Ransomware Ransom Note Database 2020-2026: A History of Cyber Extortion

David Plaha


For a cybersecurity incident responder, there is no image more chilling than a server screen displaying a ransom note. It is the definitive sign that defenses have failed and the crisis has begun.

Ransom notes are not simply demands for money — they are carefully engineered psychological weapons. They have evolved from crude, poorly written text files into sophisticated, multi-channel extortion campaigns with professional negotiation portals, leak site pressure, and client-facing communications that would not look out of place in a legitimate business.

This database catalogues the most significant ransom notes from 2020 to 2026, analyzing each for the psychological manipulation techniques employed and what they reveal about the threat actor's strategy.


1. The Pioneer of Scale: WannaCry (2017, Resurgent Variants Through 2026)

Though originating in 2017, WannaCry variants continue to be detected and its visual language set the template for ransomware UI that persists today. The bright red background and countdown timers became the visual shorthand for ransomware.

The Note:

"Ooops, your files have been encrypted!"

"What Happened to My Computer? Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted.

Payment will be raised on: [Date] Your files will be lost on: [Date]"

Psychological Analysis: WannaCry's primary manipulation technique is urgency combined with scarcity. The countdown timers and escalating payment amounts induce acute stress, forcing victims to make financial decisions under extreme time pressure before consulting legal or technical experts. The bright red color scheme is deliberate — red triggers threat responses in human psychology.

Operator Attribution: North Korea's Lazarus Group (attributed by US, UK, Australia).


2. The Professional: LockBit (2022–2024, Variants Through 2026)

LockBit revolutionized the ransomware-as-a-service model and became the most prolific ransomware operator in history, with hundreds of confirmed victims. Their notes adopted a remarkably corporate tone.

The Note:

"ALL YOUR IMPORTANT FILES ARE STOLEN AND ENCRYPTED"

"We are LockBit 3.0. We steal your data and encrypt it. If you do not pay, we will publish your data on our TOR blog.

What happens if you do not pay? We are business people. We care about our reputation. If we do not do our work, no one will pay us. You can trust us.

Post-payment penetration test service included."

Psychological Analysis: LockBit employs reputation framing — positioning themselves as trustworthy businesspeople to overcome victim resistance to paying. The "post-payment penetration test" offer is particularly sophisticated: it reframes extortion as a business transaction with value-added services, normalizing payment and reducing the psychological barrier. The tone contrasts sharply with aggressive predecessors, removing fear as a factor that might cause victims to seek law enforcement help.

Operator Attribution: LockBit core developers identified by international law enforcement coalition (2024 Operation Cronos).


3. The Double Extortionist: REvil / Sodinokibi (2020–2022)

REvil was among the first to widely popularize "double extortion" — stealing data before encrypting it, then threatening to publish it if the ransom was not paid. This fundamentally changed the calculus for victims with functional backups.

The Note:

"!!! ALL YOUR FILES ARE ENCRYPTED !!!

DO NOT PLAY GAMES WITH US. If you try to restore data from backups, we will publish your private data. If you contact the police, we will delete the decryption key.

Go to this URL: [Onion Link]"

Psychological Analysis: REvil's note is designed to eliminate perceived escape routes. Mentioning that backups are irrelevant (because data has been stolen) directly addresses the target's most likely recovery plan. The threat to destroy the decryption key if law enforcement is contacted creates a forced choice: comply secretly or lose the data permanently. The aggressive, threatening tone targets decision-makers who might otherwise engage law enforcement.

Notable Victims: Kaseya (affecting 1,500+ downstream organizations), JBS Foods, Acer.

Operator Attribution: Russian cybercriminal organization, members arrested by Russian FSB in January 2022 (subsequently released after the Ukraine invasion).


4. The Corporate Machine: Conti (2020–2022)

Conti operated like a professional organization — with HR processes, management hierarchies, and a dedicated negotiation team. Their ransom notes reflected this corporate structure.

The Note:

"All your files are currently encrypted by CONTI ransomware.

If you want to restore them, please contact us. We suggest you do not waste time. After 3 days the ransom will be doubled. After 7 days we will delete the decryption key.

Only the members of Conti team can decrypt your files.

Please follow the link: [Negotiation Portal]"

Psychological Analysis: Conti used time-based escalation combined with professional detachment. The structured timeline creates urgency while the calm, business-like tone reduces panic — a panicking victim is harder to negotiate with. Directing victims to a negotiation portal (with customer service-style communication) normalized the extortion process and facilitated larger payments. Internal Conti documents leaked in early 2022 revealed their operation had dedicated negotiators trained in psychological tactics.

Notable Victims: Irish Health Service Executive (HSE), Costa Rican Government.


5. The Modern Operator: BlackCat / ALPHV (2023–2025)

BlackCat built ransomware in Rust (unusual at the time), hosted publicly searchable leak sites, and filed SEC reports against their own victims to increase regulatory pressure.

The Note:

"Your network has been penetrated. All sensitive data (financials, employee records, customer info) has been exfiltrated.

We recommend you contact us to negotiate the price of deleting your data. Silence == Leak."

Psychological Analysis: BlackCat's minimalist note is calculated. The absence of technical details about encryption signals that the data theft — not the encryption — is the primary threat. By 2023–2024, many organizations had adequate backup procedures; BlackCat correctly identified that GDPR notification obligations, regulatory fines, and reputational damage from a data leak were often more costly than the ransom itself. The "Silence == Leak" phrasing is a simple, memorable ultimatum that triggers a decision.

Notable Innovation: In November 2023, BlackCat/ALPHV filed an SEC complaint against their own victim (MeridianLink) for failing to disclose the breach within the SEC's required 4-day window, escalating regulatory pressure as an extortion mechanism.


6. The Blue-Collar Gang: Black Basta (2022–2026)

Black Basta targets mid-market organizations (50–500 employees) rather than large enterprises, pragmatically reasoning that smaller organizations have less sophisticated incident response and pay faster.

The Note:

"Your data was encrypted and stolen. If you are seeing this, your company has been fully compromised.

Do not try to recover your files on your own. You may damage them permanently.

All your data will be published publicly if you do not contact us within 12 hours. Contact us through the TOR browser: [Link]"

Psychological Analysis: The 12-hour window is extremely aggressive — designed to force hasty decision-making before the victim can properly engage legal counsel, cybersecurity professionals, or law enforcement. The warning against self-recovery creates dependency on the attacker. This note targets under-resourced organizations that lack an incident response retainer and must make decisions without expert guidance.


7. The 2026 Generation: Ransomware AI Integration

Current-generation ransomware operations are beginning to integrate AI for:

  • Generating custom ransom notes tailored to the victim's industry, size, and public financial information
  • Adjusting ransom amounts based on analysis of the victim's revenue, insurance coverage, and publicly reported willingness to pay
  • Negotiating via AI-assisted chatbots that maintain consistent pressure without requiring human operators around the clock

Notes from 2025–2026 incidents increasingly reference specific financial figures ("Based on your FY2024 revenue of $47M, we require...") sourced from public filings, suggesting automated target profiling.


The Psychological Toolkit: What Every Note Has in Common

Across all variants and eras, ransom notes employ a consistent set of psychological tactics:

| Technique | Implementation | Counter |
|---|---|---|
| Urgency | Countdown timers, escalating fees | Do not make decisions under artificial time pressure |
| Authority | Professional language, negotiation portals | Engage IR professionals — they negotiate daily |
| Escape route elimination | "Backups won't save you," "Police will delete your key" | These are bluffs; engage law enforcement anyway |
| Social proof | "Thousands of companies have paid us" | Paying funds further attacks; consult IR first |
| Loss framing | Focus on what will be lost, not what might be recovered | Assess recovery options before any payment discussion |
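
The tactics in the table can be checked for mechanically once a note has been preserved as evidence. The Python below is an added example, not part of the original article: it tags the Conti and Black Basta notes quoted earlier with those tactics, extracts the attacker's stated deadlines, and flags a data-theft claim. The regex patterns and the `triage` function name are assumptions made for illustration.

```python
import re

# Indicative phrasing for each tactic in the table above. The patterns are
# assumptions made for this example, not a vetted detection ruleset.
TACTICS = {
    "urgency": r"\b(within \d+ (hours?|days?)|after \d+ (hours?|days?)"
               r"|do not waste time|will be (doubled|raised))",
    "authority": r"\b(business people|our reputation|you can trust us|negotiat\w+)",
    "escape_route_elimination": r"\b(restore data from backups|contact the police"
                                r"|recover your files on your own|only .{0,40} can decrypt)",
    "social_proof": r"\b(companies|victims|clients) have paid\b",
    "loss_framing": r"\b(will be (lost|published)|we will publish"
                    r"|delete the decryption key|damage them permanently)",
}
DEADLINE = re.compile(r"\b(?:within|after)\s+(\d+)\s+(hour|day)s?\b", re.I)
THEFT = re.compile(r"\b(stolen|exfiltrated|publish\w*)\b", re.I)

def triage(note: str) -> dict:
    """Summarise the pressure tactics and attacker deadlines in a ransom note."""
    text = " ".join(note.split())  # collapse line breaks and repeated spaces
    tactics = sorted(t for t, pat in TACTICS.items() if re.search(pat, text, re.I))
    hours = sorted(int(n) * (24 if unit.lower() == "day" else 1)
                   for n, unit in DEADLINE.findall(text))
    return {
        "tactics": tactics,
        "deadlines_hours": hours,  # attacker-imposed, shortest first
        # A theft claim means restoring from backups does not end the incident.
        "data_theft_claimed": bool(THEFT.search(text)),
    }

# Sample inputs: the Conti and Black Basta notes as quoted earlier in this article.
CONTI = """All your files are currently encrypted by CONTI ransomware.
If you want to restore them, please contact us. We suggest you do not waste time.
After 3 days the ransom will be doubled. After 7 days we will delete the decryption key.
Only the members of Conti team can decrypt your files.
Please follow the link: [Negotiation Portal]"""
BLACK_BASTA = """Your data was encrypted and stolen. If you are seeing this,
your company has been fully compromised.
Do not try to recover your files on your own. You may damage them permanently.
All your data will be published publicly if you do not contact us within 12 hours.
Contact us through the TOR browser: [Link]"""

if __name__ == "__main__":
    for name, note in (("Conti", CONTI), ("Black Basta", BLACK_BASTA)):
        print(name, triage(note))
```

The extracted deadlines give responders the attacker's timeline in one place, so it can be weighed against the counters in the table rather than driving decisions.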

If You See One of These Notes on Your Screen

The first minutes matter enormously:

  1. Do not shut down the affected system — memory may contain encryption keys recoverable by forensic analysis
  2. Disconnect the affected device from the network immediately — do not turn it off
  3. Do not pay until you have assessed all recovery options with professional guidance
  4. Preserve the ransom note, encrypted file examples, and any network logs
  5. Contact a professional incident response team immediately

Paying the ransom funds criminal operations, does not guarantee decryption (10–30% of paying victims still cannot recover all files), and marks your organization as a "payer" — a designation that often leads to repeat targeting.

Don't want to end up in this database? Secure your organization before an attack occurs. Schedule a penetration test with Cyberlord to identify the entry points ransomware operators exploit.


Frequently Asked Questions

Should I pay a ransomware demand?
Law enforcement agencies (FBI, CISA, NCA, Europol) universally advise against paying. Engage an incident response firm first to assess recovery options, check for free decryptors (NoMoreRansom.org), and evaluate the actual scope of data theft. Many organizations recover without paying.

What percentage of ransomware victims get their data back after paying?
Industry data suggests 70–80% of paying victims receive a working decryptor, but only 60–65% successfully recover all data. Paying does not guarantee recovery and does not address the data theft component of double extortion.

Are there free ransomware decryptors available?
For older or disrupted ransomware variants, yes. The No More Ransom project (nomoreransom.org), operated by Europol and law enforcement partners, aggregates free decryptors. Check here before considering payment.