Reviewing 2021’s Biggest Ransomware Attacks

Tuesday, Dec 21, 2021

BY: Team Nuspire

Ransomware remains today’s most significant cybersecurity threat, and attacks continue to hit organizations of all sizes and in all sectors. The costliest and most destructive ransomware incidents understandably attract the most media attention. Going beyond the media scrutiny, our review of 2021’s biggest ransomware attacks outlines some crucial security lessons learned from these incidents and recommendations going into 2022.

Top Ransomware Attacks 2021

Analyzing the biggest ransomware attacks in 2021 is a valuable security exercise that can help your business avoid similar security compromises.

The Colonial Pipeline

Where else to start but with an attack on U.S. critical infrastructure that gripped the nation? The Colonial Pipeline transports gasoline, diesel and jet fuel along a 5,500-mile journey from Houston to New York. In May 2021, the DarkSide ransomware gang managed to infiltrate The Colonial Pipeline Company’s IT billing system, which led to a complete pipeline shutdown.

Operators halted the pipeline in an attempt to prevent the network infiltration of IT systems from extending to operational technology systems. The shutdown lasted five days, and the supply shock led to a demand surge from worried motorists. DarkSide managed to exfiltrate over 100 gigabytes of data from The Colonial Pipeline’s IT network and encrypt an unspecified number of endpoints with ransomware.

The initial entry vector into the Colonial Pipeline’s network was an old VPN account that DarkSide threat actors accessed using stolen credentials. Within hours of the attack, the Colonial Pipeline paid a $4 million ransom to the threat actors in return for a decryption tool and to avoid the stolen data being published online. The FBI subsequently managed to recover a portion of this payment.

Key Lessons Learned:

  • Despite the complex tactics deployed to evade detection once inside your network, threat actors still exploit basic security errors to gain initial access.
  • Poor password hygiene, including reusing the same password across multiple accounts, remains a big problem in cybersecurity.

2022 Recommendations:

  • Secure logins to applications and services with multifactor authentication so that compromised credentials don’t necessarily result in access to your network.
  • Promote continued cybersecurity awareness about basic password hygiene in your organization.
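The Colonial Pipeline entry point, an old VPN account used with stolen credentials, is the kind of event that should stand out in authentication logs. The script below is an added example written for this post, not Nuspire’s or Colonial’s tooling: it parses a constructed, simplified syslog-style VPN log (real appliances use their own formats, so the field names `user=`, `result=` and `mfa=` are assumptions) and raises an alert when an account that has been silent for more than 90 days suddenly logs in again, or when a login succeeds without multifactor authentication.

```python
"""Flag risky VPN logins: dormant accounts coming back to life and
logins that completed without MFA.

Added example, not Nuspire's code or tooling. The log format below is
a constructed, simplified syslog-style line; real VPN appliances differ."""
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real incident).
# jdoe is idle from January until a late-April login with no MFA from a
# new address; asmith logs in regularly and always with MFA.
SAMPLE_LOG = """\
2021-01-10T08:02:11Z vpn-gw auth user=jdoe result=success mfa=yes src=203.0.113.10
2021-01-11T09:15:40Z vpn-gw auth user=asmith result=success mfa=yes src=203.0.113.11
2021-04-01T07:55:00Z vpn-gw auth user=asmith result=success mfa=yes src=203.0.113.11
2021-04-28T22:47:03Z vpn-gw auth user=jdoe result=success mfa=no src=198.51.100.7
2021-04-29T01:03:19Z vpn-gw auth user=asmith result=failure mfa=no src=198.51.100.7
2021-04-29T01:04:02Z vpn-gw auth user=asmith result=success mfa=yes src=203.0.113.11
"""

# An account unused for longer than this is treated as dormant.
DORMANT_AFTER = timedelta(days=90)


def parse_line(line):
    """Turn one log line into a dict; return None for lines that don't match."""
    parts = line.split()
    if len(parts) < 4 or parts[2] != "auth":
        return None
    rec = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    for kv in parts[3:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def find_risky_logins(log_text, dormant_after=DORMANT_AFTER):
    """Return a list of (timestamp, user, reason) alerts for successful logins
    that either skipped MFA or revived an account idle for > dormant_after."""
    alerts = []
    last_success = {}  # user -> timestamp of the previous successful login
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("result") != "success":
            continue
        user = rec["user"]
        if rec.get("mfa") != "yes":
            alerts.append((rec["ts"], user, "success without MFA"))
        prev = last_success.get(user)
        if prev is not None and rec["ts"] - prev > dormant_after:
            alerts.append((rec["ts"], user, "dormant account reactivated"))
        last_success[user] = rec["ts"]
    return alerts


if __name__ == "__main__":
    for ts, user, reason in find_risky_logins(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Run against the sample, the only account that trips either rule is jdoe, which fires both. One caveat: an account’s first login inside the log window has no earlier success to compare against, so the dormancy rule needs a baseline of history longer than the 90-day threshold (or a separate directory lookup of last-logon dates) before it can be trusted.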

JBS

JBS Foods is the world’s biggest meat processing company, but its colossal multinational enterprise stature didn’t spare the company from becoming a ransomware victim. In May 2021, the prolific REvil ransomware gang managed to get a foothold in JBS’ IT systems and install ransomware.

JBS promptly issued a statement disclosing the fact that a cyber attack had affected its North American and Australian IT systems. The company decided to halt operations at nine of its U.S. plants in addition to several others abroad.

Even though JBS responded quickly and managed to restore affected systems from backups, the company still paid an $11 million ransom to REvil. This ransom payout indicates that sensitive data exfiltration probably occurred, and JBS felt it was necessary to pay up and avoid the public disclosure of confidential data.

Key Lessons Learned:

  • It’s critical to act fast in the wake of a ransomware attack; operational disruptions could have been far worse had the company not responded quickly and contained the spread of ransomware.
  • Despite government advisories warning ransomware victims not to pay the ransom, many companies still ignore this advice.

2022 Recommendations:

  • If you don’t have robust detection and response capabilities in place, turn to a managed security provider for assistance because time is of the essence when it comes to ransomware.
  • If your business becomes a ransomware victim, it’s best to be transparent with customers and disclose the incident quickly, particularly if threat actors compromise sensitive customer data.

CNA Financial

CNA Financial is one of the world’s largest insurance companies. In March 2021, a sophisticated ransomware attack on the company’s IT network encrypted up to 15,000 devices. Threat actors tied to the Russian Evil Corp gang used the Phoenix CryptoLocker ransomware strain to lock down systems.

The widespread network disruption caused by this incident led to CNA Financial paying a whopping $40 million ransom. This payment immediately smashed the records for the largest ransomware payout in history.

The attack started with a fake web browser update installed on a single employee’s workstation. This malicious update provided remote access, and the threat actors managed to move laterally through the network while evading detection for up to 14 days. Additional malicious activity resulted in privilege escalation and final execution of the ransomware payload.

Key Lessons Learned:

  • Perimeter-based security controls are important, but they aren’t enough to deal with ransomware attacks.
  • Threat actors still regard employees as cybersecurity weak links.

2022 Recommendations:

  • Make sure your endpoint security strategy includes the ability to block and remediate threats, such as malicious software updates, in real-time.
  • Along with investing in tools that guard the entry points to your network, invest some of your company’s cybersecurity budget in incident readiness and response.

HSE Ireland

The Health Service Executive (HSE) provides public health services to Irish citizens in 4,000 locations and 54 acute hospitals. In May 2021, as Ireland’s health system still reeled from a third wave of the COVID pandemic, the HSE fell victim to a serious ransomware attack conducted by the Conti gang. Threat actors managed to compromise up to 80 percent of the HSE’s entire IT infrastructure.

The immediate consequence of the attack was a severe disruption to the provision of critical health services. Many hospitals postponed the vast majority of outpatient appointments, which included treatments for serious illnesses, such as cancer. Conti managed to exfiltrate sensitive data about Irish patients, some of which ended up on the dark web.

A thorough incident investigation concluded that the attack started when an employee opened a malicious Microsoft Excel file attached to a phishing email. From this initial entry point, classic ransomware reconnaissance took place over the course of eight weeks.

Key Lessons Learned:

  • Morals don’t enter the equation in the minds of threat actors — every industry is a target for cyber attacks.
  • Phishing campaigns provide a low-hanging fruit opportunity for hackers to gain remote access to IT networks.

2022 Recommendations:

  • Get an anti-phishing email security solution in place to help filter out malicious emails before they arrive in user inboxes.
  • Promote greater awareness of phishing threats among employees and conduct simulated attacks to help educate people on what these attacks look like.
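The HSE intrusion began with a malicious Excel attachment, so a useful first check in an email security pipeline is whether an incoming Office attachment can carry macros at all. The Python below is an added example for this post, not Nuspire’s product or the HSE’s tooling: it inspects attachment bytes rather than trusting the filename, flags modern OOXML files that contain a `vbaProject.bin` part (including ones disguised under a supposedly macro-free extension such as `.xlsx`), and routes legacy OLE2 binaries, which this simple check cannot fully parse, to a macro-aware scanner for review. The attachments it tests against are constructed in memory, not real samples.

```python
"""Triage e-mail attachments for macro-bearing Office files.

Added example, not Nuspire's or the HSE's tooling. The attachment bytes
built by make_ooxml() are constructed test data, not real malware."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container
MACRO_EXTENSIONS = {"xlsm", "xltm", "docm", "dotm", "pptm"}
LEGACY_EXTENSIONS = {"xls", "xlt", "doc", "dot", "ppt"}


def has_vba_project(data):
    """True if a zip-based (OOXML) file carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Return (verdict, reason) where verdict is 'block', 'review' or 'allow'.

    The decision is based on the file's content; the extension is only
    used to spot a mismatch between what the file claims and what it is."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office formats can embed VBA; this check cannot tell
        # whether they do, so hand them to a macro-aware scanner.
        return ("review", "legacy OLE2 Office container")
    if zipfile.is_zipfile(io.BytesIO(data)):
        if has_vba_project(data):
            if ext in MACRO_EXTENSIONS:
                return ("block", "macro-enabled Office document")
            # A VBA project inside a file claiming to be macro-free
            # (e.g. invoice.xlsx) is a deliberate disguise.
            return ("block", "VBA project hidden in .%s" % ext)
        return ("allow", "OOXML without macros")
    if ext in MACRO_EXTENSIONS or ext in LEGACY_EXTENSIONS:
        # Office extension on bytes that are neither OLE2 nor zip: suspicious.
        return ("review", "Office extension but unrecognised content")
    return ("allow", "not an Office document")


def make_ooxml(with_macros):
    """Build a minimal zip that mimics an .xlsx/.xlsm (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.xlsm", make_ooxml(True)),
        ("invoice.xlsx", make_ooxml(True)),    # macros hidden behind a safe-looking name
        ("budget.xlsx", make_ooxml(False)),
        ("old.xls", OLE2_MAGIC + b"\x00" * 8),
        ("notes.txt", b"hello"),
    ]
    for name, blob in samples:
        print(name, *triage_attachment(name, blob))
```

A real mail gateway would go further (extract macro code, detonate in a sandbox, check sender reputation), but the point of the check is that it never relies on the filename or the declared content type, which is exactly what a phishing lure controls.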

Learning lessons from the top ransomware attacks of 2021 better places your business to avoid similar pitfalls. A common thread running through these attacks is that even the largest enterprises suffer from security lapses. Consider bolstering your security posture and knowledge with managed security services or consulting.

Contact Nuspire today to find out how we help businesses defend against ransomware threats.