Ransomware Trends: Six Notable Ransomware Attacks from 2021

The security community witnessed triple-digit growth in the number of publicly disclosed ransomware incidents in 2020. As noted in a previous blog post on Five Things You Need to Know About Ransomware Attacks, ransomware attacks grew 715% in H1 2020 compared to the first half of the previous year. Ransomware incidents for 2020 overall increased by more than 150%.

Given those findings, it’s not surprising that several ransomware incidents made headlines in 2021. Here are six events that stood out among the rest:


In February, Accellion identified UNC2546 as the malicious actor behind a series of attacks against the American technology company’s File Transfer Appliance (FTA) product. Multiple customers of that product received extortion emails from the Clop ransomware gang. 

In its messages, the group threatened to publish information stolen from its victims on its data leaks site unless those Accellion customers agreed to pay the ransom, a tactic known as double extortion that has become increasingly popular in ransomware campaigns as an effort to increase the likelihood of payment.

The American technology company said that fewer than 100 FTA clients were victims of the attack. It went on to say that fewer than 25 of those customers “suffered significant data theft.”

Sierra Wireless

Sierra Wireless stated that its internal IT systems weathered a ransomware infection on March 20. The attack disrupted its website and other internal operations, as the IoT solutions provider confirmed in a statement posted to Business Wire.

In response to the ransomware attack, the company said that it had temporarily halted production at its manufacturing sites. Sierra Wireless also disclosed that its IT and operations teams had implemented measures to counter the infection. That effort helped the company to begin bringing some of its systems affected by the infection back online.


HAFNIUM wasn’t the only threat actor that misused multiple vulnerabilities collectively known as “ProxyLogon” in Microsoft’s Exchange Server software. Days after the world learned about HAFNIUM, users began submitting attack reports to ID-Ransomware. 

Bleeping Computer examined those attacks and determined that the nefarious individuals had misused webshells left over from the HAFNIUM attacks to deploy a new ransomware strain called DearCry. Not long after that, Bleeping Computer disclosed the efforts of another ransomware operation known as “Black Kingdom” to target ProxyLogon.


Near the end of March, the Sodinokibi ransomware gang published images of banking communications and other files that it had reportedly stolen from Acer. A representative of the ransomware gang reached out to the Taiwanese multinational electronics corporation and demanded a ransom payment of $50 million. At the time of the attack, that was the largest ransom ask made by any ransomware gang to date.

Even so, the attackers said that they would reduce the ransom demand by 20%, provide a decryptor, send a vulnerability report to Acer and delete all of its victim’s stolen files if the computer corporation agreed to pay the ransom demand early.


About a month later, a user on the XSS digital crime forum revealed that the Sodinokibi gang was preparing to announce its “largest attack ever.” Two days later, the attackers announced that they had infected Quanta Computer, a laptop manufacturer and business partner of Apple.

The operators of Sodinokibi attempted to extort Quanta Computer for $50 million. When the company refused, the ransomware attackers pivoted to Apple and published blueprints for several new Apple devices during the tech giant’s “Spring Loaded” event on April 20.

DC Police

At the end of April, the Metropolitan Police Department for the District of Columbia confirmed that it had suffered a digital attack at the hands of the Babuk ransomware gang. The announcement came after the attackers allegedly compromised the police department’s networks and stole 250 GB of unencrypted files, wrote Bleeping Computer. It also followed the attackers’ decision to post screenshots of several of those stolen files online.

Not long thereafter, Bleeping Computer noted how Babuk’s creators had disclosed their decision to shift away from extortion-based attacks to “do something like Open Source RaaS….”

The Cybereason Advantage

Cybereason delivers fearless ransomware protection via multi-layered prevention, detection and response to prevent ransomware infections and data exfiltration that can put organizations at risk from double extortion.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
