Famous Ransomware Incidents: A Timeline of Devastating Attacks

Steven Jul 09, 2026

Ransomware, a type of malware that encrypts a victim's files and demands payment in exchange for the decryption key, has become a significant threat in the digital landscape. These attacks have targeted individuals, businesses, and even critical infrastructure, causing substantial financial losses and disruption. Let's delve into some of the most notorious ransomware incidents that have made headlines and shaped the cybersecurity landscape.

Explains the phishing email vector of ransomware
Explains the phishing email vector of ransomware

These high-profile incidents serve as stark reminders of the potential impact of ransomware and underscore the importance of robust cybersecurity measures. They also highlight the evolving nature of these threats, with attackers continually refining their tactics and tools.

the world's most dangerous attacks infographic poster by @ dymantic
the world's most dangerous attacks infographic poster by @ dymantic

Notable Ransomware Incidents in Recent Years

This section explores some of the most impactful ransomware incidents in recent years, providing context and detailing the events as they unfolded.

an image of a world map that has red lights on it and the words coronacry ransomware attack first 24 hours
an image of a world map that has red lights on it and the words coronacry ransomware attack first 24 hours

Each incident offers valuable insights into the tactics, techniques, and procedures (TTPs) employed by ransomware operators, as well as the responses from affected organizations and the cybersecurity community.

WannaCry (2017)

The 14 Most Insane Things Happening Right Now (6/14)
The 14 Most Insane Things Happening Right Now (6/14)

WannaCry, a global ransomware attack that occurred in May 2017, is one of the most widespread and devastating ransomware incidents to date. The malware exploited a vulnerability in Windows operating systems, known as EternalBlue, which was leaked by a group of hackers known as The Shadow Brokers.

WannaCry infected hundreds of thousands of computers in over 150 countries, crippling businesses, hospitals, and other critical infrastructure. The attack's scale and impact highlighted the interconnected nature of modern societies and the potential for cyber threats to cause widespread disruption.

NotPetya (2017)

What is Ransomware? Definition, Prevention & Removal | KnowBe4
What is Ransomware? Definition, Prevention & Removal | KnowBe4

NotPetya, another major ransomware incident that occurred just a few months after WannaCry, targeted businesses in Ukraine before spreading globally. Unlike WannaCry, NotPetya was not primarily motivated by financial gain but rather appeared to be a wiper malware designed to destroy data.

NotPetya exploited the same EternalBlue vulnerability as WannaCry and also leveraged a compromised software update from a Ukrainian accounting software company called M.E.Doc. The attack resulted in billions of dollars in damages, with many affected organizations struggling to recover for months or even years.

Ransomware-as-a-Service (RaaS) and Affiliate Programs

Paying the WannaCry ransom will probably get you nothing. Here’s why.
Paying the WannaCry ransom will probably get you nothing. Here’s why.

Ransomware-as-a-Service (RaaS) and affiliate programs have emerged as a significant trend in the ransomware landscape, enabling less technical individuals to launch ransomware attacks. These models allow attackers to rent ransomware tools or earn a commission for each successful attack they facilitate.

RaaS and affiliate programs have democratized ransomware, making it more accessible to a broader range of threat actors. This has led to an increase in the number and variety of ransomware attacks, as well as the emergence of new ransomware families and techniques.

Inside a ransomware attack: how dark webs of cybercriminals collaborate to pull them off
Inside a ransomware attack: how dark webs of cybercriminals collaborate to pull them off
In the Bitcoin Era, Ransomware Attacks Surge
In the Bitcoin Era, Ransomware Attacks Surge
Wanna Cry ransomware (Wanna Decryptor) Finding Yourself
Wanna Cry ransomware (Wanna Decryptor) Finding Yourself
⛽ Colonial Pipeline Attack (2021) Explained | The Ransomware Attack That Shook America
⛽ Colonial Pipeline Attack (2021) Explained | The Ransomware Attack That Shook America
Infographic: Ransomware By The Numbers - InfographicBee.com
Infographic: Ransomware By The Numbers - InfographicBee.com
the computer has been locked and it is now on its own page, with an official seal
the computer has been locked and it is now on its own page, with an official seal
Wannacry Wallpaper, What Is Wannacry Ransomware, How To Recover From Ransomware, Ransomware Warning Message, What Is Ransomware Used For, Ransomware Attack Warning, Dark Radiation Ransomware, Understanding Bitcoin Security, Reverse Linked List Python Hackerrank
Wannacry Wallpaper, What Is Wannacry Ransomware, How To Recover From Ransomware, Ransomware Warning Message, What Is Ransomware Used For, Ransomware Attack Warning, Dark Radiation Ransomware, Understanding Bitcoin Security, Reverse Linked List Python Hackerrank
The World's Biggest Real Cyber Attack That Ever Happened! | Wannacry case study
The World's Biggest Real Cyber Attack That Ever Happened! | Wannacry case study
HelloXD: il nuovo ransomware per Linux e Windows
HelloXD: il nuovo ransomware per Linux e Windows
New WannaCrypt ransomware variant discovered in the wild
New WannaCrypt ransomware variant discovered in the wild
How Ransomware Spreads Inside Companies ⚠️
How Ransomware Spreads Inside Companies ⚠️
Part 25: nvidia #fyp #ransomware #ransom #payout #cybersecurity #lockbit #malware #hacker #hacked
Part 25: nvidia #fyp #ransomware #ransom #payout #cybersecurity #lockbit #malware #hacker #hacked
At small and rural hospitals, ransomware attacks are causing unprecedented crises
At small and rural hospitals, ransomware attacks are causing unprecedented crises
Inside a Ransomware Attack: How It Happens – Step-by-Step Cyberattack Breakdown
Inside a Ransomware Attack: How It Happens – Step-by-Step Cyberattack Breakdown
Android Malware: WannaCry Ransomware picture collection from infected countries around the world Freedomland U.s.a. Photos, Ransomware Screenshot Collection, Picture Collection
Android Malware: WannaCry Ransomware picture collection from infected countries around the world Freedomland U.s.a. Photos, Ransomware Screenshot Collection, Picture Collection
AnyTech365 IoT Security Solutions
AnyTech365 IoT Security Solutions
Why You Shouldn't Handle a Ransomware Incident Response Alone
Why You Shouldn't Handle a Ransomware Incident Response Alone
Ransomware 3.0 in 2026: Double Extortion and RaaS Targeting Your Business
Ransomware 3.0 in 2026: Double Extortion and RaaS Targeting Your Business
Battling Ransomware: How To Respond To A Ransomware Incident
Battling Ransomware: How To Respond To A Ransomware Incident
an error screen for the computer program, which appears to have been blocked by someone's email
an error screen for the computer program, which appears to have been blocked by someone's email

REvil (2019-Present)

REvil, also known as Sodinokibi, is a ransomware-as-a-service (RaaS) group that has been active since 2019. REvil is known for its sophisticated tactics, techniques, and procedures (TTPs), as well as its high-profile targets. The group has targeted numerous organizations, including prominent technology and manufacturing companies.

REvil operates a double extortion model, exfiltrating sensitive data from targeted organizations and threatening to leak it if a ransom is not paid. This approach increases the pressure on victims to pay the ransom, as they face the potential loss of proprietary information or customer data.

DarkSide (2020-2021)

DarkSide, another prominent RaaS group, operated from 2020 until its takedown in 2021. DarkSide was known for its focus on targeting critical infrastructure, including energy, manufacturing, and transportation sectors. The group's attacks often resulted in significant disruptions to affected organizations and their customers.

DarkSide's takedown by law enforcement in 2021 marked a significant victory in the fight against ransomware. However, the group's affiliates and other RaaS operators have continued to pose a threat, demonstrating the ongoing nature of the ransomware challenge.

As ransomware continues to evolve and pose a significant threat, it is crucial for individuals and organizations to remain vigilant and implement robust cybersecurity measures. By staying informed about emerging threats and trends, and investing in strong defenses, we can better protect ourselves and our data from the ever-present danger of ransomware.