Ransomware gangs were shockingly aggressive throughout 2021, targeting health care facilities, schools, and critical infrastructure at an alarming rate. Hackers continued to launch supply chain attacks with extensive fallout. With the pandemic still ongoing, system administrators, incident responders, global law enforcement, and security practitioners of all sorts worked tirelessly to counter the barrage.
This post details the most prominent ransomware attacks and breaches that took place in 2021, in alphabetical order.
Accellion
Firewall vendor Accellion released a patch in late December, and then more fixes in January, to address a group of vulnerabilities in one of its network equipment offerings. The patches did not arrive, or were not installed, quickly enough for dozens of organizations worldwide, though. Many suffered data breaches and faced extortion attempts because of the vulnerabilities. The hackers behind the spree appeared to have connections to the financial crimes group FIN11 and the ransomware gang Clop. Victims included the Reserve Bank of New Zealand, the state of Washington, the Australian Securities and Investments Commission, cybersecurity firm Qualys, the Singapore telecom Singtel, the high-profile law firm Jones Day, the grocery store chain Kroger, and the University of Colorado.
Accenture
The Accenture ransomware attack was publicly revealed on Aug. 11 and allegedly provided the LockBit ransomware group with sufficient data to breach some clients of Dublin, Ireland-based Accenture, No. 1 on the 2021 CRN Solution Provider 500. LockBit demanded a $50 million ransom payment to stop the leak of six terabytes of data it had allegedly stolen from Accenture.
VX-Underground, which claims to have the internet’s largest collection of malware source code, said that the LockBit ransomware group released 2,384 Accenture files for a brief time on Aug. 11. In addition, Q6 Cyber found that the LockBit ransomware operators published more than 2,000 Accenture files to the Dark Web, including PowerPoint presentations, case studies, quotes, and so on.
LockBit said it had used credentials accessed during the Accenture attack to go after the consulting giant’s customers, compromising an airport that was using Accenture software and encrypting its systems. Accenture pushed back, telling CRN, “We have completed a thorough forensic review of documents on the attacked Accenture systems. This claim is false.”
Acer
In March 2021, REvil claimed to have broken into Taiwanese PC giant Acer and stolen unencrypted data. The notorious ransomware group posted alleged images of Acer’s financial spreadsheets, bank balances, and bank communications. Acer would not comment on whether it had been hit by ransomware, the amount of ransom demanded, or whether its Microsoft Exchange servers had been struck.
The attackers offered Acer a 20 percent discount if payment was made by March 17. In return, the REvil affiliate said it would provide a decryptor, a vulnerability report, and the deletion of stolen files. When no payment was received, the REvil affiliate behind the Acer attack demanded a $50 million ransom on March 19.
Colonial Pipeline
In May 2021, ransomware hit Colonial Pipeline, which operates a 5,500-mile pipeline that carries nearly half of the East Coast’s fuel (gasoline, diesel, and natural gas) from Texas all the way to New Jersey. As a result of the attack, the company shut down portions of the pipeline, both to contain the malware and because the attack knocked its billing systems offline. As lines grew at gas stations across the southeastern US, the Department of Transportation issued an emergency order allowing expanded fuel distribution by truck. The FBI also named the notorious Russia-linked ransomware gang DarkSide as the perpetrator of the attack.
Colonial Pipeline paid a 75-bitcoin ransom, worth more than $4 million at the time, to resolve the incident. Law enforcement was later able to recover some of the funds, and DarkSide went underground to avoid scrutiny. The attack was one of the largest-ever disruptions of US critical infrastructure by hackers and was part of a series of alarming hacks in 2021 that finally seem to have served as a wake-up call for the US government and its allies about the need to comprehensively address and deter ransomware attacks.
Ireland’s Health Service Executive (HSE)
Ireland’s health service, the HSE, said it was refusing to pay a $20 million ransom demand from the Conti ransomware gang after the hackers encrypted computers and disrupted the country’s health care. Ireland’s publicly funded healthcare system shut down all of its IT systems in May after suffering the Conti ransomware attack.
The Conti gang claims to have stolen 700 GB of unencrypted files from the HSE, including patient and employee information, contracts, financial statements, payroll, and more. The IT outage led to widespread disruption in Ireland’s healthcare, limiting access to diagnostics and medical records, introducing transcription errors from handwritten notes, and slowing response times for healthcare visits.
JBS
JBS SA, the world’s largest meat processing company, suffered a major ransomware attack in May 2021. Its subsidiary JBS USA said in a statement at the beginning of June that “it was the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems.” JBS is headquartered in Brazil and has roughly a quarter million employees around the world. Though its backups were intact, JBS USA was forced to take impacted systems offline and worked frantically with law enforcement and an outside incident response firm to right the ship. JBS facilities in Australia, the US, and Canada faced disruptions, and the attack caused a cascade of impacts across the meat industry, leading to plant shutdowns, employees being sent home, and livestock being returned to farmers.
Kaseya
The compromise of IT management software company Kaseya was another prominent supply chain attack this year. In July, hackers associated with the Russia-based ransomware gang REvil exploited a flaw in Kaseya’s Virtual System Administrator (VSA) tool. VSA is popular among managed service providers, companies that run IT infrastructure for organizations that don’t want to do it themselves. Attackers were able to exploit the flaw in VSA to infect as many as 1,500 organizations around the world with ransomware. REvil set ransoms of about $45,000 for many downstream victims and as much as $5 million for the managed service providers themselves. The gang also offered to release a universal decryption tool for about $70 million. But then the ransomware gang disappeared, leaving everyone in the dark. At the end of July, Kaseya acquired a universal decryptor and began distributing it to affected organizations. In November, the US Justice Department announced that it had arrested one of the key alleged perpetrators of the Kaseya attack, a Ukrainian national who was apprehended in October and is currently awaiting extradition from Poland.
Kia Motors America
In February 2021, Kia Motors America suffered a ransomware attack carried out by the DoppelPaymer gang, which demanded $20 million for a decryptor and a promise not to leak stolen data. DoppelPaymer claimed that a “huge amount” of data had been stolen, or exfiltrated, from Kia Motors America and that it would be released in two to three weeks if the company didn’t negotiate with the hackers.
Prior to the public ransom demand, Kia Motors America started experiencing a nationwide IT outage that affected its mobile UVO Link apps, phone services, payment systems, owner’s portal, and internal sites used by dealerships. Similarly, Hyundai told Kia dealers that multiple systems were down, including the internal dealer site, and that services used by dealer technicians were affected as well.
Microsoft Exchange Hacking
The Chinese state-backed hacking group known as Hafnium went on a tear exploiting a group of vulnerabilities in Microsoft’s Exchange Server software, compromising targets’ email inboxes and their organizations more broadly. The attacks impacted tens of thousands of entities across the United States, beginning in January and intensifying in the first days of March. The hacks hit an array of victims, including small businesses and local governments. The campaign also affected a significant number of organizations outside the US, such as Norway’s Parliament and the European Banking Authority. Microsoft issued emergency patches in March to address the vulnerabilities, but the hacking spree was already in motion, and many organizations took days or weeks to install the fixes.
Pegasus From NSO Group
The Israeli spyware developer NSO Group has increasingly become the face of the targeted surveillance industry, as its hacking tools are used by more and more autocratic customers around the world. Apple sued the maker of Pegasus after a string of revelations that NSO had created tools to infect iOS targets with its flagship Pegasus spyware by exploiting flaws in Apple’s iMessage communication platform. An international group of researchers and journalists from Amnesty International, Forbidden Stories, and more than a dozen other organizations published forensic evidence that several governments worldwide, including Hungary, India, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates, might be NSO customers. The researchers studied a leaked list of 50,000 phone numbers associated with activists, journalists, executives, and politicians who were all potential surveillance targets. NSO Group has refuted those claims. In December, Google researchers concluded that the sophistication of NSO’s malware was on par with that of elite nation-state hackers.
T-Mobile
In August 2021, wireless carrier T-Mobile admitted that data from more than 48 million people had been compromised in a breach that month. Of those, more than 40 million victims weren’t even current T-Mobile subscribers, but rather former or prospective customers who had applied for credit with the company. The rest were mostly active “postpaid” customers, who are billed at the end of each cycle instead of the beginning. Victims had their names, dates of birth, social security numbers, and driver’s license details stolen. Additionally, 850,000 customers on prepaid plans had their names, phone numbers, and PINs taken in the breach. The situation was particularly absurd because T-Mobile had already suffered two breaches in 2020, one in 2019, and another in 2018.
Twitch
In October 2021, the live-streaming service Twitch, which is owned by Amazon, confirmed that it had been breached after an unknown entity released a 128 GB trove of proprietary data stolen from the company. The breach included Twitch’s complete source code. The company said at the time that the incident was the result of a “server configuration change that allowed improper access by an unauthorized third party.” Twitch denied that passwords were exposed in the breach but later acknowledged that information about individual streamers’ revenue was stolen. In addition to the source code itself and streamer payout data going back as far as 2019, the trove also contained information about Twitch’s internal Amazon Web Services systems and proprietary SDKs.