Ransomware Groups that Made the Biggest Attacks

In recent years ransomware attacks have been increasing rapidly. The summed value of the damage caused by their attacks reaches $20 billion.

This large volume of resources being moved by ransomware groups has sparked the interest of many criminals, starting a race to develop even more powerful malware.

Big Game Hunting”, as it is called, is more active than ever, and the projections for 2022 are worrying.
Let’s look at the groups that have made the biggest attacks in recent years.

Ransomware REvil Sodinokibi

Ransomware REvil Sodinokibi, one of the most notorious groups today, is listed for the highest charges in ransomware attacks.

The company Kaseya suffered the damage that reached $70 million, just by paying the ransom demanded by the group.

Ransomware WannaCry

The WannaCry Ransomware is a very old group, but it has left its mark. In May 2017 it began spreading in Europe.

After four days of expansion, the antivirus company Avast managed to capture more than 250,000 attacks from the ransomware, in more than 116 countries.

It estimated that the group received about $4 billion in ransomware. Large companies were among its victims, such as Nissan, FedEx and Renault.

Ragnar Locker

The Ragnar Locker ransomware is still active today. In April 2020, the group made an attack on Portuguese energy company Energias de Portugal (EDP), and charged $10 million for the ransom.

The group reported that over 10 TB were extracted, and would be leaked if the company did not pay the ransom in the time stipulated by the group.

Ransomware SamSam

The SamSam Ransomware emerged in late 2015, they made several invasions. Including in the attacks the Colorado Department of Transportation.

It has a peculiar feature, the group exploits holes in the ISS for FTP getting the RDP.

It was set up in Eastern Europe, and the courts managed to arrest two Iranians who confirmed participating in the attacks. The group caused damage of about 30 million dollars.

Ransomware CryptoLocker

The CryptoLocker ransomware emerged in 2013. The group made large-scale attacks, spreading through spam email campaigns.

The group used the RSA algorithm for encryption, so it charged a fee to release the decryption key. According to antivirus company Avast, more than 500,000 machines were infected by them.

However, they were taken down through an operation called Trovar, which was composed of American and European agencies.


These were the largest attacks ever identified both in mass and in value. There is current and updated ransomware as dangerous as these, or even more so.

Most of the groups mentioned above have ceased their activities, with the exception of Ragnar Locker, and there is evidence of a possible return of REvil Sodinokibi.

Big Game Hunting is still going on today, and is unlikely to end, so investment in cyber security is vitally important for businesses.

And faced with this haunting scenario of ransomware attacks, RansomHunter has emerged as a hope, being able to decrypt ransomware files on any storage device.

Frequently Asked Questions About Ransomware Recovery

Every day, ransomware attacks get
better and better. After a successful
attack attempt, ransomware quickly
maps the user’s most important files to
begin encryption. Microsoft Office files,
databases, PDFs and design are among
its main targets.

Yes, yet the ransomware is designed not to be identified by the firewall, so it can infiltrate the company’s internal system and disable defenses, move laterally, and alter backup routines. Get Expert Help to Decrypt Files › The user can identify the ransomware action, even if the system cannot identify it, the malware uses the system’s own resources for the encryption process, and may be slow to respond to user requests. The file extensions are changed, a specific extension is added that mentions the attacker group. Stay tuned for these signs.
Yes, it is possible. But there is a risk that some files will be corrupted. Once you identify the ransomware action on the system, disconnect the device from the internet, this will break the group communication with the malware, some ransomware can continue encryption even without internet access. You can also initiate antivirus countermeasures to isolate the malware and delete it, if the antivirus has not been disabled by the ransomware. Stopping the encryption is extremely difficult, the ransomware is designed to disable any system or user countermeasures, decreasing the chances of the process being interrupted. Get Expert Help to Decrypt Files ›
The attacks usually happen when there is a drop in the flow of users in the system, which happens on weekends and holidays, during the early hours of the morning, making these dates suitable for attacks. Get Expert Help to Decrypt Files ›
There are numerous encryption algorithms, but the most widely used are RSA [Rivest-Shamir-Adleman]-2048 and AES [Advanced Encryption Standard]. Get Expert Help to Decrypt Files ›
First of all, keep calm, criminals count on the victim’s desperation. Follow these tips:
  • Isolate the affected device – The ransomware can move laterally through the system and reach other devices, so it is important to isolate its field of action.
  • Verify backup – If the backup has not been reached by the ransomware, data can be quickly restored without major problems.
  • Avoid contact with criminals – Criminals use psychological tactics to extort as much money as possible in the shortest possible time, the fact that the victim is emotionally involved with the incident makes him an easy target.
  • Don’t negotiate with the criminals – The group gives no guarantee that the decryption key will be released after the ransom is paid, you have to take only the criminals’ word for it. Besides the payment will fund the group for further attacks.
  • Contact government authorities – The government has agencies that specialize in combating cyber attacks, which will investigate the case.
  • Contact a company that specializes in decrypting Ransomware files – RansomHunter is able to decrypt ransomware files without the need for the decryption key, their solutions are an option to paying the ransom.
Get Expert Help to Decrypt Files ›
After the first contact and sending of the data we will diagnose the files to check the extent of the damage caused by ransomware, with this we can project the duration of the process and provide the budget. After the client approves the budget, we start the decryption process, for this we have exclusive software that can, with the help of our specialists, reconstruct the data. After the end of the process we will do a double check so that the client can verify the integrity of the recovered files. Payment is only made after delivery of the files and validation of the same by the client. Get Expert Help to Decrypt Files ›

We Are Always Online

Fill in the form and we will make contact to you to start the decrypt of your files.
Always at your disposal, 24×7

The Latest Insights From Our Experts


Recover MySQL Database

MySQL is one of the best known databases in the world for its simplicity and effectiveness. But still, there are cases of data loss in MySQL, and if this happens you need to know how to proceed with data recovery.

Read More
To ensure a better experience on our site, by continuing browsing, you agree to the use of cookies in accordance with our privacy policy.