Updated: August 1, 2025. We decided to revisit this list a year later and have added several massive new payments, including a record-breaking new #1. The updated rankings removed FatFace ($2M), UCSF ($1.14M), Judson Independent School District ($547K), and Glenn County Office of Education ($400K) to make room for much larger payouts.
Step into the high-stakes world of 21st-century cyber warfare, where ransomware attacks have evolved into a digital menace haunting organizations across the spectrum. Picture this: your valuable data held hostage, encrypted into a digital puzzle, and the only way out is a hefty ransom. Uncover the 10 biggest ransomware payouts of our time.
The Ones that Got Away: Where Payouts were Avoided
Here are some big ransomware attacks you may have heard of where a ransom payment was avoided:
Kaseya (2021)
The Kaseya ransomware attack made waves as hackers demanded a historic $70 million ransom to restore data for 1,500 affected businesses.
Maersk (2017)
The NotPetya ransomware dealt a heavy blow to shipping giant Maersk, infecting 50,000 endpoints across 130 countries in an unintended attack, triggering a 10-day manual recovery and causing an estimated $300 million in losses.
UK National Health Service (2017)
A ransomware strike on the UK National Health Service (NHS), targeting software provider Advanced, disrupted crucial healthcare services like patient referrals and emergency prescriptions.
Costa Rica (2022)
The Conti ransomware gang, believed to operate from Russia, plunged Costa Rica into chaos by infiltrating 27 government institutions and demanding an escalating ransom, reaching a staggering $20 million.
Ukraine (2017 and 2022)
In 2017, Ukraine battled a widespread cyber onslaught with Petya malware, which spread globally from Ukrainian tax software. Fast forward to 2022, cyberattacks intensified during the Russian invasion’s buildup, prompting the arrest of a Ukrainian ransomware gang leader accused of extracting “several hundred millions of euros” across 71 countries.
10 Biggest Ransomware Payouts
#1: Dark Angels – $75 Million (2024)
In the biggest ransomware payday ever recorded, an unnamed Fortune 50 company forked over a staggering $75 million to the Dark Angels gang in early 2024. The victim’s identity remains under wraps.
Dark Angels snatched roughly 100TB of data while playing the long game. Unlike ransomware gangs that spray and pray, these hunters focus on one major company at a time, often skipping the encryption to keep businesses running while they twist the knife with pure data extortion.
#2: CNA Financial – $40 Million (2021)
In March 2021, CNA Financial, a major U.S. insurance company, faced a record-breaking ransomware attack. The Phoenix ransomware crew, linked to the notorious Evil Corp, locked them out for two weeks before CNA paid $40 million to regain control.
CNA played it by the book, consulting with the FBI and Treasury Department before making the payment. For three years, this held the crown as the largest confirmed ransom payment until Dark Angels shattered the record.
#3: CDK Global – $25 Million (2024)
June 2024 turned into a nightmare for American car sales when BlackSuit ransomware crippled CDK Global, the software backbone for 15,000 dealerships. Suddenly, salespeople across the continent were back to pen and paper like it was 1985.
CDK paid 387 Bitcoin (worth $25 million at the time) to end the chaos, but the damage was done. Dealerships lost over $1 billion in the two-week shutdown. Adding insult to injury, BlackSuit hit them twice, striking again just as CDK thought they were recovering from the first attack.
#4: Change Healthcare – $22 Million (2024)
UnitedHealth paid $22 million to ALPHV/BlackCat ransomware after the group breached Change Healthcare in March 2024. The payment was confirmed by UnitedHealth’s CEO during congressional testimony. Change Healthcare processes prescription data for pharmacies nationwide.
The attack disrupted prescription processing across the U.S., affecting patients’ ability to fill medications and causing widespread pharmacy outages. This was one of the largest healthcare breaches in history, demonstrating how attacks on critical infrastructure providers can have nationwide impacts.
#5: Caesars Entertainment – $15 Million (2023)
In September 2023, Caesars Entertainment fell victim to a sophisticated social engineering attack by Scattered Spider and ALPHV. The cybercriminals didn’t need to hack anything: they simply called up employees, impersonated IT staff, and tricked them into handing over the keys to the kingdom.
Caesars paid $15 million rather than risk operational chaos during peak business periods. The attack once again showed how human psychology, not just technology, remains the weakest link in cybersecurity.
#6: JBS – $11 Million (2021)
In a May 2021 cyber showdown, meat mogul JBS S.A. faced a ransomware blitz that mirrored the chaos of the Colonial Pipeline saga. From disrupted U.S. beef hubs to Aussie beef woes, the attack cost JBS a cool $11 million in Bitcoin.
JBS publicly confirmed the payment to REvil ransomware. The Brazilian giant said disclosure was necessary given their role in global food supply chains and the potential impact on consumers.
#7: CWT – $4.5 Million (2020)
In July 2020, CWT, a major player in corporate travel, faced a ransomware attack using the notorious Ragnar Locker. The hackers demanded a hefty $4.5 million ransom in Bitcoin, threatening to expose sensitive data from Fortune 500 clients.
With 30,000 computers at risk and the travel industry already hammered by COVID-19, CWT chose to pay up.
#8: Colonial Pipeline – $4.4 Million (2021)
May 2021 saw a ransomware attack on the Colonial Pipeline, which triggered panic buying and fuel shortages along the East Coast. The DarkSide group orchestrated the attack on America’s largest fuel pipeline, leading to a $4.4 million ransom payment in Bitcoin.
CEO Joseph Blount later confirmed the payment in a Wall Street Journal interview. The FBI managed to recover $2.3 million by seizing DarkSide’s Bitcoin wallet.
#9: Brenntag – $4.4 Million (2021)
Global chemical distributor Brenntag’s North America division got hit by the DarkSide ransomware group in April 2021. The attackers encrypted devices and stole 150GB of sensitive data, then demanded payment to prevent a public data dump.
After negotiating, Brenntag paid a $4.4 million ransom in Bitcoin to prevent a data leak. Fortunately, the stolen data wasn’t misused.
#10: Travelex – $2.3 Million (2019)
On New Year’s Eve, Travelex faced a $6 million ransom demand from the Sodinokibi gang. The foreign exchange company managed to negotiate the price down to $2.3 million, but not before shutting down sites across 30 countries for nearly a month.
The hackers claimed they had six months of sensitive data and threatened to auction it unless paid promptly. Travelex’s payment was one of the first major confirmed ransoms to receive widespread media coverage.
Honorable Mentions
WannaCry
In the WannaCry ransomware saga of May 2017, villains demanded Bitcoin ransoms from $300 to $600 to unlock files on computers around the globe. Using the NSA’s leaked EternalBlue exploit, they carried out a successful ransomware attack, striking over 300,000 systems across 150 countries. The chaos subsided when cybersecurity hero Marcus Hutchins found a kill switch. The blame landed on North Korea, which denied involvement in the digital thriller.
Costa Rica
In 2022, Costa Rica faced a severe ransomware attack by the Conti ransomware gang, which targeted multiple government institutions. The attack disrupted essential services and highlighted the growing threat of ransomware gangs on national infrastructure.
It’s important to note that ransomware attacks continue to this day, with 2023 seeing over $1 billion in ransomware payments altogether. Not every attack has been well documented, and most attacks targeted small organizations and individuals.
What We’ve Learned
These massive ransom payments show the serious financial and operational damage ransomware attacks cause, making cybersecurity a top priority. While paying ransoms might seem like a quick fix, it just feeds the ransomware ecosystem and encourages more attacks.
Strong ransomware protection is essential. Organizations need robust security measures, regular backups, and proper employee training to stay protected. When companies do get hit, many feel pressured to pay up, but this can create new problems like failed decryption and potential legal issues.
Admin By Request: Your Defense Against Ransomware
Admin By Request provides robust Privileged Access Management (PAM) solutions that help protect organizations from ransomware threats. With features like granular access controls and real-time threat detection, these solutions strengthen your cybersecurity defenses, ensure secure privileged access, and reduce the risk of data breaches.
Our platform protects against multiple ransomware variants, adapting to new tactics and attack methods to provide comprehensive security coverage.
If you’re interested in seeing our solutions in action, book a demo today or download our Lifetime Free Plan to try them on up to 25 endpoints (all features included).