December 31, 2021

2021 in Review: Ransomware Attacks

Every 11 seconds an enterprise is the victim of ransomware. (Source: Cyber Security Ventures)

Over the past twelve months, we saw cyberattacks on gas pipelines, chemical distribution companies, KIA Motors, schools, computer manufacturers, and more—with no industry immune. It was a lucrative year for ransomware criminals, with six main gangs responsible for 292 attacks, generating $45 million between January and May 2021 alone. Let’s look at six of the major ransomware attacks that made headlines in 2021. 

Colonial Pipeline 

Colonial Pipeline was an easy victim with cybersecurity measures that were not up to par. In early May, the United State’s largest pipeline was the victim of a ransomware attack and held for approximately 75 bitcoin – almost $5 million. Following the attack, Colonial shut the pipeline off to contain it, resulting in airlines being forced to make fuel stops on long-haul flights, a sharp increase in gas prices, panic-buying at the pump, and emergency White House meetings. Following the attack, it was determined that Colonial Pipeline didn’t have strong enough security measures in place. Bloomberg reported that it was breached through a “leaked password to an old account that had access to the virtual private network (VPN) used to remotely access the company’s servers.”


Following the Colonial Pipeline attack, Brenntag, a chemical distribution company based in Germany, was also attacked. Darkside, the notorious hacker group, infiltrated the company with stolen credentials and held data for a ransom of $7.5 million in Bitcoin. Hackers got access to employee and client dates of birth, driver’s license numbers, medical records, and social security numbers. Brenntag ended up paying around $4.4 million—then the highest ransomware payment in history.


The computer manufacturer Acer suffered a ransomware attack in March 2021 by the REvil ransomware gang. Exploiting a vulnerability in a Microsoft Exchange server, the attackers gained access to the company’s file and leaked sensitive information, including financial documents. With a $50 million ransom, it was the highest request to date; Another attack by Desorden hit Acer in October. 

JBS Foods

REvil launched another attack on JBS Foods, the world’s largest meat producer, in late May—impacting JBS’ North American and Australian systems. By restoring backups, JBS avoided a prolonged shutdown that could have affected meat prices, given the company’s industry dominance. JBS Foods’ US division CEO Andre Nogueira said JBS paid over $11 million in bitcoin to prevent future attacks. 


With an eye for the potential to disrupt critical areas of the economy at scale, REvil attacked Kaseya in July—a company that manages IT infrastructure for major global companies. The ransomware gang issued a fake software update via Kaseya’s Virtual System Administrator, which infiltrated its direct clients and customers—around 50 clients and 1000 businesses were impacted. Following the attack, the FBI gained access to REvil’s servers and got the encryption keys to resolve the hack. Kaseya avoided paying the ransom was able to restore the IT infrastructure of its clients. 

KIA Motors

In February, KIA Motors in North America was the victim of an attack on KIA—a nationwide system outage affecting its Mobile UVO link apps, payment services, phone services, owner portal, and dealerships’ internal systems. The ransomware gang DoppelPaymer demanded a ransom of 404 Bitcoins (around 20 million USD), and if the initial payment wasn’t made within a specific timeframe, it would increase to 600 Bitcoins. DoppelPaymer threatened to leak the data. Kia Motors issued a statement: “We are aware of online speculation that Kia is subject to a ransomware attack. At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack.” — and it is not known whether the ransom was paid.

While ransomware attacks appear to happen overnight, bad actors sit in networks undetected for weeks or even months before launching an attack. With security experts predicting that supply chain and software exploitations will not slow down in the year ahead, many businesses are struggling to put measures in place to defend against these attacks. 

To avoid becoming the next victim, businesses must adopt a posture of detection and response to help mitigate risks within their network environments. Discover how to block every step in the kill chain with our Network Detection & Response Solution. With complete visibility into the ‘attack surface,” you can start to fight back–and beat ransomware gangs at their own game. Learn more