What is the most common ransomware in history?

Ransomware is a form of malware that encrypts a victim’s files and demands payment to restore access. Some of the most damaging ransomware attacks in history have affected businesses, governments, hospitals and everyday internet users. Understanding the most common strains can help organizations defend against future attacks.

What is Ransomware?

Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until ransom is paid. It works by encrypting files or locking the system, making them inaccessible until the ransom demand is fulfilled.

Ransom demands are typically in cryptocurrency, such as Bitcoin, that offer more anonymity compared to traditional payments. Once the ransom is paid, the hackers will decrypt the files or unlock the infected system. However, there is no guarantee the hackers will restore everything, even if the ransom is paid.

How Does Ransomware Infect a System?

Most ransomware is distributed through phishing emails containing malicious attachments or links. The attachments often appear as normal files like PDFs or Word documents, but they contain embedded malicious code. Other distribution methods include:

– Compromised websites that download malware onto visitors’ devices
– Software or app vulnerabilities that allow ransomware to be installed
– Removable drives like USB sticks containing malware that infects a system when plugged in

Once installed, the ransomware encrypts files and displays a ransom payment demand. It may also lock system functions, making the computer unusable.

Most Common Ransomware Families


First observed: 2013

CryptoLocker was one of the earliest and most profitable ransomware strains. It used RSA public key encryption to lock files, and the private key to decrypt them was only available to the hackers. CryptoLocker was distributed via exploit kits and phishing emails.

At its peak, a single CryptoLocker operation was thought to have extorted over $3 million in just 100 days. It was shut down in 2014, but the malware code has been reused and modified by other ransomware creators since.


First observed: 2014

The CryptoWall ransomware family has gone through several major versions, including CryptoWall, CryptoWall 2.0, CryptoWall 3.0 and CryptoWall 4.0. It uses complex encryption algorithms to encrypt documents, photos, databases and other files.

Like CryptoLocker, CryptoWall was spread through exploit kits and spam. Security researchers estimate CryptoWall infected over 600,000 systems and caused over $325 million in damages.


First observed: 2016

Locky rose to prominence after a massive spam campaign in early 2016. The emails came with Microsoft Word doc attachments containing malicious macros. When enabled, the macros installed the Locky ransomware code.

Locky encrypts a wide range of file types using AES and RSA encryption algorithms. At its peak, the Locky botnet sent out millions of spam emails per day across 167 countries.


First observed: 2016

Cerber encrypts files and renames them to contain the .CERBER extension. It emerged in early 2016 and was advertised on dark web forums. Cerber operators offered it via ransomware-as-a-service, allowing partners to use the code for a cut of the profits.

Cerber was distributed via exploit kits planted on compromised websites. Security experts regard it as one of the first ransomware strains to effectively incorporate offline encryption capabilities.


First observed: 2017

WannaCry was a worldwide ransomware attack that affected over 200,000 computers across 150 countries in May 2017. It exploited a Windows vulnerability leaked from the NSA to spread ransomware that encrypted files and shared decryption keys to a Bitcoin wallet.

Despite moderate technical capabilities, WannaCry had a massive impact by spreading quickly across out-of-date Windows systems. It caused major disruptions, including cancelling medical procedures and shutting down assembly lines.


First observed: 2016

NotPetya initially posed as ransomware called Petya, but was designed to be destructive while appearing as ransomware. It encrypted the master boot record, permanently locking the system instead of decrypting files after payment.

NotPetya first spread via tax software in Ukraine in 2017, but went on to infect major global businesses. Damages exceeded $10 billion, making it the costliest ransomware attack in history.

Recent Trends in Ransomware

Ransomware-as-a-Service (RaaS)

Many modern ransomware operations work via a Ransomware-as-a-Service (RaaS) model. Underground cybercriminals develop the malware and sell or lease it to other attackers.

The RaaS model allows novice hackers to launch attacks for a share of the profits with very little technical knowledge. This has led to an explosion in ransomware strains as the barrier to entry is low.

Double Extortion

Recent ransomware gangs like Maze, DoppelPaymer and Sodinokibi pioneered a technique called “double extortion.” Before encrypting files, they are copied and stolen.

The hackers threaten to publish the stolen data online unless the ransom is paid. Even if the victim can restore encrypted files from backups, refusing the ransom means sensitive data gets leaked.

Anonymous Cryptocurrency Ransoms

Most ransomware demands payments in cryptocurrency, especially Monero. Unlike Bitcoin, Monero uses ring signatures and stealth addresses to obfuscate the source of funds.

This makes Monero much harder to track. Ransomware hackers favor it to preserve their anonymity when receiving ransom payments.

Targeted Ransomware

Older ransomware was blast malware that infected any vulnerable system. Modern ransomware is increasingly using spear phishing to target organizations rather than individuals.

With prior research into a company’s people and technologies, ransomware hackers can craft a customized attack to inflict maximum damage. Targeted ransomware aims for high-value victims with sensitive data.

Ransomware Targeting Critical Infrastructure

Recent attacks have shown ransomware presents a major risk to hospitals, transportation networks, emergency services and other critical infrastructure.

Successful attacks on targets like hospitals and city governments have emboldened hackers. More ransomware is now aimed at critical infrastructure to extort higher ransoms due to the severe impacts of disruption.

Major Ransomware Attacks

Attack Date Impact
Hollywood Presbyterian Medical Center Feb 2016 Hospital paid $17,000 ransom in Bitcoin
San Francisco MTA Nov 2016 Fare systems disabled, ransom paid
WannaCry May 2017 200,000+ computers infected in 150 countries
NotPetya Jun 2017 $10 billion in damages, major firms affected
Atlanta Government Mar 2018 Over 1/3 of 424 programs affected, $17 million recovery cost
Baltimore Government May 2019 Services disabled 2+ weeks, $18 million recovery cost

How to Protect Against Ransomware

While new ransomware strains and variants appear frequently, following cybersecurity best practices is key to avoiding infection:

– Maintain up-to-date anti-virus software on all devices
– Be vigilant against phishing emails – don’t open attachments or click links from unknown senders
– Backup critical data regularly and keep a copy offline and disconnected
– Patch and update software, network devices, and operating systems promptly
– Use firewalls to limit access between network segments
– Disable macros in Microsoft Office files received from outside your organization
– Educate employees on ransomware tactics and what to watch out for
– Develop an incident response plan for security events like ransomware infections

Implementing layers of cybersecurity defenses makes organizations far more resilient against ransomware outbreaks. But no single method is 100% effective, so combining prudent technology and smart user awareness offers the best protection.

Should You Pay the Ransom?

There is no one-size-fits-all answer to whether an organization should pay the ransom demand. Factors to consider include:

– Cost of the ransom versus cost of recovery. The ransom may be cheaper than rebuilding systems and restoring data.
– Importance of the encrypted data. For critical data that can’t be recreated, paying the ransom might be the only viable option.
– Likelihood of restoring access. Most ransomware groups decrypt files after payment, but not always.
– Risk of repeat infections if the root cause isn’t addressed.
– Legal and ethical ramifications of paying cybercriminals. This could run afoul of policies or regulations.

In most cases, experts advise against paying the ransom. There are no guarantees files will be restored, and it encourages further ransomware attacks. A more prudent option is improving backups and recovery plans to increase resilience against future attacks.

However, for high-value or irreplaceable data, the business case for paying the ransom may make sense if all other recovery options have been exhausted. But this decision should not be made lightly.


Ransomware remains a serious threat to businesses, governments and individuals worldwide. Understanding the most common strains and recent evolution in tactics allows organizations to implement the right defenses.

Staying vigilant against suspicious emails and outdated software, maintaining reliable backups, and developing an incident response plan are key best practices against ransomware. With the right preparations, the impact of ransomware outbreaks can be minimized.

Though new variants constantly emerge, ransomware fundamentally exploits basic security weaknesses like human error and technical flaws. By cultivating a strong cybersecurity posture, organizations can protect their critical systems and data against attacks.