2021 has brought with it a record number of ransomware attacks. In this piece, we’ll discuss the most significant ransomware attacks 2021 has seen so far and how your organization can avoid becoming the next victim.
Many assume technology becomes more secure as it advances, but that’s an oversimplification. Cybercriminals have consistently kept pace with—and at times outpaced—advances in cybersecurity technologies. Fortunately, managed security service providers (MSSPs) can help you keep ransomware attacks at bay.
What Were the Largest Ransomware Attacks of 2021?
Ransomware is a specific kind of malware that encrypts files or locks users out of devices or accounts until a ransom is paid to the cybercriminals behind the attack. It is a highly profitable form of cyberattack, which is why industry leaders expect ransomware attacks to keep growing in frequency and severity.
The biggest, most damaging, and overall most significant recent ransomware attacks include:
- Ransomware attacks undertaken by DarkSide on infrastructure and tech companies
- Ransomware attacks leveraged by REvil on tech and food production companies
- A one-off data theft and extortion attempt by a single individual against the telecom giant T-Mobile (no ransomware was deployed, but the lessons are the same)
- A large-scale attack on an insurance provider by a group called Evil Corp.
DarkSide’s Ransomware Attack on Colonial Pipeline
Of all the new ransomware attacks 2021 has seen so far, the attack on the Colonial Pipeline (CP) has garnered the most attention, as it was the largest-ever attack on US oil infrastructure:
- Per Bloomberg’s report on the attack, in late April of 2021, a hacking group known as DarkSide gained access to CP’s network through a compromised password for a VPN account and deployed its malware.
- On May 7th, CP staff found a ransom note, and the pipeline was shut down.
- Per CNN’s coverage of the attack, CP paid DarkSide 75 Bitcoin, roughly $4.4 million, to get back into their systems. The FBI was reportedly able to seize back $2.3 million.
How the password was compromised is still unknown. There is speculation that it was purchased on the dark web, and the VPN account reportedly did not require multifactor authentication (MFA), so a single leaked credential was enough. A robust identity and access management (IAM) program, including MFA on every remote-access path and prompt removal of unused accounts, is one way to defend against this threat.
DarkSide’s Lesser Ransomware Attack on Toshiba
Forbes estimates Japanese conglomerate Toshiba to be worth $19.2 billion, which is likely one reason it was another company targeted by DarkSide in 2021. In particular, Reuters reports that the European subsidiaries of Toshiba Tec Corp, a Toshiba unit, were the primary target. The attack happened in May and is believed to have been facilitated by then-new and unsecure remote work arrangements:
- DarkSide got into Toshiba’s systems and reportedly stole up to 740 gigabytes of information, including passports and other personally identifiable documents.
- However, per CNBC, Toshiba maintains that only a minimal amount of data was actually stolen, none of which has been leaked, and that it has not paid any ransom (yet).
The Toshiba story illustrates how critical it is to maintain an incident response and incident management program: an organization that knows what was taken, and can restore from clean backups, is in a position to refuse. In many cases, refusing the attackers’ demands is the best course of action.
The REvil Ransomware Attack Targeting ACER
Operating out of Xizhi, New Taipei City, Taiwan, Acer is a global leader in advanced electronics; nonetheless, in March 2021, they suffered one of the most expensive ransomware demands on record. According to CPO Magazine, the most critical known details about the attack include:
- On March 18, the cybercriminal group REvil released data stolen from Acer on a site it reportedly operates, Happy Blog. The data stolen included personal information on Acer clients, payment forms, and other financial documents critical to personnel and clientele.
- REvil demanded a ransom of 214,151 XMR cryptocurrency, roughly equivalent to $50 million, as first reported by Bleeping Computer. This sum would be the largest in history, if collected. However, Acer hasn’t yet disclosed whether or not they paid the ransom.
The initial access vector has not been confirmed, but security researchers suspect that REvil got into Acer by exploiting the ProxyLogon vulnerabilities in Microsoft Exchange Server. Vulnerabilities like these in widely deployed third-party software are common, so patch management and third-party risk management are critical.
REvil’s Later Ransomware Attack on JBS Foods
Based in Greeley, Colorado, JBS Foods is one of the largest food processors in America. On May 30th, 2021, they were victimized by REvil, much like Acer before them. Little is known about the specific ways in which REvil compromised JBS’s systems, other than that the attack forced nearly all of its systems offline. While they were reportedly able to regain access to their systems through backups, the Wall St. Journal reports that JBS paid $11 million to the attackers.
Vox reports that JBS refused to characterize the attack as ransomware until June 9th, although the White House had characterized it as such as early as June 1st. Whatever the initial access vector, the severity of this attack cannot be overstated: the meat industry is critical to food suppliers (not to mention consumers) across the US, which may have played a role in JBS ultimately paying.
The One-Off Ransomware Attack On T-Mobile
In August 2021, a hacker later identified as John Binns breached T-Mobile and stole information on over 50 million customers. No ransomware was deployed; the stolen data was offered for sale instead. As the attacker would later claim in an exclusive interview with the Wall Street Journal, the attack could be blamed almost entirely on T-Mobile’s poor security.
Notably, Binns’ attack began with an internet-exposed, unprotected router, which he used as a foothold to brute-force his way into a data center and gain access to over 100 servers, per the Verge. Binns, then 21 years old, reportedly had unfettered access to customer data, including:
- Social Security Numbers and drivers’ licenses
- Names, addresses, and birthdates
Binns claims to have carried out the attack to draw attention to his alleged 2019 kidnapping by the FBI. However, the Washington Post reported that a potentially affiliated hacker was trying to sell the stolen information on the dark web for 6 bitcoin (approximately $270,000). A robust penetration testing program, which would have found the exposed router before an attacker did, can help prevent threats like these for your organization.
Evil Corp.’s Ransomware Attack on CNA Financial
CNA Financial Corporation is one of the largest commercial insurers in the United States. On March 21, 2021, attackers breached its systems and went on to collect one of the largest disclosed cyber ransoms in history. Bloomberg reported that CNA paid a $40 million ransom.
CNA issued a notice on July 9, 2021, addressing the most critical details of the attack, such as the primary information targeted (names, SSNs, health benefit information). The attackers are believed to have used Phoenix CryptoLocker ransomware to encrypt files on CNA’s systems, making them impossible to open or access until the ransom was paid. Because that malware family is attributed to the group known as Evil Corp., experts (e.g., Bleeping Computer) believe Evil Corp. may be behind the attack.
Preventing attacks like these requires staff and monitoring that can recognize the early signs of ransomware, such as a sudden wave of files being rewritten with unfamiliar extensions or ransom-note text files appearing in many folders, before a tell-tale splash screen confirms that an attack is under way. Training and education are essential.
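To make the idea of catching ransomware before the splash screen concrete, here is an added example (not from the original page, RSI Security, or any vendor) that runs simple detection logic over file-server audit events. The log format, the host and user names, the paths, and the thresholds are all constructed for illustration; in practice you would map the parser onto whatever your EDR or file-server auditing actually emits and tune the thresholds to your environment. It flags two signals that typically precede the ransom note: many files on one host being renamed to a new extension by one account within a short window, and ransom-note-style files appearing in several directories.

```python
"""Flag ransomware-like bulk file rewrites in a file-activity audit log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format: "<ISO-8601 UTC timestamp> <host> <user> <op> <path>"
# For RENAME the path field is "<old path> -> <new path>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<op>CREATE|WRITE|RENAME|DELETE) (?P<rest>.+)$"
)
# File names ransomware families commonly use for the note dropped in each folder.
RANSOM_NOTE_RE = re.compile(r"(readme|decrypt|restore|how_to|recover)", re.IGNORECASE)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if ev["op"] == "RENAME":
        src, _, dst = ev.pop("rest").partition(" -> ")
        ev["src"], ev["dst"] = src, dst
    else:
        ev["path"] = ev.pop("rest")
    return ev


def extension(path):
    """Lower-cased final extension of a path ('' if the file name has none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, window_seconds=60, rename_threshold=20, note_threshold=3):
    """Return alert dicts for (host, user) pairs showing ransomware-like activity.

    bulk_rename: >= rename_threshold extension-changing renames within window_seconds.
    ransom_notes: note-like files created in >= note_threshold distinct directories.
    Each signal fires at most once per (host, user) so the output stays readable.
    """
    renames = defaultdict(deque)   # (host, user) -> deque of (timestamp, new extension)
    notes = defaultdict(set)       # (host, user) -> directories containing note-like files
    alerts, alerted = [], set()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["user"])

        # Signal 1: renames that change the extension (draft.docx -> final.docx does not count).
        if ev["op"] == "RENAME" and extension(ev["src"]) != extension(ev["dst"]):
            q = renames[key]
            q.append((ev["ts"], extension(ev["dst"])))
            while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:  # slide the window
                q.popleft()
            if len(q) >= rename_threshold and ("bulk_rename", key) not in alerted:
                alerts.append({
                    "signal": "bulk_rename", "host": ev["host"], "user": ev["user"],
                    "count": len(q), "new_extensions": sorted({e for _, e in q}),
                    "first_seen": q[0][0].isoformat(), "last_seen": ev["ts"].isoformat(),
                })
                alerted.add(("bulk_rename", key))

        # Signal 2: a note-like file name created in many different directories.
        elif ev["op"] == "CREATE" and RANSOM_NOTE_RE.search(ev["path"].rsplit("/", 1)[-1]):
            notes[key].add(ev["path"].rsplit("/", 1)[0])
            if len(notes[key]) >= note_threshold and ("ransom_notes", key) not in alerted:
                alerts.append({
                    "signal": "ransom_notes", "host": ev["host"], "user": ev["user"],
                    "directories": len(notes[key]), "last_seen": ev["ts"].isoformat(),
                })
                alerted.add(("ransom_notes", key))
    return alerts


def constructed_sample_log():
    """Constructed sample: normal user activity, then one account encrypting a share."""
    lines = [
        "2021-05-07T06:41:02Z FS01 alice WRITE /srv/finance/q1.xlsx",
        "2021-05-07T06:41:05Z FS01 alice WRITE /srv/finance/q2.xlsx",
        "2021-05-07T06:41:09Z FS01 alice RENAME /srv/finance/draft.docx -> /srv/finance/final.docx",
    ]
    # svc_backup rewrites 25 documents in 25 seconds, then drops notes in three folders.
    for i in range(25):
        lines.append(f"2021-05-07T06:52:{10 + i:02d}Z FS01 svc_backup RENAME "
                     f"/srv/hr/doc{i}.docx -> /srv/hr/doc{i}.docx.locked")
    for d in ("hr", "finance", "legal"):
        lines.append(f"2021-05-07T06:52:40Z FS01 svc_backup CREATE /srv/{d}/README_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_sample_log()):
        print(alert)
```

The two thresholds are the tuning knobs: a backup or migration job will legitimately rename many files, so in a real deployment you would allow-list those accounts or raise `rename_threshold`, while the note-file signal is rarely triggered by anything benign and is worth alerting on at a low count. Feeding the alerts into the incident response process, rather than waiting for a user to report a splash screen, is the point.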
Lessons Learned From Ransomware Attacks in 2021
The size, industry, and global position of an organization have little bearing on the likelihood and potential impact of a ransomware attack. As the biggest ransomware attacks 2021 has seen so far illustrate, any company can fall victim to a hack or other scheme, then need to pay exorbitant fees to restore its business functions. To prevent these kinds of attacks from befalling your organization, an external security advisor can help you build and maintain appropriate security architecture. RSI Security is dedicated to helping organizations rethink their cyberdefenses, making attacks less likely and reducing their impact if they do occur. Get in touch to get started!