Ransomware Trends: Six Notable Ransomware Attacks from 2021

May 26, 2021 | 3 minute read

The security community witnessed triple-digit growth in the number of publicly disclosed ransomware incidents in 2020. As noted in a previous blog post on Five Things You Need to Know About Ransomware Attacks, ransomware attacks grew 715% in H1 2020 compared to the first half of the previous year. Ransomware incidents for 2020 overall increased by more than 150%.

Given those findings, it is not surprising that several ransomware incidents made headlines in 2021. Here are six events that stood out among the rest:

Accellion

In February, Accellion disclosed that the threat actor tracked as UNC2546 was behind a series of attacks on its File Transfer Appliance (FTA) product. Multiple customers of that product subsequently received extortion emails from the Clop ransomware gang.

In those messages, the group threatened to publish data stolen from the victims on its leak site unless the affected Accellion customers paid the ransom. This tactic, known as double extortion, pairs the ransom demand with the threat of publishing stolen data; it has become increasingly common in ransomware campaigns because it pressures even victims that can restore from backups to pay.

Accellion said that fewer than 100 FTA customers were affected by the attack and that fewer than 25 of those “suffered significant data theft.”

Sierra Wireless

Sierra Wireless stated that its internal IT systems were hit by a ransomware infection on March 20. The attack disrupted its website and other internal operations, as the IoT solutions provider confirmed in a statement posted to Business Wire.

In response to the ransomware attack, the company said that it had temporarily halted production at its manufacturing sites. Sierra Wireless also disclosed that its IT and operations teams had implemented measures to counter the infection. That effort helped the company to begin bringing some of its systems affected by the infection back online.

ProxyLogon

HAFNIUM wasn’t the only threat actor to exploit the set of Microsoft Exchange Server vulnerabilities collectively known as “ProxyLogon.” Days after the world learned about HAFNIUM, users began submitting attack reports to ID-Ransomware.

Bleeping Computer examined those attacks and determined that the attackers were using webshells left behind by the HAFNIUM intrusions to deploy a new ransomware strain called DearCry. Not long afterwards, Bleeping Computer reported that another ransomware operation, known as “Black Kingdom,” was also targeting ProxyLogon.

Acer

Near the end of March, the Sodinokibi (REvil) ransomware gang published images of banking communications and other files that it had reportedly stolen from Acer. A representative of the gang contacted the Taiwanese multinational electronics corporation and demanded a ransom of $50 million, the largest demand made by any ransomware gang up to that point.

The attackers also offered to cut the demand by 20%, provide a decryptor, send Acer a vulnerability report and delete all of the stolen files if the company paid early.

Apple

About a month later, a user on the XSS cybercrime forum revealed that the Sodinokibi gang was preparing to announce its “largest attack ever.” Two days later, the attackers announced that they had breached Quanta Computer, a laptop manufacturer and business partner of Apple.

The operators of Sodinokibi attempted to extort Quanta Computer for $50 million. When the company refused, the ransomware attackers pivoted to Apple and published blueprints for several new Apple devices during the tech giant’s “Spring Loaded” event on April 20.

DC Police

At the end of April, the Metropolitan Police Department for the District of Columbia confirmed that it had suffered a digital attack at the hands of the Babuk ransomware gang. The announcement came after the attackers allegedly compromised the police department’s networks and stole 250 GB of unencrypted files, wrote Bleeping Computer. It also followed the attackers’ decision to post screenshots of several of those stolen files online.

Not long thereafter, Bleeping Computer noted how Babuk’s creators had disclosed their decision to shift away from extortion-based attacks to “do something like Open Source RaaS….”

The Cybereason Advantage

Cybereason delivers fearless ransomware protection via multi-layered prevention, detection and response, blocking both ransomware infections and the data exfiltration that exposes organizations to double extortion, including:

  • Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.
  • Intelligence-Based Antivirus: Cybereason blocks known ransomware variants by leveraging an ever-growing pool of threat intelligence based on previously detected attacks.
  • NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.
  • Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.
  • Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.
  • Anti-Ransomware and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques to surface the most complex ransomware threats and end the attack before any critical data can be encrypted.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.
