Ransomware Attack Examples and the Psychology Behind Ransomware

The purpose of publishing a page dedicated to ransomware examples is not only to highlight the consequences of successful ransomware attacks or companies affected by ransomware. We aim to elaborate on the different ways ransomware programs are deployed, why they are so successful, and how your business can use a phishing awareness course to help defend itself against becoming a victim of ransomware – or mitigate the consequences should your defenses fail.

The first thing to point out is that, over time, the ransomware examples listed will date. What will not date is the psychology behind ransomware attacks, nor the weaknesses that result in ransomware attacks being successful. It is therefore reasonable to suggest that the measures recommended to defend against ransomware – or mitigate its consequences – will also remain current.

What is Ransomware

The first recorded example of ransomware was in 1989, when evolutionary biologist Dr. Joseph Popp sent floppy discs containing the PC Cyborg Trojan to hundreds of recipients under the heading “AIDS Information Introductory Diskette”. The Trojan encrypted file names on the C drive before displaying a message demanding money was sent to a P.O. Box in Panama for “license renewal”.

The concept of demanding a ransom for data kidnapping expanded during the 1990s, as did the anonymous methods for collecting ransoms. Until the development of Bitcoin, ransom payments were demanded via prepaid cash services, Western Union wire transfers, and Amazon or iTunes gift cards. One ransomware attack demanded that texts be sent to a premium-rate SMS messaging service.

The nature of ransomware also evolved. Whereas the majority of recent ransomware examples below focus on the encryption of data and servers' web directories, there are many examples of non-encrypting ransomware that lock users' systems or that threaten to publish stolen data from victims' systems – rather than deny victims access to the data – if a ransom is not paid.

Ransomware Examples from Recent Years

The development of Bitcoin and the availability of ransomware-as-a-service on the Dark Web led to substantial growth in ransomware attacks. Although the actual number of attacks and victims is hard to quantify due to underreporting, the scale of the recent attacks is greater than has been seen before. Some ransomware examples from recent years include:

  • From September 2013 to May 2014, the CryptoLocker ransomware attack is estimated to have affected between 250,000 and 500,000 computers. The ransomware was deployed via a Trojan hidden within a ZIP file attached to spam emails.
  • In September 2014, a similar attack evaded detection by email filters by requesting recipients visit a rogue website (via a link) in order to address a failed parcel delivery notice. The rogue website would then download the ransomware payload.
  • Also in September 2014, the CryptoWall ransomware spread wildly due to users downloading executable files disguised as images on spam emails. This attack deleted backup copies and installed spyware to obtain passwords and steal Bitcoin wallets.
  • The Petya ransomware variant, discovered in 2016, was the first ransomware allegedly used for a politically motivated attack. The malware spread rapidly via a hacked tax preparation program in Ukraine and affected major business partners across the globe.
  • In May 2017, the WannaCry ransomware, the biggest ransomware attack in history, exploited vulnerabilities in unpatched and older versions of Windows operating systems. WannaCry is estimated to have affected 200,000 computers, but could have been much worse had a security expert not discovered a kill switch.

This list of ransomware examples from recent years indicates that ransomware attacks are becoming more sophisticated in nature, with potentially more devastating consequences, especially for companies affected by ransomware. However, a common theme is that they could all have been avoided with better security awareness and due diligence – an important consideration bearing in mind where ransomware attacks seem to be heading.

Ransomware Examples: Mobile Devices and the Cloud

As technology has evolved, the sophistication of ransomware attacks has kept pace. Device blocking ransomware loaded into applications made available in the Google Store has infected devices on the Android platform, while attackers have exploited iCloud accounts and vulnerabilities on the Find My iPhone system to lock access to devices on the Apple platform.

Although it is believed developments in machine learning and artificial intelligence in the cloud will be able to detect and correct vulnerabilities and suspicious behaviors in the future, some security experts have warned attackers will also use these technologies to learn from defensive responses and disrupt detection models in order to exploit newly discovered vulnerabilities before defenders patch them up.

Concerns have also been raised that machine learning technology will be better at generating convincing phishing emails, and be able to do it at scale. Therefore, it is essential businesses implement measures to counter the threat from ransomware – and not just technological measures. In order to be better defended against ransomware, end users must understand the psychology behind ransomware attacks.

The Psychology Behind Ransomware Attacks

When the first phishing emails harboring ransomware circulated, they were very simplistic. “Click on the image to see the cute cat” or “Look what tricks my doggy can do” were typical hooks used to prey on a victim's curiosity and get them to open an attachment or click on a link. As awareness of ransomware increased, so did the sophistication of ransomware attacks and the psychology behind them.

Phishing emails evolved to trigger other emotions – for example, urgency, sympathy, fear and greed. Victims now received phishing emails appearing to be from technical support departments, charitable organizations and law enforcement agencies demanding action, or from bogus lottery companies with “click to win” offers.

Social engineering became the next development in ransomware psychology. Cybercriminals used freely available personal information to make emails look like they came from a legitimate source. In these ransomware examples, victims believed they were replying to an email from their bank or medical provider. Or, in a business environment, somebody from their own company.

Psychology of Ransomware Demands

Ransomware distributors know how to use psychology in their ransom demands as well. In many successful ransomware attacks, there are examples of urgency (“Pay within 72 hours or the ransom doubles”), and fear (“Pay within 72 hours or the recovery key will be destroyed and your data will remain encrypted forever”). Other ransomware examples of psychological manipulation include fake FBI warnings and fake accusations that the target has been viewing pornography.

Ransomware examples even extend to sympathy – or purport to. One variant of the CryptoWall4 ransomware distributed in 2016 promised to forward ransoms to a children’s charity. Just in case victims debated whether the promise was genuine, they were only given twenty-four hours to make their “donation” before the five Bitcoin ransom was doubled.

The charitable angle has been around for more than twenty years. Indeed, when Dr. Joseph Popp was detained following the PC Cyborg Trojan scam in 1989, he claimed in his defense the purpose of his scam was to support AIDS research. Authorities were not so charitable and charged him with eleven counts of blackmail. He was subsequently declared mentally unfit to stand trial.

Google Docs Scam Raises Concerns for Future Attacks

Most ransomware attacks are one-off events in which an attack is deployed and the consequences resolved – either with the payment of a ransom or a technological solution. The Google Docs scam is different, and raises concerns because it doesn’t follow previous patterns but instead points to the possibility of future sizable, carefully crafted, and socially engineered ransomware attacks.

In the Google Docs scam, targets received an email from a known source, claiming they were sharing a Google Doc. The email contained what appeared to be a link to the Google Doc file. When recipients clicked on it, they were taken to a legitimate Google.com page. On the page, the mystery attacker had uploaded a rogue web app asking the recipient to allow “Google Docs” to access their Gmail account.

When permission was granted, the app gained control over the webmail account and sent the same spam message to targets' contact lists (explaining why the emails appeared to have come from a known source). Google acted quickly to prevent the email spreading, but the contact lists of more than one million email accounts were accessed and compromised before the attack was stopped.
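A defender can look for this pattern in OAuth grant data. The following added example (not from the original article or from Google) audits a constructed list of grant records and flags apps that borrow a trusted product name under an unverified client ID, or that hold mailbox or contacts scopes; the record layout, client IDs and allowlist are assumptions.

```python
import unicodedata

# Assumption: protected product names -> client IDs verified as genuine (placeholders).
VERIFIED_CLIENTS = {
    "google docs": {"verified-docs-client-id"},
}
# Scopes that grant the mailbox and contact-list access described above.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts",
}

def normalise(name):
    """Fold case, compatibility forms, invisible characters and extra spaces."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    visible = "".join(c for c in folded if unicodedata.category(c) != "Cf")
    return " ".join(visible.split())

def audit_grants(grants):
    """Return a finding for each grant that resembles the rogue-app pattern."""
    findings = []
    for grant in grants:
        verified = VERIFIED_CLIENTS.get(normalise(grant["app_name"]))
        risky = sorted(set(grant["scopes"]) & SENSITIVE_SCOPES)
        if verified is not None and grant["client_id"] not in verified:
            reason = "trusted name, unverified client"
        elif verified is None and risky:
            reason = "unknown app with mail/contacts access"
        else:
            continue
        findings.append((grant["user"], grant["client_id"], reason))
    return findings

# Constructed sample records in a hypothetical export format.
SAMPLE_GRANTS = [
    {"user": "alice", "app_name": "Google Docs", "client_id": "verified-docs-client-id",
     "scopes": ["https://www.googleapis.com/auth/drive.file"]},
    {"user": "bob", "app_name": "Google Docs", "client_id": "constructed-rogue-id-1",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"]},
    {"user": "carol", "app_name": "GOOGLE\u200b Docs ", "client_id": "constructed-rogue-id-2",
     "scopes": ["https://www.googleapis.com/auth/contacts"]},
    {"user": "dave", "app_name": "Mail Merge Helper", "client_id": "constructed-merge-id",
     "scopes": ["https://www.googleapis.com/auth/gmail.send"]},
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print(finding)
```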

What’s concerning about this scam is that there was no apparent negative outcome. Every target is still able to access their contacts list and nobody has been asked to send a ransom. Somebody, somewhere, is sitting on the contact lists of more than one million email accounts, with the potential the information could be used to generate convincing phishing emails harboring ransomware.

Use a Phishing Awareness Course to Prepare against Future Ransomware Threats

Nobody knows if, when or how the email data extracted from the Google Docs scam will be used to deliver ransomware, but it’s very likely to happen and may be the biggest ransomware attack in history. The phishing email will appear to originate from somebody known to the target (and therefore bypass spam filters), will likely involve an uncomplicated action (like sharing a Google Doc) and will have a psychological hook (urgency, sympathy, fear or greed).

Various solutions have been suggested to mitigate a ransomware attack on the scale of our ransomware examples above. These vary from ensuring systems and software are up-to-date with relevant patches, to using object storage versioning to maintain critical data in the cloud (which doesn't help if networks are infected with system-locking ransomware or your business is threatened with data exposure).

A better way to prepare against future ransomware attacks is to raise the awareness of end users – and the best way to do that is to use past ransomware examples as part of a comprehensive phishing awareness course. This is how Cofense operates, providing simulation exercises based on real examples of ransomware attacks. We can reduce employee susceptibility to phishing emails by up to 95%.

Cofense also provides end-to-end phishing mitigation for when a phishing email avoids detection by trained end users. Our Human Phishing Defense solutions condition end users to recognize and report phishing attacks in progress in order that security operation center teams can respond quickly and address the issue with minimal disruption to business continuity.

To learn from ransomware examples through phishing simulation, get in touch with Cofense now and request a free demonstration. Our intelligence-driven solution is proven to protect businesses from ransomware threats. Our team will be glad to provide you with examples of ransomware attacks that have been prevented by raising employees' awareness of ransomware psychology.

Frequently Asked Questions

Ransomware attack emails are email messages that contain, or lead to, malware. This malware is capable of encrypting files and documents. Once encrypted, ransomware attackers require payment for recovery of the locked material.

Yes, you can get ransomware from an email. The email recipient will usually see a compelling email subject line, then be enticed by the email message to click on a link or open an attachment. When the attacker’s desired action is taken, the ransomware virus executes and encrypts files on the user’s computer. If that computer is attached to a network, documents and data system-wide may also be encrypted.

To many email users, particularly those unfamiliar with specific threat tactics, ransomware in email can be very difficult to detect. Effective ransomware detection requires a blend of advanced email-security software and automation, as well as users conditioned to spot email red flags. Detecting ransomware is complicated by the fact that many threat actors evade standard filters by hiding or disguising their malware in a variety of hard-to-spot ways.
