10 of the biggest ransomware attacks in the second half of 2021
Extortion, increasingly lofty ransom demands and sensitive data leaks continued in the second half of 2021, impacting organizations such as Kaseya and MediaMarkt.
Ransomware attacks showed no sign of slowing down in 2021 as enterprises continued to fall victim to data theft and the forced shutdown of operations.
During the first half of 2021, attacks struck critical infrastructure organizations and government agencies, causing significant fallout. Ransomware gangs targeted larger organizations with increasingly large ransom demands.
Those trends continued, and no sector was left untouched in the second half of 2021, including cryptocurrency exchanges. Extortion remained a central tactic for ransomware groups, and in many cases data leak sites called attention to attacks even before the affected companies disclosed the incidents. Attackers appeared to follow through on many of those threats by exposing sensitive files.
Here are 10 of the biggest ransomware attacks of the second half of the year as 2021 comes to a close.
1. Kaseya
On July 2, Kaseya suffered a supply chain attack when REvil operators hit the vendor, which provides remote management software for managed service providers (MSPs). In a statement on its website, Kaseya attributed the attack to the exploitation of zero-day vulnerabilities in the on-premises version of its VSA product. The flaws allowed attackers to bypass authentication and use VSA to remotely send arbitrary commands, leading to the deployment of ransomware on the MSPs' clients. The wide reach of the incident garnered the attention of the FBI, which issued an incident response guide.
As of July, Kaseya said it was "aware of fewer than 60 customers" impacted by the attack, but the fallout reached "1,500 downstream businesses." In an incident update on July 22, Kaseya said it "obtained a universal decryptor key" from a third party and that it was working to remediate impacted customers. It turned out the third party was not REvil, as Kaseya confirmed it did not negotiate with the attackers and "in no uncertain terms" did not pay a ransom to obtain the tool.
2. Accenture
Global consulting firm Accenture confirmed it suffered a ransomware attack in August, though at the time the company said there was "no impact" on operations or on clients' systems. LockBit operators claimed responsibility for the attack and set a countdown to leak the stolen data on their public leak site if a ransom was not paid. In a statement to SearchSecurity, Accenture said it "immediately contained the matter and isolated the affected servers" and fully restored affected systems from backups. However, in an SEC filing in October, Accenture disclosed that some client systems were breached, and that attackers stole and leaked proprietary company data.
3. Ferrara Candy Company
This attack made the list for its unfortunate timing, as the candy corn manufacturer was hit right before Halloween. Ferrara disclosed to media outlets that it was hit by a ransomware attack on Oct. 9 and was working with law enforcement on an investigation, as well as with a technical team to "restore impacted systems." While productivity was impacted, as of Oct. 22 work had resumed in "select manufacturing facilities" and shipping operations were nearly back to normal, according to the company. Ferrara did not disclose the type of ransomware or reveal whether a ransom was paid in order to resume operations.
4. Sinclair Broadcast Group
On Oct. 16, an investigation into a potential security incident at Sinclair Broadcast Group revealed that the media conglomerate had suffered a ransomware attack and data breach. Afterward, Sinclair engaged a cybersecurity forensics firm and notified law enforcement along with other government agencies. While the type of ransomware, the extent of the stolen data and whether a ransom was paid remain unclear, the attack caused disruptions to "certain office and operational networks." That disruption included some Sinclair-owned broadcast networks that experienced technical difficulties related to the ransomware attack and were temporarily unable to broadcast. In a statement on Oct. 18, Sinclair said it "cannot determine" the attack's "material impact on its business, operations or financial results."
5. Eberspächer Group
A ransomware attack against the international automotive supplier caused extended downtime at production plants and, according to reports, forced paid time off for some of the factory workforce. In a statement on its website, Eberspächer Group, which operates 50 plants, said it was the victim of a ransomware attack on Oct. 24 that impacted part of its IT infrastructure. Authorities were contacted, and as a precautionary measure all IT systems were shut down and the network was disconnected. Updates posted to Twitter showed Eberspächer's website was still offline on Nov. 29, more than a month later. Nonetheless, "most plants worldwide" were delivering as of Nov. 5, when Eberspaecher tweeted that it was "on the right track."
6. National Rifle Association
At the end of October, reports surfaced that the National Rifle Association (NRA) was the victim of a ransomware attack after Grief ransomware operators posted alleged confidential information to their public leak site. While the NRA did not confirm the ransomware attack or issue a public statement, it did respond on Twitter. Andrew Arulanandam, managing director of NRA public affairs, said the "NRA does not discuss matters relating to its physical or electronic security." It's unclear what the ransom demand was, or whether the nonprofit organization paid it.
7. BTC-Alpha
In a statement to SearchSecurity, cryptocurrency platform BTC-Alpha confirmed it was the victim of a ransomware attack at the beginning of November, right around its five-year anniversary. While it appears no funds were affected, the attack did take down BTC-Alpha's website, as well as its app, which remained out of commission through Nov. 20. Initially, a screenshot posted to Twitter by threat intelligence firm DarkTracer sparked rumors of an attack against the cryptocurrency exchange. According to the screenshot, LockBit claimed to have encrypted BTC-Alpha's data, a common tactic employed by ransomware gangs to pressure victims into paying. BTC-Alpha founder and CEO Vitalii Bodnar has since attributed the attack to a competitor and said he "doubts the attack was related to LockBit," but could not share more information as the investigation was still underway.
[Warning] LockBit ransomware gang has announced “Cryptocurrency Exchange” on the victim list. pic.twitter.com/pA2bh1Vmte
— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) November 17, 2021
8. MediaMarkt
MediaMarkt made the list both for its size, with over 1,000 electronics retail stores in Europe and over 50,000 employees, and for the significant size of the alleged ransom demand in this attack. A report by Bleeping Computer on Nov. 8 put the demand at $240 million and attributed the attack to the Hive ransomware group. Cybersecurity company Group-IB detailed Hive's activity and found the ransomware-as-a-service group claimed hundreds of victims in just six months. According to Group-IB, it took Hive less than half a year to break the record for the highest ransom demand. While MediaMarkt confirmed to Bleeping Computer that a cyber attack took place, it's unclear when the company's operations were fully restored and whether a ransom payment was made.
9. Superior Plus
Natural gas supplier Superior Plus Corp. confirmed it was the victim of a ransomware attack that occurred on Dec. 12. In a statement on Dec. 14, the Canada-based corporation said it "temporarily disabled certain computer systems and applications" as part of its investigation and "is in the process of bringing these systems back online." Independent cybersecurity experts were hired to assist in the investigation. At the time of the statement, Superior Plus said it had "no evidence that the safety or security of any customer or other personal data had been compromised." Superior Plus became the latest energy company to suffer a ransomware attack, following the high-profile and disruptive attack on Colonial Pipeline Company earlier this year.
10. Kronos
On Dec. 11, Kronos Incorporated spotted unusual activity in its private cloud that included encrypted servers. Two days later, the workforce management provider notified customers that it was the victim of a ransomware attack. In fairly detailed updates posted on its website, Kronos said that in response it shut down more than "18,000 physical and virtual systems, reset passwords and disabled VPN site-to-site connections on the UKG side." The incident impacted Kronos Private Cloud, Workforce Central, Telestaff, Healthcare Extensions and UKG scheduling and workforce management for banks. One significant concern was the ransomware attack's impact on employee paychecks, since the HR systems provider is widely known for its payroll and time management systems. In its last update, on Monday, Kronos said that "due to the nature of the incident, it may take up to several weeks to fully restore system availability."