
Analyzing 5 ransomware attacks that shook the world

Data is every organization's lifeline. Businesses thrive because of efficient management of their data. However, it's not just businesses that understand the value of data. Threat actors have long considered data as currency. They realize that business owners will go to extreme lengths to ensure the safe preservation of data. To monetize this, cybercriminals across the globe find ways to hold data as ransom and extract money or cause chaos in a business's systems. This has been costing businesses dearly, and it's only expected to go up in the next few years. 

According to one report, the average cost of a ransomware attack is expected to go up to $276 billion by 2031. This is an astounding increase from the $57 billion in 2025. This makes it more vital than ever before for organizations to set up defenses. In this article, we'll explore five high-impact ransomware attacks: WannaCry, Petya/NotPetya, Ryuk, REvil, and DarkSide. Through these attacks, we'll guide you through a few key security strategies you can implement for your organization. 

What is ransomware?

Ransomware refers to the cyberattack technique in which threat actors disperse malicious software with the intent to encrypt documents, files, or even the entire system, then demand a ransom to be paid to decrypt the data and render it accessible again. Threat actors usually use email as the medium to spread these malicious files or links to unassuming email recipients under the guise of a legitimate identity. Once threat actors lock down the system, they display a ransom note. Cybercriminals often demand the ransom in Bitcoin to ensure that the money can't be traced back to them. 

WannaCry ransomware attack

In May 2017, Windows computers across the globe were affected by a ransomware attack called WannaCry. The perpetrators used an exploit called EternalBlue, developed by the United States National Security Agency, which targeted a weakness in Microsoft Windows operating systems. A hacker group called Shadow Brokers had leaked this exploit publicly.

Two months before the attack, Microsoft had issued a security patch that protected systems against this vulnerability. However, failing to understand the importance of the update, many users didn't install it. Seeing this opportunity, the perpetrators of the WannaCry attack launched a type of malware known as a worm.

A worm is a type of malicious program designed to spread on its own. Unlike other malware that often relies on user interaction, worms exploit weaknesses in operating systems to move from one device to another across a network. Once inside, they replicate themselves automatically, infecting new machines without needing any action from the user. Using this technique, threat actors encrypted users' files in unpatched Windows systems and demanded a ransom to unlock them. 

Impact caused

Threat actors demanded $300 to $600 worth of Bitcoin to release the data. Most victims didn't pay, following advisories issued by government entities. This proved to be the right call: the threat actors couldn't associate incoming payments with a specific infected system, so they couldn't decrypt the files even for those who paid, and most files remained irrecoverable.

The WannaCry ransomware outbreak quickly spiraled into a global crisis, infecting more than 200,000 systems across 150+ countries. High-profile organizations like FedEx, Honda, and Nissan were hit, while the UK’s National Health Service (NHS) faced severe disruption. This led to serious consequences in the healthcare sector, with several of their ambulances being redirected to other hospitals.

Learnings

Quick patching: WannaCry had a fix, but many organizations couldn’t roll it out fast enough. Automated patching, clear priorities, and the ability to push emergency updates are essential during active threats.

The need for network segmentation: Flat networks let the worm spread unchecked. Strong segmentation and tighter controls can contain malware and limit its reach.

Updating legacy systems: Outdated Windows machines, medical devices, and lab gear were difficult to patch. These need isolation and strict allow lists, along with a long-term plan to phase them out.

Petya/NotPetya ransomware attack

A new ransomware strain called Petya was first identified in 2016. Similar to WannaCry, Petya also targeted only Windows machines. Like many ransomware families, Petya works by encrypting data on the victim’s machine and demanding payment in Bitcoin in exchange for restoring access. Petya primarily spreads through malicious email attachments. Attackers often target HR teams with fake job applications, where the attachments either contain a Dropbox link leading to malware or are executable files disguised as PDFs.

What set Petya apart from earlier strains was its scope. Instead of targeting only select files, it went after the entire hard drive. By encrypting the system’s Master File Table (MFT), Petya effectively made every file on the disk inaccessible, locking the victim out of their computer altogether. 

In June 2017, a variant of Petya called NotPetya was identified. Similar to Petya, NotPetya crippled entire systems by targeting the whole hard disk. But instead of just encrypting the MFT, it encrypted the disk itself. It spread at lightning speed, jumping across networks through exploited vulnerabilities and stolen credentials, quickly overwhelming organizations.

Impact caused

The original Petya ransomware caused widespread disruption by locking victims out of their entire systems rather than just encrypting files. Businesses faced downtime, data loss, and costly recovery efforts. Its unique method of encrypting the MFT made restoration especially difficult without backups, and ransom payments didn't always guarantee file recovery.

NotPetya proved far more destructive, spreading rapidly throughout global networks and hitting major corporations like Maersk, Merck, and FedEx. Unlike typical ransomware, it acted more like a wiper, making data recovery nearly impossible. The estimated damages reached billions of dollars, cementing NotPetya as one of the most devastating cyberattacks in history.

Learnings

Strengthening email security: Both Petya and NotPetya spread initially through malicious attachments or compromised software updates. Organizations need robust email filtering, phishing awareness training, and stricter attachment controls to stop threats at the entry point.

Prioritize patching vulnerabilities: These attacks exploited unpatched flaws to move rapidly across networks. Fast, risk-based patch management and vulnerability scanning are critical to minimize exposure.

Plan for destructive scenarios: Not all ransomware seeks ransom; some aims to wipe out data. Maintain an archiving solution and a backup solution, and segment networks, so that business continuity is possible when decryption isn’t an option.

Ryuk ransomware attack

In 2018, a group called Wizard Spider launched a new strain of ransomware called Ryuk. Ryuk typically targeted enterprises with stable profits in order to extract heftier ransoms. For this reason, the group invested a lot of time in reconnaissance and research on its targets.

Typically, Ryuk spreads through a TrickBot infection. TrickBot can enter an organization's ecosystem in various ways; one of the simplest is a spam email carrying an attachment that contains the malware. At times, TrickBot also leveraged the Emotet botnet to spread, using malicious emails with infected Word documents to compromise computers.

Wizard Spider spreads Ryuk inside networks using a mix of techniques designed to stay under the radar. In some cases, operators move manually by running malicious PowerShell scripts. Once deployed, Ryuk encrypts files across local machines, network drives, and shared resources. It uses a public key encryption algorithm, with the attackers holding the private key, leaving victims unable to decrypt their data without paying. Unlike most ransomware, Ryuk encrypts system and even boot files, which can destabilize or crash entire machines if rebooted.

Impact caused

Ryuk ransomware has been linked to hundreds of high-profile attacks worldwide, with an estimated $150 million extorted between 2018 and 2021. Victims include major organizations like Tribune Publishing, causing newspaper printing disruptions, and multiple U.S. hospitals being forced to delay surgeries and patient care. Municipalities such as Lake City, Florida, and Riviera Beach, Florida, paid ransoms of $460,000 and $600,000 respectively to regain access to their systems. 

The financial and operational toll was severe. By encrypting not only data but also system and boot files, Ryuk amplified downtime, making recovery complex and often incomplete.

Learnings

Prioritize strong access controls: Many Ryuk intrusions began with compromised RDP credentials or phishing emails. Enforcing MFA and limiting remote access are critical defenses.

Improve detection and response speed: Ryuk often lingered in networks before launching encryption, giving defenders a window to act. Advanced monitoring, threat hunting, and faster incident response can prevent widespread damage.
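As an added example (not code from the article or any product it mentions), here is a minimal form of the monitoring this point calls for: it scans constructed file-rename events and alerts when a single process changes the extension of many files within a short window, the pattern left by encryption in progress. The event fields, process names and thresholds are assumptions.

```python
"""Detect burst file-rename activity typical of encryption in progress.
Added example, not code from the article. Event fields are a constructed
stand-in for what an EDR or file-integrity monitor would emit."""
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since epoch
    host: str
    process: str
    action: str        # "rename" | "write" | "delete"
    path: str
    new_path: str = ""

def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""

def detect_encryption_bursts(events: list[FileEvent], threshold: int = 20,
                             window: float = 10.0) -> list[dict]:
    """Alert on a (host, process) that renames >= `threshold` files to a new
    extension within a sliding `window` of seconds; one alert per pair."""
    recent: dict[tuple[str, str], deque] = defaultdict(deque)
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "rename" or _ext(ev.path) == _ext(ev.new_path):
            continue  # only extension-changing renames count
        key = (ev.host, ev.process)
        q = recent[key]
        q.append(ev)
        while q and ev.ts - q[0].ts > window:
            q.popleft()  # drop events that fell outside the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev.host, "process": ev.process,
                           "count": len(q), "first_ts": q[0].ts,
                           "new_ext": _ext(ev.new_path)})
    return alerts

def sample_events() -> list[FileEvent]:
    """Constructed sample: an editor renaming three temp files (benign), then
    one process renaming 25 spreadsheets to a new extension in 5 seconds."""
    evs = [FileEvent(1000.0 + i, "ws-07", "winword.exe", "rename",
                     f"C:/docs/~$draft{i}.tmp", f"C:/docs/draft{i}.docx") for i in range(3)]
    evs += [FileEvent(2000.0 + i * 0.2, "ws-07", "updater.exe", "rename",
                      f"C:/share/report{i}.xlsx", f"C:/share/report{i}.xlsx.locked")
            for i in range(25)]
    return evs
```

The benign editor never reaches the threshold, while the second process trips the alert on its 20th rename; in practice the threshold and window are tuned per environment against known-good activity such as backup agents.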

Plan for full recovery: Ryuk’s ability to encrypt system and boot files shows the need for tested, offline backups and rapid rebuild procedures.

REvil ransomware attack

In April 2019, a new type of ransomware called REvil/Sodinokibi was released across Asia and Europe. REvil (also known as Ransomware Evil) was predominantly active from 2019 to 2021. Believed to be linked to the Russia-based cybercriminal group Gold Southfield, REvil operated as a franchise model. Core developers maintained the malware and rented it out to affiliates, who carried out attacks and shared ransom profits. 

The attack vectors included phishing emails carrying malicious attachments, exploit kits targeting unpatched software, and brute-force attacks on exposed Remote Desktop Protocol (RDP) services. Once inside, attackers escalated privileges, disabled security tools, and deployed the ransomware across endpoints.

REvil was known for its double-extortion tactics. Operators encrypted a victim’s files while also stealing sensitive data, then pressured payment under the threat of public leaks. Targets ranged from small businesses to multinational corporations, with ransom demands often reaching tens of millions of dollars. The ransomware itself used robust encryption, making recovery without the attacker’s private keys impossible.

Impact caused

REvil caused significant global disruption through carefully chosen high-value targets. In 2021, JBS Foods was forced to shut down meat processing facilities across North America and Australia, ultimately paying an $11 million ransom to restore operations. That same year, the Kaseya VSA supply-chain attack compromised hundreds of managed service providers and thousands of businesses.

Beyond operational outages, REvil’s strategy of stealing and leaking sensitive data exposed victims to lawsuits, regulatory fines, and reputational harm. With ransom demands sometimes exceeding $70 million, REvil set a new precedent for the extent of financial gains from ransomware attacks.

Learnings

Harden vendor and supply-chain security: The Kaseya breach showed how a single compromised vendor can cripple hundreds of businesses. Vet supplier security practices, require regular audits, and limit the privileges of third-party software within your network.

Mitigate double-extortion risks: Encrypting backups is not enough. REvil stole sensitive data before locking systems. Implement strong data loss prevention (DLP), monitor outbound traffic for anomalies, and enforce strict access controls on confidential files.

Prepare for ransomware scenarios: Develop and test incident response, including offline backups, legal protocols, and communication strategies to minimize downtime and reputational harm.

DarkSide ransomware attack

DarkSide was a ransomware group that surfaced in August 2020. It gained popularity for its “professional” operations and targeting of large, financially strong organizations. Affiliates commonly gained access through phishing emails, stolen credentials, or by exploiting exposed Remote Desktop Protocol (RDP) endpoints and unpatched vulnerabilities. Once inside a network, DarkSide actors conducted reconnaissance, moved laterally, and exfiltrated sensitive data before deploying the ransomware payload.

The ransomware itself used strong encryption algorithms (RSA and AES) to lock systems, and its operators demanded cryptocurrency payments for decryption keys. Like REvil, DarkSide also adopted the double extortion model, threatening to publish stolen data on a leak site if ransoms were not paid. Uniquely, the group branded itself as having a “code of conduct,” claiming it would not target hospitals, schools, or nonprofits—though it ultimately struck critical infrastructure.

Impact caused

The most infamous DarkSide incident came in May 2021, when the group targeted Colonial Pipeline, the largest fuel pipeline in the U.S. Attackers gained entry through a compromised VPN account that lacked MFA. To contain the threat, Colonial shut its entire pipeline system down, disrupting nearly half of the East Coast’s fuel supply. The shutdown triggered widespread panic buying, fuel shortages, and price spikes, causing ripple effects beyond its immediate victim.

Colonial Pipeline paid a ransom of $4.4 million in Bitcoin to obtain a decryption key, though recovery was slow and costly. While the FBI later recovered a portion of the ransom, the attack’s impact on national security and critical infrastructure was unprecedented. DarkSide’s operations drew intense scrutiny, leading to law enforcement crackdowns and eventually pushing the group offline.

Learnings

Enforce strong authentication: Colonial’s breach began with a single compromised VPN account without MFA. Every remote access point must be protected with multi-factor authentication and regular credential hygiene.

Segment and monitor critical systems: Flat networks make it easy for ransomware to spread. Isolate operational technology (OT) from IT networks and monitor lateral movement to detect early intrusions.

Plan for resilience, not ransom: Paying millions doesn’t guarantee a fast recovery. Organizations should maintain tested offline backups, simulate ransomware attacks, and establish rapid-response playbooks that cover technical, legal, and communication workflows.

10 practical tips to mitigate ransomware

  1. Mandate phish-resistant MFA for all admins and remote access.
  2. Eliminate legacy protocols and enforce modern TLS.
  3. Continuously patch externally exposed assets within days.
  4. Adopt application allow-listing on servers and high-value endpoints.
  5. Segment networks to ensure that malware doesn't spread laterally.
  6. Plan for early detection (EDR/XDR with ransomware behavior analytics).
  7. Plan your backups efficiently. They should be immutable, offline, and tested periodically.
  8. Constrain third-party access by issuing per-vendor identities, scoped tokens, just-in-time access, and kill switches.
  9. Encrypt and monitor egress to stop bulk exfiltration and flag abnormal transfers.
  10. Plan an incident response strategy, accounting for ransom criteria, law-enforcement contacts, and regulatory notification templates.
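As an added example (not code from the article), the egress check from tip 9 and the outbound-monitoring advice in the REvil learnings: it compares each host's outbound bytes for one day against that host's own median and flags only large jumps, so a legitimately busy backup server is not reported. The record layout, host names and thresholds are assumptions.

```python
"""Flag bulk outbound transfers against a per-host baseline.
Added example, not code from the article. Flow records (day, host,
bytes_out) are a constructed stand-in for summarised firewall/NetFlow data."""
from collections import defaultdict
from statistics import median

Flow = tuple[str, str, int]  # (day, host, bytes_out)

def baseline_by_host(flows: list[Flow], exclude_day: str) -> dict[str, float]:
    """Median daily outbound bytes per host, ignoring the day under review."""
    per_host: dict[str, list[int]] = defaultdict(list)
    for day, host, bytes_out in flows:
        if day != exclude_day:
            per_host[host].append(bytes_out)
    return {h: median(v) for h, v in per_host.items()}

def flag_egress_anomalies(flows: list[Flow], day: str, ratio: float = 5.0,
                          floor: int = 1_000_000_000) -> list[dict]:
    """Return hosts whose outbound volume on `day` is at least `ratio` times
    their historical median AND at least `floor` bytes (1 GB here), so a quiet
    host going from 10 MB to 50 MB is not reported while a file server that
    suddenly pushes tens of GB is."""
    base = baseline_by_host(flows, day)
    out = []
    for d, host, bytes_out in flows:
        if d != day or host not in base:
            continue  # hosts with no history need a separate 'new host' rule
        b = base[host]
        if bytes_out >= ratio * b and bytes_out >= floor:
            out.append({"host": host, "bytes_out": bytes_out, "baseline": b,
                        "ratio": round(bytes_out / b, 1)})
    return out

def sample_flows() -> list[Flow]:
    """Constructed: five quiet days for three hosts, then a day on which the
    file server sends ~40 GB out (its median is ~800 MB). The backup server
    is legitimately large every night and must not be flagged."""
    flows: list[Flow] = []
    for i in range(1, 6):
        day = f"2024-03-0{i}"
        flows += [(day, "srv-files", 800_000_000 + i * 1_000_000),
                  (day, "ws-12", 50_000_000),
                  (day, "srv-backup", 30_000_000_000)]
    flows += [("2024-03-06", "srv-files", 40_000_000_000),
              ("2024-03-06", "ws-12", 120_000_000),        # 2.4x, under ratio
              ("2024-03-06", "srv-backup", 31_000_000_000)]  # normal for this host
    return flows
```

A per-host median is used rather than a fleet-wide average so that hosts with routinely heavy egress (backup or replication servers) do not either trip the rule themselves or mask a real spike on a normally quiet host.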

Wrapping up

Most ransomware attacks start with a single malicious email, whether it’s a phishing link, an infected attachment, or stolen login credentials. Modern email security solutions detect and block threats with real-time scanning, sandboxing, and impersonation checks, stopping attacks before they reach an inbox.

eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.
