Ransomware has evolved into one of the most damaging forms of cybercrime in modern history. Organizations, governments, healthcare providers, educational institutions, and individuals have all fallen victim to ransomware attacks that encrypt files, disrupt operations, and demand payment in exchange for data recovery.
Over the past decade, cybersecurity researchers have identified hundreds of ransomware variants. Many belong to broader ransomware families that share similar code, techniques, infrastructure, or development origins. Some ransomware families have disappeared after law enforcement actions, while others continue to evolve into more sophisticated threats.
This article explores the major ransomware families that have shaped the cybersecurity landscape and continue to influence modern ransomware operations.
What Is a Ransomware Family?
A ransomware family refers to a group of ransomware variants that share common characteristics, source code, encryption methods, command-and-control infrastructure, or development lineage.
For example, multiple ransomware strains may be developed by the same threat group and receive periodic updates, creating an entire ransomware family rather than a single malware sample.
Understanding ransomware families helps security professionals identify attack patterns, attribution indicators, and effective defense strategies.
Early Ransomware Families
AIDS Trojan
The AIDS Trojan, also known as PC Cyborg, is widely considered the first known ransomware. Mailed to victims on floppy disks in 1989, it waited for a set number of reboots, then scrambled file names on the C: drive with a simple symmetric cipher and demanded a "licence renewal" fee by post to a PO box in Panama.
Although primitive by modern standards, it established the basic concept of extortion through malware. Because the cipher was symmetric and its key was fixed inside the program, researchers recovered the key and released a decryption tool, a weakness later families learned to avoid.
Archiveus
Archiveus appeared in 2006 and was one of the first ransomware families to use RSA. It moved the contents of the victim's My Documents folder into a single password-protected archive and, instead of a direct ransom payment, demanded purchases from specific online pharmacies in exchange for the password.
It demonstrated how cybercriminals could monetize encrypted data. It also showed the limits of careless key handling: the password was hardcoded in the binary, and researchers extracted it.
GPCode
GPCode, active from the mid-2000s, was one of the first ransomware families to rely on RSA to protect its keys. Early variants used RSA keys short enough to factor, or leaked enough through implementation mistakes, that researchers could recover files; by 2008 the GPCode.ak variant had moved to 1024-bit RSA, which was never broken, and victims were left depending on undelete tools to recover the originals the malware had erased. GPCode helped pave the way for future encryption-based ransomware.
Major Modern Ransomware Families
CryptoLocker
Discovered in September 2013, CryptoLocker transformed the ransomware landscape.
It introduced properly implemented public-key cryptography: a 2048-bit RSA key pair was generated for each victim on attacker-controlled servers, files were encrypted with per-file symmetric keys, and those keys were wrapped with the victim's RSA public key. The private key never touched the infected machine, so recovery required either backups or the attackers' key. CryptoLocker infected hundreds of thousands of systems before Operation Tovar disrupted the Gameover ZeuS botnet that distributed it in mid-2014, and it inspired numerous imitators.
CryptoWall
CryptoWall emerged shortly after CryptoLocker and became one of the most widespread ransomware families.
Several generations of CryptoWall were released, each improving evasion techniques and encryption capabilities.
TeslaCrypt
TeslaCrypt appeared in early 2015 and initially targeted gamers by encrypting saved games and other game-related files. Later versions expanded to encrypt general user files.
Flaws in the key handling of early versions let researchers build free decryptors; the operators shut the project down in May 2016 and handed over the master decryption key, from which ESET released a universal decryptor.
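The key-management model that left CryptoLocker victims dependent on the attackers' private key, and that TeslaCrypt's released master key reversed, as a worked example added here in Go (not code from either family): each file gets a fresh AES-GCM key, that key is wrapped with the operator's RSA public key under OAEP, and the victim's machine ends up holding only the public key and the wrapped key. The type and function names are illustrative, the file content is a constructed string, and the "unrelated" private key stands in for any key material a victim could possess.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile models what public-key ransomware leaves behind for one file: the
// content under a fresh per-file key, plus that key wrapped with the operator's RSA
// public key. The type and function names here are illustrative, not any family's.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// encryptWithPublicKey is the hybrid scheme CryptoLocker popularized: a random 256-bit
// key protects the content (AES-GCM here) and only the RSA public key is needed to wrap
// it with OAEP, so nothing on the victim machine can unwrap it afterwards.
func encryptWithPublicKey(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{nonce, gcm.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// decryptWithPrivateKey is the recovery path: unwrap the per-file key with the RSA
// private key, then open the content. A released master key (TeslaCrypt) or a seized
// key server is what puts this step in victims' hands.
func decryptWithPrivateKey(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// roundTrip shows the asymmetry on constructed content: whether the operator's private
// key recovers the original, and whether an unrelated private key (standing in for any
// key the victim could possess) fails to unwrap the file key.
func roundTrip() (bool, bool, error) {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	unrelatedKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	original := []byte("constructed sample document content")
	ef, err := encryptWithPublicKey(&operatorKey.PublicKey, original)
	if err != nil {
		return false, false, err
	}
	got, err := decryptWithPrivateKey(operatorKey, ef)
	if err != nil {
		return false, false, err
	}
	_, wrongErr := decryptWithPrivateKey(unrelatedKey, ef)
	return bytes.Equal(got, original), wrongErr != nil, nil
}

func main() {
	recovered, wrongKeyFails, err := roundTrip()
	fmt.Println("operator key recovers content:", recovered, "| unrelated key fails:", wrongKeyFails, "| error:", err)
}
```

Running it shows the operator's private key recovering the content while the unrelated key fails at the OAEP unwrap step. That single private key is the whole game: whoever holds it can produce a decryptor for every file wrapped under the matching public key, which is why a released or seized key ends a campaign's leverage, and why, short of that, only backups help.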
CTB-Locker
CTB-Locker (Curve-Tor-Bitcoin Locker) gained attention in 2014 for the three things in its name: elliptic-curve cryptography for key exchange, command-and-control traffic over the Tor anonymity network, and ransom payments in Bitcoin.
It was among the first ransomware families to aggressively target small businesses.
Enterprise-Focused Ransomware Families
Ryuk
Ryuk became notorious for targeting large organizations, hospitals, municipalities, and enterprises.
Active from 2018, Ryuk was typically deployed as the final stage of an intrusion that began with an Emotet or TrickBot infection, after the attackers had mapped the network, harvested credentials and gained domain-level access, maximizing operational disruption and the size of the ransom demand.
Conti
Conti emerged as one of the most active ransomware operations in the world.
Known for fast, multi-threaded encryption and double-extortion tactics, Conti operators stole data before encrypting systems and threatened public disclosure if victims refused to pay.
LockBit
LockBit was for several years the most prolific ransomware family globally.
The group operates a Ransomware-as-a-Service (RaaS) model, allowing affiliates to conduct attacks while sharing profits with developers.
Multiple versions, including LockBit 2.0 and LockBit 3.0 (also called LockBit Black), have been observed. The operation's infrastructure was seized in the Operation Cronos law enforcement action of February 2024, although affiliates and rebranded builds persisted afterwards.
Black Basta
Black Basta appeared in 2022 and rapidly became a major threat to enterprises.
The group uses double-extortion techniques and sophisticated intrusion methods targeting corporate networks.
BlackCat (ALPHV)
BlackCat, also known as ALPHV, emerged in late 2021 and was notable as the first major ransomware family written in the Rust programming language, with builds for Windows, Linux and VMware ESXi.
Its operators targeted organizations worldwide and leveraged advanced data theft and extortion techniques.
Notorious Global Ransomware Families
WannaCry
WannaCry became one of the most famous ransomware outbreaks in history.
In May 2017 it spread globally as a worm using EternalBlue, a leaked exploit for a Windows SMBv1 vulnerability that Microsoft had patched two months earlier in bulletin MS17-010. The attack affected hundreds of thousands of computers across more than 150 countries, and its spread slowed only after a researcher registered the kill-switch domain the malware checked before encrypting.
Hospitals, businesses, and government agencies experienced significant disruptions; the UK's National Health Service was among the most visibly affected.
NotPetya
Although often categorized as ransomware, NotPetya functioned more like a destructive cyberweapon. It was released in June 2017 through a trojanized update of M.E.Doc, an accounting package widely used in Ukraine.
The malware spread rapidly through corporate networks, combining the EternalBlue and EternalRomance SMB exploits with credential theft and remote execution over PsExec and WMIC, and caused billions of dollars in damages worldwide.
Unlike traditional ransomware, recovery was generally impossible even if victims paid: the "installation key" shown in the ransom note was random data, so the operators had no way to derive a decryption key from it.
Bad Rabbit
Bad Rabbit, seen in October 2017, primarily targeted organizations in Russia and Ukraine and spread through compromised news websites serving a fake Adobe Flash Player update.
Once inside a network it propagated over SMB using a list of hardcoded credentials, credentials harvested with a bundled Mimikatz component and the EternalRomance exploit, worm-like behaviour comparable to WannaCry's.
Ransomware-as-a-Service Families
REvil (Sodinokibi)
REvil, also known as Sodinokibi, became one of the most successful Ransomware-as-a-Service operations after appearing in 2019.
Its affiliates targeted major corporations, including the July 2021 supply-chain attack through Kaseya VSA, and demanded multimillion-dollar ransoms. High-profile incidents brought significant attention from international law enforcement agencies, culminating in infrastructure seizures and arrests of affiliates in late 2021 and early 2022.
DarkSide
DarkSide gained global attention after its May 2021 attack on Colonial Pipeline disrupted fuel distribution across the eastern United States.
The group operated a professional affiliate model and focused on large organizations capable of paying substantial ransoms.
Avaddon
Avaddon operated under the RaaS model and targeted businesses worldwide before shutting down in June 2021 and releasing its decryption keys.
Hive
Hive ransomware became known for attacks against healthcare organizations and public institutions.
The FBI gained covert access to Hive's infrastructure in mid-2022 and quietly passed decryption keys to victims; the operation's servers were seized in a coordinated international action in January 2023.
Emerging and Active Ransomware Families
Akira
Akira has emerged as a significant ransomware threat targeting organizations across multiple industries.
The group combines encryption with data theft to increase pressure on victims.
Clop
Clop has been linked to large-scale attacks exploiting zero-day vulnerabilities in managed file-transfer products, including Accellion FTA, Fortra GoAnywhere MFT and Progress MOVEit Transfer.
In these campaigns the group often skipped encryption entirely, stealing data from hundreds of organizations at once and extorting them on the threat of publication.
Medusa
Medusa ransomware has targeted businesses, educational institutions, and healthcare providers.
The operators employ double-extortion tactics and public leak sites.
RansomHub
RansomHub is among the newer ransomware operations, gaining prominence in 2024 after the law enforcement disruption of LockBit and the collapse of BlackCat/ALPHV.
The operation has attracted affiliates from previously dismantled ransomware programs.
Play
Play ransomware has become increasingly active against enterprises and critical infrastructure organizations.
The group is known for rapid deployment following network compromise.
Other Notable Ransomware Families
Numerous additional ransomware families have been observed over the years, including:
- Dharma (CrySiS)
- Phobos
- Cerber
- Maze
- Egregor
- Ragnar Locker
- Zeppelin
- MountLocker
- SunCrypt
- Cuba
- Vice Society
- HelloKitty
- Royal
- Nokoyawa
- Babuk
- Mespinoza
- Lorenz
- Quantum
- Yanluowang
- Pysa
- BianLian
- Qilin
- Hunters International
- INC Ransom
- DragonForce
- 8Base
- Rhysida
- Everest
Many of these families use double-extortion strategies involving both file encryption and data theft.
Common Characteristics of Modern Ransomware
While ransomware families differ technically, most modern operations share several characteristics:
- Data encryption
- Data exfiltration
- Double extortion
- Ransomware-as-a-Service business models
- Cryptocurrency payments
- Targeted enterprise attacks
- Lateral network movement
- Credential theft
- Remote access exploitation
- Public leak sites
Modern ransomware groups increasingly operate like professional businesses with customer support portals, affiliate programs, negotiation teams, and revenue-sharing arrangements.
Protecting Against Ransomware
Organizations can significantly reduce ransomware risk by implementing layered cybersecurity measures:
- Regular offline or immutable backups, with restores tested
- Multi-factor authentication
- Vulnerability management
- Security awareness training
- Network segmentation
- Endpoint detection and response solutions
- Email security controls
- Privileged access management
- Continuous monitoring
- Incident response planning
No single security control can completely prevent ransomware, but a defense-in-depth strategy greatly improves resilience.
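What endpoint detection and continuous monitoring look for in practice, as a detection example added here (not a tool from any vendor or group named on this page): two behaviours that nearly every family above shares, a single process renaming many files to one new extension in a short window, and the same note file appearing in directory after directory. The code is Go over constructed file-event records; the process name encsvc.exe, the .lck9 extension and the RESTORE_FILES.txt name are invented for the sample, and the thresholds are set to fit it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// FileEvent is one file-system audit record (Sysmon, auditd or EDR file telemetry map onto it).
type FileEvent struct {
	TS      time.Time
	Process string
	PID     int
	Action  string // "create" or "rename"
	Path    string
	NewPath string // rename destination, empty otherwise
}
// Finding is one detection hit; Actor is "process (pid N)".
type Finding struct{ Rule, Actor, Detail string }
// sampleEvents is constructed: one ordinary rename by a word processor, then a fictitious
// process (encsvc.exe and .lck9 are invented) renaming documents in bulk and dropping a note per directory.
const sampleEvents = `2024-05-02T09:14:01Z|winword.exe|3120|rename|C:\Users\jdoe\Documents\~WRL0003.tmp|C:\Users\jdoe\Documents\report.docx
2024-05-02T09:20:10Z|encsvc.exe|4412|rename|C:\Users\jdoe\Documents\report.docx|C:\Users\jdoe\Documents\report.docx.lck9
2024-05-02T09:20:10Z|encsvc.exe|4412|rename|C:\Users\jdoe\Documents\budget.xlsx|C:\Users\jdoe\Documents\budget.xlsx.lck9
2024-05-02T09:20:11Z|encsvc.exe|4412|create|C:\Users\jdoe\Documents\RESTORE_FILES.txt|
2024-05-02T09:20:11Z|encsvc.exe|4412|rename|C:\Users\jdoe\Pictures\holiday.jpg|C:\Users\jdoe\Pictures\holiday.jpg.lck9
2024-05-02T09:20:12Z|encsvc.exe|4412|create|C:\Users\jdoe\Pictures\RESTORE_FILES.txt|
2024-05-02T09:20:12Z|encsvc.exe|4412|rename|D:\Shares\finance\q1.xlsx|D:\Shares\finance\q1.xlsx.lck9
2024-05-02T09:20:13Z|encsvc.exe|4412|create|D:\Shares\finance\RESTORE_FILES.txt|`

// parseEvents rejects malformed lines rather than skipping them: dropped records hide evidence.
func parseEvents(raw string) ([]FileEvent, error) {
	var out []FileEvent
	for i, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Split(line, "|")
		if len(f) != 6 {
			return nil, fmt.Errorf("line %d: expected 6 fields, got %d", i+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		pid, err2 := strconv.Atoi(f[2])
		if err != nil || err2 != nil {
			return nil, fmt.Errorf("line %d: bad timestamp or pid", i+1)
		}
		out = append(out, FileEvent{ts, f[1], pid, f[3], f[4], f[5]})
	}
	return out, nil
}

// baseExt returns base name and extension for Windows or POSIX paths without touching the filesystem.
func baseExt(p string) (base, ext string) {
	base = p[strings.LastIndexAny(p, `\/`)+1:]
	if j := strings.LastIndex(base, "."); j > 0 {
		ext = base[j:]
	}
	return base, ext
}

// analyze applies two behavioural rules per actor: at least minFiles renames to one new
// extension within window, and one file name created in at least minDirs distinct paths.
func analyze(raw string, minFiles int, window time.Duration, minDirs int) ([]Finding, error) {
	events, err := parseEvents(raw)
	if err != nil {
		return nil, err
	}
	renames := map[[2]string][]time.Time{}   // {actor, new extension} -> rename times (input is time-ordered)
	notes := map[[2]string]map[string]bool{} // {actor, file name} -> full paths; same name, different path = different directory
	for _, e := range events {
		a := fmt.Sprintf("%s (pid %d)", e.Process, e.PID)
		base, oldExt := baseExt(e.Path)
		switch e.Action {
		case "rename":
			if _, newExt := baseExt(e.NewPath); newExt != "" && newExt != oldExt {
				renames[[2]string{a, newExt}] = append(renames[[2]string{a, newExt}], e.TS)
			}
		case "create":
			k := [2]string{a, base}
			if notes[k] == nil {
				notes[k] = map[string]bool{}
			}
			notes[k][e.Path] = true
		}
	}
	var out []Finding
	for k, ts := range renames {
		if span := ts[len(ts)-1].Sub(ts[0]); len(ts) >= minFiles && span <= window {
			out = append(out, Finding{"mass-rename", k[0], fmt.Sprintf("%d files renamed to %s in %s", len(ts), k[1], span)})
		}
	}
	for k, dirs := range notes {
		if len(dirs) >= minDirs {
			out = append(out, Finding{"ransom-note", k[0], fmt.Sprintf("%q created in %d directories", k[1], len(dirs))})
		}
	}
	return out, nil
}

func main() {
	fmt.Println(analyze(sampleEvents, 4, time.Minute, 3))
}
```

On the sample, the word processor's single .tmp to .docx rename stays below the threshold while the invented process trips both rules. In production the thresholds need baselining per host, because backup agents, archivers and build tools also rename in bulk; the combination of the two rules, plus a rename burst that crosses directories and shares, is what separates encryption from housekeeping.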
The Continuing Evolution of Ransomware
Ransomware continues to evolve as cybercriminals adapt to changing technologies, law enforcement actions, and defensive measures. New ransomware families emerge regularly, while existing groups modify their tactics to increase profitability and evade detection.
The shift from opportunistic attacks against individuals to highly targeted operations against enterprises has transformed ransomware into a major global cybersecurity challenge. Understanding the major ransomware families and their methods is essential for security professionals, business leaders, and organizations seeking to protect their systems, data, and operations from one of the most persistent threats in the digital world.