How to create a ransomware incident response plan 17 ransomware removal tools to protect enterprise networks

20 companies affected by major ransomware attacks in 2021

Between hefty ransom demands, major disruptions and leaked data, 2021 saw major ransomware activity across companies and industries.

The world incurred record-setting ransomware attacks on critical infrastructures, schools and healthcare networks in 2021. Even organizations that offer products to recover from ransomware attacks, such as cyber insurance carriers and data backup vendors, were not safe. Massive ransom demands were reported just days apart. Many companies gave in to those demands despite having backups -- and even though ransom payment did not guarantee a full recovery of data. In many cases, the full extent of the attack was not disclosed. But the impact of exposed data, downtime and disruption was clear.

Here are the 20 biggest ransomware attacks of 2021 in chronological order.

1. Buffalo Public Schools

While many schools were hit by ransomware in 2021, the Buffalo Public School system in New York, which serves 34,000 students, was one of the biggest. The attack on March 12 shut down the entire school system, canceling both remote and in-person instruction for a few days.

Former Buffalo Schools superintendent Kriner Cash issued a statement on March 15 that said the school was "actively working with cybersecurity experts, as well as local, state and federal law enforcement to fully investigate this cybersecurity attack." The school system resumed operations on March 22.

2. Acer

An attack on Taiwan-based PC manufacturer Acer resulted in the highest ransom demand to date: $50 million. On March 18, we independently viewed a post on REvil's dark website, which contained a long list of financial records that allegedly came from the vendor. TechTarget sister publication LeMagIT subsequently found a REvil ransomware sample on malware analysis site Hatching Triage. It contained a link to a REvil ransomware demand for $50 million in Monero cryptocurrency.

Acer provided a statement to TechTarget: "Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries." It's unclear if the PC manufacturer paid the ransom.

3. CNA Financial

One of the biggest insurance carriers in the U.S. was hit by a ransomware attack on March 21, causing a network disruption. In a statement posted to its website, CNA referred to it as a "sophisticated cyber attack" and said that out of an abundance of caution, it took "immediate action by proactively disconnecting [its] systems" from the CNA network. Restoration was not fully complete until May 12.

CNA said the investigation "identified the scope of impacted data in the incident as well as the servers on which the data resided." The insurance carrier said it did not believe claims and underwriting systems, where most policyholder data is stored, were affected in the attack. Bloomberg reported CNA paid a $40 million ransom to the threat actors; CNA has not confirmed the payment.

4. Applus Technologies

At the end of March, Applus Technologies, which provides testing equipment to state vehicle inspection stations, suffered a ransomware attack that disrupted its systems for weeks and knocked inspection services offline across several states. In Massachusetts alone, where Applus is used at thousands of inspection sites, the state's Registry of Motor Vehicles (RMV) was forced to extend deadlines for vehicle inspection stickers indefinitely.

An Applus statement referred to the service as only "temporarily interrupted," but weeks later, vehicle inspections were still postponed. The cause behind the long downtime is unclear. In its initial statement, Applus said it detected and stopped a malware attack on March 30. Further details on the attack and the type of ransomware used have not been revealed. The Massachusetts RMV resumed inspection sticker services at most locations on April 17, while services in other states resumed later that month.

5. Quanta Computer

REvil ransomware operators struck again on April 20 -- this time, against Apple laptop manufacturer Quanta Computer. In a statement from its website, Quanta confirmed it was attacked by threat actors who reportedly attempted to extort both Quanta and Apple. Response measures included cooperation with technical experts from several external security companies.

"Quanta Network attacks on a small number of servers have reported abnormal network conditions detected to relevant government law enforcement agencies and information security units and maintained closed contact. The company's daily operations are not affected," the company's statement said.

6. ExaGrid

ExaGrid, a backup storage vendor that aims to help enterprises recover after a ransomware attack suffered a ransomware attack of its own. On May 4, the Conti ransomware group breached the ExaGrid corporate network and stole internal documents.

LeMagIT discovered communications that showed ExaGrid paid a ransom of approximately $2.6 million to reclaim access to encrypted data, although the original demand was more than $7 million. ExaGrid has not confirmed or denied the attack, and no further details have been revealed.

7. Colonial Pipeline Company

On May 7, Colonial Pipeline Co. learned it was the victim of a ransomware attack, which disrupted fuel supply to much of the U.S. East Coast for several days. While the ransomware affected only IT systems, the company shut down its pipeline operations as a precautionary measure. It was later revealed that Colonial paid a $4.4 million demand, despite having backups, to get back online as soon as possible.

Joseph Blount, CEO, Colonial Pipeline
Colonial Pipeline Co. CEO Joseph Blount spoke about the attack on his company during a Senate hearing in May.

The FBI attributed the attack to the DarkSide ransomware gang, known to use double extortion tactics to persuade victims to pay. DarkSide didn't stay in possession of the full payment for long, however. Nearly one month later, the Department of Justice said the FBI seized a portion of the payment using a private key.

Even more information was revealed during a House Committee on Homeland Security senate hearing with Colonial CEO James Blount and witness Charles Carmakal, senior vice president and CTO at Mandiant. Carmakal said the VPN password, believed to be the earliest attack vector, may have been used on another compromised website. Though the significant hack highlighted the danger of an attack on a critical infrastructure, Colonial was commended for its prompt and continued communication with law enforcement.

8. Ireland's Health Service Executive

On May 14, the government organization that runs public health services in Ireland shut down IT systems in the wake of a significant ransomware attack. While Health Service Executive (HSE) systems were forced offline as a precautionary measure only and the National Ambulance Services were operating as normal, access to many health services was disrupted. Because systems were not operating as usual, patients experienced delays and, in some cases, cancellations.

It was not until June 30 that online registration for medical cards was restored. Additionally, healthcare centers asked patients to bring in paper documents since computer records were inaccessible. Despite the disruptions, Ireland's public health network said it would not pay the ransom and neither would the government.

Evidence suggests patient and staff information was accessed in the cyber attack and that some data was leaked. The organization has more than 100,000 employees in addition to all patients it serves. Leaked personal data could include names, addresses, contact phone numbers and email addresses. Medical information could include medical records, notes and treatment histories.

"A small amount of HSE data has appeared on the 'dark web', a part of the internet which can only be accessed using special programmes. Action is being taken to assist the people affected by this," HSE wrote in a statement on its website. HSE issued a cybersecurity incident update on July 5 that stated healthcare services were still severely affected by the cyber attack.

9. AXA S.A.

One week after cyber insurer AXA France announced it changed its cyber insurance policy to stop coverage for ransom payments, the company's Asia Assistance division was hit by a ransomware attack.

In a statement on May 18, AXA said the branch was the victim of a targeted ransomware attack that affected operations in Thailand, Malaysia, Hong Kong and the Philippines. "As a result, certain data processed by Inter Partners Asia (IPA) in Thailand has been accessed. At present, there is no evidence that any further data was accessed beyond IPA in Thailand," the company's statement said. AXA said a dedicated task force with external forensic experts was investigating the situation and regulators and business partners were informed. Further details, such as the type of attack and any further impact, have not been released.


Days after Colonial Pipeline Co. disclosed paying a hefty ransom, JBS USA confirmed the REvil ransomware group hit the global beef manufacturer on May 30, forcing the company to shut down operations.

On June 3, JBS issued a statement that its global facilities were "fully operational after resolving the criminal cyberattack." It cited its own "swift response, robust IT systems and encrypted backup servers" for the rapid recovery.

One week later, the subsidiary of the world's largest beef producer confirmed it paid an $11 million ransom. Operators behind REvil are known to use data exfiltration with threats to leak stolen data if victims do not pay. One reason JBS said it paid was to ensure no data was exfiltrated. But a vast majority of the company's facilities were operational at the time of payment. In a press release from June 9, JBS said "preliminary investigation results confirm that no company, customer or employee data was compromised."

Graphic timeline of ransomware attacks in 2021
Ransomware attacks spanned all of 2021, with attackers targeting large victims and requesting large ransom demands.

11. Kaseya

On July 2, Kaseya suffered a supply chain attack when REvil operators hit the vendor that provides remote management software for managed service providers (MSPs). In a statement on its website, Kaseya attributed the attack to the exploitation of zero-day vulnerabilities in the on-premises version of its VSA product. The flaws allowed attackers to bypass authentication and use VSA to remotely send arbitrary commands, leading to the deployment of ransomware on MSPs' clients. The broad nature of the incident garnered the attention of the FBI, which issued an incident response guide.

As of July 2021, Kaseya said it was "aware of fewer than 60 customers" affected by the attack, but the fallout reached "1,500 downstream businesses." In an incident update on July 22, Kaseya said it "obtained a universal decryptor key" from a third party and that it was working to remediate affected customers. It turned out the third party was not REvil, as Kaseya confirmed it did not negotiate with the attackers and "in no uncertain terms" did not pay a ransom to obtain the tool.

Fred Voccola, CEO, Kaseya
In a video statement, Kaseya CEO Fred Voccola discussed his company's response to the supply chain attack and resulting ransomware infections that took place just before the July 4th weekend 2021.

12. Accenture

Global consulting firm Accenture confirmed it suffered a ransomware attack in August, though at the time, the company said there was "no impact" on operations or on clients' systems.

LockBit operators claimed responsibility for the attack and set a countdown to leak the stolen data to their public leak site if a ransom was not paid. In a statement to SearchSecurity, Accenture said it "immediately contained the matter and isolated the affected servers" and fully restored affected systems from backups. In an SEC filing in October, however, Accenture disclosed that some client systems were breached, and attackers stole and leaked proprietary company data.

13. Ferrara Candy Company

This attack made the list for its unfortunate timing, as the candy corn manufacturer was hit right before Halloween. Ferrara disclosed to media outlets that it was hit by a ransomware attack on Oct. 9 and was working with law enforcement in an investigation as well as with a technical team to "restore impacted systems." While productivity was impacted, as of Oct. 22, work had resumed in "select manufacturing facilities," and shipping operations were almost back to normal, according to the company.

Ferrara did not disclose the type of ransomware or reveal if a ransom was paid.

14. Sinclair Broadcast Group

On Oct. 16, an investigation into a potential security incident against Sinclair Broadcast Group revealed the media conglomerate had suffered a ransomware attack and data breach. Sinclair subsequently contacted a cybersecurity forensic firm and notified law enforcement and other government agencies. While the type of ransomware, the extent of stolen data and whether a ransom was paid remain unclear, the attack caused disruptions to "certain office and operational networks." That disruption included some Sinclair-owned broadcast networks that experienced technical difficulties related to the ransomware attack and were temporarily unable to broadcast.

As of a statement on October 18, Sinclair said it "cannot determine" the attack's "material impact on its business, operations or financial results."

15. Eberspächer Group

A ransomware attack against the international automotive supplier caused extended downtime at production plants and, according to reports, forced paid time off for the some of the factory workforce.

In a statement to its website, Eberspächer Group, which operates 50 plants, said it was the victim of a ransomware attack on Oct. 24 that impacted part of its IT infrastructure. Authorities were contacted, and precautionary measures were taken to shut down all IT systems and disconnect the network. Updates posted to Twitter showed Eberspächer's website was offline through Nov. 29, more than one month later. "Most plants worldwide" were delivering as of Nov. 5, when Eberspaecher tweeted that it was "on the right track."

16. National Rifle Association

At the end of October, reports surfaced that the National Rifle Association (NRA) was the victim of a ransomware attack after Grief ransomware operators posted alleged confidential data to its public leak site. While the NRA did not confirm the ransomware attack or issue a public statement, it did respond on Twitter. Andrew Arulanandam, managing director of NRA public affairs, said the "NRA does not discuss matters relating to its physical or electronic security." It's unclear what the ransom demand was or whether the nonprofit organization paid it.

17. BTC-Alpha

In a statement to SearchSecurity, cryptocurrency platform BTC-Alpha confirmed it was the victim of a ransomware attack at the beginning of November, right around its five-year anniversary. While it appears no funds were impacted, the attack took down BTC-Alpha's website as well as its app, which remained out of commission through Nov. 20.

A screenshot posted to Twitter by threat intelligence firm DarkTracer initially sparked rumors of an attack against the cryptocurrency exchange. According to the screenshot, LockBit claimed to have encrypted BTC-Alpha's data, a common tactic employed by ransomware gangs to pressure victims into paying. BTC-Alpha founder and CEO Vitalii Bodnar has since attributed the attack to a competitor and said he "doubts the attack was related to LockBit." But he could not share more information as the investigation was still underway.

18. MediaMarkt

MediaMarkt made the list for both its size -- more than 1,000 electronic retail stores in Europe and more than 50,000 employees -- and the significant amount of the alleged ransom demand. A report by Bleeping Computer on Nov. 8 said the demand was $240 million and attributed it to the Hive ransomware group. Cybersecurity company Group-IB detailed Hive's activity and found the ransomware-as-a-service group claimed hundreds of victims in just six months. According to Group-IB, it took Hive less than six months to break the record for highest ransom demand. While MediaMarkt confirmed to Bleeping Computer that a cyber attack took place, it's unclear when the company's operations were fully restored and whether a ransom payment was made.

19. Superior Plus

Natural gas supplier Superior Plus Corp. confirmed it was the victim of a ransomware attack that occurred on Dec. 12. In a statement on Dec. 14, the Canada-based corporation said it "temporarily disabled certain computer systems and applications" in the wake of an investigation and "is in the process of bringing these systems back online." Independent cybersecurity experts were hired to assist in the investigation. At the time of the statement, Superior Plus said it had "no evidence that the safety or security of any customer or other personal data had been compromised."

20. Kronos Incorporated

On Dec. 11, Kronos Incorporated spotted unusual activity in its private cloud that included encrypted servers. Two days later, the workforce management provider notified customers that it was the victim of a ransomware attack. In fairly detailed updates provided to its website, Kronos said that in response, it shut down more than "18,000 physical and virtual systems, reset passwords and disabled VPN site-to-site connections on the UKG side." The incident impacted Kronos Private Cloud, Workforce Central, Telestaff, Healthcare Extensions, and UKG scheduling and workforce management for banks. One significant concern was the ransomware attack's impact on employee paychecks, since the HR systems provider is widely known for its payroll and time management systems. Fallout of the attack continued into 2022.

Next Steps

Best practices for reporting ransomware attacks

3 ransomware distribution methods popular with attackers

Ransomware attack case study: Recovery can be painful

Ransomware negotiations: An inside look at the process

Malware vs. ransomware: What's the difference?

This was last published in December 2022

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing