What is the most expensive malware?

Malware, short for “malicious software”, refers to software programs designed to cause damage to a computer, server, client, or computer network. Malware comes in many forms, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and more. Some of the most expensive and damaging malware outbreaks in history have cost companies and governments billions of dollars in cleanup and recovery costs.

What makes malware so expensive?

There are several factors that contribute to making certain malware infections extremely expensive:

  • Widespread infection – Malware that is able to spread rapidly and infect large numbers of systems across networks and the internet can multiply damages and costs.
  • Sensitive targets – Malware that targets critical infrastructure like power grids, hospitals, and other key systems can disrupt essential services.
  • Valuable data – Malware designed to steal valuable data, like credit card numbers, login credentials, trade secrets, etc. can result in massive costs from data breaches.
  • Ransom demands – Ransomware that encrypts files and demands large ransom payments from victims can accumulate huge total costs.
  • Recovery efforts – The costs of analyzing infections, remediating compromised systems, restoring from backups, security upgrades, and productivity losses add up.

Next we will look at some of the most notorious and expensive malware outbreaks to get an idea of the scale of damages the worst malware has caused.

The Most Expensive Malware Outbreaks

WannaCry – $4 billion

The WannaCry ransomware first struck in May 2017, infecting over 230,000 computers across 150 countries. It leveraged leaked NSA hacking tools to spread quickly across networks, encrypting files and demanding ransom payments in Bitcoin. Estimated damages reached $4 billion globally. Major impacted victims included the UK’s National Health Service, FedEx, Nissan, and other large organizations.

NotPetya – $10 billion

Petya was a piece of ransomware first discovered in 2016. A variant called NotPetya emerged in 2017, designed to look like ransomware but with the intent of being destructive. It caused over $10 billion in damages globally. Major victims included shipping giant Maersk, pharma company Merck, food company Mondelez, and infrastructure/utilities companies in Ukraine where it hit hardest.

CryptoLocker – $3 billion

One of the most prolific ransomware strains ever seen, CryptoLocker first appeared in 2013 and infected over 234,000 machines. It used RSA public key encryption to lock files and demand ransom payments. Damages reached an estimated $3 billion. CryptoLocker was shut down in a global law enforcement operation in 2014, but not before setting a blueprint for ransomware that persists today.

Sobig – $37 billion

In 2003 the Sobig worm spread rapidly through email attachments and other vectors, infecting millions of computers. It spawned many variants over the year, with Sobig.F alone infecting 1 in 17 emails at its peak. While the malware itself did not cause direct financial damages, the global cleanup and productivity costs from the outbreaks were estimated at $37 billion.

ILOVEYOU – $15 billion

This infamous computer worm spread via email and infected over 50 million Windows PCs worldwide within a day of its release in 2000. It overwrote image, music, and multimedia files with copies of itself on infected systems. The total global costs of cleanup and recovery from the outbreak were estimated at $15 billion. It remains one of the farthest reaching and most disruptive malware attacks of all time.

Code Red – $2 billion

Discovered in 2001, the Code Red worm exploited a vulnerability in Microsoft’s IIS web servers to spread. It defaced websites, launched denial of service attacks, and infected over 359,000 hosts globally. Damages between $1.2 – $2 billion were estimated. Despite a quick patch release from Microsoft, the worm caused significant disruption and cleanup costs worldwide.

Simda – $25 million

Simda was a botnet and click fraud operation that emerged around 2008. The malware built up networks of 60,000-90,000 infected computers that were used to fake clicks on online ads. Profits from click fraud were estimated to be $40,000 per day, accumulating to losses of $25 million for ad networks. The botnet was shut down in 2010.

CryptoWall – $325 million

CryptoWall was an infamous form of file-encrypting ransomware that first appeared in early 2014. The operators raked in an estimated $325 million in ransom payments over the years through various versions and campaigns, often charging victims in the range of $500 to $1,000. CryptoWall remained one of the largest ransomware players until it was decommissioned in 2016.

Zeus – $100 million

Zeus originated as a banking Trojan focused on stealing financial account credentials via phishing and drive-by downloads. First detected in 2007, Zeus evolved into a malware toolkit used to develop many new variants that infected millions of Windows computers.Losses attributed to Zeus-based malware were estimated at $100 million. The author behind Zeus reportedly agreed to end development in 2011.

Recent Major Malware Outbreaks

While the malware above covers some of the most damaging and expensive infections to date, major new outbreaks continue to occur. Here are some of the most significant recent malware attacks with high costs:

REvil Ransomware – $100 million+

The Russia-linked REvil ransomware group has extorted over $100 million from victims since emerging in 2019. Attacks in 2021 crippled meat supplier JBS Foods (11,000 infected systems) and IT software firm Kaseya (1,500 downstream businesses affected). Each paid ~$11 million in ransom.

Colonial Pipeline – $4.4 million

A May 2021 ransomware attack on major U.S. fuel pipeline operator Colonial Pipeline by the DarkSide group caused widespread gas shortages and emergency declarations. Colonial reportedly paid a $4.4 million ransom and suffered millions more in recovery costs.

SolarWinds Supply Chain Hack – $250 million+

Suspected Russian state hackers compromised the SolarWinds Orion software in 2020, using it as an attack vector to breach numerous U.S. government agencies, tech companies, and others. Damages and response costs are estimated to exceed $250 million from this sophisticated supply chain attack.

Log4J Vulnerabilities – $100s of millions

Vulnerabilities found in Log4j (utility used in countless applications and services) could enable remote code execution. The severe flaws reported in late 2021 will likely cost the software industry hundreds of millions to investigate and patch worldwide. Malicious exploitation continues.

Emotet Botnet Takedown – $500 million+

A global law enforcement effort dismantled the Emotet botnet in 2021, which specialized in spreading banking trojans, ransomware, spyware and other threats. Emotet caused over $500 million in damages since 2014, and infected nearly 2 million Windows machines at its peak.

The Most Common Malware Vectors

Malware operators use various distribution methods or “vectors” to spread infections. These include:

Email Attachments

Malware sent as attachments to spam, phishing, and targeted email continues to be a leading infection vector. Opening dangerous attachments or enabling macros infects the recipient’s system.

Web Downloads

The web remains a prime vector through malicious ads, downloads, JavaScript (drive-by attacks), and compromised websites. Users may be infected simply by visiting web pages seeded with malware.

External Devices

Malware can spread via infected external devices like USB drives, hard drives, CDs/DVDs. Autorun features make mounting drives a quick infection method.

Remote Desktop Access

Brute force attacks against internet-exposed RDP/remote desktop services are a common way for malware like ransomware to infiltrate business networks and servers.

Network Propagation

Worms and other malware often scan for nearby vulnerable systems and spread machine-to-machine once an initial infection occurs within a network.

Third Party Apps

Apps and third party software infected with malware is a growing vector. Everything from media players to cracked software can contain malware payloads.

Supply Chain Attacks

Injecting malware into software/hardware supply chains is an advanced vector that uses trusted vendor channels to bypass security. e.g. SolarWinds hack.

Worst Malware Types by Damage

Some of the most devastating and costly varieties of malware include:


File-encrypting ransomware that locks access to data and systems remains the costliest malware type for businesses, inflicting billions per year in damages through lost files, recovery efforts, and ransom payments.

Banking Trojans

Sophisticated malware that steals online banking credentials, redirects transactions, and siphons funds from accounts is an extremely lucrative criminal enterprise targeting consumers and businesses.

Cryptocurrency Miners

Malware designed to mine or steal cryptocurrency through unauthorized use of infected computers’ resources can significantly impair performance and drive up electricity costs.


Difficult to detect, spyware that logs keystrokes, tracks online activity, accesses webcams/mics and steals sensitive data for espionage or identity theft causes immense financial and privacy damages.


Botnets weaponize thousands of malware-infected machines to carry out flooding DDoS attacks, send spam, spread new infections, and fulfill other criminal goals.


Destructive malware designed to permanently delete or encrypt files, reset systems, corrupt Master Boot Records, and other “wiping” activity can lead to enormous recovery costs.

Supply Chain Malware

Compromising software/hardware update channels to distribute malware to customers is an advanced threat that can create a cascade of infections hard to control.

Defending Against Costly Malware

Preventing and minimizing malware outbreaks calls for securing systems and networks against common infection vectors and implementing best practices like:

  • Endpoint scanning and antivirus software
  • Email security and phishing avoidance training
  • Web content filtering and threat intelligence
  • Vulnerability and patch management
  • Least privilege and access controls
  • Strong passwords and multifactor authentication
  • User education on malware risks
  • IT policies prohibiting risky software/behaviors
  • Backups and disaster recovery provisions

For organizations, experts also recommend threat hunting, security analytics, micro-segmentation,whitelisting, and advanced endpoint protections to prevent costly malware infections before they occur and spread.

Individual users can employ comprehensive internet security suites, avoid clicking suspicious links/attachments, keep software updated, use ad/script blockers, and leverage anti-exploit technologies like EMET to make systems more malware resilient.

Staying vigilant and acting quickly when outbreaks do happen can significantly reduce overall damage and recovery costs.

The Future of Malware

Malware shows no signs of letting up, as attackers continue evolving techniques and devising new ways to monetize infections. Some emerging malware trends include:

  • Ransomware-as-a-service offerings lower barrier for fresh attacks
  • Targeting cloud environments and supply chain partners
  • Automated, wormable attacks exploit new vectors like IoT devices
  • Polymorphic malware able to evade defenses through rapid mutations
  • PowerShell and fileless attacks living purely in memory without installation
  • Leveraging AI to optimize social engineering and bypass human analysis

To match these innovations, the industry must persist in advancing threat detection, intelligence sharing, regulations, and proactive collaboration to thwart future malware risks.

The Cost of Malware In Summary

Malware has inflicted damages totaling into the billions of dollars when the most severe outbreaks strike governments, critical infrastructure, and large enterprises. The most expensive malware incidents include:

  • WannaCry – $4 billion
  • NotPetya – $10 billion
  • ILOVEYOU – $15 billion
  • Sobig – $37 billion
  • Recent REvil ransomware attacks – $100+ million

Ransomware currently leads as the costliest malware variety with estimated global losses up to $20 billion annually. Sophisticated banking Trojans and nation-state cyber espionage operations also rack up huge financial damages. As malware continues evolving, organizations must stay vigilant and invest in the latest defenses to avoid becoming the next massive, front-page malware statistic.


Malware is big business for cyber criminals, with the most impactful outbreaks inflicting damages in the billions. Ransomware currently takes the biggest toll, crippling businesses, infrastructure, and government agencies with file encrypting attacks paired with ransom demands. Other sneaky threats like banking trojans designed for financial theft also rank among the costliest malware when measured by total financial damages. While malware authors continue innovating and developing new infection techniques, organizations can try to stay a step ahead with layered defenses, education, rapid response capabilities, and back-to-basics security hygiene.