A Brief History of Ransomware Evolution
There have been over 200 ransomware attacks that have made headlines in 2021 so far - to understand how we got here, let's look at how the ransomware threat has evolved over the years...
Anthony M. Freed
There were nearly 500 million ransomware attacks in the first half of 2021. As reported by Help Net Security, security researchers detected 190.4 million ransomware attempts in Q3 2021 alone, which brought the total volume of attacks up to 470 million at the beginning of October. The researchers went on to predict that there would be a total of 714 million ransomware attacks by the end of the year, constituting a 134% year-over-year increase from 2020.
Let’s take a moment now to examine ten of the biggest ransomware attacks that made news over the course of 2021. The following attacks are listed alphabetically based on the names of the victims, and are not ranked based on size or impact of attack:
Accenture, the IT consultancy firm, said that it had identified irregular activity involving one of its environments in the fourth quarter of fiscal 2021, Bleeping Computer reported. The activity included the exfiltration and subsequent publication of proprietary information by a third party.
The computer self-help website shared that the LockBit ransomware gang ultimately claimed responsibility for the attack and said that they had stolen six terabytes of data from Accenture’s network. The group also allegedly demanded a $50 million ransom, per the news report.
Back in March 2021, the REvil/Sodinokibi ransomware gang took to their data leaks website to announce that they had breached the Taiwanese multinational electronics corporation Acer. Those responsible for the attack published images of financial statements and other documents allegedly stolen from the company as a means of claiming responsibility for the attack. They also demanded $50 million from Acer, an amount which was the largest ransom ask made of any victim at that time.
About a month after the Acer attack, someone using the moniker “Unknown” wrote in a thread for digital crime forum XSS that the REvil/Sodinokibi gang was about to disclose their “largest attack ever.” It was two days later when the ransomware group revealed that they had attacked a business partner of Apple.
The attackers attempted to pressure the company into paying a ransom. When that didn’t work, they turned their attention to Apple by publicly releasing proprietary blueprints for new Apple devices that they had stolen from the tech giant’s business partner. They vowed to continue publishing files stolen from Apple unless the company agreed to a ransom demand of $50 million by May 1st.
In the beginning of May, the Colonial Pipeline Company announced that they had fallen victim to a ransomware attack. The company responded by suspending its affected IT assets as well as its main pipeline responsible for transporting 100 million gallons of fuel every day between Texas and New York. Over the course of assisting the Colonial Pipeline Company with its recovery efforts, the FBI confirmed that the DarkSide ransomware gang had been responsible for the attack.
A month later, CNN reported that meat supplier JBS USA had paid a ransom of $11 million following an attack involving its IT systems in North America and Australia. (The U.S. government attributed the attack to REvil/Sodinokibi.) The ransom payment came after JBS USA suspended and then resumed its beef processing operations in the United States.
It was in the middle of July when the REvil/Sodinokibi gang made headlines once again. This time, the attackers leveraged a vulnerability in the Kaseya VSA software to execute a supply chain attack and distribute malware to the IT management software provider’s MSP clients and their downstream clients.
Later, REvil/Sodinokibi claimed responsibility for the attack and initially demanded $70 million in exchange for a universal decryptor. Kaseya later announced that it had acquired this utility and was offering it to customers to help them recover their systems, as reported by the U.S. Office of the Director of National Intelligence (ODNI).
In mid-November, software solution provider Kisters AG in Germany suffered a ransomware attack. The company wrote in an update on November 21 that there were “no indications that the software products we have delivered have been compromised,” as quoted by DataBreaches.net.
The company went on to say that it was in the process of redesigning its systems to ensure the security of its customers going forward. Later, the Conti ransomware group allegedly added Kisters.de to its data leaks site and published what it claimed to be 5% of the data they had exfiltrated over the course of its attack.
According to NBC News, ransomware actors struck U.S. workforce management company Kronos in December 2021. The company said that its programs that rely on cloud services—including those leveraged by Whole Foods, Honda, and local governments to pay their employees—would be unavailable for several weeks. A spokesperson for the company declined to provide details about which ransomware group was responsible for the attack.
Back in October, Planned Parenthood Los Angeles (PPLA) suffered a ransomware attack that exposed the protected health information (PHI) of 409,759 patients. One of the patients decided to take legal action over the incident, as reported by the HIPAA Journal, filing a class-action lawsuit in the U.S. District Court of Central California two months later. The lawsuit alleged that the incident and the theft of their sensitive health data had put them at imminent risk of harm.
Finally, someone told Bleeping Computer on December 24 that Shutterfly had suffered a ransomware infection two weeks prior at the hands of the Conti ransomware gang. The ransomware group created a private data leak page containing information stolen from the company. The attackers then threatened to make the page public if Shutterfly didn’t pay the ransom.
These 10 attacks were the biggest, but it’s also important to reiterate that they are only 10 out of an estimated 700 million plus attacks, a rate that averages to more than 22 ransomware attacks every second of every day. With this in mind, organizations need to take adequate measures to defend themselves against ransomware. It’s nearly impossible to control the impact of a ransomware attack once it’s successful. The best way to minimize the potential impact from ransomware attacks is to detect and block them earlier in the attack sequence.
The actual ransomware payload is the very tail end of a ransomware attack, so there are weeks or even months of detectable activity prior to the payload delivery where an attack can be intercepted before there is any serious impact to the targeted organization.
Cybereason is the only security provider that remains undefeated in the fight against ransomware, protecting every customer from threats like the DarkSide Ransomware that shut down Colonial Pipeline, the REvil Ransomware that disrupted meatpacking giant JBS and IT services provider Kaseya, the LockBit Ransomware that struck Accenture, as well as every other ransomware family.
Cybereason is dedicated to teaming with Defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about the Cybereason Predictive Ransomware Protection solution, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.