Following on from our State of Ransomware 2020 blog, we’ll be tracking the 2021 publicized ransomware attacks each month to share with you via this blog. With damages from cybercrime expected to hit $6 trillion this year (up from $3 trillion in 2015), we expect the number of ransomware attacks to increase and newer forms to become more sophisticated and disruptive. To keep informed of what’s happening every month, follow this blog and register for our free monthly ransomware report.
Table of Contents:
Ransomware Attacks by Industry
Ransomware Attacks by Country
Ransomware Attacks by Month
Let’s begin with January and look at the 19 attacks we uncovered during the month.
1. We start the month with an attack on new York based Apex Laboratory. The company were forced to disclose the attack which happened earlier in 2020 after data stolen during the attack showed up online. A notice posted on Dec 31st revealed that they were the victim of a cyberattack and that certain systems in its environment were encrypted and inaccessible.
2. Next up is UK-based infrastructure support service provider Amey. The company was targeted by the Mount Locker ransomware gang in mid-December. Documents including correspondence with government departments was posted online in late December.
3. In October 2020 Hackney Council in London reported that they had been the victim of a very sophisticated cyberattack. The attack drew immediate speculation from experts that ransomware was involved, however, this wasn’t confirmed until January when the PYSA ransomware gang leaked council data online in a double extortion style attack. The data appears to contain a significant amount of personally identifiable information.
4. The Northern Territory Government in Australia was next to reveal an attack that forced its systems offline for 3 weeks. The attack involved a supplier of one its cloud-based IT systems and they insisted government data was not compromised during the attack.
5. Colorado-based rail operator and logistics provider OmniTRAX was hit by a ransomware attack that targeted its corporate parent company, Broe Group. The Conti gang were behind the attack which posted exfiltrated data on its leak site. The leak suggests that Broe Group, who is headquartered at the same location refused to pay the ransom.
6. Norway based AKVA Group, a global supplier of technology to the aquaculture industry revealed that they had been hit by a ransomware attack and that hackers were demanding a ransom. In a statement to the Stock Market in Oslo the company disclosed that they were working with the relevant Norwegian authorities to limit damage and get a full assessment of the situation. The incident resulted in a drop in the share price.
7. Dassault Falcon Jet Corp, the US subsidiary of Dassault Aviation, suffered a ransomware attack at the hands of the Ragnar Locker gang. According to media reports and the dates of breach reported by the company it seems the attackers maintained access to company systems for roughly six months, between June and December. Compromised data included information belonging to employees such as name, personal and company email address, home address, driver’s license number, passport information, data of birth, etc.
8. Wentworth Golf and Country Club, one of the most exclusive clubs in England was forced to send an email of apology to its 4000 members who include, high profile celebrities, sports stars, and top business people, after its members’ list was accessed by cybercriminals. According to The Telegraph, club members discovered the incident earlier when an unauthorized message appeared on the Wentworth website claiming “your personal files are encrypted!” with a Bitcoin cryptocurrency payment demand for decryption.
9. City of Angers in France indicated on its social networks that the city had suffered a ransomware cyberattack over the weekend of January 15th. The attack targeted the information system of the city and the metropolis which caused the closure of certain municipal services.
10. The Conti ransomware group claimed an attack on the Scottish Environment Protection Agency (SEPA) which saw around 1.2GB of data stolen from its digital systems including databases, contracts, and strategy documents. The hackers published over 4000 files after the organization refused to pay the ransom.
11. Center Hospitalier de Wallonie Picarde (CHwapi) in Tournai, Belgium became the first healthcare reported attack of the year. The hospital was forced to redirect incoming patients to other facilities after the attack crippled its systems. According to the investigators no ransom demands were made by the hackers which could indicate that the hospital was targeted by mistake.
12. WestRock, one of the world’s largest paper and packaging companies suffered an attack which affected some of its operational and information technology systems. WestRock is working with security experts on system recovery efforts to minimize the impact on its customers. In a press release the company described the incident as likely leading to a loss of revenue and incremental costs that could affect its bottom line.
13. Palfinger, an Austria-based Hydraulics Engineering company experienced a global cyberattack that took down their e-mail system and disrupted business operations. A security notice titled ‘Cyberattack’ stated that their Enterprise resource planning (ERP) systems were down and that “a large proportion of the group’s worldwide locations were affected.” The company that operates in almost 30 countries has made it official that its email systems were the worst hit in the file encrypting malware related attack.
14. Tennessee Wesleyan University (TWU) revealed in a press release that all of the university’s networks were closed after staff and campus officials became aware of a ransomware attack. Online learning was unaffected but staff and students were asked not to use the university systems.
15. Pan-Asian retail giant Dairy Farm were hit by a REvil ransomware attack with the attackers allegedly demanding a $30 million ransom. The group operates over 10,000 outlets across grocery, convenience store, health and beauty, home furnishing, and restaurants in Asia. Dairy Farm stated that they were not aware of any data being stolen during the attack, however, screenshots seen by BleepingComputer showed that the threat actors continued to have access to email and computers after the attack.
16. UK Research and Innovation (UKRI) disclosed that a ransomware attack had disrupted services and may have led to data theft. The incident impacted two of the group’s services including a portal used by the Brussels-based UK Research Office and an extranet utilized by UKRI councils.
17. Illinois based DSC Logistics, a third-party logistics provider and supply chain management company disclosed they had been victims of a cyberattack after a ransomware gang threatened to expose their exfiltrated data on a leak site. Egregor is suspected to be behind the attack.
18. Georgia based Crisp Regional Health Services discovered they had been a victim of ransomware when nurses working at the facility started seeing ‘files encrypted’ on some of its computer systems. Phone systems were affected, however, the facility disclosed that workflow and patient care was not compromised. The organization is working with external cybersecurity and forensic professionals to determine if patient data was accessed or exfiltrated during the attack.
19. The last reported attack of the month involved Serco, a global government outsourcer responsible for running part of the UK’s COVID-19 Test and Trace system. The British business which employs 50,000 people confirmed the attack and disclosed that only its mainland European operations had been impacted. Sky News became aware of the incident after spotting a sample of the Babuk ransomware uploaded to VirusTotal. Apparently included was the ransom note addressed to Serco the attackers claimed: “We’ve been surfing inside your network for about three weeks and copied more than 1TB of your data.”
February saw a total of 23 attacks, up from 16 in 2020. South America reported some large attacks including two major utility companies, the Ministry of Finance and Ecuador’s largest bank. The apparent attack on Kia made a lot of headlines during the month as the company continues to dispute the attack, despite the cybercriminals posting their data on the dark web. Here’s a look at what we uncovered for the month.
1. The first reported attack of the month involved Brazilian state-owned energy company Companhia Paranaense de Energia (Copel). The attack was the work of the Darkside gang who claimed to have stolen more than 1000 GB of sensitive data. The organization was one of two major electric utilities companies in Brazil to suffer a ransomware attack in the same week.
2. An attack on the Victor Central School District in New York encrypted its systems and data, locking out users and forcing the closure of all district schools.
3. Automatic Funds Transfer Services (AFTS), a Seattle based payment processor used by many cities government agencies across the US suffered an attack from a gang known as Cuba. The attack caused significant disruption to their business operations and affected customers such as California’s Department of Motor Vehicles who recently warned of a potential data breach following the attack. The hackers began selling the stolen data on their leak site and claim to have exfiltrated sensitive financial documents.
4. Eletrobras the largest power utility company in Latin America was the second major utility company in Brazil to suffer an attack in early February. Electronuclear suspended some of its systems to protect the integrity of the network once the attack was discovered.
5. A widely reported data breach at Foxtons Group, a British estate agents’ company was due to a ransomware attack by the Egregor Group. Foxtons made headlines this month when reports revealed that a large quantity of personal and financial information belonging to its customers had been discovered on the dark web. The data reportedly included over 16,000 credit card details even though a statement from the company had previously stated that the data was considered old and of no threat to customers
6. Mortgage loan servicing company SN Servicing Corporation was hit by a ransomware attack in 2020. In February, California and Vermont state attorneys were notified of the incident. According to the documents filed, the affected systems were shut down and forensic experts were engaged to determine the impact upon discovering the attack. A preliminary investigation uncovered data related to 2018 billing statements and reimbursement notifications to customers, including names, address, loan numbers, balance information and billing information such as estimated, owed, or paid charges. The Egregor gang has been linked to the attack.
7. British Columbia-based real estate agency Remax Kelowna was hit with an attack by the Conti ransomware gang who listed them as a victim on their leaks website. According to the firm, the attack occurred at the same time as they were overseeing a software update. They reported that the ransomware was not launched and while some files has been copied, the data was allegedly non-personal in nature.
8. Ness Digital Engineering Company, an Israeli-based U.S. IT provider was hit by Ragnar Locker ransomware affecting its computer networks in India, the U.S. and Israel. The company said that their clients who include government ministries, hospitals, and local municipalities were not compromised in the attack. A screenshot of the ransom note read “Hello ness-digital-engineering! If you (sic) reading this message, it means your network was PENETRATED and all of your files and data has (sic) been ENCRYPTED by RAGNAR LOCKER!” The text then directed the company to get in touch via live chat to make a deal.
9. Polish video game company CD Projekt was hit by the HelloKitty ransomware gang. The company disclosed that the attackers had managed to access the network, encrypt some devices and exfiltrate some data. In a tweet disclosing the attack the company shared the ransom note which claimed to have accessed the source code for popular games including Cyberpunk 2077. The company confirmed they did not plan to give into the gangs ransom demands.
10. French health insurance company Mutuelle Nationale des Hospitaliers (MNH) suffered a ransomware attack that had significant impact on the company’s operations. An independent security researcher shared a Tor web page acting as a ransom negotiation page with media outlet BleepingComputer. RansomExx was behind the attack.
11. Dax-Côte d’Argent Hospital Center in France was the next reported incident. The attack by the Egregor gang caused major disruptions across their network and forced the hospital to only accept major emergencies. A spokesperson from the hospital administration commented that everything from reading a medical file to the catering system had been affected and the facility was back to pen and paper following the attack.
12. The second education incident of the month goes to Central Piedmont Community College in North Carolina. The school tweeted that they had experienced a ransomware attack, but it’s not known what gang was responsible. It has so far been reported that no employee or student data was compromised.
13. Discount Car and Truck Rental, part of the Enterprise group and one of Canada’s biggest rental agencies, was hit by the Darkside ransomware gang. Darkside posted a notice on its leak site stating they had copied 120 GB of corporate, banking and franchise data from the firm. A spokesperson for the company commented that the investigation was ongoing when questioned about how the attack started and whether customer or employee information has been exfiltrated.
14. International law firm Jones Day were the victims of a ransomware attack carried out by the Clop gang. The law firm claimed that its network had not been compromised and that the theft of data involved a file-sharing company that it used to store files. The gang however claimed that they had obtained 100 gigabytes of files from servers belonging to the firm and that they had begun publishing the exfiltrated data as proof of their successful attack.
15. The attack on Kia Motors America is probably the most interesting of the month. The incident became known when it was reported that the company was suffering a major IT outage across the U.S., affecting the internal sites used by dealers, mobile apps, and phone and payment systems. It later transpired that the DoppelPaymer gang has claimed the attack and they had demanded a ransom of $20 million for a decryptor and not to leak the stolen data. The Tor victim page stated that a “huge amount” of data had been exfiltrated and would be released in 2-3 weeks if the company refused to negotiate with the hackers. Kia denied they were under attack. The gang then released data belonging to parent organization Hyundai Motor Company but interesting both are denying the attack. In an official statement Kia described the unavailability of its services, including remote start and heating as an “extended systems outage” that began on February 13th. They continued by saying, “we are aware of online speculation that Kia is subject to a ransomware attack. At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack.” It’s hard to imagine that this is a hoax on the part of the cybercriminals and experts say it’s possible but not probable.
16. Yuba County in California was the victim of a ransomware cyberattack which infected some of the county’s computer systems with malware. The malware encrypted the affected systems and the attacker demanded payment from the county in order to obtain a decryption key. It’s not known what criminal gang was behind the attack and according to a spokesperson no ransom payment was made.
17. Underwriters Laboratories, the world’s leading safety testing authority suffered IT outages after a ransomware attack. In a statement they confirmed that a breach had been detected and that a cybersecurity firm had been brought in to assist with the investigation. It is not yet known who was behind the attack and what type of data may have been compromised. The investigation continues, but at this point the company do not wish to engage with the cybercriminals and instead plan to reinstate any lost data from backups.
18. TietoEVRY, a major Finnish IT provider were the victim of an attack which caused issues across the services they deliver to customers in the retail, manufacturing, and service-related industries. A company spokesperson confirmed that 25 customers were impacted and at this time it does not seem that any critical or personal data was accessed or stolen by the attackers. It’s not yet known what gang was behind the attack or if any ransom demands have been made.
19. A recent cyberattack that forced the Dutch Research Council (NWO) to take its servers offline has been confirmed as a ransomware attack by the DoppelPaymer gang. The hackers exfiltrated data from the organization and published proof of the attack on their leak site. The NWO does not cooperate with cybercriminals and they are currently working on restoring their network.
20. An attack on Ecuador’s Ministry of Finance was reported with a new hacking group known as Hotarus Corp behind the incident. Soon after the attack the gang released a text file containing 6,632 login names and hashed password combinations on a hacker forum. The ransomware gang told media outlet BleepingComputer that they had exfiltrated sensitive ministry data.
21. Banco Pichincha, Ecuador’s largest private bank was the next victim of the Hotarus Corp gang. Following the attack the bank published an official statement stating that a marketing partner had been hacked and not their internal systems. They confirmed that fraudulent (phishing) emails were sent on behalf of the bank to clients in order to carry out illegitimate transactions. However, in an interview with BleepingComputer, the hacking group disputed the banks statement and said they used the marketing company’s attack as a launchpad into the banks internal systems. They claim to have stolen “31,636,026 Million customer records and 58,456 sensitive system records,” including credit card numbers.
22. Saginaw Township Community Schools in Michigan became the victim of a ransomware attack and the gang behind the attack is unknown. The FBI and Michigan State Police who are investigating the incident are said to be in regular communication with the attackers to try and resolve the situation. Systems have been mostly restored but the investigation continues and at this time it is not known if any personal data was compromised in the attack.
23. In the last reported attack of the month, Staring College in the Netherlands reported that had been attacked and that they had paid the ransom. It is not known who was behind the attack or how much the ransom was. When employees noticed that their data had been encrypted and their files weren’t accessible the college made the decision to pay the ransom so education and exams could continue without further disruption.
In March we recorded 25 attacks, the highest month of the year so far. An attack on computer giant Acer became the largest ransom demand in history at $50 million, while ransomware attacks halted production at IoT manufacturer Sierra Wireless and beer maker Molson Coors. Here’s a look at what else we uncovered during the month.
1. We start the month with payroll giant Prism HR. The business services company which counts over 80,000 organizations as customers and has over 2 million employees was reportedly attacked by the Darkside ransomware gang. According employees and their clients, PrismHR told them that they had suffered suspicious activity leading them immediately shut down their servers and network to protect the integrity of their systems.
2. Up next is Arizona based clinic Cochise Eye and Laser who were infected with ransomware which encrypted its scheduling and billing software. The attack affected up to 100,000 patients. Although there has been no evidence of data exfiltration the incident is still considered a breach of protected health information and patients were notified of the incident.
3. Healthcare provider Allergy Partners suffered an attack lasting eight days with hackers demanding a ransom of 1.75 million, according to a report filed with the Asheville Police Department. The North Carolina based organization which has clinics across 20 states, informed its patients that those affected by the incident will be updated once it finishes its investigation. It is unclear whether Allergy Partners paid the ransom.
4. US bank and mortgage lender Flagstar disclosed a data breach following the Accellion cyberattack at the hands of the Clop ransomware gang earlier in the year. BleepingComputer was told that Flagstar received a ransom note demanding a payment in bitcoin or the exfiltrated data would be released. Other victims of the Accellion attack include Bombardier, Royal Dutch Shell, and New Zealand Reserve Bank.
5. Oklahoma based Managed Service Provider (MSP) Standley Systems were attacked by the REvil gang who claimed to have obtained sensitive data including more than 1,000 social security numbers. The REvil gang is known for leaking data on its Dark Web site and in addition to the social security numbers they claim to have medical documents, personal client data, passport details, etc. On their leak site they posted links to data from six customers as well as backups. The Standley customers mentioned on the REvil leak site were Chaparral Energy, Crawley Petroleum, Ellis Clinic, EverQuest, the Oklahoma Medical Board, and structural steel fabricator W&W Steel.
6. The systems of SEPE, the Spanish government agency for labour were disrupted when a ransomware attack affected more than 700 agency offices across Spain. The agency confirmed that confidential data was safe and the RYUK ransomware gang were behind the attack.
7. The Clop ransomware gang claimed to have stolen data from cloud security company Qualys. The gang shared screenshots of stolen files including invoices, tax documents and purchase orders on its data leak site as proof of the hack. The company said the attack had no operational impact but unauthorized access had be obtained to a Accellion server used by the company.
8. Up next is the Oloron-Sainte-Marie Hospital in France. The attack managed to paralyze the hospital’s IT systems and the attackers demanded $50,000 in Bitcoin to release the data. Staff had to go back to pen and paper as digital patient information was unavailable.
9. Beer maker Molson Coors disclosed that they suffered a cyberattack which caused significant disruption to their operations, including the production and shipment of beer. The Company is working with a forensic information technology firm alongside legal counsel to investigate the incident and restore systems. Multiple sources in the cybersecurity industry told BleepingComputer that it was a ransomware attack but could not share what gang was involved.
10. Buffalo Public Schools was forced to abandon in classroom learning for thousands of students when a ransomware attack shut down technology across the district. It’s unclear whether personal data was stolen and a criminal investigation is underway.
11. The next attack on education took place at South and City College in Birmingham, UK. The college which has 8 sites across the city tweeted: “The college has suffered a major ransomware attack on our IT system, which has disabled many of our core systems.” It’s not yet known who was behind the attack.
12. Servers of the Pimpri-Chinchwad Smart City project in India were infected with ransomware with attackers encrypting data and demanding payment in Bitcoin for decrypting the lost information.
13. The Castle School Education Trust (CSET) in Bristol suffered a highly sophisticated ransomware attack which left 23 schools without access to their IT systems. CSET and South Gloucestershire Council are working together with external partners and agencies to investigate the attack and restore the systems, it’s not yet known who was behind the attack.
14. The next reported attack on computer giant Acer made headlines this month as the $50 million ransom is the largest known to date. The REvil gang were behind the attack. The attackers share some exfiltrated data on their leak site as proof of the attack. The images shown included financial spreadsheets, bank balances, and bank communications.
15. Cambridge Meridian Academies Trust which runs schools in the UK was hit by an unknown gang. The trust was able to mitigate the attack to some extent and encryption occurred on only some systems. The trust said there was no evidence of a data breach but the Information Commissioner’s Office was notified.
16. Sierra Wireless, a manufacturer of IoT devices was forced to halt production after a ransomware attack. It’s currently unknown what kind of ransomware Sierra Wireless has fallen victim to or how it was able to infiltrate the network and the company said the attack was limited to internal systems and customer facing products had not been affected.
17. US based insurance giant CNA were victim of a ransomware attack using a new variant called Phoenix CryptoLocker, possibly linked to the Evil Corp hacking group. Sources familiar with the attack have told BleepingComputer that over 15,000 devices on their network were encrypted and remote employees logged into the VPN were also affected.
18. Clothing retailer FatFace paid $2m to the Conti gang when their data was held to ransom. The security incident occurred in January but only became public knowledge in March when the company emailed customers to let them know that their data had been accessed by “an unauthorised third party”. The retailer has faced criticism for failing to disclose the incident in a timely matter and for attempting to insist that affected customers keep the matter quiet.
19. Sydney-headquartered Nine Network, Australia’s top-rated network was taken off-air for over 24 hours by suspected state-backed attackers in what has been described as the largest attack on a media company in the history of the country. It was claimed that the attack was ransomware but no ransom has yet been demanded.
20. London-based non-profit multi-academy trust Harris Federation suffered a ransomware attack that affected 50 schools. The attack caused the outage of phone, IT and email systems. The education charity runs 50 Harris primary and secondary academies and has 37,000 students from London and surrounding areas.
21. Royal Dutch Shell became the next victim of the Clop ransomware gang. The gang exfiltrated sensitive data from a Accellion file transfer service used by the oil giant and later leaked the stolen data online to prompt them to pay a ransom. Some of the leaked data included employee visa and passport information.
22. The next attack on the education sector hit the University of Maryland. The Clop ransomware gang was behind the attack which saw sensitive information including photos and names of individuals, home addresses, Social Security numbers, immigration status, dates of birth, and passport number leaked online.
23. The University of California was also attacked by the Clop gang which saw sensitive and personal information leaked online following the attack.
24. The Maharashtra Industrial Development Corporation (MIDC) in India revealed a ransomware attack had affected its IT systems. Maharashtra is one of the most industrialised states in Mumbai, no ransom demand was made in the ransom note. Ransomware known as SYNack was responsible for the attack.
25. The last attack of the month takes us to Milan Italy where menswear brand Boggi Milano became victims of the Ragnarok ransomware gang. The hackers claimed to have stolen 40 GBs of data from the company. Founded in 1939, Boggi Milano operated around 200 shops in 38 countries and is among the best known premium Italian menswear brands.
In April we uncovered a whopping 31 ransomware attacks, the busiest month of the year so far and up from just 12 in April 2020. The NBA made headlines when the Babuk gang revealed they had exfiltrated 500GBs of sensitive player data, while the REvil gang demanded $25 million from leading French pharmaceutical company Pierre Fabre and an attack on a Dutch logistics company caused a shortage of cheese in supermarkets in the Netherlands. Here’s a summary of what else we tracked during the month.
1. The first reported attack of the month was on Asteelflash, a leading French electronics manufacturing services company. While the company has not formally disclosed the attack, the hackers negotiation page showed that the REvil gang had initially demanded a $12 million ransom but as the deadline passed the amount rose to $24 million.
2. Attacks on education continue to increase in frequency, and this time it was the turn of Broward County School District in Florida. The Conti ransomware gang encrypted the systems and threatened to release sensitive student and teacher data unless a ransom of $40 million was paid.
3. Applus Technologies, a vehicle inspection services provider were hit by an attack that caused havoc across vehicle inspection sites in 8 states across the US. Following the attack the company was forced to disconnect its IT systems to prevent the malware from spreading. The company did not reveal the type of malware that infected its systems but experts speculate the attack was ransomware.
4. Hardware chain Home Hardware , one of Canada’s largest dealer owned hardware retailers became a victim of the DarkSide ransomware group. Following the attack the cybercriminals posted a sample of corporate data and threatened to release more if the ransom was not paid.
5. Attacks on education continued with an attack on the Technological University in Dublin Ireland. The University commented that there was no indication that any data, including personal data, has been “exfiltrated, downloaded, copied or edited”.
6. The National College of Ireland was next report an attack on the same day. The attack resulted in the Dublin college suspending access to all its IT systems, including Moodle and the Library Service. The college has said that no ransom has been paid.
7. The next attack on education occurred at Haverhill Public Schools in Massachusetts. Schools were forced to close after the computer systems were hit. The IT department noticed issues with the system and were able to shut down the network before “large scale corruption of the system occurred”.
8. An attack on global wholesale distributor JBI shut down online systems causing shipping delays and backlogged orders. JBI has 11 warehouses which were impacted by the attack. The attack is still being investigated but JBI has said then that no customer data has been impacted.