Chris Swagler | January 6th, 2022

In 2021, enterprises were frequently victims of data theft and were forced to shut down operations as a result of ransomware attacks. Ransomware attacks impacted critical infrastructure companies and government agencies, resulting in significant fallout during 2021. Ransomware groups targeted larger companies with higher ransom demands. These trends persisted throughout the year, leaving no sector unaffected. The main tactic for ransomware groups was extortion, and data leak websites drew attention to attacks, in many cases before companies disclosed the incidents. Operators carried out many of those threats and exposed sensitive files. Now that 2021 has concluded, here are the 5 most significant ransomware attacks of the year.

Kaseya

On July 2, REvil operators launched a supply chain attack on Kaseya, a vendor that provides remote management software for managed service providers (MSPs). The attack on Kaseya relied on the exploitation of zero-day vulnerabilities in the on-premises version of the VSA product. The operators exploited the flaws to bypass authentication and use the VSA to send arbitrary commands remotely, resulting in the deployment of ransomware on MSPs’ clients. The broad nature of the incident drew the attention of the Federal Bureau of Investigation (FBI), which, in cooperation with the Cybersecurity and Infrastructure Security Agency (CISA), issued an incident response guide.

Fewer than 60 customers were impacted by the attack; however, the fallout reached 1,500 downstream businesses. On July 22, Kaseya issued an incident update stating that it had obtained a universal decryptor key from a third party and was working to remediate impacted customers. It was confirmed that the third party was not REvil, as Kaseya never negotiated with the threat actors and never paid a ransom to obtain the tool.

Colonial Pipeline

On May 7, Colonial Pipeline suffered a ransomware attack, forcing the company to shut down operations and freeze IT systems. The pipeline network supplies about 45% of the East Coast’s fuel, including gasoline, diesel, military supplies, and other resources, and transports over 100 million gallons of fuel per day across the Eastern United States. DarkSide operators were found responsible for the attack, claiming they did not intend to disrupt pipeline operations and only wanted to achieve financial gain. However, they gained access to the company’s environment through compromised VPN credentials, stole 100 GB of data, encrypted the environment, and threatened to disclose the information.

The ransomware attack caused gas prices to skyrocket because of the operational impact on Colonial Pipeline and its inability to distribute gasoline. This resulted in widespread panic buying, with people feeling compelled to purchase more gas for fear of a shortage.

Hafnium

Microsoft discovered multiple zero-day exploits being used to target on-premises versions of Microsoft Exchange Server in limited and focused attacks. The threat actors used the vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to access on-premises Exchange servers, enabling access to email accounts and allowing the installation of additional malware for long-term access to the victims’ environments. The Microsoft Threat Intelligence Center (MSTIC) believes Hafnium, a Chinese state-sponsored group, was behind the campaign based on the observed victimology, tactics, and procedures.

Hafnium targeted organizations in numerous industry sectors across the United States, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Hafnium exploited vulnerabilities in internet-facing servers to compromise victims and used legitimate open-source frameworks for command and control. Once it obtained access to victims’ networks, Hafnium exfiltrated data to file-sharing sites, and it primarily operated from leased virtual private servers (VPS).

JBS

The world’s biggest meat processor, JBS, suffered a cyberattack by a still unidentified operation (though threat researchers blame REvil), forcing the company to shut down operations in Australia, Canada, and the United States. JBS provides more than 32 billion pounds of meat products every year to markets in the United States, Mexico, Canada, Europe, the Middle East, Africa, and Asia. The Brazilian-headquartered company paid $11 million in Bitcoin to restore operations and prevent any potential security risk, including data theft. The cyberattack forced the meat producer to shut down all production at its United States plants, which threatened to disrupt food supply chains and cause food price inflation in the United States. The threat actors exfiltrated more than 45 GB of data to the file-sharing site Mega. The cyberattack did not affect JBS’s backup servers, and the company worked with an incident response firm to restore its affected systems.

Washington Police Department

The ransomware group Babuk breached the Washington, D.C. Police Department’s network, stealing 250 GB of data including a “gang database” and personal information of police personnel and informants. Babuk threatened to publish the stolen data on its leak website if the police department did not pay the ransom demand. On top of pledging to continue attacking the FBI and CISA, Babuk threatened to release the stolen information, including the identities of police informants and criminal suspects, officer disciplinary files, internal finances, and files reporting sexual abuse allegations. The group’s threat to release the identities of confidential informants could endanger their lives and bring devastating consequences to ongoing operations and investigations.

As 2022 commences, expect prolific ransomware groups to continue targeting large and critical organizations and demanding larger ransoms. That’s why it’s important for companies to ring in the year on a positive note by staying current with the latest threat landscape and improving their overall network security posture. At SpearTip, our advisory services focus on real and imminent threats, identify vulnerabilities within a network, and offer remediation steps to immediately improve your company’s security posture. Our certified engineers at our Security Operations Centers continuously monitor your network for potential threats, like the ransomware attacks mentioned above, and are ready to respond to any incident at a moment’s notice. SpearTip’s ShadowSpear Platform, our detection and response tool, optimizes visibility and immediately prevents ransomware from exploiting your network by blocking the attack.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.