Cofense - Security Awareness Training & Email Threat Detection

How to Identify & Respond to Ransomware Attacks

The purpose of publishing a page dedicated to ransomware examples is not only to highlight the consequences of successful ransomware attacks or companies affected by ransomware. We aim to elaborate on the different ways ransomware programs are deployed, why they are so successful, and how your business can use a phishing awareness course to help defend itself against becoming a victim of ransomware – or mitigate the consequences should your defenses fail.

The first thing to point out is that, over time, the ransomware examples listed will date. What will not date is the psychology behind ransomware attacks, nor the weaknesses that result in ransomware attacks being successful. It is also reasonable to suggest that the measures recommended for defending against ransomware – or for mitigating its consequences – will remain current.

What is a Ransomware Attack?

The first recorded ransomware example was in 1989, when evolutionary biologist Dr. Joseph Popp sent floppy discs containing the PC Cyborg Trojan to hundreds of recipients under the heading “AIDS Information Introductory Diskette”. The Trojan encrypted file names on the C drive before displaying a message demanding that money be sent to a P.O. Box in Panama for “license renewal”.

The concept of demanding a ransom for data kidnapping expanded during the 1990s, as did the anonymous methods for collecting ransoms. Until the development of Bitcoin, ransom payments were demanded via prepaid cash services, Western Union wire transfers, and Amazon or iTunes gift cards. One ransomware attack demanded that texts be sent to a premium-rate SMS messaging service.

The nature of ransomware also evolved. Whereas the majority of recent ransomware examples below focus on the encryption of data and servers' web directories, there are many examples of non-encrypting ransomware that lock users' systems or that threaten to publish stolen data from victims' systems – rather than deny victims access to the data – if a ransom is not paid.

Ransomware Examples: Mobile Devices and the Cloud

As technology has evolved, the sophistication of ransomware attacks has kept pace. Device-blocking ransomware loaded into applications made available in the Google Store has infected devices on the Android platform, while attackers have exploited iCloud accounts and vulnerabilities on the Find My iPhone system to lock access to devices on the Apple platform.

Although it is believed developments in machine learning and artificial intelligence in the cloud will be able to detect and correct vulnerabilities and suspicious behaviors in the future, some security experts have warned attackers will also use these technologies to learn from defensive responses and disrupt detection models in order to exploit newly discovered vulnerabilities before defenders patch them up.

Concerns have also been raised that machine learning technology will be better at generating convincing phishing emails, and be able to do it at scale. Therefore, it is essential businesses implement measures to counter the threat from ransomware – and not just technological measures. In order to be better defended against ransomware, end users must understand the psychology behind ransomware attacks.

The Psychology Behind Ransomware Attacks

When the first phishing emails harboring ransomware circulated, they were very simplistic. “Click on the image to see the cute cat” or “Look what tricks my doggy can do” were typical hooks used to prey on a victim's curiosity and get them to open an attachment or click on a link. As awareness of ransomware increased, so did the sophistication of ransomware attacks and the psychology behind them.

Phishing emails evolved to trigger other emotions – for example, urgency, sympathy, fear and greed. Victims now received phishing emails appearing to be from technical support departments, charitable organizations and law enforcement agencies demanding action, or from bogus lottery companies with “click to win” offers.

Social engineering became the next development in ransomware psychology. Cybercriminals used freely available personal information to make emails look like they came from a legitimate source. In these ransomware examples, victims believed they were replying to an email from their bank or medical provider. Or, in a business environment, somebody from their own company.

Psychology of Ransomware Demands

Ransomware distributors know how to use psychology in their ransom demands as well. In many successful ransomware attacks, there are examples of urgency (“Pay within 72 hours or the ransom doubles”) and fear (“Pay within 72 hours or the recovery key will be destroyed and your data will remain encrypted forever”). Other ransomware examples of psychological manipulation include fake FBI warnings and fake accusations that the target has been viewing pornography.

Ransomware examples even extend to sympathy – or purport to. One variant of the CryptoWall4 ransomware distributed in 2016 promised to forward ransoms to a children’s charity. Just in case victims debated whether the promise was genuine, they were only given twenty-four hours to make their “donation” before the five Bitcoin ransom was doubled.

The charitable angle has been around for more than twenty years. Indeed, when Dr. Joseph Popp was detained following the PC Cyborg Trojan scam in 1989, he claimed in his defense the purpose of his scam was to support AIDS research. Authorities were not so charitable and charged him with eleven counts of blackmail. He was subsequently declared mentally unfit to stand trial.

Use a Phishing Awareness Course to Prepare against Future Ransomware Threats

Nobody knows if, when, or how the email data extracted from scams will be used to deliver ransomware, but it’s very likely to happen and could be the biggest ransomware attack in history. The phishing email will appear to originate from somebody known to the target (and therefore bypass spam filters), will likely involve an uncomplicated action and will have a psychological hook (urgency, sympathy, fear or greed).

Various solutions have been suggested to mitigate a ransomware attack on the scale of our ransomware examples above. These vary from ensuring systems and software are up-to-date with relevant patches, to using object storage versioning to maintain critical data in the cloud (which doesn't help if networks are infected with system-locking ransomware or your business is threatened with data exposure).

A better way to prepare against a future ransomware attack is to raise the awareness of end users – and the best way to do that is to use past ransomware examples as part of a comprehensive phishing awareness course. This is how Cofense operates, providing simulation exercises based on real examples of ransomware attacks. We can reduce employee susceptibility to phishing emails by up to 95%.

Cofense also provides end-to-end phishing mitigation for when a phishing email avoids detection by trained end users. Our Human Phishing Defense solutions condition end users to recognize and report phishing attacks in progress so that security operations center teams can respond quickly and address the issue with minimal disruption to business continuity.

To learn from ransomware examples through phishing simulation, get in touch with Cofense now and request a free demonstration. Our intelligence-driven solution is proven to protect businesses from ransomware threats. Our team will be glad to provide you with examples of ransomware attacks that have been prevented by raising employees' awareness of ransomware psychology.

Frequently Asked Questions

Ransomware attack emails are email messages that contain, or lead to, malware. This malware is capable of encrypting files and documents. Once encrypted, ransomware attackers require payment for recovery of the locked material.

Yes, you can get ransomware from an email. The email recipient will usually see a compelling email subject line, then be enticed by the email message to click on a link or open an attachment. When the attacker’s desired action is taken, the ransomware virus executes and encrypts files on the user’s computer. If that computer is attached to a network, documents and data system-wide may also be encrypted.

To many email users, particularly those unfamiliar with specific threat tactics, ransomware in email can be very difficult to detect. Effective ransomware detection requires a blend of advanced email-security software and automation, as well as users conditioned to spot email red flags. Detecting ransomware is complicated by the fact that many threat actors evade standard filters by hiding or disguising their malware in a variety of hard-to-spot ways.
