
10 of the biggest ransomware attacks of 2021 -- so far

Between hefty ransom demands, major disruptions and leaked data, 2021 has seen major ransomware activity during the first half of the year.

It's only halfway through 2021, and the world has already incurred record-setting ransomware attacks on critical infrastructure, schools and healthcare networks.

Even organizations that offer products to help recover from ransomware attacks, like cyber insurance carriers and data backup vendors, were not safe. Massive ransom demands were reported just days apart, and one was unparalleled. Many companies gave in to those demands, despite having backups and even though paying did not guarantee a full recovery of data. In many cases, the full extent of the attack has not been disclosed, but the impact of exposed data, downtime and disruption is clear.

Even as this list was being compiled, another major attack occurred: Kaseya was breached; REvil ransomware actors used the software vendor to breach and infect hundreds of other organizations in one of the largest ransomware attacks ever. Here are 10 of the biggest ransomware attacks through the first half of 2021, in chronological order.

1. Buffalo Public Schools

In 2020, attacks on the education sector rose significantly. That activity has not ceased. While many schools have been hit by ransomware in 2021, the attack on the Buffalo Public School system in New York stands out: the system serves 34,000 students and holds highly sensitive information that may have been leaked. The ransomware attack on March 12 shut down the entire school system, canceling both remote and in-person instruction for one week. Buffalo Schools Superintendent Kriner Cash issued a statement on March 15 that said the school was "actively working with cybersecurity experts, as well as local, state, and federal law enforcement to fully investigate this cybersecurity attack." The school system resumed operations on March 22.

2. Acer

An attack on Taiwan-based PC manufacturer Acer resulted in the highest ransom demand ever: $50 million. On March 18, we independently viewed a post on REvil's dark website, which contained a long list of financial records that allegedly came from the vendor. Subsequently, TechTarget sister publication LeMagIT found a REvil ransomware sample on the malware analysis site Hatching Triage. It contained a link to a REvil ransomware demand for $50 million in Monero cryptocurrency. Acer provided a statement to us, which said, "Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries." It's unclear if the PC manufacturer paid the ransom.

3. CNA Financial

One of the biggest insurance carriers in the U.S. was hit by a ransomware attack on March 21, causing a network disruption. In a statement posted to its website, CNA referred to it as a "sophisticated cyberattack" and said that out of an abundance of caution, it took "immediate action by proactively disconnecting [its] systems" from the CNA network. Restoration was not fully complete until May 12. CNA said the investigation "identified the scope of impacted data in the incident, as well as the servers on which the data resided." The insurance carrier said it does not believe claims and underwriting systems, where most policyholder data is stored, were impacted in the attack. However, Bloomberg reported CNA paid a $40 million ransom to the threat actors. CNA has not confirmed the payment.

4. Applus Technologies

At the end of March, Applus Technologies, which provides testing equipment to state vehicle inspection stations, suffered a ransomware attack that disrupted its systems for weeks. The attack knocked inspection services offline across a number of states. In Massachusetts alone, where Applus is used in thousands of inspection sites, the state's Registry of Motor Vehicles (RMV) was forced to extend deadlines for vehicle inspection stickers indefinitely. An Applus statement referred to the service as only "temporarily interrupted," but weeks later, vehicle inspections continued to be postponed. The cause of the long downtime is unclear, because Applus said in its initial statement that it had detected and stopped a malware attack on March 30. Further details on the attack and the type of ransomware have not been revealed. The Massachusetts RMV resumed inspection sticker services at most locations on April 17, while services in other states resumed later that month.

5. Quanta Computer

REvil ransomware operators struck again on April 20 -- this time, against Apple laptop manufacturer Quanta Computer. In a statement on its website, Quanta confirmed it was attacked by threat actors, who reportedly attempted to extort both Quanta and Apple. Response measures included cooperation with technical experts from a number of external security companies. "Quanta Network attacks on a small number of servers have reported abnormal network conditions detected to relevant government law enforcement agencies and information security units and maintained closed contact. The company's daily operations are not affected," the company's statement said.

6. ExaGrid

ExaGrid, a backup storage vendor that aims to help enterprises recover after a ransomware attack, suffered a ransomware attack of its own. On May 4, the Conti ransomware group breached the ExaGrid corporate network and stole internal documents. LeMagIT discovered communications that showed ExaGrid paid a ransom of approximately $2.6 million in order to reclaim access to encrypted data, although the original demand was over $7 million. ExaGrid has not confirmed or denied the attack, and no further details have been revealed.

[Image: Colonial Pipeline Co. CEO Joseph Blount spoke about the attack on his company during a Senate hearing in May.]

7. Colonial Pipeline Company

On May 7, Colonial Pipeline Co. learned it was the victim of a ransomware attack, which disrupted fuel supply to much of the U.S. East Coast for several days. While the ransomware affected only IT systems, the company shut down its pipeline operations as a precautionary measure. It was later revealed that Colonial paid a $4.4 million demand, despite having backups, in an effort to get back online as soon as possible.

The FBI attributed the attack to the DarkSide ransomware gang, known to use double extortion tactics to persuade victims to pay. However, DarkSide didn't stay in possession of the full payment for long. Nearly one month later, the Department of Justice said the FBI seized a portion of the payment using a private key.

Even more information was revealed during a House Committee on Homeland Security hearing with Colonial CEO Joseph Blount and witness Charles Carmakal, senior vice president and CTO at Mandiant. Carmakal said the VPN password, believed to be the earliest attack vector, may have been reused on another compromised website. Though the significant hack highlighted the danger of an attack on critical infrastructure, Colonial was commended for its prompt and continued communication with law enforcement.

8. Ireland's Health Service Executive (HSE)

On May 14, the government organization that runs all public health services in Ireland shut down IT systems in the wake of a significant ransomware attack, and operations have yet to return to normal. While HSE systems were forced offline as a precautionary measure only, and the National Ambulance Services were operating as normal, access to many health services was disrupted. Because systems were not operating as usual, patients experienced delays and, in some cases, cancellations.

It was not until June 30 that online registration for medical cards was restored. Additionally, healthcare centers asked patients to bring in paper documents since computer records were inaccessible. Despite the disruptions, Ireland's public health network said it would not pay the ransom and neither would the government.

However, there was evidence that patient and staff information was accessed in the cyber attack and that some of the data was leaked. The organization comprises over 100,000 employees, in addition to all patients it serves. Leaked personal data could include names, addresses, contact phone numbers and email addresses. Medical information could include medical records, notes and treatment histories.

"A small amount of HSE data has appeared on the 'dark web', a part of the internet which can only be accessed using special programmes. Action is being taken to assist the people affected by this," HSE wrote in a statement on its website. HSE issued a cybersecurity incident update on July 5, stating healthcare services continue to be severely affected by the cyber attack.

9. AXA S.A.

One week after cyber insurer AXA France announced it changed its cyber insurance policy to stop coverage for ransom payments, the company's Asia Assistance division was hit by a ransomware attack. In a statement on May 18, AXA said the branch was the victim of a targeted ransomware attack, which impacted its operations in Thailand, Malaysia, Hong Kong and the Philippines. "As a result, certain data processed by Inter Partners Asia (IPA) in Thailand has been accessed. At present, there is no evidence that any further data was accessed beyond IPA in Thailand," the statement said. AXA said a dedicated task force with external forensic experts was investigating the situation and regulators and business partners were informed. Further details, such as the type of attack and any further impact, have not been released.

10. JBS USA

Days after Colonial Pipeline Co. disclosed paying a hefty ransom, JBS USA confirmed the REvil ransomware group hit the global beef producer on May 30, forcing the company to shut down operations. On June 3, JBS issued a statement that its global facilities were "fully operational after resolving the criminal cyberattack." It cited its own "swift response, robust IT systems and encrypted backup servers" for the rapid recovery.

However, one week later, the subsidiary of the world's largest beef producer confirmed it paid an $11 million demand. Operators behind REvil are known to use data exfiltration with threats to leak stolen data if victims do not pay. One reason JBS said it paid was to ensure no data was exfiltrated, but a vast majority of the company's facilities were operational at the time of payment. In the press release from June 9, JBS said "preliminary investigation results confirm that no company, customer or employee data was compromised."

This was last published in July 2021