Last Updated on March 2, 2022
From ransomware attacks spawning supply chain disruptions to ongoing fallout from the SolarWinds/SUNSPOT attack, 2021 was a banner year for cyber foul play across the board.
As bad as the news about SolarWinds has been, you would think that nothing could be worse. But 2021’s biggest ransomware attacks gained top billing for causing widespread panic among the general population (not just the cybersecurity pros).
Colonial Pipeline ransomware attack
The Colonial Pipeline attack started making headlines on May 7, 2021, when ransomware infiltrated the company’s systems. The company responded by shutting down pipeline operations in hopes of containing the attack, though it was mainly the billing system that was compromised.
Within just a few hours, Colonial also paid the ransom (75 bitcoin, roughly $4.4 million), making this the largest cyber attack on an oil industry target in US history. The pipeline shutdown led to widespread fuel shortages and panic buying at gas stations along the US east coast, forcing President Biden to declare a state of emergency on May 9. Almost 50% of all the transport fuel consumed on the US east coast moves through the Colonial Pipeline system.
As an adjunct to the ransomware attack itself, the attackers had also exfiltrated approximately 100Gb of data from the company’s servers the day before encrypting their data. The hackers threatened to release the data on the internet if the ransom wasn’t paid, an increasingly common “double extortion” tactic among sophisticated ransomware fans. Even after paying the ransom, Colonial was frustrated by the slow pace of decryption using the hacker-provided software, and ended up restoring its systems from its own backups.
A bright spot in the Colonial attack trajectory came on June 7 when the US Department of Justice announced that it had recovered a large percentage of the bitcoin payment from the ransom (63.7 bitcoins or about $2.3 million).
In the political fallout from the fuel “supply crunch,” President Biden signed the “cybersecurity executive order” on May 12, which includes multiple directives intended to improve threat detection and incident response, as well as increase the government’s ability to prosecute overseas hackers like the Russia-based DarkSide group responsible for the Colonial attack. The State Department announced a $10 million reward for information related to the attack on November 4.
JBS S.A. ransomware attack
In the same month as the Colonial Pipeline attack, Brazil-based meat processing giant JBS S.A., the world’s largest producer of beef, chicken and pork, suffered a ransomware attack that impacted its facilities in the US, Canada and Australia. It was the largest successful attack on a food production company in world history, and one of over 40 similar attacks against food and beverage companies in the prior 12 months.
In the US, all JBS-owned beef slaughterhouses were temporarily shut down. This led to immediate shortfalls in meat production and corresponding price increases, while highlighting the food supply chain’s vulnerability to production shortages caused by consolidation within the US meatpacking industry, which is now dominated by just four producers.
JBS, like Colonial, quickly paid the $11 million ransom in Bitcoin. And, once again, a Russian group was blamed for the attacks. President Biden called Russian President Putin on July 9 to try to get some satisfaction. So far, no such luck.
Kaseya “supply chain” ransomware attack
No rundown of the 2021 ransomware roster would be complete without a mention of the Kaseya attack in early July. Using a zero-day “authentication bypass” vulnerability in the on-prem version of Kaseya’s VSA software, the hackers were able to breach multiple managed service providers (MSPs) and their customers, leading to ransomware compromises for up to 1,500 SMBs, local government offices, schools and other organizations around the world. Ransomware was pushed to its victims as a malicious software update from Kaseya VSA called “Kaseya VSA Agent Hot-fix.” Fortunately, the vast majority of vulnerable servers were quickly patched, or the damage could have been much worse.
Not wanting to be outdone, other hacker groups immediately began looking for ways to hack other MSPs. Interestingly, a Dutch research group had warned Kaseya about the vulnerabilities prior to the attack, according to former employees. In November, the DoJ announced indictments against a 22-year-old Ukrainian man for the Kaseya attack, among others.
The overall ransomware picture for 2021 and beyond
While the Colonial, JBS and Kaseya attacks caused the most collateral damage, some other 2021 ransomware attacks involved even bigger ransoms. These include a $20 million attack on Kia Motors (which Kia says it didn’t pay), a $50 million ransom demanded from tech giant Acer, and the embarrassing leak of sensitive criminal data exfiltrated from the Washington DC police department following their failure to pay a $4 million ransom. Also subjected to leaked data from a ransomware attack was Accenture, which didn’t pay the $50 million demanded to recover 6TB of exfiltrated data that didn’t turn out to be worth much. One huge ransomware payout that did occur was $40 million by insurance giant CNA Financial Corporation in March.
Overall, ransomware attacks increased every month in 2021 over the corresponding month in 2020, with the 2021 attack total doubling over 2020. The availability of Ransomware as a Service (RaaS) malware suites now makes it easier than ever to get into the ransomware game. But even as ransomware actors become more sophisticated, they continue to target the low-hanging fruit presented by known vulnerabilities on unpatched systems, as well as the ever-popular phishing email.
And let’s not forget good old-fashioned data breaches
Ransomware is so prevalent and effective that you might wonder why cyber crooks would use anything else. Yet according to the Identity Theft Resource Center, reported data breaches for 2021 also far exceeded those in 2020.
Sensitive—and thus lucrative—customer or employee data was exfiltrated from numerous businesses this year, including Neiman Marcus (personal data from 4.6 million customers stolen in a breach that took over a year to surface), McDonald’s (employee and customer data from several countries exfiltrated) and California Pizza Kitchen (social security numbers of 100,000 employees exposed).
Probably the worst of the bunch, the massive T-Mobile breach compromised over 54 million current, former and prospective customers’ most sensitive personal data, including social security numbers, names, addresses, driver’s license numbers, account PINs and more, leaving a huge swath of the American public at risk for identity theft. The hacker claiming responsibility was a 21-year-old American living in Turkey. I’m sure everyone feels better now knowing that T-Mobile later announced it’s working on a strategic plan to boost its cybersecurity posture, the same posture the kid says he knocked over just to prove a point.
And then there’s the data of 533 million Facebook users from over 100 different countries that was found posted in an online hacking forum in April 2021, including names, birthdays, phone numbers, addresses and email addresses—perfect for phishing scams or account takeovers. Facebook says it’s fixed the associated vulnerability and downplayed responsibility.
What’s to be done
There are lots more scary and devastating breaches one could enumerate, not even counting SolarWinds, which is still playing out. But I think you get the point… Most companies’ servers are about as hard to access as a jar of peanut butter.
What can you do to avoid making the hit list? I’d love to offer you a revelation or a cure-all, but security starts with the basics:
- Always have backups of your systems and data stored in a secure, separate location (not on your main network) that won’t be detected and crypto-locked by ransomware. Cloud storage services are a favorite option.
- Use security event management software, anti-malware tools, etc. to detect ransomware and other malware files before they can execute. These applications will hopefully notify you if suspicious behavior (like renaming a bunch of your files all at once) is detected.
- Make sure all your internet-connected systems and services are up-to-date on patches. Otherwise, you’re a sitting duck for hackers targeting known vulnerabilities.
- Use encryption of data at rest and in transit to protect your most sensitive data, so that it’s of no value to the hackers. Cost-effective tools now make this easier than ever.
- Implement two-factor authentication on all your internet-facing systems, especially email. Credential harvesting is perhaps the most common way that networks are breached, and 2FA makes those credentials a whole lot less useful.
- Conduct security awareness training! Phishing works so well because people are not alert to it.
- Wake up to web app security testing, before it’s too late. A huge percentage of web apps are wide open to common vulnerabilities leading to account takeovers, data exfiltration and more. The OWASP Application Security Verification Standard (ASVS) is a great place to start.
- If you think your personal data’s been stolen (and guess what, it has) consider freezing your credit. Definitely change your passwords, hopefully after installing a password manager so you’re never again tempted to reuse passwords. And try using a credit monitoring service so you’ll be alerted to changes in your credit report.
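The "renaming a bunch of your files all at once" heuristic from the list above, as an added illustration that is not from the original post or any vendor's product: a small detector that reads constructed file-rename events and flags a process that changes the extension on many files within a short window. The log format, the 60-second window, the five-rename threshold and the sample lines are all assumptions.

```python
"""Toy ransomware mass-rename detector (added example; schema and sample are constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events: "<ISO time> <pid> <process> rename <old> -> <new>"
SAMPLE_LOG = """\
2021-05-07T03:12:00 4120 explorer.exe rename C:\\Users\\a\\draft.docx -> C:\\Users\\a\\report.docx
2021-05-07T03:12:03 9901 svchost32.exe rename C:\\Finance\\q1.xlsx -> C:\\Finance\\q1.xlsx.locked
2021-05-07T03:12:03 9901 svchost32.exe rename C:\\Finance\\q2.xlsx -> C:\\Finance\\q2.xlsx.locked
2021-05-07T03:12:04 9901 svchost32.exe rename C:\\Finance\\budget.pdf -> C:\\Finance\\budget.pdf.locked
2021-05-07T03:12:04 9901 svchost32.exe rename C:\\Finance\\notes.txt -> C:\\Finance\\notes.txt.locked
2021-05-07T03:12:05 9901 svchost32.exe rename C:\\Finance\\plan.pptx -> C:\\Finance\\plan.pptx.locked
2021-05-07T03:15:00 2200 backup.exe rename D:\\bak\\db.tmp -> D:\\bak\\db.bak
"""

WINDOW = timedelta(seconds=60)   # assumed: the burst must fit inside one minute
THRESHOLD = 5                    # assumed: extension-changing renames per process


def parse(log: str):
    """Yield (time, pid, process, old_path, new_path) for each rename line."""
    for line in log.splitlines():
        ts, pid, proc, op, rest = line.split(" ", 4)
        if op != "rename":
            continue
        old, new = (p.strip() for p in rest.split("->", 1))
        yield datetime.fromisoformat(ts), int(pid), proc, old, new


def detect_mass_rename(log: str, window=WINDOW, threshold=THRESHOLD):
    """Return {(pid, process): [new extensions]} for every process that changed
    the extension on at least `threshold` files within `window`. Renames that
    keep the extension (a user renaming a document) are ignored as noise."""
    bursts = defaultdict(list)
    for ts, pid, proc, old, new in parse(log):
        old_sfx, new_sfx = PureWindowsPath(old).suffix, PureWindowsPath(new).suffix
        if new_sfx and new_sfx != old_sfx:        # encrypt-then-rename pattern
            bursts[(pid, proc)].append((ts, new_sfx))
    alerts = {}
    for key, events in bursts.items():
        events.sort()
        # Slide a window of `threshold` events; alert on the first one that fits.
        for i in range(len(events) - threshold + 1):
            if events[i + threshold - 1][0] - events[i][0] <= window:
                alerts[key] = sorted({sfx for _, sfx in events})
                break
    return alerts
```

Running `detect_mass_rename(SAMPLE_LOG)` flags only the process that stamped `.locked` onto five files in two seconds; the legitimate document rename and the single backup rotation stay below the threshold.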
With that, I’ll sign off on the 2021 “cyber incident year in review.” Here’s to taking security seriously in 2022!