The 5 Most Devastating Ransomware Attacks of 2021...So Far
The volume of ransomware attacks in 2021 has increased 150% over 2020 and, according to the FBI, 100 different types of ransomware were in circulation in mid-2021. Attack sizes run the gamut, from small and very focused, to massive and widespread. Senators Dick Durbin and Chuck Grassley informed the Senate in July of 2021 that 50-75% of all ransomware attacks are made against small businesses. Most go unreported, which is why we can learn more from larger attacks like the one against SolarWinds where hundreds of organizations were impacted.
Ransomware is software code designed to lock (or block access to) a computer system, network, files and/or data until the victim pays a specified sum of money – the ransom.
So far in 2021, there has been no shortage of large, devastating ransomware attacks. We captured the top 5 in terms of their significance – based on what they mean for societal security moving into 2022. On that note, just because an attack resulted in a massive ransom payment does not make that attack devastating or potentially devastating to society.
The 5 most devastating ransomware attacks in 2021 as of November 1st
1. DarkSide attack on Colonial Pipeline Company
Colonial Pipeline Company learned in early May that it had fallen victim to a ransomware attack, quickly disrupting fuel supply to a large swath of the U.S. Southeast with potential spread as far north as New York. The Colonial Pipeline ransomware attack has been, by far, the highest-profile attack of 2021. It’s no wonder – we are a motor vehicle society, and Americans need their fuel. Colonial delivers 50% of the East Coast’s fuel.
What made the attack particularly dangerous was the consumer reaction to it. People panicked and bought as much gasoline as they could store. In addition, some people stored it in unsafe containers, such as plastic bins and bags, which can burst into flames when they hold fuel.
It was shocking to read the stories about the attack method, which did not require a high degree of sophistication. Colonial had not put proper security measures in place, such as multi-factor authentication (MFA). Attackers were able to enter the company’s VPN quite easily. Hackers simply needed to try different passwords to get in.
Hacker groups are encouraged by the ease with which such a vital portion of national infrastructure was hacked. Now believing they may be able to take down additional critical infrastructure without much effort in 2022.
Ransom paid: $4.4 million
2. REvil attack on JBS USA
Later in May, JBS, the largest beef supplier in the world, was hit by a ransomware attack from the REvil ransomware group. The U.S. division, JBS USA, had to completely halt operations due to the hack. Needless to say, beef disappeared from many store shelves in the United States, as the hack impacted the supply chain that originated at JBS USA.
The REvil-JBS incident underscores just how vulnerable the U.S. food supply chain is to a much wider and more aggressive attack. One can see that a coordinated, government-sponsored, simultaneous hack of multiple large food suppliers could initiate massive food shortages nationwide.
While JBS stated that its “robust IT systems and encrypted backup servers” helped ensure a rapid recovery, that does not seem to be the entire cause of recovery. Later in June, it was revealed by JBS that they actually paid a significant ransom to avoid the compromise of company, customer and employee data.
Ransom paid: $11 million
3. Unknown ransomware attack on Buffalo Public Schools
On March 12th, a ransomware attack (by unknown criminals) hit the Buffalo Public School system in New York. The system currently serves 34,000 students. While the Buffalo Schools Superintendent downplayed the impact of the attack, an investigation determined that missing records included decades of teaching materials, student records and some 5,000 applications for admission to schools in September. Also, systems that are essential to the operation of the district, such as legal and accounting, had been crippled, according to published details and a video on the matter by WGRZ.
This incident points to a disturbing set of circumstances that applies to far too many schools nationwide. Schools are simply under-staffed in IT security—especially cybersecurity. They’ve become over half the volume of cyberattacks as of August, 2021.
Ransom paid: Unknown
4. Evil Corp attack on CNA Financial
On March 21st, CNA Financial, one of the U.S.’s largest insurance carriers, was hit by a ransomware attack that caused a major network disruption. After six weeks, the company’s network remained less than fully operational, even though company executives claimed in a statement that it took "immediate action by proactively disconnecting [its] systems" from the CNA network.
What’s most disturbing about this incident is that CNA had a security environment more sophisticated than most organizations'. Yet, they still got hacked. Ironically, the company offers cyber insurance. The incident also reveals a growing threat landscape – remote access operations. In this case, the hackers encrypted 15,000 devices, including the computers of many remote employees.
We are not 100% certain that Evil Corp was behind the attack. However, the hackers used malware called Phoenix Locker, which is Evil Corp’s ransomware, called ‘Hades.’ Based in Russia, Evil Corp is not subject to U.S. sanctions, and CNA stated that the hackers were not subject to U.S. sanctions.
Ransom paid: $40 million
5. Wizard Spider on Ireland’s Health Service Executive (HSE)
On May 14th, Ireland’s government-run health system for public health services had to shut down all their IT systems to avoid the spread of malware. Unfortunately, it had already infiltrated parts of their network during the ransomware attack. It took HSE until June 30th to restore systems for online medical card registration.
The hackers accessed patient and staff information and leaked data on HSE’s 100,000 employees and millions of patients. Critically, it seems that medical records, notes and treatment histories are part of the compromised data. A statement issued by HSE said that the Russian-speaking hackers had let some of the compromised data appear on the ‘dark web’ and that people were being affected by it. In their July cybersecurity incident update, HSE stated that healthcare services were still being severely impacted by the attack.
Needless to say, the societal impact of health system breaches is huge. Both in terms of compromised information and the national psyche. Who would want to believe that a hostile foreign group knows everything about their medical history and could publish it openly for all to see?
In spite of the gravity of the breach, HSE stated that it would NOT pay any ransom.
How Splashtop can help you avoid ransomware attacks
Many businesses turn to VPN and RDP to enable remote work, which can expose their businesses to expanding cyber threats. In recent years, Gartner and many security experts have recommended that businesses move away from network-level VPN access. They suggest a move towards application-level, identity-based remote access solutions that embrace a zero-trust framework.
Splashtop provides a cloud-native secure remote access solution that keeps your network safe from hackers. How is that? Our solution never lets people on your network in the first place. It’s our secret sauce.
Splashtop continually monitors the latest cyber threats. We are committed to protecting our customers. To do so, we’ve formed a Security Advisory Council and launched a Security Feed to help IT pros and MSPs stay on top of the latest vulnerabilities.