Select Page

Ransomware Attacks Report 2021

Ransomware attacks report 2021

In this blog, we’ll compile a list of publicized ransomware attacks in each quarter 2021. With the total cost of ransomware expected to exceed $1 billion in 2021, the number of ransomware attacks will grow in addition to the sophistication and the method of delivery. This blog will help you stay up-to-date with ransomware incidents and help you avoid mistakes which led to them.

Ransomware Attack Statistics – Q1 2021

  • The top 5 most active ransomware in Q1 2021 were REvil, Clop, Conti (Ryuk), Babuk Locker, and Doppel Paymer.
  • New ransomware that appeared in Q1 2021: Cring, Vovalex, Babuk Locker, Phoenix CryptoLocker, Hog and Humble.
  • The number of ransomware attacks in Q1 2021 increased by 17% as compared to Q1 2020.
  • The most frequently attacked sectors were industrial, and scientific and educational organizations. The two sectors amounted to 30% of the total ransomware attacks in Q1 2021.
  • 61% of malware was distributed using emails while 35% were delivered from direct attacks on computers, servers, and network equipment.
  • REvil operators broke all ransom records by demanding $50 million USD from the computer giant: Acer.
  • REvil improves their malware by adding the ability to run the encryption process in Windows Safe Mode allowing the ransomware to bypass security measures.
  • Conti (Ryuk) added the ability to spread to other devices within the domain. The malware creates copies that are spread over the network using shared network resources. The Windows task scheduler is then used to launch the files by creating tasks.

(Q1 2021 Statistics Source: ptsecurity)

Ransomware Attacks in Q1 2021

  • The New York based at-home laboratory service provider Apex Laboratory had its systems encrypted and patient data stolen in a ransomware attack and went public with that information in the beginning of Q1 2021 . The hackers stole Personally Identifiable Information (PII), Personal Healthcare Information (PHI), Medicare, Medicaid, and insurance information for an estimated 10,000 clients.
  • The UK-based construction company Amey was targeted by Mount Locker ransomware in mid-December 2020, leading to a data breach that compromised contracts, financial documents, confidential partnership agreements, and non-disclosure agreements (NDAs).
  • The Hackney Council in London was attacked by Pysa ransomware (or Mespinoza), the group started publishing the stolen data on the dark web as part of a double-extortion attack. According to Computer Weekly, the hackers stole a significant amount of PII, passport data, scans of tenancy audit documents for public housing tenants, staff data, and information about community safety.
  • The Norwegian base of AKVA group, a global supplier of aquaculture industry, was attacked by ransomware in January, 2021. A number of key systems were disrupted as a result. Commenting on the ransomware attack, the CEO of AKVA group, Knut Nesse, said: “Those who have attacked us have obtained our production data (ERP system). It has been blocked and so-called ransomware virus has now been introduced. We have operations in ten countries, and various services. Some of the services are working normally, others are partially working and some are completely down.”
  • Cyber criminals stole and published 4000 files belonging to the Scottish Environment Protection Agency (SEPA). As a result of the ransomware, the Scottish regulator experienced a “significant systems outage”. “..we’ve lost access to most of our systems, including things as basic as our email system” said Terry A’Hearn, the chief executive for SEPA.
  • Palfinger, the Austrian crane and lifting manufacturer, was victim to a ransomware attack which disrupted their IT and business operations. The company’s Enterprise Resource Planning (ERP) system went down and a “large proportion of the group’s worldwide locations were affected”.
  • Babuk group targeted the outsourcing giant Serco, attacking parts of their infrastructure in mainland Europe in a double extortion attack. In the ransom note, Babuk’s operators claimed to have had access to Serco’s systems for three weeks, and to have already exfiltrated a terabyte of data.

Ransomware Attack Statistics – Q2 2021

  • The most active ransomware in Q2 2021 were REvil, Avaddon, DoppelPaymer (later operating under the name: “PayOrGrief”), and Conti (Ryuk).
  • New players in the ransomware market in Q2 2021: Lorenz, Epsilon Red, Prometheus, and Xing team.
  • In Q2 2021, a large number of attacks targeted QNAP network drives. One ransomware campaign encrypted and stored user files in password-protected 7zip archives. The ransomware Qlocker began targeting Qnap devices in April, 2021. While the files are being locked, the QNAP Resource Monitor displays ‘7z’ processes which are 7z command-line executables. The infected files are archived in password-protected 7zip archives with .7z extension. Other ransomware attacks targeting QNAP devices include AgeLocker and eCh0raix.
  • Cyber-criminals continue to exploit vulnerabilities in the Microsoft Exchange Server (ProxyLogon) in Q2 2021, using them to distribute ransomware such as Epsilon Red, and Monero
  • In Q2 2021, 22% ransomware attacks targeted government departments, 14% attacked healthcare, and 13% focused on manufacturing and industry.
  • Emails and compromise of computers, servers, and network equipment continue to be the popular method of deliver for malware attacks. The former being at 58% and the latter at 33% this quarter.

(Q2 2021 Statistics Source: ptsecurity)

Ransomware Attacks in Q2 2021

  • Home Hardware, the Canadian hardware store chain, was attacked the DarkSide ransomware group. The cyber criminals stole confidential financial reports and information pertaining to an acquisition deal threatening to make the information public if the ransom was not paid.
  • The City of Lawrence experienced a major systems outage in a ransomware attack that took control of fire and police department IT infrastructure.
  • A third-party software provider was attacked by the Clop ransomware gang, leading to an outage for the Regional Municipality of Durham which provides regional services to 8 municipalities including the City of Oshawa. Clop is known to attack vulnerable Accellion FTA file transfer platform. The region’s communications department didn’t respond to an emailed question on whether the cyberattack was the result of an Accellion FTA compromise.
  • The Washington DC Metropolitan Police department had 250GB of unencrypted files stolen by the Babuk Locker gang. The stolen data was related to operations, disciplinary records, and files related to gang members and ‘crews’ operating in DC.
  • The “Astro” hacker group targeted the Santa Clara Valley Transportation Authority (VTA) paralyzing their IT systems. The group claimed to have stolen 150GBs of data. In order to contain the cyber incident, the agency decided to shutdown IT infrastructure which affected operations such as real-time arrival information and VTA employee emails.
  • UnitingCare Queensland, the Australian healthcare service provider, was hit by a ransomware attack disrupting all operational infrastructure including internal staff emailing and booking of patient operation, forcing the staff to revert to pen and paper.
  • The DopplePaymer ransomware stole and published a large number of files from the Illinois Attorney General Office. The published files contained PII of state prisoners, their grievances, and details about their cases.
  • Scripps, the San Diego-based non-profit healthcare provider, was attacked by ransomware forcing the organization to suspend user access to their online portal and switch alternative methods for patients’ care. As a result of the cyber incident, the patient care systems were offline and critical patients had to be redirected to other hospitals.
  • DarkSide ransomware gang attacked Colonial Pipeline, the largest fuel pipeline in the US, leading to a shutdown of operations. DarkSide’s usual mode of operation involves gaining access to the corporate network and using Windows Domain access to spread the ransomware to all connected devices.
  • Waikato district health board in New Zealand was victim to a ransomware attack delivered via an email attachment. The cyber attack affected the majority of their IT systems including computers, phones, at Waikato, Thames, Tokoroa, Te Kuiti and Taumaranui hospitals. Several hundred patient appointments had to be cancelled, surgeries had to be postponed, and a large number of elective procedures had to be cancelled.
  • Exagrid, backup appliance vendor, was hit by Conti ransomware in May 2021 and ended up paying $2.6 million to the cyber criminals. The attackers claimed to have infiltrated the company network, stayed in it for a month, and encrypted the company’s file servers and SQL servers, and downloaded 800GB of information including personal data of clients and employees, commercial contracts, NDA forms, financial data, tax returns, and source code. The embarrassing situation worsened for the backup ‘specialist’ when they accidentally deleted the decryption tool and had to ask for it again.
  • FujiFilm, Japanese multinational conglomerate and manufacturer of optical film, cameras, pharmaceuticals, storage devices, photocopiers, and printers (Xerox), was attacked by a ransomware leading to partial shutdown of their network to contain the spread. Bleepingcomputer reported that the company was infected by Qbot trojan.

Ransomware Attack Statistics in Q3 2021

  • The most commonly reported ransomware of Q3 2021 were STOP (Djvu), Zeppelin, Phobos, Makop, Magniber, Dharma (.cezar family), REvil (Sodinokibi), Lockbit, eCH0raix/QNAPcrypt, and GlobeImposter. ‘
  • The number of reported ransomware attacks in Q3 increased by 31.64% compared to Q2, 2021. (Note: These are submissions by ransomware victims. The real number of attacks is expected to be significantly higher)
  • In Q3, a new ransomware, named ‘0XXX’, began targeting NAS devices. Reportedly exploiting a vulnerability in Samba to replace original files with encrypted versions with ‘.0xxx’ extension. On Bleepingcomputer forum, Western Digital, Buffalo, and UNRAID NAS device owners reported to have experienced the ransomware attack.

(Q3 2021 Statistics Source: Emsisoft)

Ransomware Attacks in Q3 2021

  • Kaseya, the company that offers Unitrend backup appliances with ‘anti-ransomware’ capabilities, was attacked by REvil ransomware group in a large-scale supply chain attack akin to the SolarWinds attack last year. Kaseya’s VSA management tool was used to inject ransomware into the IT systems of their end-customers and managed services providers (MSPs). The attack disguised as a software update for the cloud-based and on-prem VSA servers affected 1000 business servers and workstations and a large number of small businesses as well.
  • Leanoardtown Maryland, had “everything shutdown” as explained by the town administrator Ms. Laschelle Mckay as a result of the Kaseya ransomware attack. JustTech, the IT management company for the town, stated: “servers nor your network were directly hacked or breached. The intrusion came through the remote monitoring and security software we utilise from an industry leading provider”.
  • Guess, the American fashion brand, experienced a data breach by DarkSide ransomware which was able to infiltrate the corporate network and allegedly stealing social security numbers, drivers’ license numbers, passport numbers and/or financial account numbers.
  • The district council of Anhalt-Bitterfeld in Germany declared a ‘cyber catastrophe’ when a ransomware attack completely paralyzed their computer systems. The council, responsible for a population of 157000, had its offices offline and was unable to pay welfare benefits.
  • Cloudstar, a privately owned cloud-hosting service provider, had the majority of their systems shutdown because of a ransomware attack affecting the US real-estate industry. IdentityIQ reports that as of November 2021, the CSP has yet to recover from the cyber incident.
  • AvosLocker attacked and stole files from the servers of the City of Ohio. The AvosLocker site published a sample of the stolen data which included file directories, court documents, and tax returns which included social security numbers.
  • Venture capital firm, Advanced Technology Ventures (ATV), was attacked by an unnamed ransomware resulting in data theft of the personal information of approx. 300 individual investors. The stolen information included email addresses, social security numbers, and phone numbers.
  • Gigabyte, the Taiwanese motherboard and computer component manufacturer, confirmed that they had to shut down a part of their IT infrastructure and ‘handful’ of servers affected by a ransomware attack from the RansomEXX gang. According to Bleepingcomputer, the cyber criminals stole confidential documents including a debug document, an Intel “Potential Issues” document, an “Ice Lake D SKU stack update schedule”, and an AMD revision guide.
  • Lockbit 2.0 ransomware gang attacked Accenture, the global IT consultancy giant, and claimed to have stolen 6TBs of files. The threat actors claim to have gotten access to Accenture’s network via a corporate “insider”.
  • Memorial Health System, which represents 64 clinics and hospitals in West Virginia and Ohio, had to cancel surgeries and divert ambulances as a result of a ransomware attack. All IT systems and servers were affected and staff access was affected.
  • Threat actors exploited the Accelion File Transfer Application (FTA) vulnerability to attack Beaumont Health, stealing personal data of over 1500 patients. The healthcare service provider used the FTA to transfer large files which were intercepted and downloaded by the attackers.

Ransomware Attack Statistics in Q4 2021

  • New ransomware gangs in Q4 2021: Everest, BlackByte gang, and Desorden.

Ransomware Attacks in Q4 2021

  • Fimmik, a Hong Kong marketing firm, was attacked REvil ransomware gang claiming to have stolen customer data of notable brands such as Coca-Cola, Cetaphil, and Kate Spade by breaching their database.
  • One of the largest Korean-American community banking service providers, Pacific City Bank (PCB), was the victim to a ransomware attack claimed by AvosLocker. The cyber criminals were able to steal confidential information such as loan application forms, tax return documents, W-2 information of client firms, Payroll records of client firms, full names, addresses, social security numbers, and wage and tax details.
  • Approximately 350,000 patients have been notified by ReproSource Fertility Diagnostics, a subsidiary of Quest Diagnostics, that their PHI data was potentially stolen by a ransomware attack. The investigation is ongoing but the officials have determined that the stolen information varies by patient and includes names, contacts, date of birth, CPT and diagnoses codes, test requisitions and results, test reports, medical histories, health insurance plan identification names or numbers, other data provided to the physician, and further information tied to billing and health.
  • Ecuador’s largest private bank, Banco Pichincha, was forced to take down portions of their network in the wake of a ransomware attack. This resulted in disrupted operations, an offline banking portal, and ATMs that didn’t work. Bleepingcomputer reports that threat actors gained access to the bank’s network by installing a Cobalt Strike beacon.
  • The Sinclair Broadcast Group, owner of 185 television stations affiliated with channels including Fox, ABC, CBS, and NBS, was attacked by a ransomware encrypting their servers, and disrupting certain operational networks. The attackers were also able to attack other TV stations using Sinclair’s Active Directory domain. As a result of which, the company was forced to shut down their Active directory causing disruption throughout the organization and for their affiliates. Several corporate assets were taken down in the incident, including the email servers, broadcasting, and newsroom systems.
  • Disorder ransomware group claims to have stolen the data of millions of customers who stayed at the luxury hotel chain Centara Hotels in Thailand between 2003 and 2021. The cyber criminals claim to have stolen 400GB data of files and databases containing information such as PII, financial information, email, date of birth, full names, passport numbers, and corporate information of Centara Hotels.
  • Electronics retail giant MediaMarkt was victim to a ransomware attack which caused IT systems shut down and disrupted operations for stores in Germany and Netherlands. The ransomware targeted servers and workstations, also preventing cash registers from accepting credit cards and printing out receipts. The IT systems outage is also preventing the ability to look up previous purchases. Bleepingcomputer reports that the Hive Ransomware operation is behind the attack.

Stop Ransomware Attacks and Prevent Data Loss with Air-Gapping and Immutability

StoneFly is the trusted vendor of government departments and market leaders worldwide and boasts a zero-ransomware record.

Our storage, hyperconverged, backup and disaster recovery (DR), and cloud solutions have built-in data protection features, such as air-gapped backup, immutable storage, S3 object lockdown, snapshots, encryption, and more, which ensure that our customers can brush off ransomware seamlessly and continue operating with near-zero downtime.

Whether you’re looking for a SAN, NAS, S3 storage, backup and DR, or a cloud air-gapped storage solution, we can help. Contact our experts at to discuss your projects today.

The Spear Phishing Survival Guide

The Spear Phishing Survival Guide

Spear phishing stands as the favored gateway for ransomware delivery and infiltrating corporate networks. Shockingly, 36% of data breaches in 2022 involved phishing, with 25% utilizing email as the ransomware attack vector. Guarding against cyber threats and...

Understanding Detection and Response: EDR vs MDR vs XDR vs NDR

Understanding Detection and Response: EDR vs MDR vs XDR vs NDR

In a digitally transformed landscape fraught with ever-evolving cyber threats, the acronyms EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), MDR (Managed Detection and Response), and NDR (Network Detection and Response) have become...

Trigona Ransomware: What is it and How to Defend Against it

Trigona Ransomware: What is it and How to Defend Against it

In an ever-evolving digital landscape, the specter of ransomware looms large, and Trigona stands as a significant player in the realm of cyber threats. This blog delves into the multifaceted world of Trigona ransomware, unraveling its origins, unique characteristics,...

Lockbit Ransomware: Inside the Cyberthreat and Defense Strategies

Lockbit Ransomware: Inside the Cyberthreat and Defense Strategies

In the constantly evolving arena of cybersecurity, the digital landscape is fraught with adversaries lurking in the shadows, ready to exploit vulnerabilities and disrupt the operations of organizations. Among these threats, LockBit ransomware has emerged as a...

What Defending Against Ransomware-as-a-Service (RaaS) Entails

What Defending Against Ransomware-as-a-Service (RaaS) Entails

Ransomware has evolved, becoming a thriving business model for cybercriminals. Ransomware-as-a-Service (RaaS) exemplifies this transformation—a lethal alliance between the creators and distributors of ransomware. It’s no longer a threat relegated to tech...

You May Also Like

WordPress PopUp Plugin

Subscribe To Our Newsletter

Join our mailing list to receive the latest news, updates, and promotions from StoneFly.

Please Confirm your subscription from the email