Ransomware attacks have become the most lucrative cybercrimes of the digital era. As cybercriminal groups grow more sophisticated, ransom demands — and payments — continue to reach record-breaking levels.
This article lists the top 10 ransomware incidents ranked by the highest confirmed ransom payments, updated to 2025. The listing is based on media reports.
1. Fortune 50 Company – $75 Million (2024, Dark Angels)
In 2024, cybersecurity researchers confirmed that an unnamed Fortune 50 enterprise paid $75 million ransom to the Dark Angels ransomware group. This remains the largest confirmed ransomware payment in history. The attackers exfiltrated sensitive corporate data before encrypting critical systems, forcing the company to pay to avoid public exposure and operational collapse, Techopedia reports.
2. CNA Financial – $40 Million (2021, Phoenix Locker)
Insurance giant CNA Financial paid a $40 million ransom in Bitcoin to regain access to its network after being hit by the Phoenix Locker ransomware, believed to be linked to the Evil Corp cybercrime group. The attack disrupted operations for weeks and affected thousands of employees and clients.
3. CDK Global – $25 Million (2024, BlackSuit)
CDK Global, a major software provider for car dealerships, suffered a large-scale ransomware attack in 2024 that halted operations across the United States. The company reportedly paid $25 million to the BlackSuit ransomware gang to restore services and prevent customer data exposure.
4. Change Healthcare (UnitedHealth Group) – $22 Million (2024, BlackCat/ALPHV)
In early 2024, Change Healthcare, a subsidiary of UnitedHealth Group, was hit by ALPHV (BlackCat) ransomware. The attack disrupted pharmacy billing and prescription services nationwide. Blockchain analysis confirmed a $22 million ransom payment made to the hackers, Wired reports.
5. JBS Foods – $11 Million (2021, REvil/Sodinokibi)
JBS Foods, the world’s largest meat processing company, paid $11 million to REvil hackers after a ransomware attack disrupted meat supply chains in the U.S., Canada, and Australia. The company said the payment was made to protect customer data and resume production quickly.
6. Blackbaud – $10 Million (2020, Unknown Variant)
In 2020, software provider Blackbaud suffered a ransomware attack affecting hundreds of universities and charities. The company admitted to paying a ransom exceeding $10 million to prevent stolen data from being published online.
7. Garmin – $10 Million (2020, WastedLocker Suspected)
GPS and fitness technology firm Garmin reportedly paid around $10 million to decrypt files locked by WastedLocker, a ransomware linked to the Evil Corp group. The attack disrupted Garmin Connect services, aviation navigation, and production systems globally.
8. Brenntag – $4.4 Million (2021, DarkSide)
German chemical distributor Brenntag paid $4.4 million to DarkSide, the same group behind the Colonial Pipeline attack. Hackers had stolen 150GB of sensitive data, which they threatened to leak online if the ransom was not paid.
9. Colonial Pipeline – $4.4 Million (2021, DarkSide)
Colonial Pipeline ransomware attack in May 2021 was one of the most disruptive in U.S. history. The company paid $4.4 million in Bitcoin to DarkSide to restore operations. Although the U.S. Department of Justice later recovered part of the payment, the incident exposed the vulnerability of critical infrastructure.
10. CWT Global – $4.5 Million (2020, Ragnar Locker)
CWT Global, a corporate travel management firm, reportedly paid $4.5 million to the Ragnar Locker ransomware group after hackers stole sensitive corporate and client data. The attackers initially demanded $10 million but accepted a negotiated payment.
Other Notable Ransomware Demands
While the above list includes confirmed payments, several major ransomware demands were even higher but not verified as paid:
Walmart (2022, Yanluowang) – Demand: ~$55 million
Continental (2022, LockBit) – Demand: ~$50 million
From global insurers to critical infrastructure providers, several organizations have paid millions of dollars to regain access to their systems or prevent data leaks.
Rajani Baburajan
