Ransomware Isn't Slowing Down — It's Shapeshifting
In February 2024, Change Healthcare suffered what became one of the most devastating ransomware attacks in U.S. history. The ALPHV/BlackCat ransomware group crippled the nation's largest health care payment processor, disrupting pharmacies, hospitals, and insurance claims for weeks. UnitedHealth Group eventually confirmed the breach affected approximately 100 million individuals. If you're searching for ransomware examples to understand how these attacks actually work, you won't find more instructive — or more alarming — cases than the ones from the past 18 months.
This post breaks down real ransomware examples from 2025 and recent years, explains how each attack unfolded, and gives you specific steps to harden your organization against the same tactics. No hypotheticals, no fluff — just the attacks that matter and the lessons they teach.
Why Studying Ransomware Examples Matters Right Now
The FBI's Internet Crime Complaint Center (IC3) logged 2,825 ransomware complaints in its 2023 annual report, an 18% increase over 2022, with critical infrastructure sectors bearing the brunt. According to the Verizon 2024 Data Breach Investigations Report (DBIR), ransomware and extortion together accounted for roughly 32% of all breaches, making them the single most common breach pattern.
In my experience, organizations that study real ransomware incidents are significantly better at spotting early warning signs. Reading about abstract "threats" doesn't change behavior. Reading about how a specific phishing email led to a $22 million ransom payment does.
Change Healthcare: The Attack That Rewrote the Playbook
What Happened
The ALPHV/BlackCat group gained access to Change Healthcare's systems using stolen credentials for a Citrix remote access portal that, according to UnitedHealth's own testimony to Congress, did not have multi-factor authentication enabled. The first login was on February 12. The attackers spent the next nine days moving laterally and exfiltrating data (roughly 6 terabytes by their own claim) before deploying ransomware on February 21, at which point Change Healthcare disconnected its systems and billing across the U.S. healthcare system came to a standstill.
What Made It So Devastating
Change Healthcare processes roughly 15 billion transactions per year. When it went dark, pharmacies couldn't verify insurance, providers couldn't submit claims, and patients couldn't get prescriptions filled. UnitedHealth Group confirmed paying a ransom, widely reported as $22 million based on the bitcoin transaction traced on-chain. Then, in a twist that surprises no one who's watched these groups operate, ALPHV took the money and vanished in an apparent exit scam, reportedly without paying the affiliate who had done the intrusion. Weeks later a second group, RansomHub, claimed to hold the stolen data and attempted a second extortion. Paying did not make the data go away.
The Lesson
A single point of entry — one portal without multi-factor authentication — led to a breach affecting 100 million people. If your organization still has any remote access points without MFA enforced, fix that today. Not next quarter. Today.
MOVEit Transfer: When Your Software Supply Chain Becomes the Attack Vector
What Happened
Beginning around May 27, 2023, the Cl0p ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer application, days before Progress published its advisory. They didn't deploy traditional ransomware. The exploit dropped a web shell (tracked as LEMURLOOT and written to disk as human2.aspx) that let them enumerate and pull files straight out of the MOVEit database, and they mass-exfiltrated data from hundreds of organizations simultaneously, then threatened to publish it.
The Scope
Over 2,600 organizations and more than 77 million individuals were affected. Victims included the U.S. Department of Energy, Shell, British Airways, and the BBC. The attack demonstrated a terrifying efficiency: one vulnerability, one exploitation campaign, thousands of victims.
The Lesson
Your security is only as strong as the software you depend on, and the software your vendors depend on. Many victims never ran MOVEit themselves; British Airways and the BBC were hit because their payroll provider, Zellis, did. This was a supply chain attack in its purest form. Because exploitation started before the advisory existed, patching speed alone did not decide who lost data. The organizations that fared best treated the file-transfer server as what it is, a high-value internet-facing system: they kept only data in transit on it, segmented it from the internal network, and hunted for the web shell the moment the advisory landed. Those that didn't were left waiting for Cl0p to post their data on leak sites.
LockBit: The Ransomware-as-a-Service Empire
What Happened
LockBit dominated the ransomware landscape from 2022 through early 2024. Operating as a ransomware-as-a-service (RaaS) platform, LockBit's operators provided the malware while affiliates — essentially freelance threat actors — carried out the attacks. The group hit Boeing, the Industrial and Commercial Bank of China (ICBC), and the UK's Royal Mail, among many others.
The Disruption
In February 2024, a joint operation led by the UK National Crime Agency with the FBI and Europol, called "Operation Cronos," seized LockBit's infrastructure, took over its leak site, and recovered more than 1,000 decryption keys. It was a significant blow. But LockBit stood up a new leak site within days and claimed fresh victims, a stark reminder that taking down ransomware groups is more like mowing weeds than pulling them out by the root.
The Lesson
RaaS has industrialized cybercrime. You don't need to be a skilled hacker to deploy ransomware anymore. The barrier to entry is almost nonexistent, which means the volume of attacks keeps rising. Your defenses need to assume attackers will get more numerous, not less.
Scattered Spider: Social Engineering That Bypasses Every Firewall
What Happened
Scattered Spider, a loosely organized threat actor group largely composed of young, English-speaking hackers, gained notoriety for attacks on Caesars Entertainment in late August 2023 and MGM Resorts in September 2023. Their primary tactic wasn't a sophisticated exploit; it was social engineering. They called IT help desks, impersonated employees they had researched on LinkedIn, and convinced staff to reset passwords or re-enroll MFA, which reportedly gave them administrator-level access to MGM's Okta identity environment. From there they operated as an ALPHV/BlackCat affiliate and deployed that group's ransomware inside MGM's environment.
The Impact
MGM Resorts estimated the attack cost them approximately $100 million. Hotel check-ins reverted to manual processes, slot machines went dark, and reservation systems were down for days. Caesars, whose intrusion came through a social engineering attack on an outsourced IT support vendor, reportedly paid about $15 million to avoid similar disruption.
The Lesson
This is the ransomware example I point to when someone tells me their technical controls are solid. Scattered Spider didn't hack a firewall. They hacked a person. Social engineering remains the most effective initial access technique, and your employees are either your first line of defense or your biggest vulnerability. Your help desk is the sharp end of that: no password reset or MFA re-enrollment over the phone without a verification step the caller cannot fake (a callback to a number of record, a manager's confirmation, or a live video check), and every such reset logged and reviewed as a security event. That's why I recommend every organization invest in cybersecurity awareness training, specifically training that addresses real-world social engineering scenarios, not just checkbox compliance modules.
What Do These Ransomware Examples Have in Common?
After analyzing dozens of major ransomware incidents, patterns emerge that should guide your defensive strategy:
- Credential theft is the top initial access vector. Stolen or weak credentials were the entry point in most of these attacks, and the Verizon DBIR consistently lists stolen credentials among the leading ways attackers get in.
- Multi-factor authentication failures are epidemic. Either MFA wasn't deployed, was poorly configured, or was bypassed through social engineering.
- Phishing remains the gateway. Whether it's a credential-harvesting email or a phone call to a help desk, social engineering starts the chain in most ransomware incidents.
- Double and triple extortion is standard. Threat actors encrypt data, exfiltrate it, and then threaten to publish it — sometimes hitting victims with multiple demands.
- Lateral movement takes time. In almost every case, attackers spent days or weeks inside networks before deploying ransomware; at Change Healthcare the gap between first login and encryption was nine days. Detection during this phase is your best opportunity to prevent catastrophic damage.
How Do You Protect Your Organization From Ransomware?
This is the question that matters most. Based on what these ransomware examples teach us, here are the specific steps I recommend:
1. Enforce Multi-Factor Authentication Everywhere
Not just on email. On every remote access point, every admin console, every cloud service. Phishing-resistant MFA, such as FIDO2 security keys or platform passkeys, is the gold standard because the credential is bound to the site's origin and simply will not work on a look-alike domain. SMS-based MFA is better than nothing, but it's vulnerable to SIM swapping and to relay phishing, where the victim types the code into the attacker's page and the attacker types it into the real one. Push-notification MFA has its own failure mode: attackers hammer a user with approval prompts until one gets tapped. And remember that the reset path is part of the control. Scattered Spider never defeated MFA; they talked a help desk into re-enrolling it.
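To make "phishing-resistant" concrete, here is an added example (not code from the original post) that simulates a FIDO2 login and a TOTP login against a look-alike phishing site. The relying-party checks are the ones WebAuthn specifies (challenge, origin, rpIdHash, user-presence flag, signature counter), and the browser-side rule that a page may only use an rpId matching its own host is the real one. The security key's ECDSA signature is stood in for by HMAC-SHA256 over a per-site secret so the script runs on the Python standard library alone; every hostname and secret below is constructed.

```python
import base64, hashlib, hmac, json, os, struct

RP_ID = "login.example.com"                 # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"     # the only origin the RP accepts
PHISH_ORIGIN = "https://login-example.com"  # constructed look-alike run by the attacker

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class SecurityKey:
    """Stand-in for a FIDO2 authenticator: credentials are scoped to an rpId and the key refuses
    to assert for any other rpId. HMAC over a per-rpId secret replaces the real ECDSA signature."""

    def __init__(self):
        self._creds = {}        # rp_id -> (credential_id, secret)
        self.sign_count = 0

    def register(self, rp_id):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self._creds[rp_id] = (cred_id, secret)
        return cred_id, secret  # the secret plays the part of the public key the RP stores

    def get_assertion(self, rp_id, client_data):
        if rp_id not in self._creds:
            raise LookupError(f"no credential scoped to {rp_id}")
        cred_id, secret = self._creds[rp_id]
        self.sign_count += 1
        # authenticatorData = rpIdHash (32 bytes) || flags (UP|UV) || signCount (4 bytes)
        auth_data = sha256(rp_id.encode()) + bytes([0x05]) + struct.pack(">I", self.sign_count)
        sig = hmac.new(secret, auth_data + sha256(client_data), hashlib.sha256).digest()
        return cred_id, auth_data, sig

def client_data_json(page_origin, challenge):
    """The browser, not the page's JavaScript, writes the origin into clientDataJSON."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()

def browser_get(key, page_origin, requested_rp_id, challenge):
    """Browser-side rpId rule: a page may only use its own host or a parent domain of it."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError(f"rpId {requested_rp_id} is not valid for origin {page_origin}")
    client_data = client_data_json(page_origin, challenge)
    return (client_data,) + key.get_assertion(requested_rp_id, client_data)

def rp_verify(registered, issued_challenge, client_data, cred_id, auth_data, sig):
    """Relying-party verification; the returned string names the check that failed."""
    secret, last_count = registered[cred_id]
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64url(issued_challenge):
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != sha256(RP_ID.encode()):
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    count = struct.unpack(">I", auth_data[33:37])[0]
    if count <= last_count:
        return "signature counter replay"
    expected = hmac.new(secret, auth_data + sha256(client_data), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    registered[cred_id] = (secret, count)
    return "ok"

def fido2_login(key, registered, page_origin):
    """One login from a page at page_origin asking for the real rpId (what a relay phish must do)."""
    challenge = os.urandom(32)  # issued by the RP for this login only
    try:
        client_data, cred_id, auth_data, sig = browser_get(key, page_origin, RP_ID, challenge)
    except (PermissionError, LookupError) as e:
        return f"blocked in browser: {e}"
    return rp_verify(registered, challenge, client_data, cred_id, auth_data, sig)

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: depends on the shared secret and the clock, never on where it was typed."""
    mac = hmac.new(secret, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp_login(shared_secret, code_typed_by_user, at):
    return "ok" if hmac.compare_digest(totp(shared_secret, at), code_typed_by_user) else "bad code"

if __name__ == "__main__":
    key = SecurityKey()
    cred_id, pub = key.register(RP_ID)
    registered = {cred_id: (pub, 0)}
    print("FIDO2 at real site    :", fido2_login(key, registered, RP_ORIGIN))
    print("FIDO2 at phishing site:", fido2_login(key, registered, PHISH_ORIGIN))
    otp_secret, now = os.urandom(20), 1_700_000_000
    code = totp(otp_secret, now)  # the user reads this from their phone and types it into the phish
    print("OTP relayed by phisher:", totp_login(otp_secret, code, now))
```

The FIDO2 attempt from the phishing page never reaches the server: the browser refuses to let login-example.com use the login.example.com credential, and even a forged clientDataJSON carrying the phishing origin fails the RP's origin check. The TOTP code, by contrast, carries no information about where it was typed, so the attacker's page simply forwards it and the real site accepts it.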
2. Train Employees Against Phishing and Social Engineering
Your people need to recognize phishing emails, pretexting phone calls, and credential-harvesting pages. Phishing simulation programs are one of the most effective tools I've seen. If you're looking for a place to start, phishing awareness training built for organizations can give your team practical, repeatable exposure to real-world attack scenarios.
3. Implement Zero Trust Architecture
Zero trust means never trusting a connection just because it originates from inside your network. Every access request gets verified. This approach limits lateral movement — the phase where ransomware operators do their most damaging work. CISA's Zero Trust Maturity Model is an excellent starting framework.
4. Segment Your Network
If one compromised workstation can reach your backup servers, your domain controllers, and your financial systems, you have a segmentation problem. Ransomware spreads through flat networks like fire through dry grass. Segment aggressively: block workstation-to-workstation SMB and RDP, put backups and domain controllers in their own zones reachable only from jump hosts, and deny internet-facing systems such as file-transfer servers any path inward that their function does not require.
5. Maintain Offline, Tested Backups
I've seen organizations with "backups" that hadn't been tested in two years. When they needed to restore after a ransomware attack, the backups were corrupted. Test your restores quarterly at minimum, and time them; a restore that works but takes three weeks is still an outage. Keep at least one backup set offline or immutable (object-lock storage or a write-once target), and make sure the backup server does not trust the domain credentials the attacker will already hold, because backups joined to the domain get encrypted with everything else.
6. Patch Ruthlessly
The MOVEit attack exploited a zero-day, but the vast majority of ransomware attacks exploit known vulnerabilities with available patches. Prioritize patching internet-facing systems and anything with a CISA Known Exploited Vulnerabilities (KEV) catalog entry; the catalog flags which entries are known to be used in ransomware campaigns, so start with those.
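Here is an added example of turning that advice into a patch queue (my code, not the post's). It joins scanner findings against a snapshot in the shape of CISA's KEV JSON feed and ranks each finding by KEV listing, known ransomware use, CISA due date and internet exposure. The field names are the feed's own; the three CVE IDs are real KEV entries but the dates are illustrative, the hostnames and findings are constructed, CVE-1900-0001 is a placeholder for any non-KEV finding, and the weights are an assumption you should tune.

```python
import json
from datetime import date

# Constructed snapshot in the shape of CISA's KEV JSON feed (field names are the feed's own).
# The three CVE IDs are real KEV entries; the dates are illustrative, so read them from the
# live catalog rather than from here.
KEV_SNAPSHOT = json.dumps({"title": "CISA Catalog of Known Exploited Vulnerabilities", "vulnerabilities": [
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "dateAdded": "2023-06-02", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler ADC and NetScaler Gateway",
     "dateAdded": "2023-10-18", "dueDate": "2023-11-08", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-1709", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "dateAdded": "2024-02-22", "dueDate": "2024-02-29", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed scanner output, one row per host and CVE. CVE-1900-0001 is a placeholder for any
# finding that is not in KEV, not a real identifier.
FINDINGS = [
    {"host": "dmz-moveit-01", "cve": "CVE-2023-34362", "internet_facing": True},
    {"host": "vpn-gw-01", "cve": "CVE-2023-4966", "internet_facing": True},
    {"host": "helpdesk-rmm-01", "cve": "CVE-2024-1709", "internet_facing": False},
    {"host": "intranet-wiki-01", "cve": "CVE-1900-0001", "internet_facing": True},
    {"host": "build-agent-07", "cve": "CVE-1900-0001", "internet_facing": False},
]


def load_kev(raw_json):
    """Index the feed by CVE ID so each finding is joined in constant time."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def score_finding(finding, kev, today):
    """Additive score: in KEV (40) + known ransomware use (30) + past the CISA due date (10)
    + reachable from the internet (20). The weights are an assumption; adjust to your estate."""
    score, why = 0, []
    entry = kev.get(finding["cve"])
    if entry:
        score += 40
        why.append("listed in CISA KEV")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += 30
            why.append("known ransomware campaign use")
        overdue = (today - date.fromisoformat(entry["dueDate"])).days
        if overdue > 0:
            score += 10
            why.append(f"{overdue} day(s) past CISA due date")
    if finding["internet_facing"]:
        score += 20
        why.append("internet-facing")
    tier = "P1 patch now" if score >= 70 else "P2 this cycle" if score >= 40 else "P3 backlog"
    return {"host": finding["host"], "cve": finding["cve"], "score": score, "tier": tier, "why": why}


def prioritise(findings, kev, today_iso):
    """Highest score first; ties broken by hostname so the output is stable."""
    today = date.fromisoformat(today_iso)
    ranked = [score_finding(f, kev, today) for f in findings]
    return sorted(ranked, key=lambda r: (-r["score"], r["host"]))


def kev_entries_for_products(kev, products):
    """Second use of the feed: KEV entries naming a product you run, before a scanner finds them."""
    wanted = {p.lower() for p in products}
    return sorted(v["cveID"] for v in kev.values() if v["product"].lower() in wanted)


if __name__ == "__main__":
    kev = load_kev(KEV_SNAPSHOT)
    for row in prioritise(FINDINGS, kev, "2024-03-01"):
        print(f'{row["tier"]:14} {row["score"]:3}  {row["host"]:17} {row["cve"]:15} {"; ".join(row["why"])}')
    print("KEV entries for products in the estate:",
          kev_entries_for_products(kev, ["ScreenConnect", "MOVEit Transfer"]))
```

Two things this surfaces that a CVSS-sorted list would not: the ScreenConnect host lands in P1 despite not being internet-facing, because KEV says ransomware crews are using that bug, and the internet-facing wiki with a non-KEV finding drops to the backlog. The second function is for the inventory side: run it against your software list and you know which KEV entries apply to you before the next scan.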
7. Develop and Practice Your Incident Response Plan
When ransomware hits, the first 60 minutes determine whether you contain the blast radius or watch it spread across your entire domain. Your team needs a documented, rehearsed incident response plan. Tabletop exercises twice a year are a baseline — not a luxury.
The Ransomware Threat in 2025: What's Changed
Several trends are making ransomware even more dangerous this year. Threat actors are increasingly using legitimate remote management tools, such as AnyDesk, ScreenConnect, and Atera, to maintain persistence after initial compromise. These tools blend in with normal IT activity, making detection harder. The practical answer is an allowlist: decide which RMM product your IT team uses and where it gets installed, block the rest at the endpoint and the egress proxy, and alert on any RMM binary that appears outside that footprint, including a second instance of the sanctioned product.
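An added example of that allowlist check, run over process-creation events (my code, not the post's, and not a vendor's detection content). The executable names are the vendors' real client binaries, but the policy (one sanctioned ScreenConnect instance), the hostnames, the instance fingerprints and the Sysmon-style event lines are constructed. ScreenConnect installs its client under a folder named for the instance it belongs to, which is why an attacker's own ScreenConnect server shows up here as a different install path.

```python
import json
import ntpath

# Lower-cased client executable names for common RMM products (a starting list, not a complete one).
RMM_BINARIES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
    "teamviewer.exe": "TeamViewer",
}
# Assumed policy: IT uses exactly one ScreenConnect instance. The fingerprint in the folder name
# is made up; yours comes from the client folder your deployment tool actually creates.
SANCTIONED = {"ScreenConnect"}
APPROVED_DIRS = (r"c:\program files (x86)\screenconnect client (a1b2c3d4e5f6a7b8)",)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")
INITIAL_ACCESS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe", "msedge.exe",
                          "powershell.exe", "wscript.exe", "mshta.exe"}
SILENT_SWITCHES = ("--silent", "--install", "/qn", "/quiet", "/verysilent")

# Constructed Sysmon-style process-creation events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts":"2025-03-04T09:12:01Z","host":"WS-FIN-07","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","cmdline":"AnyDesk.exe --install \"C:\\Users\\jdoe\\AppData\\Roaming\\AnyDesk\" --start-with-win --silent","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
{"ts":"2025-03-04T09:15:44Z","host":"WS-ENG-12","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3d4e5f6a7b8)\\ScreenConnect.ClientService.exe","cmdline":"\"C:\\Program Files (x86)\\ScreenConnect Client (a1b2c3d4e5f6a7b8)\\ScreenConnect.ClientService.exe\"","parent":"C:\\Windows\\System32\\services.exe"}
{"ts":"2025-03-04T09:20:03Z","host":"SRV-FILE-01","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Program Files (x86)\\ScreenConnect Client (deadbeef00000000)\\ScreenConnect.ClientService.exe","cmdline":"\"C:\\Program Files (x86)\\ScreenConnect Client (deadbeef00000000)\\ScreenConnect.ClientService.exe\"","parent":"C:\\Windows\\System32\\services.exe"}
{"ts":"2025-03-04T09:31:57Z","host":"WS-HR-03","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe","cmdline":"\"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe\"","parent":"C:\\Windows\\System32\\msiexec.exe"}
{"ts":"2025-03-04T09:40:10Z","host":"WS-ENG-12","user":"CORP\\asmith","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmdline":"chrome.exe","parent":"C:\\Windows\\explorer.exe"}
"""


def parse_events(raw):
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def assess(event):
    """Return an alert dict for an RMM process that breaks policy, else None."""
    image = event["image"]
    product = RMM_BINARIES.get(ntpath.basename(image).lower())
    if product is None:
        return None
    low_image, reasons = image.lower(), []
    if product not in SANCTIONED:
        reasons.append(f"{product} is not a sanctioned RMM tool")
    elif not low_image.startswith(APPROVED_DIRS):
        reasons.append(f"{product} running outside the approved install path (rogue instance?)")
    if any(marker in low_image for marker in USER_WRITABLE):
        reasons.append("binary lives in a user-writable directory")
    if any(flag in event.get("cmdline", "").lower() for flag in SILENT_SWITCHES):
        reasons.append("unattended install switch on the command line")
    parent = ntpath.basename(event.get("parent", "")).lower()
    if parent in INITIAL_ACCESS_PARENTS:
        reasons.append(f"spawned by {parent}, a mail/office/browser/script host")
    if not reasons:
        return None
    severity = "high" if product not in SANCTIONED or len(reasons) >= 2 else "medium"
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "product": product, "severity": severity, "reasons": reasons}


def scan(raw):
    return [a for a in (assess(e) for e in parse_events(raw)) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f'[{alert["severity"]:6}] {alert["ts"]} {alert["host"]} {alert["product"]}: '
              + "; ".join(alert["reasons"]))
```

Against the sample, the sanctioned ScreenConnect service on WS-ENG-12 is silent, the AnyDesk dropped from Outlook into Downloads with a silent-install switch is high, the Atera agent is high simply because it is not on the allowlist, and the second ScreenConnect instance on the file server is the medium-severity finding that is easiest to miss in a SIEM that only matches on product name. Pair the process rule with an egress rule on the same allowlist, since an RMM client that cannot reach its relay is useless to the intruder.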
AI-assisted phishing has also matured. Phishing emails in 2025 are more polished, more personalized, and harder to distinguish from legitimate communications. The days of spotting an attack by its broken grammar are behind us.
Data extortion without encryption is becoming more common. Some groups skip the ransomware payload entirely and go straight to stealing data and threatening publication. This means traditional "ransomware defenses" focused only on backup and recovery miss half the threat.
What Is the Most Common Way Ransomware Gets In?
Phishing and stolen credentials. According to the Verizon 2024 DBIR, the human element is involved in roughly two-thirds of breaches (68%). A well-crafted phishing email that harvests an employee's credentials gives a threat actor everything they need to begin a ransomware attack. That's why security awareness training isn't optional; it's a core control alongside phishing-resistant MFA, which takes away the value of the harvested password in the first place. Organizations that run regular phishing simulations and follow up with targeted training reduce their click rates dramatically over time.
Stop Studying Ransomware in the Abstract
Every ransomware example I've covered in this post started with something preventable — an unpatched vulnerability, a missing MFA configuration, an employee who fell for a social engineering call. The threat actors were skilled, yes. But they exploited gaps that defenders could have closed.
Your organization doesn't need a seven-figure security budget to address these gaps. Start with what the data tells you matters most: enforce MFA, train your people, segment your network, patch your systems, and test your backups. If you haven't started building a security awareness culture yet, comprehensive cybersecurity awareness training is the highest-ROI investment you can make.
The ransomware groups aren't waiting. Neither should you.