

10 ransomware examples

With the average cost of a ransomware attack having grown significantly in recent years, it is important to understand the different variants that may be used to target your organization. Below is a list of ten of the most significant ransomware attacks from recent years, including historical cases and emerging threats.

1. Black Basta

Unlike other Trojan horses that target specific file extensions, Black Basta does not skip files based on their extensions, but it avoids encrypting critical folders that would render systems inoperable. The ransomware deletes all Volume Shadow Copies, creates a new JPG image that it sets as the desktop wallpaper, and registers an ICO file as the icon for encrypted files.

The malware uses the ChaCha20 encryption algorithm, with the ChaCha20 keys encrypted using an RSA public key hard-coded in each sample. Black Basta can fully or partially encrypt files depending on their size and changes the extension of encrypted files to .basta. In recent threat intelligence reports, this ransomware has been responsible for seven major breaches, making it one of the more active contemporary threats.
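The behaviors listed above (shadow copy deletion, the wallpaper swap, and renaming to .basta) are exactly what an endpoint detection rule can correlate. The following is an added example, not code from SecurityScorecard or from any Black Basta analysis, that scores constructed endpoint telemetry per host. The event schema (process, file_rename and registry_set records with a host field) is an assumption standing in for whatever your EDR emits; the command lines matched are the standard shadow-copy deletion forms, and the wallpaper registry value is the well-known HKCU\Control Panel\Desktop\Wallpaper.

```python
import re
from collections import defaultdict

# Constructed telemetry (not real data). WS-01 shows the three Black Basta
# behaviours named in the text; WS-02 shows benign look-alike activity.
SAMPLE_TELEMETRY = [
    {"host": "WS-01", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-01", "type": "file_rename", "old": r"C:\Users\alice\Documents\q3.xlsx",
     "new": r"C:\Users\alice\Documents\q3.xlsx.basta"},
    {"host": "WS-01", "type": "file_rename", "old": r"C:\Users\alice\Documents\plan.docx",
     "new": r"C:\Users\alice\Documents\plan.docx.basta"},
    {"host": "WS-01", "type": "file_rename", "old": r"C:\Users\alice\Documents\budget.pptx",
     "new": r"C:\Users\alice\Documents\budget.pptx.basta"},
    {"host": "WS-01", "type": "registry_set", "key": r"HKCU\Control Panel\Desktop",
     "value": "Wallpaper", "data": r"C:\Temp\wallpaper.jpg"},   # constructed path
    {"host": "WS-02", "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},                  # admin just listing
    {"host": "WS-02", "type": "file_rename", "old": r"C:\Users\bob\Documents\q3.xlsx",
     "new": r"C:\Users\bob\Documents\q3.xlsx.bak"},
]

# Command-line forms used to wipe Volume Shadow Copies.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
RANSOM_EXTENSIONS = {".basta"}          # extension named in the text
WALLPAPER_KEY = r"hkcu\control panel\desktop"


def score_hosts(events, rename_threshold=3):
    """Map host -> sorted list of Black Basta-style indicators seen on it."""
    indicators = defaultdict(set)
    renames = defaultdict(int)
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            if any(p.search(ev["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
                indicators[host].add("shadow_copy_deletion")
        elif ev["type"] == "file_rename":
            if any(ev["new"].lower().endswith(ext) for ext in RANSOM_EXTENSIONS):
                renames[host] += 1
                if renames[host] >= rename_threshold:     # burst, not a single rename
                    indicators[host].add("mass_rename_ransom_extension")
        elif ev["type"] == "registry_set":
            if ev["key"].lower() == WALLPAPER_KEY and ev["value"].lower() == "wallpaper":
                indicators[host].add("wallpaper_replaced")
    return {host: sorted(found) for host, found in indicators.items()}


def alerts(events, min_indicators=2):
    """Alert only when several independent indicators line up on one host."""
    return {h: i for h, i in score_hosts(events).items() if len(i) >= min_indicators}


if __name__ == "__main__":
    print(alerts(SAMPLE_TELEMETRY))
```

Correlating by host rather than by process matters because the shadow-copy deletion is typically run as a separate child process; requiring two or more indicators keeps a lone administrator running a vssadmin command from paging the on-call team.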

2. RansomHub

RansomHub has emerged as the most dominant non-Cl0p ransomware group in 2024, likely filling the vacuum left by ALPHV/BlackCat’s disbanding and law enforcement actions against LockBit. This group represents the new generation of ransomware operators that have adapted quickly to law enforcement pressure and market dynamics.

In recent analysis, RansomHub has been responsible for 15 significant breaches, positioning it as a major threat to organizations worldwide. The group demonstrates sophisticated operational security and can target diverse sectors through multiple attack vectors.

3. BlackSuit

According to recent threat attribution data, BlackSuit ransomware has gained prominence as a significant threat actor, responsible for 10 major breaches. This group has demonstrated sophistication in its “Black suit” tactics—highly coordinated, multi-stage attacks combining reconnaissance, privilege escalation, and lateral movement before deploying encryption payloads.

BlackSuit operations typically involve extensive reconnaissance phases where attackers map target networks and identify high-value systems before launching their final encryption phase. This methodical approach makes their attacks particularly devastating for targeted organizations.

4. Hunters International

Hunters International ransomware emerged as a significant threat in 2024, responsible for eight major breaches according to recent threat attribution data. This group represents the new generation of ransomware operators that have adapted sophisticated techniques for targeting enterprise environments and maintaining persistence within compromised networks.

The Hunters International group demonstrates advanced capabilities in reconnaissance and lateral movement, often spending considerable time mapping target networks before deploying their encryption payloads. It has shown particular effectiveness in exploiting vulnerabilities in enterprise software and leveraging legitimate administrative tools to avoid detection during the initial stages of their attacks.

5. WannaCry ransomware

WannaCry ransomware is unique because once it infects a system, it can copy itself to other systems without modifying files or affecting the computer’s boot sector. Because of this self-propagating, worm-like behavior, WannaCry caused a worldwide cyber attack in May 2017, infecting over 230,000 computers in less than a day.

WannaCry targets computers running outdated versions of Microsoft Windows, using the EternalBlue exploit against a vulnerability in the SMBv1 service. Much of its success can be attributed to poor patching hygiene, highlighting the importance of regular patching. The attack had an unprecedented impact on critical infrastructure, with the National Health Service in the UK severely affected: hospitals were forced to cancel thousands of appointments and surgeries as their systems were locked by file encryption.

6. Cerber

The Cerber ransomware highlights the growing complexity of ransomware threats. It is distributed using the Ransomware-as-a-Service model. Cerber is easily accessible; anyone can use it if they share forty percent of profits with the distributors.

Cerber is primarily distributed using phishing tactics. Once downloaded, it begins to encrypt files while running in the background to avoid detection. Once the encryption is complete, users will find ransom notes with instructions for payment through a TOR-based payment portal.

7. Akira ransomware

Akira ransomware has emerged as a significant threat in recent years, particularly targeting VMware ESXi servers and virtual infrastructure environments. This variant demonstrates how cybercriminals adapt their tactics to target virtualized environments that many organizations rely on for their critical operations. According to recent threat attribution data, Akira has been responsible for nine major breaches, making it one of the more active contemporary ransomware families.

Akira often spreads through compromised networks using server message block (SMB) protocols and can cause devastating disruption to virtualized server farms. The group’s focus on VMware ESXi infrastructure represents a strategic shift toward targeting the backbone systems that support multiple virtual machines, allowing attackers to maximize impact with a single successful compromise.

8. Reveton

Sometimes referred to as the “Police Trojan,” Reveton uses social engineering to trick users into thinking they have committed a crime. Victims receive a message claiming a law enforcement agency has locked their computer and that they must pay a fine through a TOR-based payment portal to regain access. This represents an early example of cryptoviral extortion techniques that paved the way for more sophisticated ransomware operations.

9. SamSam

Unlike most ransomware variants, SamSam uses remote desktop protocol exploits and brute-force tactics to steal credentials. SamSam only targets specific server types, making it particularly high-risk for organizations running vulnerable systems. SamSam is particularly dangerous because it assumes administrator rights before downloading the malware onto a system, making it extremely difficult to track.

10. Colonial Pipeline attack

The May 2021 cyber attack on Colonial Pipeline represents a watershed moment in understanding how ransomware can disrupt critical infrastructure. The DarkSide ransomware group targeted the company’s IT systems, forcing the shutdown of the largest fuel pipeline system in the United States for six days.

This attack demonstrated that cyber attackers don’t necessarily need to compromise operational technology systems directly—disrupting IT infrastructure can be sufficient to force critical infrastructure operators to halt operations. The incident led to widespread fuel shortages across the Eastern United States and highlighted the interconnected nature of modern infrastructure systems.

Additional recent threats

Modern ransomware operations continue to evolve with new variants targeting specific technologies and infrastructure components that organizations depend on daily.

Bad Rabbit

Bad Rabbit emerged in October 2017 as another example of ransomware targeting critical infrastructure and public services. This attack primarily affected organizations in Russia and Ukraine, including metro systems and airports. Unlike other ransomware families, Bad Rabbit used a “drive-by” attack method, spreading through compromised websites that prompted visitors to install fake Adobe Flash updates.

Water Bakunawa

Water Bakunawa represents one of the more sophisticated threat groups that has emerged in the Asia-Pacific region. It utilizes advanced techniques to target organizations across multiple sectors. This group has demonstrated capabilities in exploiting vulnerabilities in enterprise systems and maintaining persistence through complex attack chains that often involve computer worms and other self-propagating malware.

Dark Angels

Dark Angels ransomware group has gained notoriety for targeting high-value organizations and demanding some of the largest ransom payments on record. This group often employs what security researchers call “Black suit” tactics – highly coordinated, multi-stage attacks that combine reconnaissance, privilege escalation, and lateral movement before deploying their encryption payloads.

MOVEit Transfer exploitation

The MOVEit Transfer vulnerability (CVE-2023-34362) became one of the most significant supply chain attack vectors in 2023. Multiple ransomware groups exploited this file transfer software to compromise hundreds of organizations worldwide. This third-party software vulnerability affected companies like Western Union and numerous government agencies.

Fulton County and the British Library

Fulton County, Georgia, experienced a significant ransomware attack in January 2023 that disrupted court operations, while the British Library suffered a major cyber attack in October 2023 that affected its website and catalog services. These incidents demonstrate how government and cultural institutions have become targets for ransomware operators.

Enhanced attack techniques and tools

Modern ransomware operations have evolved significantly in their sophistication, incorporating advanced tools and techniques that make detection and mitigation increasingly challenging for security teams worldwide.

Cobalt Strike and advanced persistent threats

Modern ransomware operations increasingly rely on legitimate security tools like Cobalt Strike to maintain persistence and conduct reconnaissance within compromised networks. Cobalt Strike is a legitimate penetration testing framework, but cyber attackers have weaponized it to blend in with normal network traffic while conducting malicious activities.

Threat actors use Cobalt Strike to establish command and control communications, move laterally through networks, and deploy additional payloads, including ransomware. The tool’s legitimate nature makes detection challenging for traditional security solutions, requiring advanced endpoint detection and response capabilities.
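One network-side signal that does not depend on recognising the tool itself is the regularity of its command and control check-ins: an implant that calls home on a fixed sleep interval (with a little jitter) produces outbound connections whose inter-arrival times are far more uniform than a person browsing. The following is an added example, not SecurityScorecard's code, that computes the coefficient of variation of connection intervals per (source, destination, port) tuple over a constructed connection log (hosts, addresses and timestamps are invented). It is a generic periodicity check, not a Cobalt Strike signature; the thresholds are assumptions to tune against your own traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 5, 3, 9, 0, 0)


def _conn(host, dst, port, offset_s):
    """Build one constructed outbound-connection record."""
    return {"ts": BASE + timedelta(seconds=offset_s), "src": host, "dst": dst, "dport": port}


# Constructed log (not real data): WS-01 checks in roughly every 60 s with
# small jitter; WS-02 is a person browsing at irregular times.
SAMPLE_CONNECTIONS = (
    [_conn("WS-01", "203.0.113.50", 443, s)
     for s in (0, 61, 119, 181, 240, 299, 362, 420, 479, 541)]
    + [_conn("WS-02", "198.51.100.9", 443, s)
       for s in (0, 5, 130, 131, 400, 402, 900, 1500, 1502, 2200)]
)


def beacon_candidates(conns, min_connections=8, max_cv=0.2):
    """Per (src, dst, dport): count, mean interval, coefficient of variation,
    and whether the pattern is regular enough to look like beaconing."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["src"], c["dst"], c["dport"])].append(c["ts"])
    results = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:       # too few samples to judge
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        # Low CV = intervals cluster tightly around the mean = machine-like timing.
        cv = statistics.pstdev(deltas) / mean if mean else float("inf")
        results[pair] = {
            "count": len(stamps),
            "mean_interval": mean,
            "cv": cv,
            "beacon_like": cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for pair, stats in beacon_candidates(SAMPLE_CONNECTIONS).items():
        print(pair, stats)
```

Legitimate software also polls on timers (update checks, monitoring agents), so in practice this output is a triage list to join against destination reputation and process context rather than an alert on its own.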

Microsoft SharePoint and enterprise targeting

Attackers have increasingly focused on enterprise platforms like Microsoft SharePoint as entry points into corporate networks, recognizing these systems as high-value targets for third-party risk management considerations. Once compromised, these platforms often contain sensitive business data and provide access to broader network resources.

Vulnerabilities in SharePoint and similar enterprise platforms can allow attackers to access vast amounts of corporate data, user credentials, and network infrastructure. Organizations using these platforms must implement comprehensive patching programs and monitor suspicious activity, as attacks can range from SQL injection attempts to more sophisticated exploitation techniques.

File type and encryption evolution

Modern ransomware has evolved beyond simple file encryption to target specific file types most critical to business operations, reflecting advancements in vulnerability detection and response methodologies. Attackers now analyze target environments to identify the most valuable data before implementing encryption strategies to maximize disruption.

Some ransomware variants now use partial encryption techniques to speed up the attack process while rendering files unusable. This evolution allows attackers to encrypt larger volumes of data faster, reducing the time for security teams to respond and implement backup solution recovery procedures. Additionally, attackers have begun targeting encryption software and security tools, attempting to disable protective mechanisms before deploying their payloads.

Protection strategies and solutions

Organizations must implement comprehensive defense strategies that address traditional and emerging ransomware threats while maintaining visibility across their entire attack surface management perimeter.

Comprehensive backup solutions

Implementing robust backup solution strategies remains one of the most effective defenses against ransomware attacks. Businesses should maintain multiple copies of critical data, including offline backups that ransomware cannot access or encrypt.

Modern backup solutions should include automated testing and recovery procedures to ensure data can be quickly restored following an attack. Regular backup testing helps organizations understand their recovery capabilities and identify potential gaps in their protection strategies.
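A restore test is only meaningful if you can prove the restored data matches what was backed up. The following is an added example, not SecurityScorecard's code, of the simplest form of that check: a SHA-256 manifest taken at backup time and verified after restore, exercised end to end in a temporary directory with constructed files. The drill also tampers with the restored copy (one file overwritten with junk, one deleted) to show the manifest catching what a ransomware-touched or incomplete restore would look like.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(root, manifest):
    """Compare a restored tree against the manifest taken at backup time."""
    root = Path(root)
    report = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore_drill():
    """Constructed drill: back up, restore, verify; then tamper and verify again.
    Returns (clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restore = Path(tmp, "live"), Path(tmp, "backup"), Path(tmp, "restore")
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q3.xlsx").write_bytes(b"quarterly figures")   # constructed content
        (live / "notes.txt").write_bytes(b"hello")
        shutil.copytree(live, backup)            # "take the backup"
        manifest = build_manifest(backup)        # record hashes with the backup
        shutil.copytree(backup, restore)         # "restore" to a fresh location
        clean = verify_restore(restore, manifest)
        # Simulate a damaged restore: one file encrypted/overwritten, one missing.
        (restore / "notes.txt").write_bytes(b"\x00\xff" * 8)
        (restore / "finance" / "q3.xlsx").unlink()
        tampered = verify_restore(restore, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = restore_drill()
    print("clean restore:", clean)
    print("tampered restore:", tampered)
```

The manifest must be stored with the offline copy (and ideally signed) rather than on the same online share as the backup; if an attacker can rewrite both the data and the hashes, the check proves nothing.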

Endpoint detection and response

Advanced endpoint detection and response systems provide real-time monitoring and threat detection capabilities to identify ransomware activity before significant damage occurs. These solutions can detect suspicious file encryption activity, unusual network communications, and other indicators of ransomware deployment.
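"Suspicious file encryption activity" can be made concrete: encrypted output is statistically indistinguishable from random bytes, so a burst of writes whose content has near-maximal Shannon entropy, replacing documents that used to be low-entropy text, is a strong sign of encryption in progress regardless of which extension the ransomware appends. The following is an added example, not SecurityScorecard's code, that computes byte entropy over constructed file-write events (hosts, paths and contents are invented; the event schema is an assumption) and flags hosts producing such a burst, while exempting formats that are legitimately high-entropy such as archives and images.

```python
import math
import os
import random
from collections import Counter, defaultdict

# Formats that are compressed or encrypted by design and therefore high-entropy
# in normal use; writes to these are excluded to cut false positives.
COMPRESSED_EXTS = {".zip", ".7z", ".gz", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


_rng = random.Random(1)   # fixed seed: constructed sample stays deterministic


def _constructed_events():
    events = []
    # WS-01: six documents rewritten with random-looking bytes in one burst.
    for i in range(6):
        events.append({"host": "WS-01",
                       "path": f"C:/Users/alice/Documents/report{i}.docx",
                       "data": _rng.randbytes(2048)})
    # WS-02: ordinary text edits plus one legitimate photo.
    for i in range(6):
        events.append({"host": "WS-02",
                       "path": f"C:/Users/bob/Documents/notes{i}.txt",
                       "data": b"meeting notes, action items, follow up\n" * 50})
    events.append({"host": "WS-02",
                   "path": "C:/Users/bob/Pictures/holiday.jpg",
                   "data": _rng.randbytes(2048)})
    return events


SAMPLE_WRITES = _constructed_events()


def suspicious_hosts(events, entropy_threshold=7.5, min_files=5):
    """host -> paths of high-entropy writes, for hosts with at least min_files of them."""
    high = defaultdict(list)
    for e in events:
        ext = os.path.splitext(e["path"])[1].lower()
        if ext in COMPRESSED_EXTS:
            continue
        if shannon_entropy(e["data"]) >= entropy_threshold:
            high[e["host"]].append(e["path"])
    return {host: paths for host, paths in high.items() if len(paths) >= min_files}


if __name__ == "__main__":
    for host, paths in suspicious_hosts(SAMPLE_WRITES).items():
        print(host, len(paths), "high-entropy writes, e.g.", paths[0])
```

Real EDR products add the dimensions this toy omits (rate over time, whether the writing process is a signed office application, and the entropy of the file before the write), but the core heuristic is the same.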

Network segmentation and access controls

Implementing proper network segmentation can limit the spread of ransomware once it gains initial access to an organization’s systems. Organizations can contain attacks and reduce their potential impact by restricting lateral movement capabilities.

Access controls should follow the least privilege guidelines, ensuring that users and systems only have access to resources necessary for their functions. This approach limits the potential damage from compromised credentials or insider threats.

How SecurityScorecard can help defend against ransomware attacks

To protect against ransomware threats, you need complete visibility into your internal and third-party network environments. SecurityScorecard provides comprehensive security monitoring that delivers real-time vulnerability alerts, allowing you to actively address ransomware vectors as they emerge. Our platform offers continuous visibility across your entire attack surface, helping you quickly identify security gaps and prioritize threat remediation based on actual risk exposure.

Ransomware attacks are not going away anytime soon, so organizations must take steps to defend against them. With SecurityScorecard, you can access the tools you need to continuously monitor for and stay ahead of ransomware threats as your business embraces digital innovation.


Steve Cobb

Chief Information Security Officer

Steve Cobb is SecurityScorecard’s Chief Information Security Officer (CISO) bringing more than 25 years of leadership consulting surrounding IT infrastructure, cybersecurity, incident response, and cyber threat intelligence. Since joining SecurityScorecard in 2023, Steve has been responsible for providing strategic IT consulting and delivering increased organization efficiency and security for our customers.

Prior to SecurityScorecard, he was a Senior Security Engineer with Verizon Managed Security and a Senior Escalation Engineer with Microsoft. Steve serves on several CISO boards and is a frequent presenter at conferences such as InfoSecCon, Cyber Defense Summit, and others. Steve attended UNC-CH, but left early to start his own IT company, and ultimately received his degree in Business from East Carolina University. Steve and his wife have two daughters and a son.