---
title: "8 Most Nefarious Ransomware Attacks from 2017 to Mid 2023 | DuoCircle"
description: "Cyber actors have been exploiting different online means to trick people and demand hefty ransom."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/data-privacy/8-most-nefarious-ransomware-attacks-from-2017-to-mid-2023/"
---

Quick Answer

Eight major ransomware incidents from 2017 to mid-2023: Colonial Pipeline (May 2021, $4.4M paid to DarkSide), WannaCry (May 2017, 200,000+ machines across 150+ countries), Ryuk against Universal Health Services (Sept 2020, $67M loss), the 2022 Costa Rican government attack, plus NotPetya, Kaseya, JBS Foods, and the Conti campaigns.


![Ransomware Attacks](https://media.mailhop.org/duocircle/images/2023/10/email-smtp-service-5674.jpg) 

Cyber actors have been exploiting different online means to trick people and demand hefty ransom. They gain unauthorized access to systems and then steal, encrypt, or intercept sensitive information to **blackmail reputed companies**.

Here, we have gathered the 8 most nefarious ransomware attacks so that you can **learn from the mistakes** and solidify your [cybersecurity](/) systems.

## Colonial Pipeline

On May 7, 2021, [Colonial Pipeline](https://en.wikipedia.org/wiki/Colonial%5FPipeline%5Fransomware%5Fattack), an American oil pipeline giant, experienced a ransomware attack that stemmed from stolen passwords and data from the company’s server. The attack impacted digital operations and prompted a condition of **regional emergency in 17 states** and Washington, DC.

Colonial Pipeline paid DarkSide, a [ransomware-as-a-service group](https://www.sdxcentral.com/articles/news/crowdstrike-finds-new-ransomware-as-a-service-group-targeting-vmware-esxi-servers-5-tips-to-fight-back/2023/05/), 75 Bitcoins, equivalent to 4.4 million USD, in exchange for **system restoration** through a tool provided by the hackers. However, a month later, the Department of Justice announced the recovery of 63.7 Bitcoins, equivalent to 2.3 million USD. The company’s operations resumed on May 12, with partial services affected for a few more days.

## WannaCry

On May 12, 2017, the [WannaCry ransomware attack](https://en.wikipedia.org/wiki/WannaCry%5Fransomware%5Fattack) hit more than **200,000 computers** across 150+ countries, impacting reputed firms like FedEx, Honda, Nissan, and the UK’s National Health Service. The threat was soon contained when a security blogger and researcher identified a ‘**kill switch**.’

Apparently, the worm involved in this [mass cyberattack](https://www.bbc.com/news/technology-65877210) was efficient in targeting only **old and unpatched computer devices**, and many of them were affected. These devices remained encrypted and inoperable until victims paid a ransom. The total ransom collected ran into the millions, although no specific amount came to light.

The WannaCry worm spread by exploiting [‘EternalBlue’](https://nordvpn.com/blog/what-is-eternalblue/#:~:text=EternalBlue%20is%20a%20Microsoft%20exploit,Windows%20XP%20and%20Windows%207.), which was developed by the US National Security Agency and **later made public** by the Shadow Brokers.

[![ransomware attack](https://media.mailhop.org/duocircle/images/2023/10/buy-smtp.jpg)](https://media.mailhop.org/duocircle/images/2023/10/buy-smtp.jpg)

## Universal Health Services

[Universal Health Services](https://www.bleepingcomputer.com/news/security/universal-health-services-lost-67-million-due-to-ryuk-ransomware-attack/) declared that it had been a victim of the infamous **Ryuk ransomware attack** in September 2020, in which business operations, primarily driven by its technical systems, were halted for almost a month. The company, one of the Fortune 500 hospital and healthcare service providers, lost almost $67 million to this attack.

[Ryuk](https://en.wikipedia.org/wiki/Ryuk%5F%28ransomware%29) is an ill-famed ransomware that attacks sizeable Microsoft Windows cybersystems linked with public entities. It works by getting unauthorized access to data, followed by its encryption until a ransom is paid in **untraceable Bitcoins**. Many factors have indicated its origin in Russia, although nothing has been confirmed yet. 

## Costa Rican Government

[Several government departments of Costa Rica](https://en.wikipedia.org/wiki/2022%5FCosta%5FRican%5Fransomware%5Fattack), including the Ministry of Finance, the Ministry of Science, Innovation, Technology and Telecommunications, the National Meteorological Institute, and the Ministry of Labor and Social Security, amongst others, were victims of an extensive **online assault** that started on April 17, 2022. It began with the implantation of [malware](/data-privacy/new-zero-click-hack-with-stealthy-root-privilege-malware-targets-ios-users/) into the system of the Finance Ministry, which subsequently extended to other departments.

The attack cost 30 million USD a day as the former president, Carlos Alvarado, initially refused to pay the demanded ransom of 10 million USD. This triggered the [Conti ransomware group](https://www.scmagazine.com/news/blockchain-conti-akira-ransomware) to **release nearly all 672 GB of the pilfered data**. Restoration of systems took several months, during which the newly elected president, Rodrigo Chaves Robles, declared a state of emergency.

## Glenn County Office of Education

On May 10, 2022, the [GCOE](https://www.actionnewsnow.com/news/crime/sheriff-glenn-county-school-district-ransomware-attack-referred-to-fbi/article%5F7fa9d182-d24e-11ec-9b50-8780ed702460.html) paid a $400,000 ransom to Quantum cyberactors in exchange for the decryption key for 160GB of stolen data. The breach led to a **shutdown of the phones and internet** services of GCOE.

## JBS, USA

On May 30, 2021, [JBS S.A.](https://en.wikipedia.org/wiki/JBS%5FS.A.%5Fransomware%5Fattack), a Brazilian **meat processing giant**, became the victim of a ransomware attack that halted its beef and pork slaughterhouses in the USA, Canada, and Australia. There was a temporary shutdown of services across Utah, Texas, Wisconsin, and Nebraska, and a major impact was observed in Pennsylvania. _In addition, the company had to stand down almost 7,000 Australian employees on June 2._

The attack halted USDA’s wholesale beef and pork price reporting on June 1, prompting concerns about meat production shortfalls and price increases. JBS aimed to resume most of its operations on June 2. The incident shed light on **industry consolidation vulnerabilities**, emphasizing potential repercussions on production if one of the major meat producers reduces output.

In response to the [cyberattack](https://www.wsj.com/tech/cybersecurity/mgm-resorts-refused-to-pay-ransom-in-cyberattack-on-casinos-3a53fa6d), JBS paid hackers an $11 million **ransom in Bitcoins**.

## Maersk

In August 2017, a Danish shipping company, [A.P. Moller-Maersk](https://porteconomicsmanagement.org/pemp/contents/part2/digital-transformation/petya-ransomware-cyber-attack-maersk/), was hit by a giant cyberattack carried out by a Russian hacking group in the form of Petya ransomware. It began with the **installation of an accounting software patch** that was maliciously infected, and it spread across the whole network. _The company contained its spread and harm but had to **temporarily pause** multiple systems and lost business in addition to a hefty ransom of 300 million USD._

The attack wasn’t restricted to just Maersk but extended to [other shipping giants](https://therecord.media/royal-dirkzwager-ransomware-attack-dutch-shipping) in the industry, like FedEx and TNT. The accumulated damage summed up to 10 billion USD.

Petya aimed not only to encrypt the files on the infected devices but also to completely erase or overwrite them, which made the **recovery process impossible**. After the attack, Maersk faced a two-week recovery period to restore its computer operations.

[![cyberattack](https://media.mailhop.org/duocircle/images/2023/10/email-sending-services-5647.jpg)](https://media.mailhop.org/duocircle/images/2023/10/email-sending-services-5647.jpg)

## Minneapolis Public Schools

In March 2023, Medusa, an infamous hacking group, demanded **1 million USD** from [Minneapolis Public Schools](https://www.bleepingcomputer.com/news/security/ransomware-gang-posts-video-of-data-stolen-from-minneapolis-schools/) in exchange for not disclosing the information they had stolen earlier by gaining unauthorized access to the district’s system through [social engineering](/phishing-protection/social-engineering-is-a-growing-threat/). The cyber actors offered a 1-day extension to the data publication deadline in exchange for an additional 50,000 USD.

However, MPS refused to pay the ransom and instead **focused on restoring** the [data encrypted by hackers](https://economictimes.indiatimes.com/news/india/five-aiims-servers-hacked-1-3tb-data-encrypted-in-cyber-attack-govt-to-parliament/articleshow/96287193.cms?from=mdr) using internal backups. This prompted the attackers to make the data public, which included sexual assault case folios, medical records, discrimination complaints, SSNs, and contact details of district employees.

## What’s the Overall Take?

Anyone and everyone can fall victim to ransomware attacks if proper [ransomware protection](/resources/locky-ransomware) and **cybersecurity mechanisms** aren’t deployed and monitored. Moreover, it’s extremely important to have a [backup email](/content/backup-email) of your data to avoid paying a hefty ransom and to reduce downtime in case a cyber menace succeeds. **Regularly backing up** your critical information can be a lifesaver in the event of a ransomware attack. This way, the attackers would be only partially successful!


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

