10 Famous Ransomware Attacks: Real-World Case Studies Every Business Should Know
In this article:
- WannaCry (2017): The Attack That Put Ransomware on Every Board Agenda
- SamSam and Ryuk: How Ransomware Learned to Pick Its Targets
- Maze Ransomware and the Birth of Double Extortion
- REvil Takes Aim at JBS Foods and the Kaseya Supply Chain
- DarkSide and the Colonial Pipeline Shutdown
- Conti: The Ransomware-as-a-Service Enterprise
- LockBit, BlackCat, and the 2024 Ransomware Wave
- What These 10 Attacks Mean for Your Business
According to Chainalysis’s 2024 Crypto Crime Report, ransomware payments exceeded $1 billion in 2023, the first year on record to reach that level. That figure captures only what investigators traced on-chain. When system downtime, IT recovery costs, regulatory penalties, and lost revenue are included, the real damage per attack multiplies substantially.
The organizations behind those numbers were not exclusively large enterprises. Hospitals, city governments, food processors, professional services firms, and school districts appear throughout the case files. The common thread is not company size or industry. It is an exploitable gap that already existed before the attacker arrived.
This article walks through 10 of the most consequential ransomware attacks on record, covering how each gained entry, what it cost, and the lessons every business should act on today.
WannaCry (2017): The Attack That Put Ransomware on Every Board Agenda
WannaCry arrived in May 2017 and spread faster than most security teams could respond. The malware exploited EternalBlue, a Windows SMB vulnerability, allowing it to self-propagate to any reachable unpatched system without requiring user interaction. Within four days, according to Europol, an estimated 200,000 systems across 150 countries were compromised.
The UK’s National Health Service absorbed some of the most severe damage. Patient appointments were cancelled and ambulances were diverted. The resulting disruption contributed to an estimated $100 million in damages for the NHS alone, per the UK National Audit Office. A security researcher discovered an embedded kill switch that halted the spread, but unpatched systems remained vulnerable long after the headlines faded.
WannaCry established that ransomware causes collateral damage at scale. Organizations with no direct connection to the attackers’ intended targets were compromised simply because they ran unpatched software. For a full WannaCry breakdown and what it cost global businesses, including the propagation timeline and response decisions, see our detailed analysis.
SamSam and Ryuk: How Ransomware Learned to Pick Its Targets
SamSam changed the model starting around 2016. Rather than distributing malware broadly and waiting for infections, SamSam operators manually infiltrated specific high-value organizations: hospitals, city governments, and universities. The shift from mass distribution to targeted precision made each attack significantly more destructive.
The City of Atlanta experienced this directly in 2018. The city faced a roughly $51,000 ransom demand but declined to pay, then spent an estimated $17 million rebuilding its systems. That asymmetry, a $51,000 demand producing $17 million in recovery costs, became one of the defining financial patterns of the ransomware era.
Ryuk (2018 through 2021) refined the targeted approach further:
- Operators used Emotet and TrickBot malware loaders to establish persistent access weeks before deploying the ransomware payload
- Manual reconnaissance allowed attackers to locate and encrypt backup systems alongside primary data
- During the COVID-19 pandemic, Ryuk operators deliberately targeted hospitals, calculating that healthcare organizations under surge conditions could not absorb extended downtime
SamSam and Ryuk proved that the most damaging ransomware attacks are not accidents. They are deliberate operations.
Maze Ransomware and the Birth of Double Extortion
Before Maze, a solid backup strategy provided a credible defense against ransomware. Restore from backup, decline the ransom, and resume operations. Maze eliminated that logic entirely.
Active from 2019 through late 2020, Maze pioneered double extortion: encrypting victims’ data while simultaneously exfiltrating it. If the ransom went unpaid, stolen files would be published on a public leak site.
- Backups became insufficient on their own. A clean restore does not address the risk that stolen data has already been exfiltrated and can be published whether or not the victim pays.
- Maze targeted major organizations including IT services firm Cognizant, Canon, and defense contractor Westech International before announcing its shutdown in late 2020.
- Nearly every major group that followed adopted the model. REvil, Conti, LockBit, and BlackCat all incorporated double extortion as standard operating procedure after Maze proved it worked.
The group shut down. The tactic it invented did not.
REvil Takes Aim at JBS Foods and the Kaseya Supply Chain
REvil compressed two landmark attacks into less than two months during the summer of 2021.
- JBS Foods (May 2021). REvil struck JBS Foods, the world’s largest beef supplier, forcing temporary plant shutdowns across the US, Canada, and Australia. JBS paid an $11 million ransom to restore operations rather than sustain extended production losses.
- Kaseya VSA (July 2021). REvil exploited a zero-day vulnerability in Kaseya’s VSA remote management software. Using managed service providers as an unwitting delivery channel, attackers pushed ransomware to approximately 1,500 downstream businesses simultaneously. Those businesses had no direct relationship with REvil and no direct exposure to the compromised platform.
- Supply-chain exposure. The Kaseya attack demonstrated that one compromised vendor platform can cascade into hundreds of client environments. Trust in a vendor’s remote management tools became an attack surface.
- Aftermath. An international law enforcement operation led to the arrest of REvil operators in early 2022. Splinter groups carrying adapted REvil code continued operating under different names in the years that followed.
DarkSide and the Colonial Pipeline Shutdown
In May 2021, DarkSide ransomware struck Colonial Pipeline, which supplies roughly 45% of the fuel consumed on the US East Coast. The shutdown lasted six days and triggered fuel shortages across multiple southeastern states.
Colonial paid approximately $4.4 million in cryptocurrency. The US Department of Justice later recovered roughly $2.3 million of that payment through a coordinated law enforcement operation targeting the attackers’ wallet.
The entry point was a single compromised VPN account that lacked multi-factor authentication. One missing control opened access to critical national infrastructure.
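The missing control in this case is auditable before an attacker finds it. The following is an added example, not code from the original article or from any vendor: it runs two checks over constructed data, flagging successful VPN logins that completed without a second factor and listing enabled VPN-capable accounts with no MFA enrolment at all. The log columns, account attributes, and usernames are all assumptions made for illustration; a real gateway and directory export use their own formats.

```python
"""Audit constructed VPN authentication records for the gap described above:
successful remote-access logins with no second factor, plus enabled accounts
that are not enrolled in MFA at all.

Added example; not code from the original article or from any vendor. The log
format, field names and account list are constructed for illustration."""

import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample of VPN gateway authentication events. The column names are
# assumptions; real gateways log in their own formats.
VPN_AUTH_LOG = """\
timestamp,user,source_ip,result,mfa
2021-04-29T06:12:03Z,jsmith,203.0.113.10,success,otp
2021-04-29T06:15:44Z,svc_legacy,198.51.100.7,success,none
2021-04-29T06:20:10Z,mlee,203.0.113.22,failure,none
2021-04-29T07:02:51Z,svc_legacy,198.51.100.7,success,none
2021-04-29T07:30:00Z,akhan,203.0.113.41,success,push
"""

# Constructed directory export: accounts permitted to use the VPN, whether each
# is enabled, and whether a second factor is enrolled.
VPN_ACCOUNTS = {
    "jsmith": {"enabled": True, "mfa_enrolled": True},
    "mlee": {"enabled": True, "mfa_enrolled": True},
    "akhan": {"enabled": True, "mfa_enrolled": True},
    "svc_legacy": {"enabled": True, "mfa_enrolled": False},
    "old_contractor": {"enabled": False, "mfa_enrolled": False},
}


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    detail: str


def logins_without_mfa(log_text: str) -> list[Finding]:
    """One finding per successful login that completed with no second factor."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["result"] == "success" and row["mfa"] == "none":
            findings.append(Finding(
                user=row["user"],
                reason="successful VPN login without MFA",
                detail=f'{row["timestamp"]} from {row["source_ip"]}',
            ))
    return findings


def accounts_not_enrolled(accounts: dict) -> list[Finding]:
    """Enabled VPN-capable accounts with no second factor enrolled.
    Disabled accounts are skipped: they cannot log in, so they are not a gap."""
    return [
        Finding(user=name, reason="enabled account not enrolled in MFA", detail="")
        for name, attrs in sorted(accounts.items())
        if attrs["enabled"] and not attrs["mfa_enrolled"]
    ]


def audit(log_text: str, accounts: dict) -> dict[str, list[Finding]]:
    """Combine both checks, keyed by account, so every gap is reported per user."""
    report: dict[str, list[Finding]] = {}
    for finding in accounts_not_enrolled(accounts) + logins_without_mfa(log_text):
        report.setdefault(finding.user, []).append(finding)
    return report


if __name__ == "__main__":
    for user, findings in audit(VPN_AUTH_LOG, VPN_ACCOUNTS).items():
        print(user)
        for f in findings:
            print(f"  - {f.reason} {f.detail}".rstrip())
```

Running the script reports the one constructed account that both lacks enrolment and has been logging in without a second factor. The two checks are deliberately separate: the directory check catches accounts that have never been used (and so never appear in logs), while the log check catches sessions where an enrolled account still authenticated without MFA, which usually points at a gateway policy exception rather than a directory problem.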
DarkSide operated as a ransomware-as-a-service (RaaS) affiliate program, meaning an independent criminal operator carried out the Colonial attack using licensed DarkSide malware. Disrupting the core developer group would not have prevented this specific incident.
Colonial’s six-day halt makes clear why disaster recovery planning must account for complete operational shutdowns, not only the restoration of individual IT systems. The pipeline’s operational technology ran on separate infrastructure, but leadership shut down preemptively out of concern for the broader network.
Conti: The Ransomware-as-a-Service Enterprise
Conti operated from approximately 2020 through mid-2022 with the internal structure of a functioning company. The group maintained HR onboarding materials for new affiliates, tiered technical training programs, and a help desk supporting operators executing attacks. Conti was not a loose collective of hackers. It ran like a business.
According to CISA, the organization attacked more than 1,000 entities during its operational period. Ireland’s Health Service Executive was struck in May 2021, disrupting nationwide patient care for months. Recovery and remediation cost the Irish government an estimated $100 million or more.
In early 2022, a Ukrainian researcher leaked Conti’s internal chat logs following the group’s public declaration of support for the Russian invasion of Ukraine. The leak exposed their organizational hierarchy, affiliate compensation structures, and tool development pipelines in detail that intelligence agencies rarely obtain from an active criminal operation.
Conti formally disbanded in mid-2022. Former members dispersed into Black Basta, BlackByte, and other successor operations that remained active through 2025.
LockBit, BlackCat, and the 2024 Ransomware Wave
Two groups defined the ransomware threat from 2022 through 2024 and produced some of the most disruptive attacks on record.
- LockBit became the most prolific ransomware operation between 2022 and 2024, responsible for more publicly reported attacks than any other single group during that period, targeting manufacturers, law firms, healthcare systems, and government agencies across dozens of countries.
- Operation Cronos (February 2024) was a 10-country law enforcement action that seized LockBit’s infrastructure and arrested key affiliates. Attacks under the LockBit brand resumed within weeks, demonstrating how difficult it is to fully dismantle a distributed affiliate network even after central infrastructure is taken down.
- BlackCat (ALPHV) struck Change Healthcare in February 2024, taking down prescription processing and payment systems for over a month in one of the most disruptive healthcare cyberattacks in US history. UnitedHealth Group disclosed total cyberattack-related costs exceeding $870 million by mid-2024.
- Healthcare providers operating entirely on on-premises infrastructure faced the worst disruptions during the Change Healthcare outage. Organizations that had migrated critical communications to cloud-based phone systems and other hosted platforms maintained better operational continuity when the network went dark.
- LockBit affiliates and BlackCat successor groups remained active through 2025, continuing to target healthcare, financial services, and manufacturing.
What These 10 Attacks Mean for Your Business
Every attack in this list traces back to a gap that already existed before the attacker arrived. The pattern holds across industries, company sizes, and attack years.
- Unpatched systems create open doors. WannaCry compromised an estimated 200,000 systems through a vulnerability that had an available patch before the attack launched. Delayed patching is a direct and measurable risk.
- Backups are necessary but no longer sufficient. The double-extortion model Maze introduced means data theft runs parallel to encryption. A clean restore does not eliminate the risk that exfiltrated files will be published.
- Recovery costs far exceed ransom demands. Atlanta spent an estimated $17 million recovering from a $51,000 demand. The ransom payment is not the real financial exposure. Recovery is.
- SMBs are not protected by obscurity. Ryuk, REvil, and LockBit all attacked organizations with fewer than 500 employees, often precisely because smaller businesses carry fewer detection and response capabilities than larger enterprises.
- A single missing control can enable a catastrophic incident. Colonial Pipeline’s entry point was one VPN account without multi-factor authentication. One gap, six days of operational shutdown, and fuel shortages across an entire region.
The specific controls and configurations that address each of these patterns are covered in steps to reduce your organization’s ransomware risk. If these case studies raised questions about your current environment, that is the right place to start.
When proactive defenses are in place before an attack arrives, operations look fundamentally different. Threats are caught at the endpoint before encryption begins. Patch cycles close vulnerabilities in days rather than months.
Documented incident response procedures tell your team exactly what to do in the first 15 minutes of an incident. Recovery is measured in hours, not weeks.
LeadingIT provides managed IT and cybersecurity services to businesses across the Chicagoland area, including endpoint protection, patch management, and incident response support. We work with organizations between 25 and 250 employees that need professional-grade protection without building a dedicated in-house security team.
When ransomware becomes a managed risk rather than a recurring crisis, your team can focus on the work that actually moves the business forward.
Contact our Chicagoland IT support team or call 815-788-6041 to schedule a free assessment.