Ransomware is a present danger, and it is widely considered one of the principal threats to organizations. Although we are only halfway through 2021, ransomware attacks have been hitting since the beginning of the year and show no sign of slowing down. Across the world, cybercriminals are exploiting security vulnerabilities and holding the sensitive information of businesses, governments, and healthcare organizations hostage, sometimes demanding payments of millions of dollars!
What is ransomware?
Ransomware is a form of malware that encrypts a company’s data. The threat actor then demands a ransom from the victim to restore access to the locked information. Usually, victims are given specific instructions on how to pay the ransom for the decryption key. Costs can range from a few hundred dollars to millions, usually payable in Bitcoin.
How does it work?
One of the most common ways bad actors distribute ransomware is by phishing: emails claiming to come from trustworthy companies can carry infected attachments.
The instant a user downloads and opens the infected attachment, the attackers can take over the victim’s device, and from there the whole network. After gaining access to the victim’s computer, the most common action is to encrypt some or all of the user’s files.
As we mentioned earlier, the company is then asked to pay a considerable ransom for a decryption key known only to the attacker!
Who are usually the targets of ransomware?
There are different ways attackers choose the organizations they target with ransomware. Sometimes it’s only about opportunity. For example, hackers might find it easier to target universities, as they tend to have smaller security teams and a disparate user base that does a lot of file sharing, which makes it easier to gain access to their devices.
However, some organizations attract attacks because of their heavy reliance on their computer networks, which makes them seem more likely to pay a ransom quickly. For example, medical systems or government agencies often need immediate access to their files. In addition, law firms and other enterprises holding sensitive information may be willing to pay to keep the story out of the news.
Although there are some patterns in how targets are chosen, don’t assume you’re safe just because you don’t fit these categories. Some ransomware spreads automatically and indiscriminately across the internet, which makes everyone a target.
What were the most notable attacks this year?
Over the past few months and years, we have seen a rise in ransomware attacks, many of them high-profile. Notably, just six ransomware groups are responsible for breaching the cybersecurity defenses of 292 organizations, and these cybercriminals have so far taken more than $45 million in ransom from their attacks.
1. Colonial Pipeline
Of all of the cyber and ransomware attacks in 2021, the breach of Colonial Pipeline in May had the most news coverage. According to Joe Giordano, a director at Touro College Illinois Cybersecurity Program: “The Colonial Pipeline attack made such an impact because the pipeline is an important part of the national critical infrastructure system. Taking the system down disrupted gas supplies all along the East Coast of the United States, causing chaos and panic.”
Behind the attack was the DarkSide gang, which targeted the company’s billing system and internal business network, leading to widespread fuel shortages in multiple states. Colonial Pipeline eventually paid the group’s demand of $4.4 million in bitcoin to avoid further damage.
This attack was dangerous because consumers started to panic and ignored safety precautions. Some East Coast residents tried to hoard gasoline in flammable plastic bags and bins, and one car even caught fire. After the chaos passed, government officials confirmed that Colonial Pipeline’s cybersecurity measures were not good enough and that the attack might have been prevented if stronger protection had been in place.
Fortunately, US law enforcement was able to recover much of the $4.4 million ransom paid. The FBI was able to trace the money by monitoring digital wallets and cryptocurrency movements, although finding the actual attackers will prove a lot harder.
Even though most of the money was recovered, Giordano doesn’t see hacker groups slowing down or stopping soon.
“I think bad actors will be increasing their efforts in terms of ransomware attacks. Because of the type of attack that it is and the anonymity of the Internet and dark web, it makes ransomware attacks a low-risk endeavor for attackers looking to make some quick money. So many companies and institutions still have weak security, and strong security requires constant vigilance and updates, not a one-time upgrade. When more organizations start to take cybersecurity seriously and invest the time and resources to combat threats, we’ll start to see these threats diminish.” - Joe Giordano
2. Brenntag
Around the same time, in early May this year, the same DarkSide group that targeted Colonial Pipeline also hit Brenntag, a chemical distribution business. DarkSide demanded roughly $7.5 million in bitcoin after stealing 150 GB worth of data.
Eventually, Brenntag gave in to the demands and ended up paying $4.4 million. Even though it was a little more than half of the original demand, it still stands as one of the highest ransomware payments in history.
3. Acer
Also in May 2021, the computer manufacturer Acer became a victim of ransomware after being targeted by the REvil hacker group, the same group responsible for the attack on Travelex, the foreign exchange company. The $50 million ransom stood out as the biggest known to date. REvil exploited a vulnerability in a Microsoft Exchange server to gain access to Acer’s files and leaked images of sensitive financial documents and spreadsheets.
4. JBS Foods
As we all know, the spring of 2021 gave us a bit of hope that the pandemic would end. Unfortunately, the rising trend of cyberattacks that began in 2020 showed no sign of slowing down. Another high-profile ransomware attack occurred in May on JBS Foods, one of the largest meat processing companies in the world. The same Russia-based hacking group, REvil, is believed to be behind the attack.
There weren’t any major food shortages after the attack; however, government officials told consumers not to panic-buy meat in response. This June, it was confirmed that JBS paid the $11 million ransom demand after consulting with cybersecurity experts. This payment, made in bitcoin, is one of the biggest ransomware payments of all time.
5. Quanta
The REvil gang was very busy in 2021, also attacking the computer manufacturer Quanta back in April and demanding a $50 million ransom. Quanta is one of Apple’s major business partners. After the company refused to negotiate with the hacker group, REvil targeted Apple instead. After leaking Apple product blueprints obtained from Quanta, they threatened to publish more sensitive information and documents.
6. NBA (National Basketball Association)
As we said before, many kinds of industries and businesses are targeted by ransomware attacks. Still, one of the most surprising victims this year was the National Basketball Association (NBA). In mid-April, the hacker group named Babuk claimed to have stolen 500 GB of confidential data about the Houston Rockets. The group warned that the confidential documents, including financial information and contracts, would be made public if their demands were not met. However, no ransom payment has been made yet.
7. AXA
The European insurance company AXA was attacked in May by the Avaddon gang. The attack occurred soon after the organization announced important changes to its insurance policy: AXA said it would stop reimbursing many of its clients for ransomware payments. This unusual and somewhat ironic attack on a cyber-insurance firm made headlines, and the hackers gained access to 3 TB of data.
8. CNA
Earlier, in March 2021, another large insurance company fell victim to ransomware. CNA’s network was hacked on March 21, and the attackers encrypted 15,000 devices, including many computers of employees working remotely. The hacker group Evil Corp is believed to be behind the attack, which used a new strain of malware named PhoenixCryptoLocker.
9. Kia Motors
In February 2021, Kia Motors, a Hyundai subsidiary, was reportedly hit with ransomware. Even though Kia reported a widespread IT and systems outage, it did not confirm the attack. However, many experts believe the claims by the DoppelPaymer gang, which demanded a $20 million ransom. The hacker group released some stolen data, but no updates on the attack have surfaced in the news for the past few months.
Two key components are needed to solve this problem. First, companies need to take network security seriously and invest sufficient resources in it. Second, more highly educated cybersecurity experts are needed to deal with the scourge of ransomware attacks we are currently facing.
Make sure you invest enough time and money in cybersecurity training, as it is the easiest way to protect yourself and your business against these increasingly frequent attacks!