The five most important ransomware attacks of 2021

Ransomware attacks are surging and businesses are paying the price. What lessons can CIOs learn from five of the biggest attacks this year?


A survey of more than 3,500 global technology leaders has confirmed what many already suspected: ransomware attacks are spiraling out of control. 

The threat analysis unit involved identified a 900% rise in ransomware attacks compared to the first six months of 2020. This ties in with an analysis of all security incidents reported to the UK Information Commissioner’s Office in the first six months of 2021, compiled by cyber security awareness and data analytics company CybSafe, which revealed that 22% were ransomware. That’s double the number for the same period in 2020. 

Businesses either pay a smaller amount up front by investing properly in security or much more later dealing with the effects of an attack

Things have certainly changed since the idea of ransomware first emerged as long ago as 1989 when the AIDS Trojan demanded $189 from consumers to decrypt their locked-down documents. Consumers are no longer in the crosshairs and ransomware is the most lucrative of cybercrime endeavours. The gangs behind the attacks are highly organised criminal operations, employing affiliates who infiltrate corporate networks to earn a percentage of any successful ransom demand.

With those ransoms regularly in the millions – one victim reportedly paid $40m this year – it’s hardly surprising that attacks continue to rise. Here are five of the most important attacks so far in 2021, along with the lessons to be learned from each.

1. Colonial Pipeline

Date: 7 May 2021

Perpetrator: DarkSide

Ransom Demanded: $5m

Ransom Paid: $4.4m (75 bitcoin at time of payment although $2.3m was later recovered)

Attack vector: According to a Bloomberg investigation the attack was facilitated by a single compromised virtual private network (VPN) account password.

Noteworthiness: This attack showed how even critical national infrastructures like the largest oil supply pipeline in the US are not immune to ransomware threats. Fuel shortages led to panic buying and higher prices across many days; the average consumer was as much a victim as Colonial Pipeline.

CIO takeaway: No matter what industry, what sector or vertical, you are in the crosshairs of ransomware threat actors. Ransomware is no longer a niche technical issue – it’s a core business security concern. 

“Multifactor authentication on all remote access services would have guarded against the successful attack vector used in this instance,” says Chris Sedgwick, director of security operations at Talion. 

Another mitigation would have been implementing strong network segregation to reduce the potential for an attacker to pivot from IT to OT infrastructure. “This includes making use of segmentation of environments as well as adopting a zero-trust network architecture which only allows users access to the networks they need,” Sedgwick says.

2. Kaseya

Date: 2 July 2021

Perpetrator: REvil

Ransom Demanded: $70m

Ransom Paid: None: universal decryption key was obtained on 22 July through a “trusted third party”, apparently without charge.

Attack vector: Previously unknown “zero-day” vulnerabilities in Kaseya’s Virtual System Administrator (VSA) software

Noteworthiness: This was the very definition of a supply chain attack. The VSA remote software used by at least 50 direct customers of managed service provider Kaseya led to as many as 1,500 of their customers falling victim to the ransomware. 

CIO takeaway: First of all, take ownership of an incident promptly. Kaseya alerted all customers on 2 July and advised them to shut down administrative access to VSA. It then took its own servers and data centres offline. A patch was released on 11 July. 

“Remote monitoring and management (RMM) software access should be restricted and not available over the internet,” advises Martin Riley, director of managed security services at Bridewell Consulting. “More focus needs to be given to the supply chain, with suppliers regularly reviewed to prevent outsourcing a security incident,” he adds. Finally, applying appropriate privileges to users and updates can mitigate the impact of vulnerabilities in software that has admin rights on customer systems.

3. Ireland’s Health Service Executive (HSE)

Date: 14 May 2021

Perpetrator: Conti (Wizard Spider)

Ransom Demanded: $20m 

Ransom Paid: None

Attack vector: Unconfirmed. A Cyjax threat intelligence report suggests TrickBot, IcedID or BazarLoader malware – usually executed through phishing attacks. 

Noteworthiness: This attack reminds us that these criminal gangs are only interested in money and not even a nation’s health service is off the table. The response to the attack, which caused health service disruption for many weeks, is also noteworthy: the HSE and Irish Government made clear that no ransom would be paid from the outset.

CIO takeaway: “Wizard Spider admitted to being in the HSE’s systems for nearly two weeks before launching their attack,” says Matthew Gracey-McMinn, head of threat research at malicious bot-mitigation specialists, Netacea. “It seems probable that unpatched systems were exploited.” The key takeaway, then, is that businesses need proper investment in security. 

The HSE may have boosted its reputation by not paying the ransom, but did not escape free of charge. Its CEO, Paul Reid, told an Irish government health committee that immediate costs were €100m, but could ultimately exceed €500m. “Businesses either pay a smaller amount up front by investing properly in security or much more later dealing with the effects of an attack,” Gracey-McMinn warns.

4. Brenntag

Date: 26 April 2021

Perpetrator: DarkSide

Ransom Demanded: $7.5m

Ransom Paid: $4.4m

Attack vector: Stolen credentials

Noteworthiness: The potential use of an initial access broker (IAB) to gain entry to the network and execute the ransomware attack illustrates one of the most exploited cyber-attack methodologies today. An IAB sells compromised credentials to the highest bidder, often ransomware gangs.

CIO takeaway: Brenntag, a German chemical distribution company operating in more than 70 countries, chose to pay the multimillion dollar ransom. 

However, the most important financial transaction from a CIO perspective was that used by the attackers: the purchase of stolen credentials. The attackers admitted to this on their “new customer” site on the dark web. Peter Yapp, a partner at cybersecurity and risk consultancy Schillings, notes that “they even helpfully recommended better anti-virus, two-factor authentication and backups kept on tape” as mitigation against future attacks. 

CIOs should ensure their organisations “do the fundamentals of cybersecurity to keep attackers out,” Yapp continues, including “good awareness training so users can spot most phishing attempts, strong passwords used and audited regularly, multi-factor authentication and scanning for vulnerabilities, as well as making sure all software is patched up to date”.

5. CNA Financial

Date: 21 March 2021

Perpetrator: Phoenix

Ransom Demanded: Unknown

Ransom Paid: Unconfirmed (reported to be $40m by people close to the incident)

Attack vector: Unknown

Noteworthiness: Two things stand out about this attack. First, the size of the ransom reportedly paid; while this has not been confirmed by CNA, it would be the largest known ransom payment to date. Second, the use of ransomware called PhoenixLocker developed by Evil Corp; the latter was made subject to US government sanctions in 2019, preventing legal payment of any ransom. CNA told a reporter at security publication BleepingComputer that the threat actor responsible was Phoenix and “not a sanctioned entity”.

CIO takeaway: Although the initial attack vector has not been officially confirmed, it is thought to have used a malicious browser update delivered via a legitimate website, according to David Carmiel, CEO at threat intelligence company KELA.

While it is not known how elevated privileges on the system were obtained in order to infect the whole network, Carmiel says this “often happens through the use of known vulnerabilities and further social engineering”. 

He advises CIOs to implement security policies to ensure all key stakeholders and employees do not download updates without verifying their authenticity.