Top Ransomware Attacks 2021

According to the 2022 Cyber Threat Report published by SonicWall, ransomware attacks increased by 1,885% across all government bodies globally in 2021, and by 755% in the healthcare industry. The survey found that ransomware was up globally by 105%, with North America seeing a spike of 104%.

Impact and Protection from Ransomware Attacks

Since ransomware attacks are performed with the intention of rendering individuals or organizations unable to function unless a ransom is paid, the cost of these attacks is the sum of the ransom and the cost of remedying the damage caused to systems, networks and reputation. They cause a variety of problems for businesses, including:

  • Threat to a company's reputation
  • Costs associated with data recovery and restoring IT infrastructure
  • Disruption of daily tasks and unplanned downtime
  • Disclosure of classified or sensitive data

Paying a ransom doesn't imply that the encrypted files will be decrypted. All it does is ensure that the cyber criminals will receive the victim's money and, in some cases, their payment details. It might also encourage them to demand more payment and incentivize them to continue ransomware attacks.

Another point to note is that restoring encrypted files does not necessarily mean that the malware presence has been removed. The best bet is to protect your organization from ransomware attacks by partnering with a data recovery provider and following tips to secure your corporate network.

The Biggest Ransomware Attacks of 2021

Here are the top ten ransomware attacks that made headlines in 2021 (in chronological order):

KIA Motors – February 2021 ($20 mill.)

In February of 2021, Hyundai subsidiary Kia Motors was hit by a ransomware attack. Kia Motors claims that the resulting IT outage disrupted the company's internal sites, phone lines, owner's portal, banking systems, and mobile UVO Link apps in the Americas.

The DoppelPaymer ransomware hacker group demanded a ransom of $20 million in exchange for the decryption keys. Some of the stolen data were also made public by the group, but there have been no further reports of an attack since then.

CNA Financial – March 2021 ($40 mill.)

On March 23, 2021, CNA Financial, the seventh-largest corporate insurer in the United States, revealed that it had 'experienced a devastating cybersecurity attack.' This attack was carried out by the hacking collective Phoenix, using the Phoenix Locker ransomware.

In May, there was news that the corporation paid a $40 million ransom to get their data back. CNA has been silent on the details of the deal and negotiations but says it has fully restored all of its systems.

Acer – March 2021 ($50 mill.)

Russian ransomware group REvil, which later targeted Kaseya in July 2021, targeted computer and electronics giant Acer in March. The hackers demanded a ransom of $50 million.

REvil broke into Acer's system using a Microsoft Exchange server flaw and released photos of users' personal data and financial records. The status of the ransom payment has not been confirmed by Acer.

Brenntag – April 2021 ($7.5 mill.)

In April 2021, German chemical distributor Brenntag discovered that it had been the target of a ransomware attack by DarkSide. The hacker group had encrypted 150GB of data and threatened to publish it unless their ransom demands were met.

Following negotiations with the attackers, Brenntag was able to lower the ransom from $7.5 million to $4.4 million, which was paid in full on May 11.

Quanta – April 2021 ($50 mill.)

REvil struck again in 2021, this time targeting Apple component manufacturer Quanta on April 20, 2021. The attackers demanded a ransom of $50 million. When Quanta declined to negotiate with the attackers, the group decided to go after Apple.

Following the disclosure of Apple's product plans, REvil threatened to reveal other classified documents, data, and papers. However, since May 2021, neither REvil, Apple nor Quanta has made any further statements regarding the cyberattack or ransom payment.

Colonial Pipeline – May 2021 ($4.4 mill.)

Colonial Pipeline Co., the biggest fuel pipeline in the United States, was hit by a ransomware attack by the DarkSide group in May 2021. The company's billing and operational infrastructure were targeted. As a result, fuel supply chains along the entire East Coast of the United States (12 states) were severely disrupted for several days after the attack on the pipeline, causing widespread confusion and panic.

Though it had backups, Colonial Pipeline still paid a ransom of $4.4 million to get its services restored. The DarkSide group planned and executed this ransomware attack against the company's billing and operational infrastructure.

ExaGrid – May 2021 ($7 mill.)

ExaGrid, a data backup provider that aims to help businesses recover from ransomware attacks, was recently the victim of a ransomware attack as well. In May 2021, Conti, a ransomware group, compromised the ExaGrid business network and stole sensitive data.

LeMagIT reports that ExaGrid paid almost $2.6 million ransom to regain access to encrypted data.

JBS Foods – May 2021 ($11 mill.)

JBS, a major meat producer worldwide, stated that it was targeted by ransomware in May 2021, forcing it to suspend operations temporarily. This attack has been linked to REvil, which earlier the same year also attacked Acer and Kaseya, among other companies.

Even though the ransomware attack did not cause a food shortage, government officials urged citizens not to panic and not to stock up on meat. Experts in the field of cyber security confirmed on June 10 that JBS paid a ransom of $11 million in cryptocurrency.

Kaseya – July 2021 ($70 mill.)

Kaseya, an MSP and IT support provider, was attacked by the REvil/Sodinokibi ransomware group on July 4th, 2021. Initial demands from the group for a universal decrypter were set at $70 million.

The breach affected 1,500 small and medium-sized businesses (SMBs). Among the businesses affected were 800 co-op supermarkets in Sweden, which could not access their registers and were forced to close temporarily.

Kaseya's on-premises VSA software, which most organizations run in their DMZs, had a chain of vulnerabilities, including improper authentication validation and SQL injection.

Accenture – August 2021 ($50 mill.)

LockBit, a ransomware group, breached the systems of IT giant Accenture in August 2021, resulting in the release of more than 2,000 compromised records. Accenture, though, denied paying the $50 million demand.

According to a report by BleepingComputer, the LockBit group confirmed executing the attack and stealing six terabytes of data from Accenture's network. It was alleged that Accenture knew about the attack on July 30 but didn't disclose it until August 11. News outlet CRN slammed Accenture for being secretive about the attack, calling it a 'missed chance by an IT heavyweight' to spread awareness about ransomware.