October 19, 2021
10 Recent Ransomware Attacks: Facts, Figures and Lessons
Major cyber attacks took place in 2021. Recent cyberattacks hit medium and large businesses and government agencies around the world. According to Statista, 68% of organizations were affected by ransomware to some extent. So far, 2021 has seen the highest number of attacks compared to previous years. This blog briefly explains what a ransomware attack is and covers the top 10 (+1) ransomware attacks in 2021.
What Is a Ransomware Attack?
A ransomware attack involves gaining unauthorized access to electronic records and encrypting/locking data with the purpose of monetary extortion. The negative consequences of a ransomware attack can range from mild to severe. The attackers can delete valuable data to prove to their victims that they are serious about the threat. Sometimes, hackers also leak confidential documents to put even more pressure on organizations to comply with their demands.
Attackers can bring great turmoil to a company by bringing down production and leaking sensitive data. As a result, a company may experience financial and reputational losses. To launch a successful attack, hackers usually explore vulnerabilities in the company’s networks and servers. Once cybercriminals find a vulnerability, they insert a payload to compromise the system. A payload is a piece of code that can be attached to some files. Once a user activates those files, the malicious code is executed and starts serving its purpose. As a result, some of the data becomes inaccessible and requires decryption.
Major Ransomware Attacks in 2021
The first six months of the year 2021 turned out to be unfortunate for some businesses as they fell victim to a ransomware attack. We are about to discuss 10 recent instances of ransomware invasion. Who are these cyber gangs and why do they target organizations? Let’s find it out.
1. CD Projekt Red: February 9, 2021
In February 2021, an unknown malicious actor invaded the internal network of CD Projekt Red, a well-known Polish web development company. According to CD Projekt Red, cybercriminals stole company data and demanded a ransom in return for not releasing the source code and other critical records in their possession to the public. The attackers claimed that they had the full source code for the company’s top video games such as Witcher 3, CyberPunk 2077, and Gwent, to name a few. The cybercriminals stated in the message that they also had information pertinent to all areas of the company, including administrative and legal files.
CD Projekt Red did not disclose any details about the route or methods of the cyber invasion. In other words, it remains unclear how cybercriminals managed to access the data. According to CD Project Red, customers’ personal information remained unexposed at the time of the attack. However, further investigation revealed that multiple data sets along with customers' personal data had flooded the internet. CD Projekt Red concluded that anyone can fall victim to a ransomware attack. Thus, companies should anticipate a potential invasion and develop a solid protection and recovery plan to face the attack to the best of their ability.
Despite the huge data leak, CD Projekt Red responded to the threat like a real hero. The company did not agree to pay the ransom to the malicious actors. Instead, they recovered the company data from backups.
2. Acer: March 20, 2021
The computer giant Acer was attacked by a mysterious ransomware gang known as REvil or Sodinukai. Supposedly, REvil is a Russian-speaking and Russian-based group that targets businesses of all sizes around the globe, except those located on the territory of the former Soviet states. However, the exact origin and location of REvil remain a mystery. REvil works by compromising the victim’s files and demanding a ransom for not disclosing the company’s data to the public by posting it on their Happy Blog.
In early March, REvil hackers compromised Acer’s systems. They exfiltrated financial information and customer data from the network and posted it on the dark web. Some of the stolen data became part of an online auction. The ransom message from the hackers demanded a ridiculous $50 million in return for not disclosing the rest of the data and providing the decryption keys — at that time, the highest amount ever demanded in the entire history of ransomware attacks. In addition, the hackers stated that this was a discounted price. If Acer failed to pay during the following eight days, the amount would jump to $100 million! It remains unclear whether Acer gave in to the hackers’ demands and paid the requested amount. All that is known is that the hackers managed to compromise Acer’s Exchange Server. You may think that a high-tech company like Acer is invulnerable to a cyber attack. The truth is that if a company fails to protect some of its data, attackers can quickly take advantage of the vulnerabilities and use them to compromise the system.
3. CNA Financial: Late March, 2021
CNA, a top U.S. insurance company, was attacked by ransomware and paid $40 million. It was the highest ransomware payoff in history. Presumably, the company was hacked by Phoenix Cryptolocker, a ransomware gang associated with the Russian organization Evil Corp.
Phoenix Cryptolocker is a type of ransomware that can enter the victim’s system through a Remote Desktop Protocol or exploit stolen or compromised credentials to enter Virtual Private Servers (VPS). The ransomware behaves like legitimate software, tricking the user into activating it. Once the user runs the malicious code, ransomware gets into the system. It enumerates the chosen files and puts a lock on them.
Further investigations of this ransomware attack revealed that the hackers managed to get into the system by presenting an employee with a corrupted browser update through a legitimate website. At this point, the malicious actors obtained administrator privileges, encrypted a large amount of the company’s data and disabled the backups. Due to the large-scale attack, CNA had to shut down its operations for three days. CNA responded to the attack promptly by informing law enforcement and involving forensic services. According to CNA, sensitive customer information, such as social security numbers, medical information, benefits, etc., was not disclosed or sold to other parties.
4. Quanta: Mid-April 2021
Quanta, a Taiwan producer of Apple products, was attacked by REvil. The gang asked for a $50 million ransom in return for stolen data that included schemas for future and current Apple projects, such as the iMac design (not yet released) and MacBook Air (old and new schemas).
Quanta refused to pay the ransom, which prompted the cybercriminals to go after Apple. They threatened to publish Apple’s product schemas on the web. Since Apple also refused to pay, REvil started publishing pieces of information and imagery related to Apple products and new inventions and threatened to publish more unless paid. The goal was to get Apple to pay the ransom by the beginning of May. Despite the ongoing pressure, Apple did not succumb to the hackers’ demands. Then, unexpectedly, REvil removed Apple’s data from the web. The reasoning behind REvil’s behavior in relation to Apple remains unknown.
5. Brenntag: April 28, 2021
Brenntag, a global chemical manufacturer, became the subject of a cyber attack. DarkSide is responsible for the attack. It gained access to Brenntag’s network using stolen credentials and stole critical files, including chemical formulas, projects, accounting, contacts, etc. Darkside threatened to disclose sensitive data unless $7.5 million was paid.
DarkSide is a Russian gang that is similar to other groups. DarkSide pursues purely financial goals without a political agenda. However, DarkSide does not target entities that offer social and health services, such as hospitals, educational institutions, non-profits, etc. As a rule, DarkSide targets large corporations.
Brenntag involved forensic and cybersecurity services for a smoother recovery, but eventually negotiated with the attacker and lowered the ransom to $4.4 million. After Brenntag paid the ransom, Darkside revealed how it managed to hack the network. According to the hackers, the stolen credentials scheme worked because there was no multi-step or multi-factor authentication in place.
6. Colonial Pipeline: May 6, 2021
The U.S. oil supplier Colonial Pipeline fell victim to a ransomware hack in early May. A ransomware virus affected the electronic equipment used to run the pipeline’s operations. Ransomware hit the company’s billing system, preventing Colonial Pipeline from charging its customers. In addition, the hackers stole the company’s critical data and demanded a ransom for not making it public.
Colonial Pipeline involved the FBI to help to negotiate with the attackers efficiently. The company paid $4.4 million in bitcoin to the hackers shortly after the attack. After the attackers harvested the ransom, they provided decryption software to revive the system. However, the software was pretty slow, and Colonial Pipeline didn’t manage to restore its workflow as fast as they had hoped. Temporary fuel shortages negatively impacted some customers. American Airlines had to reschedule some flights at Charlotte Douglas International Airport and some gas stations ran out of fuel in South Carolina and Virginia. Later, the FBI managed to retrieve $2.3 million in bitcoin from the perpetrators. The Russian cyber gang group DarkSide is most likely responsible for the Colonial Pipeline Cyber Attack.
7. Ireland’s Health Service Executive (HSE): May 14, 2021
Conti ransomware caused mayhem in the Irish public health system by disrupting hospital workflow. Conti ransomware is associated with the Russian gang Wizard Spider. Conti is different from other intruders because it works by installing trojans, such as TrickBot and BazarLoader, to access the infected computer remotely. After establishing access, Conti sizes the whole network, exfiltrating unprotected data from devices and servers.
HSE had to temporarily stop its IT operations to prevent the ransomware from spreading further. The unavailability of computerized resources caused issues with scheduling and accessing patient records. As a result, there were surgery delays and patients failed to get timely care. Because internal IT channels were compromised, healthcare professionals could not share radiology images, tests, and other information between departments. In addition, medical staff had to switch to pen-and-paper to take patient histories and do notations.
At the beginning of the attack, the malicious actors requested $20 million in bitcoin. However, HSE refused point-blank. Instead, HSE initiated a natural but slow recovery process with the help of FireEye and McAfee. At this point, Conti offered decryption keys but still threatened to release sensitive data unless the ransom was paid. HSE ignored Conti’s last request and continued with the recovery process. HSE informed all potential victims about the data leakage and possible disclosure of sensitive data.
8. JBS Ransomware Attack: May 30, 2021
Global meat supplier JBS was attacked by REvil in late May. The company’s production ceased for a while, and its website and online resources went temporarily offline. During the first days of the attack, the company didn’t mention anything about paying a ransom. JBS informed the proper authorities about the incident and the company used its backup files to recover from the attack.
JBS stated that their customers and partners were not affected by the invasion. Later, it became clear that JBS did pay a ransom of $11 million in bitcoin. JBS said they had to pay the amount because ransomware did not allow them to continue their daily tasks at meat processing plants. Thus, JBS complied with the hackers’ demands and paid a ransom to avoid information disclosure.
9. ExaGrid: June 1, 2021
ExaGrid offers specially-designed backup and recovery services to protect companies affected by ransomware. Unfortunately, ExaGrid itself fell victim to a ransomware attack in early June.
Conti ransomware encrypted ExaGrid’s critical data such as source code, client information, and administrative records. In addition, Conti exfiltrated the company’s confidential data and promised to publish it unless ExaGrid paid the ransom amount.
Initially, the hackers asked ExaGrid to pay $7.5 million. Conti claimed to have sensitive information about ExaGrid’s clients and employees, such as names, social security numbers, home addresses, tax records, bank statements, settlements, etc. ExaGrid negotiated with the hackers and lowered the ransom amount to $2.6 million. ExaGrid paid the amount in bitcoin.
10. Kaseya VSA: July 2, 2021
Kaseya, a Florida-based company that develops software for managing networks and IT infrastructures, was attacked by REvil. The ransomware got into Kaseya’s system via a compromised Virtual System Administrator (VSA). A VSA is Kaseya software that can be used for monitoring and managing the systems of multiple companies.
The cybercriminals distributed the payload via the hosts managed by this software. As a result, many businesses across the world were compromised. The Norwegian Managed Service Provider (MSP) Visma was hit, along with Coop, a Swedish supermarket. As a result, Coop closed down around 800 stores for an entire week. And, this is just one example!
During the attack on Kaseya, REvil claimed to have encrypted more than 1 million systems! The initial sum for decryption keys was a whopping $70 million. The whole incident blew out of proportion, becoming a matter of politics. U.S. President Joe Biden had a conversation with Russian President Putin and requested stopping the REvil gang’s activity. Shortly after, the REvil website, along with Happy Blog, went offline. Eventually, Kaseya and other victims managed to decrypt their files with a universal decryption key without paying a ransom. How they acquired the key remains unknown.
Facts, Figures, and Lessons
Latest Cyber Attack 2021
Major cyber attacks have been taking place every month since February 2021. The attackers are demanding millions of dollars from their victims, with ransom demands breaking records. The latest ransomware attack took place in August. Accenture, a technology consulting firm, fell victim to LockBit, Russian-based ransomware. LockBit, or ABCD virus, has the unique ability to automatically spread across systems and networks after the first host becomes infected. As the attack was progressing, Accenture noticed suspicious activity on several servers. The company immediately disconnected the affected servers and reinstated production from backups. However, cybercriminals stole critical data and asked for $50 million to not make it public on the dark web. At this point, it’s not clear if Accenture plans to pay the ransom.
List of ransomware used
Different ransomware groups are responsible for cyberattacks in 2021. However, nobody knows the exact origin or location of these groups. Often the attackers identify themselves in the ransom message or self-disclose after their victim pays the ransom. Sometimes the attacker remains unknown. CD Projekt Red identified its hacker later on. It turned out to be the HelloKitty gang. Here is the list of recent ransomware victims and their attackers:
- CD Projekt Red: HelloKitty
- Acer: REvil
- CNA financial: Phoenix Cryptolocker
- Quanta: REvil
- Brenntag: DarkSide
- Colonial Pipeline: DarkSide
- Ireland's Health Service Executive: Conti
- JBS: Conti
- ExaGrid: REvil
- Kaseya VSA supply chain attack: REvil
- Accenture: Lock Bit
Ransomware attacks occur because companies fail to protect passwords and credentials or neglect native data protection features, such as multi-step and multi-level authentication. Some ransomware can quickly find vulnerabilities in system architecture or system security. Weak, unprotected spots allow attackers to enter a system and spy on it for months before launching an actual attack.
A common misconception is that a software development company cannot get hacked. Unfortunately, this is not the case because cybersecurity vulnerabilities cannot be completely eliminated. If a ransomware attack does occur, ransomware removal can take a lot of time and resources. Therefore, companies are advised to back up their data to speed up the ransomware recovery process, avoid downtime and prevent data loss.
For more information about how to recover from ransomware, watch this NAKIVO webinar about top data protection and recovery strategies.