In 2021, the world had seen unprecedented ransomware attacks on healthcare networks, colleges, and critical infrastructure.
Ransomware is malicious software that blocks access to a network or computer until a ransom is paid. To regain access to the system, one must pay the demanded ransom to hackers or cyber-criminals.
If the ransom is not paid, ransomware actors frequently threaten to leak or sell authentication information or exfiltrated data.
Once you’ve paid the ransom, these hackers will return (or at least that’s what they promise) your files or give you the key to access your system.
In this investigative piece, we’ll take a look at the 15 biggest ransomware attacks in 2021.
Update November 2022: Much has changed in 2022. Check out our report on the biggest ransomware attacks in 2022 for an updated list.
|Affected||Ransom Requested / Paid|
|1. Kaseya||$70 million|
|2. Acer||$50 million|
|3. Quanta||$50 million|
|4. Accenture||$50 million|
|5. Grubman Shire Meiselas & Sacks||$42 million|
|6. CNA Financial||$40 million|
|7. Ireland’s Health Service Executive (HSE)||$20 million|
|8. KIA Motors||$20 million|
|9. JBS Foods||$11 million|
|10. ExaGrid||$7 million|
|11. CWT||$4.5 million|
|12. Colonial Pipeline||$4.4 million|
|13. Brenntag||$4.4 million|
|14. DC Police Department||$4 million|
|15. The University of California at San Francisco||$3 million|
Ransom Requested: $70m
Over the July 4 holiday weekend in 2021, Kaseya, an IT services firm that serves business clients and MSP, became another victim of the REvil ransomware group.
Although only 0.1% of Kaseya’s clients were affected by this security breach, its MSP affected an estimated 800 to 1,500 SMBs. These businesses included 800 Coop supermarkets in Sweden, which were forced to close temporarily due to the inability to open their checkouts.
The attackers identified a chain of vulnerabilities in Kaseya’s on-premises VSA software, which most groups run in their DMZs, alternating from incorrect authentication validation to SQL injection.
REvil then used MSP’s Management (RMM) and Remote Monitoring tools to push out the attack to all associated agents.
Ransom Requested: $50m
Computer maker Acer became a victim of a ransomware attack by the REvil hacking group, which was also responsible for an attack on London-based foreign exchange company Travelex in May 2021. The hackers requested a ransom of $50 million.
Using a Microsoft Exchange server vulnerability, REvil hackers gained access to Acer data and leaked images of personal spreadsheets and financial documents. However, Acer has never confirmed whether the ransom was paid or not.
Ransom Requested: $50m
On April 20, 2021, Quanta, an Apple hardware producer, suffered from a ransomware attack by the REvil ransomware attackers. Although Quanta is not a household name, it is one of Apple’s key business partners.
The hackers demanded a $50 million ransom from Quanta. REvil group decided to target Apple after Quanta refused to negotiate with the hackers.
The REvil gang threatened to expose more confidential documents, information, and papers after leaking Apple’s product plans. REvil appears to have abandoned the attack in May, and Apple has made no more announcements about the cyberattack.
However, on its website, Quanta revealed that it had been targeted by cybercriminals attempting to pose a substantial danger and allegedly attempting to blackmail both Apple and Quanta.
Ransom Requested: $50m
In August 2021, the ransomware gang LockBit attacked Accenture, a major tech company, which leaked over 2,000 stolen files. However, Accenture said it did not pay the $50 million ransom.
According to CyberScoop, Accenture was aware of the attack on July 30 but did not confirm it until August 11. CRN criticized the company for its lack of transparency regarding the attack, calling it a “lost opportunity by an IT heavyweight” to help disseminate ransomware awareness.
Ransom Requested: $42m
Grubman Shire Meiselas & Sacks, a New York-based media and entertainment law company, was attacked by the REvil ransomware in May 2020. This law firm represents some of the most famous public figures and prominent companies in the United States.
The ransomware operators seized all the data they deemed important before encrypting it, which is typical of a double extortion attack. The hacked data comprised sensitive private information of Barbara Streisand, Mariah Carey, Bruce Springsteen, Elton John, Madonna, Lady Gaga, and others, with a total size of 756GB.
Although Donald Trump was never a client of this company, the attackers claimed to have stolen sensitive data about him.
The attackers demanded $21 million at first, and to prove their claims; they posted 2.4GB of Lady Gaga’s data online. The ransom demand was raised to $42 million after a week of unsuccessful negotiations.
The attackers utilized an approach never seen before as the law company refused to pay. The stolen data was auctioned off, with Madonna’s data sold at a base price of $1 million. The legal firm’s reputation was severely harmed due to this incident.
Ransom Requested: Unknown, possibly $40 million
CNA Financial, the seventh largest commercial insurer in the United States, announced on March 23, 2021, that it had “experienced a sophisticated cybersecurity attack.” The hacker group called Phoenix was behind this attack, and they had used ransomware known as Phoenix Locker.
In May, CNA Financial allegedly paid $40 million as ransom to regain access to their data. While CNA has been tight-lipped about the specifics of the transaction and negotiation, it claims that all of its systems have been fully restored since then.
Ransom Requested: $20m
Because of a ransomware attack on May 14, the government entity in charge of all public health services in Ireland shut down IT networks, and services have yet to return to normal.
Every healthcare service in Ireland was impacted by this attack, including the diagnosis of blood tests and processing. Even though the HSE systems were disconnected as a precaution, the National Ambulance Services were unaffected. However, several health services were disrupted.
However, even after restoring 2,000 ransomware-affected IT systems, the Irish healthcare system remained severely disrupted for months. The online record of health insurance certificates was not restored until June 30. Despite the interruptions, HSE declined to pay the $20 million ransom in Bitcoin, claiming that the ransomware group Conti had given away the software’s decryption key for free.
HSE issued an official statement on its website stating that a tiny amount of HSE data has appeared on the darknet and that steps are being taken to assist those affected.
There was confirmation, however, that the cyberattack accessed both staff and patient information and that some data was revealed and leaked personal details, including names, 4,444 addresses, phone numbers, and addresses.
Ransom Requested: $20m
Kia Motors, a Hyundai subsidiary, became a victim of a ransomware attack in February 2021. According to Kia Motors, the subsequent ‘IT outage’ impacted Kia Motors America’s internal sites, phone services, owner’s portal, payment systems, and mobile UVO Link apps.
A $20 million ransom was requested by the DoppelPaymer gang behind the ransomware attack. The group also released a few pieces of stolen data, but no reports on the attack have come up since then.
Ransom Requested: $11 million
On May 30, 2021, JBS, the global beef producer, claimed that the REvil ransomware group attacked them, forcing the company to slam into the wall, knock it off, and suspend operations. REvil, the same Russian hacker group that targeted Acer, is suspected of being behind this attack.
Although there was no serious food shortage due to the ransomware attack, government officials warned customers not to panic when purchasing meat. After consulting with cybersecurity specialists, it was revealed on June 10 that JSB had allegedly paid an $11 million ransom in Bitcoin.
Ransom Requested: $7m
ExaGrid, a backup storage vendor that intends to assist businesses in recovering from ransomware attacks, recently experienced its ransomware attack. The Conti ransomware group was behind this attack, and they had stolen internal documents and breached the ExaGrid corporate network on May 4, 2021.
According to conversations discovered by LeMagIT, ExaGrid paid a ransom of around $2.6 million to reclaim access to encrypted data, despite the original demand being over $7 million. ExaGrid has not denied or confirmed the attack, and no further information has been released.
Ransom Paid: $4.5 million
On July 31, 2020, CWT, a US business travel management company, announced that a ransomware attack had infected its systems and had paid the ransom. The attackers claimed to have knocked 30,000 firm computers offline and stolen important corporate files using ransomware known as Ragnar Locker.
The data release might have been disastrous for CWT, which serves one-third of S&P 500 firms. As a result, on July 28, 2020, a few days before Reuters published the incident, the company paid the hackers $4.5 million as ransom.
Ransom Paid: $4.4m
On May 7th of, 2021, Colonial Pipeline Co., the largest fuel pipeline in the US, suffered a ransomware attack. Because the pipeline was an important part of the national critical infrastructure system, this attack hugely impacted fuel supplies all over the United States East Coast (in 12 US states) for several days, which caused confusion and panic. Despite having backups, Colonial Pipeline paid $4.4 million as ransom to be back online as soon as possible.
Many people considered this strike to be very personal because most Americans are directly affected by gasoline shortages. This attack was masterminded by the DarkSide organization, which targeted the firm’s internal operations and billing system.
According to the Department of Justice, the FBI confiscated a portion of the cash roughly a month after payment used a private key.
Ransom Paid: $4.4m
Brenntag, a German chemical wholesaler, learned on April 28, 2021, that it had been the victim of a cyberattack by Darkside, which had stolen 150GB of data and threatened to disclose it if ransom demands were not paid.
Brenntag reduced the original ransom of $7.5 million to $4.4 million after negotiating with the criminals, and they paid it on May 11. Despite being less than half of the original demand, it remains one of the largest ransomware payments in history.
Ransom Requested: $4 million
In April 2021, the Metropolitan Police Department in Washington, D.C., suffered from a ransomware attack by a Russian ransomware gang known as the Babuk group. The police department refused to pay the $4 million demanded by the group in exchange for not releasing the agency’s data.
The attack resulted in a massive leak of internal data amounting to 250GB, which included police officer intelligence reports and disciplinary files. According to experts, this was the worst ransomware attack on a U.S. police department.
Ransom Requested: $3m
The University of California at San Francisco announced on June 3, 2020, that the UCSF School of Medicine’s IT systems had been attacked on June 1 by a hacking collective known as Netwalker. UCSF School of Medicine had been researching a cure for COVID 19.
Netwalker has researched UCSF to learn more about its finances. Netwalker sought a $3 million ransom payment, citing UCSF’s annual earnings of billions of dollars.
After negotiations, UCSF agreed to pay Netwalker $1,140,895 in bitcoin to end the cyberattack. According to the BBC, Netwalker was also linked to at least two more ransomware attacks on universities in 2020.
Ransomware is frequently spread through drive-by downloading or phishing emails with malicious attachments. Drive-by downloading happens if someone accesses an infected website unknowingly, and malware is downloaded and installed without the user’s awareness.
Crypto ransomware, a file-encrypting malware variation, is spread in similar ways and has also been spread via social media, such as Web-based instant messaging services.
In addition, new ransomware infection mechanisms have been discovered. Vulnerable Web servers, for example, have been used as an entry point to obtain access to a company’s network.
Ransomware isn’t just for businesses; it can also infect home users, resulting in a slew of problems, including:
The ransom payment does not guarantee the release of the encrypted files; it just ensures that the malicious actors obtain the victim’s money and, in certain situations, their banking details. Furthermore, decrypting files does not imply that the malware infection has been eradicated.
Most of the time, data stolen through ransomware ends up being sold on various dark web forums. Our research into dark web prices has uncovered that such forums are very active.
In almost every case, the attackers demand virtual currency for the ransomware attack to be stopped. Because Bitcoin is the most well-known virtual currency, attackers frequently choose it.
Reclaiming money once it’s been paid is nearly impossible because you can’t trace bitcoin back to its owner.