
22 Examples of Ransomware Attacks and Their Impacts

Every year, ransomware inflicts significant financial losses on both individuals and organizations. In this discussion, we highlight several noteworthy instances of ransomware and the resulting impact they had. Continue reading to gain insight into the extent of actual ransomware attacks and their operational mechanisms.


What is ransomware?

Ransomware, a form of malicious software employed by cybercriminals, operates by either blocking access to a computer or network or encrypting its data upon infection. Subsequently, the cybercriminals demand a ransom from the affected individuals or organizations in exchange for the restoration of access to the compromised data. Safeguarding against ransomware entails vigilance and the use of security software. Following a malware infection, victims are presented with three choices: paying the ransom, attempting to eliminate the malware, or initiating a device restart. Extortion Trojans, the culprits behind many ransomware attacks, commonly exploit avenues such as the Remote Desktop Protocol, phishing emails, and software vulnerabilities. Consequently, both individuals and companies are susceptible to ransomware attacks.

Identifying ransomware – a basic distinction must be made

Two prominent categories of ransomware are commonly distinguished:

  1. Locker Ransomware: This form of malicious software disrupts fundamental computer operations, limiting access to the desktop and partially disabling the mouse and keyboard. While it renders the computer inoperable, users can still interact with the window displaying the ransom demand to facilitate payment. Fortunately, Locker malware typically focuses on restricting access rather than destroying critical files. As a result, the complete loss of data is improbable.
  2. Crypto Ransomware: Crypto ransomware aims to encrypt crucial data, such as documents, images, and videos, without affecting basic computer functions. This instills panic as users can visualize their files but are unable to access them. Crypto developers often incorporate a countdown in their ransom demands, threatening the deletion of all files if the ransom is not paid by the deadline. Given that many users lack awareness about the importance of backups in the cloud or on external storage devices, the impact of crypto ransomware can be severe. Consequently, numerous victims opt to pay the ransom simply to recover their files.

Below are some notable instances of ransomware from recent years:

Rorschach (2023)


Unearthed following an assault on a US-based company in 2023, Rorschach, identified as a variant of BabLock ransomware, demonstrated rapid encryption capabilities compared to other ransomware types. Its propagation occurred through security vulnerabilities, phishing emails, malvertising, and malicious software downloads. The primary targets of Rorschach are large businesses and industrial entities, with ransom demands ranging from a few thousand to several million US dollars. In October 2023, Rorschach targeted Grupo GTD, a major Chilean telecommunications provider operating in Latin America, causing disruptions in data centers, Voice-over-IP services, and internet access. Noteworthy is Rorschach’s partial autonomy and self-propagation, utilizing Active Directory (AD) Domain Group Policy Objects (GPO) to swiftly spread across networks and execute ransomware on all endpoints. Unlike most locker ransomware, Rorschach employs hybrid cryptography to expedite the encryption process by encrypting only a portion of the files.

LockBit 3.0 (2022)

LockBit 3.0, also recognized as LockBit Black, gained prominence as one of the most utilized ransomware variants worldwide in 2022. It primarily targets large organizations and government entities, exploiting their network security vulnerabilities. The ransom demands from LockBit 3.0 vary but often reach millions of US dollars. In October 2023, LockBit infiltrated Boeing’s internal data. Despite Boeing’s refusal to pay the ransom, LockBit leaked the data. LockBit also targeted the US Cybersecurity and Infrastructure Security Agency (CISA) and around 1,700 other US organizations. Notably, LockBit 3.0 introduced a bug bounty program, offering substantial sums to individuals identifying flaws in their ransomware code.

Black Basta (2022)


Discovered in 2022, Black Basta breached the cybersecurity of nearly 100 organizations, including the American Dental Association, Swiss electrification and automation company ABB, Yellow Pages Canada, German wind farm operator Deutsche Windtechnik, French aerospace and security giant Thales, and British outsourcing company Capita. The estimated impact of Black Basta is significant due to its widespread targeting of various organizations.

Black Basta employs a dual extortion strategy by encrypting crucial data and essential servers of their targets. They then issue threats to expose sensitive information on a public leak site.

Royal

Royal, active since September 2022, has focused its ransomware attacks on more than 350 organizations globally, including critical infrastructure. The cybercriminals demanded ransom amounts ranging from 1 to 11 million US dollars in Bitcoin, successfully extorting approximately 275 million dollars in total. The primary targets of Royal are US-based companies in the services, wholesale, and technology sectors.

Known for its efficiency and evasive techniques, Royal spreads through phishing emails and utilizes a specific partial encryption method to encrypt small data portions, avoiding detection by anti-malware and other threat detection software. Before encryption, Royal exfiltrates and extorts the victim’s data, threatening to publish it on a leak site if the ransom is not paid.
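Both Royal and Rorschach are described above as encrypting only a portion of each file, which speeds up the attack and sidesteps scanners that judge a file by its overall entropy. The following Python script is an added example, not code from the article or from any group it discusses, and it shows the defender's side of that trade-off: a whole-file entropy check stays quiet on a partially encrypted file, while a per-window check flags the encrypted region. The input is constructed: a repetitive text document in which one 4 KiB block is overwritten with pseudo-random bytes to stand in for an encrypted region. The window size and the 7.5 bits-per-byte thresholds are assumptions chosen for illustration.

```python
"""Windowed-entropy check for partially (intermittently) encrypted files.

Added example; the sample document and the thresholds are constructed here.
"""
from __future__ import annotations

import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 4096) -> list[float]:
    """Entropy of each fixed-size window; the final window may be shorter."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_partially_encrypted(data: bytes, window: int = 4096,
                              whole_threshold: float = 7.5,
                              window_threshold: float = 7.5) -> dict:
    """Compare a whole-file verdict with a per-window verdict for the same bytes.

    Ciphertext is close to 8 bits/byte; ordinary documents sit far lower. When
    only a slice of a file is encrypted, the whole-file figure is dominated by
    the untouched plaintext, so only the per-window view reveals the slice.
    """
    whole = shannon_entropy(data)
    windows = windowed_entropy(data, window)
    hot = [i for i, e in enumerate(windows) if e >= window_threshold]
    return {
        "whole_file_entropy": round(whole, 2),
        "max_window_entropy": round(max(windows), 2) if windows else 0.0,
        "flagged_whole_file": whole >= whole_threshold,
        "flagged_windows": hot,          # indices of ciphertext-like windows
        "suspicious": bool(hot),
    }


def build_sample(seed: int = 1) -> tuple[bytes, bytes]:
    """Constructed inputs: a clean text document, and a copy in which the
    4 KiB block at offset 8192 (window index 2) is replaced by random bytes."""
    rng = random.Random(seed)
    line = b"Quarterly report: revenue up, costs flat, see appendix.\n"
    clean = line * 1200                                   # about 67 KB of text
    random_block = bytes(rng.getrandbits(8) for _ in range(4096))
    partial = clean[:8192] + random_block + clean[12288:]
    return clean, partial


if __name__ == "__main__":
    clean_doc, partial_doc = build_sample()
    print("clean   :", looks_partially_encrypted(clean_doc))
    print("partial :", looks_partially_encrypted(partial_doc))
```

On the constructed input the whole-file entropy of the partially encrypted copy stays around 4.5 bits per byte, so the whole-file rule does not fire, while window 2 scores close to 8 and is flagged. Entropy alone is still only a heuristic: compressed and legitimately encrypted formats (archives, images, encrypted containers) are high-entropy by nature, so in practice this signal is combined with file-type checks, write-rate and rename monitoring, and canary files rather than used on its own.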

Lapsus$

In 2021, Lapsus$ gained attention by attacking the website of the Brazilian Ministry of Health and disrupting several systems. The group is recognized for employing a blend of social engineering and various hacking tactics, rather than relying on a specific type of malware. Since its inception, Lapsus$ has successfully stolen data or disrupted services from companies such as Nvidia, Samsung, Microsoft, Vodafone, and Ubisoft.

BlackCat

BlackCat, also known as ALPHV, made headlines in 2021 as the first ransomware strain developed in the Rust programming language. Exploiting vulnerabilities in Exchange Server, SonicWall, and Windows, BlackCat can encrypt both Windows and Linux devices, along with VMware instances. The group and its affiliates have compromised over 1,000 entities, predominantly in the US, demanding over 500 million US dollars in total and receiving nearly 300 million in blackmail payments. Notable victims include Oiltanking GmbH, Swissport, Western Digital, and the Austrian state of Carinthia.

Hive

Hive, notorious since 2021, gained prominence after attacking the Costa Rican Social Security Fund. Infiltrating systems through RDP, remote network connection protocols, phishing scams, and exploiting security vulnerabilities, Hive employs triple extortion techniques. The group has breached the cybersecurity of over 1,300 companies worldwide, collecting approximately 100 million US dollars in ransom payments. Hive targets a diverse range of businesses, with a focus on the IT and critical infrastructure sectors, especially healthcare.

DarkSide

DarkSide, active in 2020, notably targeted the Colonial Pipeline in early May 2021, causing severe disruptions to fuel supply on the US East Coast. Company executives decided to pay the 4.4 million dollar ransom. DarkSide typically targets large, high-revenue organizations such as Toshiba and Brenntag, encrypting and stealing sensitive data, and demanding multimillion-dollar ransoms. In mid-2021, the ransomware gang declared a suspension of operations after facing pressure from the US government.

Egregor (2020)

Egregor, a type of ransomware that engages in double extortion, was deployed in cyber-attacks against various entities, including Barnes & Noble, Kmart, and video game developers such as Ubisoft and Crytek. The malware propagated through methods like using stolen credentials, exploiting remote access technologies, and executing spear-phishing scams. The demanded ransom amounts ranged from 100,000 to 35 million US dollars. Fortunately, in 2021, several affiliates associated with Egregor were apprehended, leading to the shutdown of the gang’s infrastructure.

Nvidia’s Attempt to Counter Ransomware After Source Code Theft

After falling victim to ransomware in late February 2022, Nvidia, a prominent semiconductor company, took proactive measures in response. The ransomware attack, attributed to the group Lapsus$, resulted in the theft of Nvidia’s source code, including a proprietary hash rate limiter crucial for cryptocurrency mining. In an effort to protect its intellectual property, Nvidia enlisted security experts to identify the attackers’ infrastructure and launched a retaliatory ransomware strike.

While the counterattack successfully infected Lapsus$’ computers, prompting the group to label Nvidia as “criminals,” the company failed to recover its data, as the group had backed it up. To keep Nvidia’s data confidential, Lapsus$ demanded the publication of GPU drivers as open source, along with the payment of a cryptocurrency ransom.

Oil Pipeline Ransomware Attack Alters Supply Routes

The BlackCat ransomware group executed an attack affecting 233 German gas stations on Jan. 29, 2022, leading to disruptions that compelled Shell to reroute supplies to alternative depots. Exploiting vulnerabilities in Microsoft Exchange and Zoho ADSelfService Plus, the attackers exfiltrated “business secrets and intellectual property,” as reported by German intelligence services.

Concerns were raised about potential infiltration into the networks of customers or service providers. Besides rerouting supplies to bypass affected fuel depots, Shell indicated the possibility of reverting to manual operation of previously automated processes. The BlackCat group, primarily known for targeting US organizations, expanded its operations into Europe.

Ransomware Disrupts Flights at Swiss Airport Swissport

Swissport, an airport operator, faced a ransomware attack on Feb 3, 2022, leading to grounded planes and flight delays at Zurich International Airport. Providing air cargo operations and ground services, Swissport managed to swiftly contain the ransomware threat, with most critical systems appearing unaffected.

Given the proximity of the Swissport attack to the series of ransomware incidents affecting European oil services, researchers suspect a coordinated effort to destabilize European infrastructure.

Puma

Puma, the renowned sportswear company, encountered a significant data breach in February 2022, where nearly half of its workforce’s personal information was compromised. This breach occurred due to a ransomware attack on Puma’s cloud provider, Kronos Private Cloud (KPC). The company had to inform affected employees and various Attorney General offices across states about the incident. Approximately 6,632 individuals were affected by the theft of their data. Puma clarified that no customer data was leaked, but the attack compelled the company to resort to manual methods, such as using “pencil and paper,” for certain business operations.

In another incident during the same month, KP Snacks, a UK food company, fell victim to a ransomware attack, raising concerns about potential shortages of popular crisps and roasted nuts in the country. The company warned stores of significant disruptions to supplies, anticipating delays and cancellations until at least the end of March. Cybercrime group Conti, which claimed responsibility for the attack, showcased stolen sensitive documents, including credit card statements, birth certificates, and employee information, on its “data leak page.”

Ukraine

Ukraine experienced a series of cyberattacks leading up to Russia’s invasion in February 2022. These attacks included massive distributed-denial-of-service (DDoS), data wiping, and ransomware incidents. Wiper attacks affected Ukrainian and possibly Lithuanian servers just before the Russian military intervention. Symantec researchers detected ransomware attacks as well, suggesting that ransomware might have served as a distraction from other cyber threats. The disruptive nature of ransomware made it an effective diversion from the larger cyberattacks that preceded Russia’s invasion.

Ransomware on candy manufacturer spoils Halloween

In a separate ransomware event in October 2021, Ferrara, a candy manufacturer known for products like SweeTarts and Nerds, disclosed a ransomware attack that could potentially cause delays in production and impact Halloween deliveries. While the extent of the damage was not disclosed, Ferrara expressed appreciation for its customers’ patience and understanding. Considering the prevalence of ransomware attacks on critical infrastructure, Ferrara’s situation may seem relatively minor, unless it affects the joy of America’s trick-or-treaters returning home with empty baskets.

Sinclair Broadcast Group: Ransomware shuts down TV stations

Sinclair Broadcast Group faced a ransomware attack in October 2021, impacting its extensive network of over 600 channels. The cyber incident disrupted both internal and external operations, causing chaos by disabling email and phone systems. This resulted in the inability to broadcast specific advertisements and TV shows, contributing to a 3% drop in Sinclair’s share price upon announcing the attack. Even days later, the company struggled to regain control, with an insider source expressing concern about the attacker’s effectiveness, either intentional or accidental.

Lactaid shortage driven by a ransomware attack

In March 2022, HP Hood Dairy, responsible for manufacturing Lactaid, experienced a likely ransomware attack, leading the company to temporarily shut down its plants to prevent further damage. Although the plants have been restored to operational status, the attack resulted in a shortage of Lactaid, posing challenges for consumers seeking the product on store shelves.

Snap-on Tools targeted by Conti ransomware in separate attacks

Snap-on Tools, based in Wisconsin, fell victim to the Conti ransomware group in March 2022. The attackers stole 1 GB of sensitive data, including names, Social Security numbers, and employee identification information. Threatening to disclose the data unless a ransom was paid, the group later published the stolen information on the Conti website, suggesting successful negotiation and payment.

Stormous ransomware steals 161 GB of Coca-Cola data

In early 2022, a Russia-linked hacking group using Stormous ransomware claimed to have pilfered 161 GB of data from Coca-Cola, which included commercial accounts, passwords, and financial information. The group offered the stolen data for sale on the dark web, demanding 1.65 bitcoins (valued at about $64,000) for its return.

Ransomware attack on AGCO disrupts tractor sales

A ransomware attack on U.S. agricultural equipment manufacturer AGCO in May 2022 disrupted production facilities, impacting tractor sales during the crucial planting season. The attack compounded challenges already faced by the industry, such as supply chain disruptions and labor strikes, affecting dealers’ ability to access AGCO’s website for parts and orders.

Campaign finance firm’s web hosting provider hit by ransomware

Campaign finance firm C&E Systems encountered a ransomware attack just a week before Oregon’s primary election, targeting its web hosting provider, Opus Interactive. While the attack compromised C&E’s database, including login credentials for the state campaign finance reporting system, ORESTAR, it did not compromise the Oregon Secretary of State’s systems or sensitive data related to election administration.

Ransomware as a Service

Ransomware as a Service gives cybercriminals with limited technical skills the means to execute ransomware attacks. Under this model the developers sell or lease the malware to affiliates, which minimizes the developers’ own exposure while maximizing their gains.

Conclusion

In conclusion, ransomware attacks manifest in various forms and sizes, and the attack vector used to gain entry influences which type is deployed. Considering the potential consequences and the data at risk is crucial to assessing the severity of an attack. Regardless of the ransomware type, proactive measures such as data backups and robust security software implementation can significantly mitigate the impact of an attack.
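The conclusion names backups as the main mitigation, and a backup is only useful if you can tell which files an incident changed and trust that the copy itself is untouched. The Python script below is an added example, not the article’s code: it records a SHA-256 manifest of a directory tree (the kind of record kept alongside an offline backup) and later reports which files were modified, went missing, or appeared since the snapshot. The directory contents and the three changes applied afterwards are constructed inside a temporary folder so the script runs offline; the file names are assumptions.

```python
"""Hash-manifest check for an offline backup.

Added example; the directory tree and the changes made to it are constructed.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree under root with a manifest taken earlier.

    modified   : present in both, content hash differs (e.g. encrypted in place)
    missing    : in the manifest but no longer on disk
    unexpected : on disk but not in the manifest
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed tree, snapshot it, apply three changes, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {                                   # constructed sample tree
            "docs/report.txt": b"Q3 numbers\n",
            "docs/plan.txt": b"roadmap\n",
            "notes/todo.txt": b"call vendor\n",
        }
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        manifest = build_manifest(root)             # what the backup job records

        # Constructed changes after the snapshot: one file overwritten with
        # unreadable bytes, one deleted, one new file that was never backed up.
        (root / "docs/report.txt").write_bytes(b"\x8f\x13\xd0\x4a\x00\xff\x21\x7c")
        (root / "notes/todo.txt").unlink()
        (root / "docs/new-draft.txt").write_bytes(b"untracked draft\n")

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:>10}: {paths}")
```

Keep the manifest (or its hash, signed) somewhere the backed-up systems cannot write to; if a ransomware process can reach both the data and its manifest, it can rewrite both and the check proves nothing. Run the same comparison against the backup copy itself before restoring, so that an encrypted file is not silently restored over a good one.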

Privacy Hints

PrivacyHints is a team built up of computer security experts, tech reporters, lawyers, and strong privacy supporters from all over the world working together.

As digital leaders, we strongly believe in the importance of personal privacy and the huge potential that comes from having a free but safe internet. We’re not just interested in listing risks; we’re also strongly committed to revealing the hidden threats that threaten our right to privacy and freedom online as a whole.
