Let’s explore why 2021 has been a year of frequent and high-profile ransomware attacks, and how those attacks have played out.
Why Is Ransomware Increasing In 2021?
The recent spike can partially be attributed to ransomware-as-a-service, an underground market in which ransomware developers outsource their operations to affiliates who then execute the attack. Ransomware affiliates don’t need to have as much technical expertise, which significantly lowers the barriers to entry.
While ransomware actors are experiencing lower barriers to entry, the financial impact for ransomware victims is higher. In 2020, 32% of ransomware victims needed to pay the criminals to decrypt their data, which was a 23% increase compared to the previous year (Sophos). And the average ransomware payment in 2021 is higher — specifically, 82% higher year over year (PurpleSec).
All of this points to the idea that ransomware is an increasingly profitable industry. Not only that, but it is becoming a professionalized and sophisticated business. DarkSide — the ransomware gang that brought in at least $60 million before it announced it was shuttering its operations — offered a full customer service department complete with real-time chat support. Success breeds success, and this profitability enables ransomware gangs to pour money into efforts like research and development, which will fuel the ransomware industry even further.
Top 10 Ransomware Attacks of 2021
In just the first half of 2021, we saw a variety of high-profile ransomware attacks that have impacted supply chains and even incited the Biden administration to take action against cybercriminals.
Here’s an overview of 10 major ransomware attacks, in the order of when they occurred.
1. Kia Motors
In February, car manufacturer Kia Motors America (KMA) was the victim of a ransomware attack that impacted both internal and customer-facing systems, including mobile apps, payment services, phone services, and dealerships’ systems. The attack also affected IT systems that customers needed to take delivery of new vehicles.
DoppelPaymer was believed to be the ransomware family that targeted Kia, and the threat actors claimed to have also attacked Hyundai Motors America, Kia’s parent company. Hyundai also experienced similar system outages.
However, both Kia and Hyundai denied being attacked — a common tactic that victims use in an attempt to preserve reputation and customer loyalty.
2. CD Projekt Red
In February, CD Projekt Red, a video game company based in Poland, suffered a ransomware attack that caused severe disruptions in the development of its highly contested upcoming release, Cyberpunk 2077. The threat actors reportedly stole source code for several of the company’s video games, including Cyberpunk 2077, Gwent, The Witcher 3, and the unreleased version of The Witcher 3.
According to CD Projekt Red, the illegally obtained data is now being circulated online. The company also said that it implemented several security measures after the attack, including new firewalls with anti-malware protection, a new remote-access solution and a redesign of core IT infrastructure.
3. Acer
In March, Taiwanese computer manufacturer Acer was the victim of a REvil ransomware attack. This attack was particularly noteworthy for its $50,000,000 demand — the largest known ransom to date.
Prior to the attack, the REvil gang targeted a Microsoft Exchange server on Acer’s domain, according to Advanced Intelligence, which points to a possible weaponization of the Microsoft Exchange vulnerability.
4. DC Police Department
In April, the Metropolitan Police Department in D.C. experienced a ransomware attack by a Russian ransomware syndicate known as the Babuk group. The police department refused to comply with the group’s $4 million demand in exchange for not leaking the agency’s data.
The attack resulted in a massive leak of internal information — amounting to 250GB of data — that included police officer disciplinary files and intelligence reports. Experts said that it was the worst ransomware attack to hit a U.S. police department.
5. Colonial Pipeline
Colonial Pipeline was arguably the most high-profile ransomware attack of 2021. Colonial Pipeline is responsible for transporting nearly half of the East Coast’s fuel. The ransomware attack was the largest cyberattack to target oil infrastructure in United States history.
On May 7, the DarkSide group deployed ransomware on the organization’s computerized equipment that manages the pipeline. Colonial Pipeline’s CEO revealed DarkSide’s attack vector as a single compromised password to an active VPN account that was no longer in use. Since Colonial Pipeline didn’t use multi-factor authentication, the attackers were more easily able to access the company’s IT network and data.
While the attack didn’t affect operational technology systems, it did compromise the company’s billing system, which forced Colonial Pipeline to temporarily halt operations. President Biden declared a state of emergency in an effort to alleviate potential gas shortages. However, the attack resulted in fuel shortages in multiple airports, causing American Airlines to temporarily change flight schedules. It also resulted in panic buying and fuel shortages, and the average fuel price rose to the highest price since 2014 at over $3 per gallon.
Within several hours of the attack, Colonial Pipeline paid the requested ransom of $4.4 million with the assistance of the FBI. On June 7, the Department of Justice announced that it had recovered approximately $2.3 million of the ransom payment.
6. Brenntag
Brenntag, a chemical distribution company headquartered in Germany, was also hit with a DarkSide ransomware attack around the same time as Colonial Pipeline in May. The attack, which impacted the company’s North America division, resulted in 150 GB of stolen sensitive data, according to DarkSide. DarkSide affiliates said they gained access by purchasing stolen credentials. Threat actors often purchase stolen credentials — such as Remote Desktop credentials — via a dark web marketplace, which is why it’s important to deploy multi-factor authentication and detect risky RDP connections.
DarkSide’s initial demand was 133.65 Bitcoin, or about $7.5 million — which would have been the largest ever payment. Through negotiations, Brenntag was able to lower the ransom to $4.4 million, which it paid.
7. Ireland’s Health Service Executive (HSE)
Ireland’s HSE, which provides healthcare and social services, was hit by a variant of Conti ransomware in May. Following the attack, the organization shut down all of its IT systems. This affected many health services in Ireland, such as processing blood tests and diagnostics.
The organization refused to pay the $20 million Bitcoin ransom, and ultimately did not need to, because the Conti ransomware group handed over the decryption key for free. However, the health service in Ireland still faced months of significant disruption as it restored 2,000 IT systems affected by the ransomware.
8. JBS
Also in May, JBS, the world’s largest meat processing plant, was hit with a ransomware attack that forced the company to stop operation of all its beef plants in the U.S., and to slow production for pork and poultry. The cyberattack significantly impacted the food supply chain and highlighted the manufacturing and agricultural sectors’ vulnerability to disruptions of this nature.
The FBI identified the threat actors as the REvil ransomware-as-a-service operation. According to JBS, the threat actors targeted servers that supported their North American and Australian IT systems. The company ultimately paid a ransom of $11 million to the Russian-based ransomware gang to prevent further disruption.
9. Kaseya
Kaseya, an IT services company for MSP and enterprise clients, was another victim of REvil ransomware — this time during the July 4th holiday weekend. Although only 0.1% of Kaseya’s customers were breached, an estimated 800 to 1,500 small to mid-sized businesses were affected through their MSPs. Among those businesses was Coop, a Sweden-based supermarket chain, which was forced to temporarily close 800 stores because it could not open its cash registers.
The attackers identified a chain of vulnerabilities — ranging from improper authentication validation to SQL injection — in Kaseya’s on-premises VSA software, which organizations typically run in their DMZs. REvil was then able to use MSPs’ Remote Monitoring and Management (RMM) tools to push out the attack to all connected agents.
10. Accenture
The ransomware gang LockBit hit Accenture, the global tech consultancy, with an attack in August that resulted in a leak of over 2,000 stolen files. The slow leak suggests that Accenture did not pay the $50 million ransom.
According to CyberScoop, Accenture knew about the attack on July 30, but did not confirm the breach until August 11, after a CNBC reporter tweeted about it. CRN criticized the firm for its lack of transparency about the attack, saying that the incident was a “missed opportunity by an IT heavyweight” to help spread awareness about ransomware.
How Blumira Helps Prevent Ransomware Attacks
A threat detection and response solution like Blumira quickly detects and alerts IT and security teams about indicators of compromise, giving remediation guidance to stop a threat actor early in the stages of a ransomware attack. Blumira detects a variety of suspicious behavior, including the creation of new admin accounts, password spraying, and open RDP ports.
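Password spraying, one of the behaviors named above, has a recognizable shape in authentication logs: a single source failing against many different accounts a few times each, rather than hammering one account. The following is an added example of that detection logic over constructed failed-logon events; it is not Blumira’s code, and the event shape, usernames and IP addresses are all made up for the illustration.

```python
"""Password-spray detection over constructed Windows logon-failure events.
Added example, not Blumira's logic: one source failing against many distinct
accounts a few times each in a short window. A brute force against one
account is deliberately not flagged."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like Windows Security event 4625
# (failed logon): (timestamp, target username, source IP address).
EVENTS = [
    ("2021-05-06T02:00:01", "a.jones", "203.0.113.7"),
    ("2021-05-06T02:00:14", "b.smith", "203.0.113.7"),
    ("2021-05-06T02:00:29", "c.patel", "203.0.113.7"),
    ("2021-05-06T02:00:45", "d.nguyen", "203.0.113.7"),
    ("2021-05-06T02:01:02", "e.garcia", "203.0.113.7"),
    ("2021-05-06T02:01:20", "f.okafor", "203.0.113.7"),
    # Same account hammered repeatedly: brute force, not a spray.
    ("2021-05-06T03:10:00", "svc_backup", "198.51.100.20"),
    ("2021-05-06T03:10:05", "svc_backup", "198.51.100.20"),
    ("2021-05-06T03:10:09", "svc_backup", "198.51.100.20"),
    ("2021-05-06T03:10:15", "svc_backup", "198.51.100.20"),
    # A user mistyping a password twice: benign noise.
    ("2021-05-06T08:30:00", "g.lee", "192.0.2.5"),
    ("2021-05-06T08:30:40", "g.lee", "192.0.2.5"),
]

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: [usernames]} for sources whose failures within any
    `window` hit at least `min_users` accounts, each at most `max_per_user` times."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((datetime.fromisoformat(ts), user))
    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                if best is None or len(counts) > len(best):
                    best = sorted(counts)  # keep the widest qualifying window
        if best:
            alerts[src] = best
    return alerts
```

Tuning `min_users`, `max_per_user` and `window` to the environment is what separates a useful alert from noise; the thresholds here are illustrative.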
Although the top ransomware attacks of 2021 were high-profile attacks on large organizations, small to medium-sized businesses are a frequent target due to limited resources and knowledge. Blumira makes it easy for smaller IT and security teams to secure their environment through simple deployment and an intuitive interface. Blumira also provides security playbooks and automated workflows to guide IT teams through security practices that help reduce the overall attack surface.
To learn more about how to defend against ransomware attacks, download our on-demand webinar. Whether you’re an IT admin with directives from leadership to prevent ransomware or you’re a small business owner that wants to get started with security, we’ve got your back.