As we look back on 2021, the U.S. will likely remember it for the insurrection, the continuation of a global pandemic, rising inflation, and a surge of ransomware attacks that proved to be the biggest threat organizations faced throughout the year. Though this is a list of the biggest hacks of the year, it is almost entirely dominated by ransomware, because ransomware has proven extraordinarily disastrous to ill-prepared organizations. With the global proliferation of the LockBit 2.0 strain and the rise of ransomware-as-a-service operators that lease their tooling and infrastructure to affiliates in exchange for a cut of each ransom, it has been the hot topic of the year. Keep in mind as we go through the biggest hacks of 2021 that while ransomware has the most visible impact on business operations, other forms of attack can still cause catastrophic damage, and those threats should not be ignored or forgotten.
On May 7th, Colonial Pipeline, operator of the largest fuel pipeline in the US, faced a disaster scenario when it discovered that much of its IT infrastructure had been locked up by ransomware. Roughly 100GB of data was stolen from Colonial's systems before the encryption phase began, and Colonial paid a ransom of 75 bitcoin, worth about $4.4 million at the time (Bloomberg initially reported the figure as nearly $5 million). Out of caution, Colonial shut down its main pipeline, resulting in temporary gasoline and diesel shortages across much of the east coast. The FBI publicly identified the Russian-speaking ransomware gang DarkSide as responsible. The initial access was as mundane as it gets: a legacy VPN account that was no longer in active use but had never been disabled, protected by a single password that had already appeared in a leaked credential dump, with no multifactor authentication, so the attackers simply logged in. In June the Department of Justice announced it had seized 63.7 of the 75 bitcoin paid, recovering the majority of the ransom.
The chemical distribution company Brenntag confirmed that it had been hit with ransomware at the beginning of May. According to BleepingComputer, the DarkSide gang was responsible for this attack as well, demanding a $7.5 million ransom and making off with over 150GB of business data. In the end, Brenntag paid $4.4 million in ransom on May 11th. As in the Colonial Pipeline incident, DarkSide gained access through stolen credentials, though in this case the credentials were purchased from a black-market seller rather than found in a leak.
CNA Financial is one of the largest insurance companies in the US, and in late March it disclosed that it had suffered a "sophisticated" cybersecurity attack. The group behind the attack used the Phoenix Locker ransomware, a strain widely assessed to be a rebrand of Evil Corp's tooling, and gained its foothold by tricking employees into installing malware disguised as a browser update. The attack was so extensive that the operators initially demanded $60 million, and in the end CNA Financial reportedly paid around $40 million to regain access to its systems. Even so, CNA's website was out of commission for over two weeks as its internal and external teams worked to contain the fallout.
Kaseya is a Florida-based software company whose VSA product is remote monitoring and management software used by Managed Service Providers (MSPs) to administer their clients' systems, so when Kaseya's software was compromised by REvil, the MSPs' downstream clients were compromised with it. On July 2nd, REvil exploited a critical vulnerability in internet-facing on-premises VSA servers (an authentication bypass tracked as CVE-2021-30116) to take control of the servers at roughly 50 to 60 MSPs, then abused VSA's own software-deployment channel to push the ransomware to every endpoint those MSPs managed, disguised as a VSA agent hotfix. This small batch of compromises let REvil deploy its ransomware to as many as 1,500 companies worldwide in one fell swoop. The security firm ESET identified victims in at least 17 countries, and REvil announced that it would publicly release a universal decryption tool if it was paid $70 million.
Global consulting giant Accenture was hit by LockBit ransomware in August 2021, in what was initially reported as a minor compromise. Since then, it has come to light that the scope of the attack was far greater than first understood, with the attackers claiming to have exfiltrated over 6TB of data and demanding a $50 million ransom. To date, Accenture has not acknowledged the extent of the breach beyond its mandatory SEC filings, which may indicate that no personally identifiable information was taken. Accenture was quick to affirm that no client credentials were stolen, though some security researchers remain skeptical of that claim, given the next hack on our list.
Following the Accenture attack, LockBit claimed to have stolen credentials belonging to Accenture customers, particularly in the aviation industry. Shortly after that statement, Bangkok Airways was hit by LockBit 2.0 ransomware, with as much as 200GB of data exfiltrated and subsequently leaked online. The dump contained passenger information such as names, contact details, passport numbers, travel history, and even partial credit card numbers. Bangkok Airways emphasized that its operational and aeronautical systems were not affected. The timing is suspicious, but it remains unclear whether the two incidents are actually connected, and the rumors continue unabated.
Wrapping up the year by focusing on its biggest hacks may seem cynical, but there is still room for optimism. While many big names were hit by ransomware this year, businesses are beginning to learn how to protect against and respond to ransomware threats. They are starting to recognize the need to invest in practical cybersecurity processes rather than simply buying more tools to add to an already overflowing stack, and some are even learning how important it is to have buy-in on cybersecurity responsibility from the boardroom. So, while things may look bleak for cybersecurity teams, there is still much room for optimism about our ability to protect against, detect, and respond to the emerging threats that would seek to damage what we hold dear.