Learn how ransomware attacks work and what you can do to prevent them.
• Colonial Pipeline, Change Healthcare, and MGM all started with a single compromised credential. Stolen passwords are how most ransomware gets in, not zero-days or advanced exploits.
• Modern groups steal your data before encrypting. Even if you have backups, they can still threaten to publish everything. Some groups now skip encryption entirely.
• The 1-3 week gap between initial access and encryption is your detection window. If you catch attackers during reconnaissance, you can stop them before the damage starts.
• Credential monitoring catches stolen passwords on dark web markets days or weeks before ransomware operators buy them. That’s time to reset passwords before anyone uses them.
Ransom payments are just the start. Add recovery costs, lost revenue, and legal fees, and a single attack can cost tens of millions. The 15 cases below show what that looks like.
Every attack in this guide started the same way: with an entry point that could have been closed.
This guide covers 15 famous ransomware examples and breaks down how each attack happened. You’ll learn the common patterns attackers use and how to protect yourself.
Whether you’re a security professional or business leader trying to understand the threat, these real-world examples show what ransomware looks like in practice.
Ransomware is malicious software that encrypts files on infected systems and demands payment for the decryption key. Modern ransomware steals data before encrypting, giving attackers two ways to pressure you: pay or lose your files and have your data leaked. Some groups now skip encryption entirely and just threaten to publish stolen data.
The ransomware business model has changed completely. Early ransomware just encrypted files. Today’s operations run like businesses with customer support and negotiation teams.
Ransomware-as-a-Service (RaaS) dominates the landscape. Developers create and maintain the malware. Affiliates handle the actual attacks. They split ransoms, typically 70-80% to affiliates and 20-30% to developers.
According to Chainalysis, ransomware payments exceeded $1.1 billion in 2024. That’s just what victims paid. The total economic impact including downtime and recovery costs reaches far higher. Having a tested ransomware response plan is what separates companies that recover quickly from those that don’t. Our ransomware reports track how these numbers shift month to month.
Ransomware attacks follow a predictable pattern. Each stage gives you a chance to catch the attack before encryption starts.
Stage 1: Initial Access. Attackers need a way in. Stolen credentials are the most common method. Phishing emails come second. Stolen credentials are preferred because they’re quiet and don’t trigger security alerts.
Stage 2: Persistence and Reconnaissance. Once inside, attackers establish persistence so they can return if discovered. They map your network and identify valuable systems. They also locate your backups. This stage can last days or weeks.
Stage 3: Privilege Escalation. Attackers move from their initial foothold to higher-privilege accounts. Domain admin access is the goal. With those credentials, they control your entire environment.
Stage 4: Data Exfiltration. Before encrypting anything, attackers steal sensitive data. Customer records and financial information are common targets. This gives them leverage even if you have backups.
Stage 5: Encryption and Ransom. Finally, attackers deploy ransomware across your network. Systems lock up simultaneously. A ransom note appears demanding payment in cryptocurrency.
The entire process from initial access to encryption typically takes 1-3 weeks. That’s your window to detect and stop the attack.
Ransomware comes in several forms. Each type works differently and requires different responses.
Crypto Ransomware encrypts files using strong encryption algorithms. Without the decryption key, files are unrecoverable. This is the most common type. LockBit and BlackCat/ALPHV are prominent examples.
Locker Ransomware locks users out of their devices entirely. The files aren’t encrypted, but you can’t access them because you can’t log in. This type is less common now because it’s easier to bypass.
Data Theft + Encryption (Double Extortion) is now the standard approach. Attackers steal your data first, then encrypt your systems. If you don’t pay, they leak your data publicly. Backups won’t save you from the exposure.
Data-Only Extortion is the newest trend. Groups like Cl0p skip encryption entirely and just steal data. With nothing encrypted, backups don’t help and detections that key on file encryption never fire. This approach is growing fast because it’s simpler to execute and still generates ransom payments. For more on how these trends are evolving, see our ransomware trends analysis.
These 15 attacks shaped the ransomware landscape. We’ve ordered them newest first since the recent cases are most relevant to your current risk.
Ascension, one of the largest hospital systems in the US, was hit, forcing ambulance diversions and manual record-keeping across 140 hospitals.
How it worked: Black Basta ransomware disrupted Ascension’s electronic health records, pharmacy systems, and clinical workflows. Staff reverted to paper records. Some facilities couldn’t access patient histories.
Impact: Ambulances were diverted from affected hospitals. Nurses reported unsafe conditions working without electronic systems. The attack affected 140 hospitals and dozens of senior care facilities across 19 states.
Key lesson: Healthcare remains the highest-value target for ransomware. Hospitals can’t go offline without putting patients at risk, which gives attackers maximum leverage.
The Change Healthcare attack disrupted the entire US healthcare payment system. It’s one of the most consequential ransomware attacks ever.
How it worked: ALPHV/BlackCat accessed Change Healthcare through stolen credentials. The targeted Citrix portal lacked multi-factor authentication. Attackers stole 4TB of data before encrypting systems.
Impact: Pharmacies couldn’t process prescriptions. Hospitals couldn’t verify insurance. Healthcare providers went weeks without payment. UnitedHealth Group reported $872 million in direct costs.
Key lesson: Credential hygiene is critical. MFA on all remote access could have prevented this attack entirely.
CDK Global, a software vendor that serves 15,000+ auto dealerships, was taken offline, freezing car sales across North America.
How it worked: BlackSuit ransomware hit CDK Global’s dealer management systems. Since CDK handles everything from inventory to financing for thousands of dealerships, the blast radius was enormous.
Impact: Dealerships couldn’t sell cars, process loans, or manage inventory for weeks. CDK reportedly paid a $25 million ransom to restore operations.
Key lesson: Vendor concentration risk is real. If your entire industry depends on one software platform, that platform is a single point of failure.
A ransomware attack on Synnovis, a blood testing vendor, forced London hospitals to cancel thousands of surgeries and appointments.
How it worked: Qilin ransomware group attacked Synnovis, a pathology services provider used by NHS hospitals across southeast London. The attack disrupted blood testing, blood transfusions, and lab results.
Impact: Multiple hospitals declared critical incidents. Over 1,100 surgeries and 2,100 outpatient appointments were cancelled. Patients were diverted to other hospitals. The disruption lasted months.
Key lesson: Healthcare supply chain attacks don’t just steal data. They can directly affect patient care. A vendor that handles blood testing is as critical as the hospital itself.
The MGM attack showed how social engineering combined with credential theft can bypass strong security controls.
How it worked: Scattered Spider called MGM’s IT help desk pretending to be an employee. They convinced the help desk to reset credentials. From there, they deployed ALPHV ransomware.
Impact: MGM’s Las Vegas properties went offline. Guests couldn’t use room keys or slot machines. The company lost an estimated $100 million.
Key lesson: Social engineering remains effective. Technical security means nothing if attackers can talk their way in.
Caesars was attacked by the same group as MGM but chose a different response.
How it worked: Scattered Spider used similar social engineering tactics to gain initial access. They threatened to release stolen customer data.
Impact: Caesars reportedly paid a $15 million ransom to prevent data disclosure. They disclosed the breach but avoided the operational disruption MGM experienced.
Key lesson: There’s no good option once attackers are in. Prevention is far cheaper than response.
The MOVEit campaign showed how a single zero-day vulnerability can affect thousands of organizations simultaneously.
How it worked: Cl0p exploited a SQL injection vulnerability in MOVEit file transfer software. They stole data from hundreds of organizations before anyone knew about the vulnerability.
Impact: Over 2,500 organizations were affected. Government agencies and universities were hit hard. Millions of individuals had personal data exposed.
Key lesson: File transfer systems are high-value targets. They often hold sensitive data from multiple parties.
LockBit attacked the UK’s postal service, halting international mail deliveries for weeks.
How it worked: LockBit affiliates gained access and deployed ransomware across Royal Mail’s international dispatch systems. The attack specifically targeted the infrastructure that processes overseas parcels.
Impact: International mail was suspended for over a month. Royal Mail refused to pay the $80 million ransom demand. The disruption affected millions of packages and cost the company tens of millions in lost revenue.
Key lesson: Refusing to pay is viable if you can absorb the operational hit. Royal Mail recovered without paying, but the recovery took weeks.
Medibank, Australia’s largest health insurer, was breached, and 9.7 million customer records were stolen and published.
How it worked: Attackers used stolen credentials from an employee to access Medibank’s internal systems. They spent weeks extracting customer data including medical claims, diagnoses, and treatment records.
Impact: 9.7 million current and former customers affected. Medibank refused to pay the ransom. The attackers published the data on the dark web, including sensitive mental health and drug treatment records. The breach cost Medibank over $400 million.
Key lesson: Even when you refuse to pay, the data still gets published. Prevention is the only way to avoid that outcome entirely.
The Costa Rica attack marked the first time ransomware effectively crippled a national government.
How it worked: Conti gained access to government systems and encrypted critical infrastructure. When Costa Rica refused to pay, they published stolen data and demanded a larger ransom.
Impact: Costa Rica declared a national emergency. Tax collection stopped. Foreign trade was disrupted. The government estimated $30 million per day in losses.
Key lesson: Ransomware has become a national security threat. Critical infrastructure requires heightened protection.
The Colonial Pipeline attack showed how ransomware can threaten critical infrastructure. It triggered fuel shortages across the East Coast of the United States.
How it worked: Attackers accessed Colonial’s network through a compromised VPN account. The password had been exposed in a previous breach. There was no multi-factor authentication.
Impact: Colonial shut down 5,500 miles of pipeline that supplies 45% of fuel to the East Coast of the United States. Panic buying caused gas station shortages. Colonial paid a $4.4 million ransom (later partially recovered by the FBI).
Key lesson: Leaked credentials are dangerous. A single exposed password caused fuel shortages affecting millions of people. Credential monitoring could have detected the exposure before attackers exploited it.
The Kaseya attack demonstrated how attacking a single vendor can compromise thousands of downstream customers simultaneously.
How it worked: REvil exploited vulnerabilities in Kaseya’s VSA remote management software. The compromised software pushed ransomware to the clients of every managed service provider (MSP) that ran it, without the MSPs’ knowledge.
Impact: Between 800 and 1,500 businesses were affected globally. Swedish grocery chain Coop had to close 800 stores when their point-of-sale systems went down.
Key lesson: One compromised vendor can take down thousands of customers.
The JBS attack threatened food supply chains and showed how ransomware can affect physical-world operations.
How it worked: REvil compromised JBS, the world’s largest meat processor. The attack forced the company to shut down operations across multiple countries.
Impact: JBS paid an $11 million ransom to restore operations quickly. The attack temporarily disrupted meat supply chains in the US and Australia.
Key lesson: Operational technology environments are increasingly targeted. Ransomware has moved beyond just data.
WannaCry remains the most famous ransomware attack in history. In May 2017, it infected over 200,000 computers across 150 countries in just a few days.
How it worked: WannaCry exploited EternalBlue, an exploit for a Windows SMB flaw that leaked from the NSA. It spread automatically across networks without user interaction. One infected machine could compromise an entire network.
Impact: The UK’s National Health Service was hit hard. Hospitals turned away patients. Ambulances were diverted. Globally, damages reached an estimated $4-8 billion.
Key lesson: Patching matters. Microsoft had released a fix two months before the attack. Companies that patched were protected.
NotPetya caused more damage than any other cyberattack in history. It masqueraded as ransomware but was actually a destructive wiper designed to cause maximum harm.
How it worked: Attackers compromised a Ukrainian accounting software called M.E.Doc. A malicious update spread NotPetya to every company using the software. From there, it spread globally through corporate networks.
Impact: Maersk, the shipping giant, lost nearly all its IT infrastructure. FedEx subsidiary TNT Express suffered $400 million in damages. Total global damage exceeded $10 billion.
Key lesson: Supply chain attacks have far-reaching impact. One compromised vendor affected thousands of companies worldwide.
Stolen credentials are the top entry point, but phishing is still how many of those credentials get stolen in the first place. Knowing what ransomware-related emails look like helps you spot them before clicking.
Fake invoice emails. The email claims you have an unpaid invoice attached as a PDF or Excel file. The attachment contains a macro that downloads malware. The sender spoofs a real vendor name. These target finance teams specifically.
Shipping notification emails. “Your package couldn’t be delivered.” The link goes to a fake tracking page that downloads an infostealer or ransomware dropper. These work because everyone orders things online.
HR and payroll emails. “Your benefits enrollment requires action” or “Updated direct deposit form attached.” These target employees who expect HR communications and are less likely to question them.
IT support emails. “Your password expires today. Click here to reset.” The link captures your credentials, which attackers use to log into your VPN or email. No malware needed. Just stolen credentials.
Shared document emails. “John shared a document with you on OneDrive.” The link goes to a convincing fake login page. Once you enter credentials, the attacker has them.
The common thread: urgency and a reason to click. If an email pressures you to act fast, that’s the red flag. For tools that catch these before they reach your inbox, see our guide on phishing protection software.
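The five lure types above share a small set of observable traits, and a mail gateway or SOC triage script can score them. The following is an added example, not code from the original article or its author: it scores a message on urgency language, a credential or shared-document lure, a macro-capable attachment, a link whose visible URL host differs from its real target, a Reply-To domain that differs from the sender, and an internal-sounding display name arriving from an external domain. The messages, the internal domain and the weights are constructed for illustration.

```python
"""Score emails for the ransomware-phishing traits listed in the article.

Added example, not from the original article. Messages, domains and weights
are constructed; treat the weights as tuning knobs, not a published model.
"""
import re
from urllib.parse import urlparse

URGENCY_RE = re.compile(
    r"\b(expires? today|within 24 hours|immediately|urgent|action required|"
    r"final notice|suspended)\b", re.I)
CRED_LURE_RE = re.compile(
    r"\b(reset your password|verify your account|sign in to view|"
    r"shared a document|direct deposit)\b", re.I)
# Attachment types that can carry macros or act as droppers.
RISKY_EXT = {".xlsm", ".docm", ".xls", ".doc", ".iso", ".img", ".js", ".vbs", ".lnk", ".hta"}
# Link text that itself looks like a URL or bare domain (only then can it lie about its target).
URL_LIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

# Constructed sample messages modelled on the lure types in the article.
CONSTRUCTED_EMAILS = [
    {   # "IT support" credential lure: no malware, just a fake reset page
        "from_name": "IT Helpdesk", "from_addr": "support@acme-it-portal.example", "reply_to": "",
        "subject": "Your password expires today",
        "body": "Click here to reset your password and keep access to VPN.",
        "attachments": [],
        "links": [("https://sso.acme.example/reset", "http://acme-sso-reset.example/login")],
    },
    {   # fake invoice with a macro-enabled workbook
        "from_name": "Accounts Payable - Contoso Supply", "from_addr": "billing@contoso-supply.example",
        "reply_to": "ap-collections@gmail-lookalike.example",
        "subject": "Overdue invoice - final notice",
        "body": "Please see the attached invoice and remit within 24 hours.",
        "attachments": ["Invoice_44821.xlsm"], "links": [],
    },
    {   # benign internal message, should score 0
        "from_name": "Acme HR", "from_addr": "hr@acme.example", "reply_to": "",
        "subject": "Summer picnic photos",
        "body": "Photos from the picnic are on the intranet. Thanks to everyone who came!",
        "attachments": [], "links": [("intranet", "https://intranet.acme.example/photos")],
    },
]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].strip().lower()


def _host(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def score_email(msg, internal_domain):
    """Return (score, reasons). Higher means more phishing traits present."""
    score, reasons = 0, []
    text = f"{msg['subject']} {msg['body']}"
    if URGENCY_RE.search(text):
        score += 2; reasons.append("urgency language")
    if CRED_LURE_RE.search(text):
        score += 2; reasons.append("credential or document lure")
    for name in msg.get("attachments", []):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXT:
            score += 3; reasons.append(f"risky attachment {name}")
    for shown, href in msg.get("links", []):
        # Visible text shows one host but the real target is another.
        if URL_LIKE_RE.fullmatch(shown.strip()) and _host(shown) != _host(href):
            score += 3; reasons.append(f"link text {_host(shown)} points to {_host(href)}")
    sender_dom = _domain(msg["from_addr"])
    if _domain(msg.get("reply_to") or msg["from_addr"]) != sender_dom:
        score += 2; reasons.append("reply-to domain differs from sender")
    # Display name claims to be IT/HR/payroll but the mail comes from outside.
    if re.search(r"\b(IT|helpdesk|HR|payroll)\b", msg["from_name"], re.I) and sender_dom != internal_domain:
        score += 3; reasons.append("internal-sounding display name from external domain")
    return score, reasons


def triage(msgs, internal_domain, threshold=5):
    """Messages at or above the threshold, as (subject, score, reasons)."""
    out = []
    for m in msgs:
        s, r = score_email(m, internal_domain)
        if s >= threshold:
            out.append((m["subject"], s, r))
    return out


if __name__ == "__main__":
    for subject, s, r in triage(CONSTRUCTED_EMAILS, "acme.example"):
        print(f"{s:2d}  {subject}: {'; '.join(r)}")
```

The link check only fires when the visible text is itself URL-like, because "Click here" cannot misrepresent a host; the display-name rule is the one most worth tuning, since legitimate vendors also put "IT" or "HR" in their names.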
Knowing how attackers get in tells you where to focus your defenses. The methods have shifted in the last few years.
Initial access brokers (IABs) are criminals who specialize in breaking into corporate networks and selling that access to ransomware operators. They obtain credentials through infostealers or phishing. Access typically sells for $500-$5,000 depending on the target’s size and industry.
Stolen credentials have become the primary initial access vector. The Verizon 2025 DBIR found credentials involved in the majority of breaches.
Attackers obtain credentials through:
Infostealer malware. Infostealers like RedLine and Vidar harvest credentials from infected devices. They capture browser passwords and session cookies. Session cookies are particularly dangerous because they let attackers bypass MFA entirely. These logs are sold on dark web markets and shared in Telegram channels.
Third-party breaches. Breaches at other companies expose credentials that end up on the dark web. If your employees reused those passwords at work, attackers can use the leaked credentials to access your systems.
The Colonial Pipeline attack started with a single VPN password that appeared in a previous breach. The Change Healthcare attack exploited credentials for a Citrix portal without MFA. These weren’t complex attacks. They were preventable.
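Two checks sit behind the credential-monitoring idea that both of those incidents point to. The following is an added example, not code from the original article or its author: it matches a leaked combo list against your own mail domain to produce a forced-reset list, and it tests a candidate password against a breach corpus without ever transmitting the password, using the k-anonymity range query that public breached-password services use (the client sends only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally). The corpus, the dump lines and the domain are constructed for the example.

```python
"""Credential-exposure checks: domain matching and k-anonymity password lookup.

Added example, not from the original article. The breach corpus and the
combo-list lines are constructed; a real deployment would query a breach-data
provider's range endpoint instead of the in-memory index built here.
"""
import hashlib

# Constructed corpus standing in for a breach-data service's holdings.
CONSTRUCTED_BREACHED_PASSWORDS = ["password", "123456", "Welcome1", "Summer2021!"]

# Constructed combo-list lines in the email:password form common in leaked dumps.
CONSTRUCTED_DUMP = """\
alice@example.com:Welcome1
bob@other.example:hunter2
CAROL@Example.com:Summer2021!
not a credential line
alice@example.com:Welcome1
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest breached-password range services are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Bucket each hash by its 5-char prefix: {prefix: {suffix: count}}."""
    index = {}
    for pw in corpus:
        h = sha1_hex(pw)
        bucket = index.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


def range_query(index, prefix):
    """Simulated service call: every suffix sharing the prefix.

    The caller learns nothing about which suffix the client cares about, and
    the service never sees the full hash, let alone the password.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix, {}))


def is_exposed(password, index):
    """True if the password appears in the corpus; only the prefix leaves the client."""
    h = sha1_hex(password)
    return range_query(index, h[:5]).get(h[5:], 0) > 0


def find_exposed_accounts(dump_text, domain):
    """Accounts at our domain that appear in a leaked dump, normalised and deduplicated."""
    hits = set()
    for line in dump_text.splitlines():
        if ":" not in line:
            continue  # not an email:password record
        email, _password = line.split(":", 1)
        email = email.strip().lower()
        if "@" in email and email.rsplit("@", 1)[1] == domain.lower():
            hits.add(email)
    return sorted(hits)


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACHED_PASSWORDS)
    print("reset required:", find_exposed_accounts(CONSTRUCTED_DUMP, "example.com"))
    for candidate in ["Welcome1", "Tr0ub4dor&3-not-in-corpus"]:
        print(candidate, "exposed" if is_exposed(candidate, index) else "not in corpus")
```

The account-matching half is what a monitoring service does for you continuously; the range-query half is what to wire into password-change flows so a reused, already-leaked password is rejected at the moment it is set.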
Phishing remains effective despite years of security awareness training. Attackers craft convincing emails that trick employees into revealing credentials or running malware.
Modern phishing often targets specific individuals (spear phishing). Attackers research their targets on LinkedIn and craft personalized messages. The MGM attack started with a phone call to the help desk, a form of voice phishing (vishing).
Some ransomware campaigns exploit unpatched vulnerabilities for initial access. The WannaCry attack exploited EternalBlue. The MOVEit attack used a zero-day SQL injection vulnerability.
However, vulnerability exploitation requires more skill than using stolen credentials. Most attackers prefer the easier path.
Prevention starts with understanding how attackers get in. Since stolen credentials are the primary vector, credential security should be your priority.
Monitor for compromised credentials. Dark web monitoring detects when your employees’ credentials appear on criminal marketplaces. You can reset exposed passwords before attackers use them. This is your earliest warning of a potential attack.
Enforce multi-factor authentication. MFA stops most credential-based attacks. Even if attackers have valid passwords, they can’t authenticate without the second factor. MFA isn’t foolproof though. Stolen session tokens can bypass it. Still, prioritize MFA for remote access and privileged accounts.
Maintain offline backups. Backups won’t prevent attacks, but they enable recovery without paying ransom. Keep backups offline or immutable so ransomware can’t encrypt them too.
Patch critical vulnerabilities. WannaCry exploited a vulnerability patched two months earlier. Prioritize patches for internet-facing systems and known exploited vulnerabilities.
Segment your network. Network segmentation limits how far attackers can spread. If ransomware hits one segment, it shouldn’t reach your entire environment.
Train employees. Security awareness training reduces phishing success rates. Focus on recognizing suspicious emails and reporting unusual requests.
Monitor for attacker behavior. Ransomware attacks unfold over days or weeks. Detecting lateral movement or data exfiltration gives you time to respond before encryption.
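The detection window described in the attack stages, and the monitoring point above, come down to a few concrete signals. The following is an added example, not code from the original article or its author: two detectors run over constructed log lines, one flagging successful VPN logins from a source IP never seen for that user or completed without MFA, the other flagging a burst of renames to a single new file extension together with a ransom-note-like file. The CSV field names, the IP baseline and the thresholds are assumptions, not any product's schema.

```python
"""Early-warning detectors for the signals the article names.

Added example, not from the original article. All log lines, the IP baseline
and the thresholds are constructed for illustration.
"""
import csv
import io
import os
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed baseline: source IPs each user has logged in from recently.
CONSTRUCTED_BASELINE_IPS = {"jsmith": {"203.0.113.10"}, "agarcia": {"203.0.113.22"}}

# Constructed VPN authentication export.
CONSTRUCTED_AUTH_LOG = """\
timestamp,user,source_ip,result,mfa
2024-05-01T09:02:11Z,jsmith,203.0.113.10,success,yes
2024-05-01T09:10:45Z,agarcia,203.0.113.22,success,yes
2024-05-02T02:47:03Z,jsmith,198.51.100.77,success,no
2024-05-02T08:15:00Z,agarcia,203.0.113.22,failure,yes
"""


def _constructed_file_log():
    """Constructed file-server audit log: 30 rapid renames to .locked, a note, benign edits."""
    rows = ["timestamp,user,action,path"]
    t0 = datetime(2024, 5, 2, 3, 5, 0)
    for i in range(30):
        ts = (t0 + timedelta(seconds=2 * i)).strftime(FMT)
        rows.append(f"{ts},jsmith,rename,/finance/q1/report_{i:02d}.xlsx.locked")
    rows.append("2024-05-02T03:06:05Z,jsmith,create,/finance/q1/HOW_TO_RESTORE_FILES.txt")
    rows.append("2024-05-02T10:00:00Z,agarcia,modify,/hr/policies/handbook.docx")
    rows.append("2024-05-02T10:04:00Z,agarcia,modify,/hr/policies/onboarding.docx")
    return "\n".join(rows) + "\n"


CONSTRUCTED_FILE_LOG = _constructed_file_log()

# Ransom notes are plain text/HTML files named to be found. Heuristic: "readme"
# will also hit developer repos, so scope it to shares where that is unusual.
RANSOM_NOTE_RE = re.compile(r"(decrypt|restore|recover|readme).*\.(txt|html?|hta)$", re.I)


def _parse(log_text):
    return list(csv.DictReader(io.StringIO(log_text)))


def flag_unusual_logins(auth_log=CONSTRUCTED_AUTH_LOG, baseline=CONSTRUCTED_BASELINE_IPS):
    """Successful logins from an unseen IP for that user, or completed without MFA."""
    alerts = []
    for row in _parse(auth_log):
        if row["result"] != "success":
            continue
        reasons = []
        if row["source_ip"] not in baseline.get(row["user"], set()):
            reasons.append("new source IP")
        if row["mfa"] != "yes":
            reasons.append("no MFA")
        if reasons:
            alerts.append((row["timestamp"], row["user"], ", ".join(reasons)))
    return alerts


def flag_mass_modification(file_log=CONSTRUCTED_FILE_LOG, window=timedelta(minutes=5), threshold=20):
    """Per user, the densest run of rename/modify events inside a sliding window,
    reported with its dominant new extension; plus any ransom-note-like file."""
    alerts = []
    events = defaultdict(list)  # user -> [(timestamp, path)]
    for row in _parse(file_log):
        ts = datetime.strptime(row["timestamp"], FMT)
        if row["action"] in ("rename", "modify"):
            events[row["user"]].append((ts, row["path"]))
        elif row["action"] == "create" and RANSOM_NOTE_RE.search(os.path.basename(row["path"])):
            alerts.append((row["timestamp"], row["user"], f"ransom-note-like file {row['path']}"))
    for user, rows in events.items():
        rows.sort()
        times = [t for t, _ in rows]
        best, best_start, start = 0, 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, start
        if best >= threshold:
            burst = rows[best_start:best_start + best]
            ext = Counter(os.path.splitext(p)[1].lower() for _, p in burst).most_common(1)[0][0]
            alerts.append((times[best_start].strftime(FMT), user,
                           f"{best} rename/modify events within {int(window.total_seconds())}s, "
                           f"dominant extension {ext or '(none)'}"))
    alerts.sort()
    return alerts


if __name__ == "__main__":
    for alert in flag_unusual_logins() + flag_mass_modification():
        print(*alert, sep="  ")
```

In the constructed data the no-MFA login from a new address lands a little over half an hour before the renames begin, which is the gap the article says you should be acting in; in real estates the baseline comes from weeks of history and the rename threshold is set per share from normal daily churn.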
Ransomware has evolved from simple encryption malware to organized criminal enterprises. The attacks covered here show the real-world impact: hospitals unable to treat patients and fuel shortages affecting millions.
But they also reveal patterns. Most attacks start with stolen credentials. Most victims lacked basic protections like MFA. Prevention is achievable with the right focus.
Start with credential monitoring. Know when your employees’ passwords appear on criminal marketplaces. Combine that with MFA and offline backups. Employee training helps too.
The companies that avoid ransomware aren’t lucky. They’re prepared. For a complete ransomware prevention strategy, pair credential monitoring with the detection and response capabilities covered in our ransomware detection guide.
Yes, ransomware is a type of malware. It’s malicious software designed to encrypt your files and demand payment for the decryption key. Modern ransomware also steals data before encrypting. If you don’t pay, attackers leak your data publicly.
WannaCry is one of the most damaging real-life malware examples. In 2017, it infected over 200,000 computers across 150 countries. The UK’s National Health Service had to turn away patients. Other major examples include NotPetya, which caused $10 billion in damages, and infostealer malware like RedLine that harvests passwords from infected devices.
Crypto ransomware is the most common form. It encrypts your files using strong encryption algorithms. Without the decryption key, your data is unrecoverable. Most crypto ransomware now operates as Ransomware-as-a-Service (RaaS), where developers lease their malware to affiliates who conduct attacks.
The 3-2-1 backup rule means keeping three copies of your data on two different storage types with one copy stored offsite or offline. This protects against ransomware because attackers can’t encrypt backups they can’t reach. The offline copy is critical since ransomware actively searches for and encrypts connected backups.
The biggest trend is attackers buying access instead of hacking in themselves. Initial access brokers sell stolen credentials to ransomware operators. Infostealer malware harvests these credentials from infected devices. Dark web monitoring can detect when your credentials appear on criminal markets before ransomware groups exploit them.
Ransomware typically reveals itself through encrypted files with strange extensions and ransom notes demanding payment. But you can detect attacks earlier by monitoring for warning signs. Unusual login activity and mass file modifications are red flags. See our ransomware detection guide for the full range of detection methods.