More and More Companies Are Getting Hit with Ransomware [2021-2022]
The increasing frequency and size of ransomware attacks are becoming a huge concern for thousands of organizations globally. All over the world, threat actors take advantage of security vulnerabilities and encrypt data belonging to all sorts of organizations: from private businesses to healthcare facilities and governments.
What motivates ransomware actors to become even more creative in their attacks and to demand payments of tens of millions of dollars is the fact that some companies agree to pay the ransom and not disclose the attack. This usually happens because they are afraid of the severe social repercussions.
According to a study conducted by Cloudwards, in 2021, 37% of all businesses and organizations were hit by ransomware and out of all, 32% paid the ransom but recovered only 65% of their data.
A few months ago, we also published an article about a study showing that in the first five months of 2021 more than 290 companies became victims of six ransomware groups, but let’s see what the current situation is.
Below You Can Find a List of Private and Public Companies Affected by Ransomware Attacks in 2021:
- Accenture – noticed the LockBit ransomware attack on its systems on July 30 but the incident was immediately contained;
- Acer – the organization became a victim of a REvil ransomware attack back in March. The threat actors demanded a $50,000,000 ransom;
- ADATA – the organization was hit by the Ragnar Locker ransomware gang last month, which led to affected systems being taken offline to contain the infection;
- Asteelflash – the company detected the REvil / Sodinokibi ransomware at the end of March. The attackers demanded that Asteelflash pay a whopping $24 million ransom after it was initially set to $12 million in Monero crypto;
- ATFS – the attack took place in February and it was organized by the Cuba ransomware gang. The company experienced significant disruption to its business operations, the website was unavailable for a while, and payment processing was impacted;
- AXA – the French company revealed that one of its Asian subsidiaries was hit by an Avaddon ransomware attack in May, after dropping support for ransom payments;
- Bakker Logistiek – in April, Bakker Logistiek was the victim of a ransomware attack that encrypted their devices, therefore, disrupting food transportation and fulfillment operations;
- Bose Corporation (Bose) – Bose has confirmed that it suffered a ransomware attack and a data breach on 7 March 2021. Its U.S. systems have been impacted;
- Brazilian National Treasury – it was hit with a ransomware attack on August 17th but no damage has been done to the structuring systems of the agency;
- Brazil’s Tribunal de Justiça do Estado do Rio Grande do Sul – was impacted by a REvil ransomware attack in April that encrypted employees’ files and forced the courts to shut down their network;
- Brenntag – in May, the German chemical distribution company suffered a DarkSide Ransomware attack that led to the organization paying a $4.4 million ransom in Bitcoin;
- CD PROJEKT – on February 9th, the company disclosed it had suffered a ransomware attack stating that even if some devices in their network have been encrypted, their backups remain undamaged;
- Centrais Eletricas Brasileiras (Eletrobras) – suffered a ransomware attack in February. It affected some of the administrative network servers but had no impact on operations at nuclear power plants;
- Chicago-based subsidiary of Nokia – on June 16, the organization found that its system had been breached by Conti ransomware operators, only after they had deployed their payloads and encrypted SAC Wireless systems.
- CHwapi hospital – hit with a BitLocker ransomware attack in January that forced the medical facility to send emergency patients to different emergency hospitals and postpone surgeries;
- City of Tulsa’s online services – the second-largest city in Oklahoma became the victim of a ransomware attack in May. Following the attack, it was forced to shut down all of its systems and disrupt all online services;
- CNA Financial – was affected by a Phoenix Locker ransomware attack on March 21st that interrupted the company’s employee and customer services for three days. The company had reportedly paid the $40 million ransom to restore access to its systems;
- Colonial Pipeline – the company was forced to shut down after being hit by ransomware in May. The operator paid the hackers nearly $5 million in cryptocurrency in return for a decryption key to restore its systems;
- Companhia Paranaense de Energia (Copel) – impacted by the DarkSide ransomware gang also in February. The hacker claims to have stolen roughly 1,000GB;
- Comparis – it had suffered a ransomware attack in July that blocked some of its information technology systems. The hackers asked for $400,000 (CHF370,000) in cryptocurrency;
- CompuCom – it had been affected by a DarkSide ransomware attack in March leading to service outages and users disconnecting from the MSP’s network;
- Corporación Nacional de Telecomunicación (CNT) – the organization disclosed in July that it had its business operations, the payment portal, and customer support service disrupted following a RansomEXX ransomware attack;
- Cox Media Group (CMG) – the American media conglomerate reported that it was hit by a ransomware attack in June 2021, which knocked out live TV and radio broadcast feeds.
- Crystal Valley – was alerted on September 19 that it had been targeted in a ransomware attack. This attack has infected its computer systems and severely interrupted the daily operations of the company.
- Dairy Farm Group – the company was attacked in January by the REvil ransomware group, which asked for a $30 million ransom;
- Discount Car and Truck Rentals – the attack that occurred in February was conducted by the DarkSide ransomware group, which claims to have stolen 120GB of corporate, banking, and franchise data;
- Ecuador’s Ministry of Finance – Hotarus Corp ransomware group hit the financial institution in February, encrypted their website, and stole information;
- Edward Don – suffered a ransomware attack in June that has damaged its business operations, including phone systems, network, and email;
- ERG – reported “only a few minor disruptions” on its IT&C infrastructure after a ransomware attack targeted its systems in August;
- FatFace – it was impacted by a Conti ransomware attack in January that exposed 200GB of customer and employee data;
- Fujifilm – disclosed in June that its Tokyo headquarters had suffered a ransomware attack that disrupted its business operations;
- Gigabyte – RansomEXX ransomware gang attacked the company in August forcing it to halt its systems in Taiwan, causing inaccessibility of its website and support sites;
- Grupo Fleury – on June 24th, the company disclosed that its online systems were targeted in a REvil ransomware attack that led to the disruption of its operations;
- Guess – it had suffered a DarkSide ransomware cyberattack back in February with around 1,300 individuals having their data exposed or accessed during it;
- Harris Federation – fell victim to a ransomware attack in March that forced them to disable the devices given to the students, and temporarily suspended email and telephone systems;
- Howard University – revealed in September that it was the victim of a ransomware attack that impacted its systems.
- IObit – was hacked in January to carry out a widespread attack in order to spread DeroHE ransomware to its forum members;
- Ireland’s health service (HSE) – had to shut down all of its IT systems following a Conti ransomware attack that took place in May;
- Ireland’s Department of Health (DoH) – has also been a victim of the Conti Ransomware gang being forced to shut down its entire IT system in May;
- JBS Foods – in June, the world’s largest meatpacking organization was forced to shut down production at several sites globally following a REvil ransomware attack that affected its production facilities;
- JVCKenwood – revealed in October that it had suffered a ransomware attack conducted by the Conti ransomware group. The ransomware gang allegedly accessed and stole almost 2TB of information belonging to the company.
- Kaseya – the biggest ransomware attack on record took place in July and was coordinated by the REvil ransomware gang. Threat actors accessed its customers’ data and demanded ransom for the data’s recovery;
- Kia Motors – it suffered a ransomware attack in February conducted by the DoppelPaymer ransomware gang that affected internal and customer-facing systems;
- Kronos – in December 2021, the well-known workforce management solutions provider suffered a ransomware attack that disrupted many of their cloud-based solutions for weeks.
- Lincoln College – has announced that it will shut its doors in May 2022, following a devastating financial impact from the COVID-19 outbreak and a recent ransomware attack. The incident in December was the tipping point, and the decision to close the facility on May 13, 2022, was one that couldn’t be avoided. A decryption key was delivered after money was paid, however not enough data was recovered.
- Marketron – was hit in September by the BlackMatter ransomware gang. As a result, they went offline with their services.
- MediaMarkt – the German multinational chain of consumer electronics stores was hit by Hive ransomware in November, with the threat actors initially demanding a ransom of $240 million. As a result, IT systems in the Netherlands and Germany were closed down, and store operations were disrupted.
- Medatixx – was hit by ransomware at the beginning of November. Following the attack, which crippled its whole operation, Medatixx, a medical software provider from Germany, advised users to reset their application passwords.
- Memorial Health System – computers owned by Memorial Health System were affected by an attack performed by the Hive ransomware group in August. Following the attack, they suspended user access to information technology applications related to their operations;
- Metropolitan Police Department (MPD) – was the subject of a Babuk ransomware attack back in April with the hackers claiming they had stolen approximately 250 GB of data and threatening to expose it if they were not paid;
- Mutuelle Nationale des Hospitaliers (MNH) – RansomExx Ransomware attack on the French insurance company has severely disrupted the company’s operations in February;
- National Basketball Association (NBA) – in April, the Babuk ransomware gang claimed on its dark web page to have stolen 500 gigabytes of data such as contracts, non-disclosure agreements, and financial information and threatened to disclose it if the team failed to pay the ransom;
- New Cooperative – the Iowa-based farm service provider has been hit with a BlackMatter ransomware attack. The company confirmed for Bloomberg News that it did suffer a “cybersecurity incident” impacting some of its devices and systems.
- Nordex – disclosed they had been the victim of a cyberattack that was discovered early and also that the business had shut down its IT systems to prevent the assault from spreading. It seems that Conti ransomware was behind the assault that occurred on March 31st.
- NSW Transport agency – in March, Transport for NSW disclosed that the agency suffered a data breach following a Clop ransomware attack that exploited a vulnerability to steal files;
- Pierre Fabre – at the beginning of April, the pharmaceutical group was hit by a ransomware attack organized by the hacking group known as REvil/Sodinokibi. The hackers asked for a $25 million ransom and doubled it when the victim failed to respond;
- PrismHR – following a ransomware attack that allegedly took place at the end of February, the company disabled access to its platform for all users to contain the incident;
- Quanta – REvil ransomware gang stole data belonging to the company, like drawings and schematics meant to be used in relation to some Apple products. Because Quanta didn’t pay the $50 million ransom the hackers asked for, they started posting the stolen schematics for Apple Macbooks on their data leak site;
- Rompetrol – In March, Rompetrol, the company that operates Romania’s largest refinery Petromidia, was attacked by Hive ransomware. Following the attack, the petroleum provider was forced to shut down its websites and the Fill&Go service at gas stations.
- Sandhills Global – suffered a ransomware attack that caused hosted websites to become inaccessible, disrupting their business operations.
- Scripps Health – in May, a ransomware attack on Scripps Health’s computer network forced the healthcare provider to block patient access to its online portal, postpone consultations, and transfer critical care patients to other hospitals;
- Shutterfly – the American-based company specialized in photography, photography-related products, and image sharing was impacted by a Conti ransomware attack with hackers managing to encrypt thousands of devices and also to perform corporate data theft.
- Sierra Wireless – revealed its internal IT systems were hit by a ransomware attack on March 20th, forcing it to suspend production at its manufacturing sites;
- Sinclair TV Stations – was impacted by a ransomware attack at the end of October. The Active Directory services were shut down and access to network domain resources was blocked. This also impacted various corporate assets including newsroom systems, broadcasting, and e-mail servers.
- Sol Oriens – in June, the company confirmed it had suffered a REvil/Sodinokibi ransomware attack that resulted in data theft;
- Stanford Medicine – in the attack, the Clop ransomware group had stolen and leaked personal information such as names, addresses, email addresses, Social Security numbers, and financial information;
- Stratus Technologies – on March 17, 2021, the company had become the victim of a ransomware attack. Upon detecting suspicious activity, they took some systems offline to prevent the attack’s spread;
- Synology – when it comes to Synology NAS devices, the eCh0raix ransomware hackers use brute-force techniques: they attempt to guess the most popular admin credentials in order to attack these devices and distribute ransomware payloads;
- The Technological University of Dublin – the ransomware attack took place in April and affected both IT systems and campus back-ups;
- The Lazio region in Italy – was impacted by a supposed ransomware incident that has disabled the region’s IT systems, including the COVID-19 vaccination registration portal. It is believed that the cyberattack was either conducted by the RansomEXX ransomware operation or LockBit 2.0;
- The National College of Ireland (NCI) – after a ransomware attack that occurred in April, NCI experienced significant disruption to IT services that have impacted a number of college systems, including Moodle, the Library service;
- The National Rifle Association of America (NRA) – Grief claimed to have hacked the NRA exposing 13 papers apparently belonging to the group and threatening to leak more unless the NRA pays an unknown extortion charge.
- The Resort Municipality of Whistler (RMOW) – suffered a ransomware attack on April 28, 2021, that forced them to shut down their network, website, email, and phone systems;
- The San Francisco 49ers – The BlackByte ransomware gang took credit for the 49ers’ attack. The team did not confirm whether or not the ransomware was successfully delivered, but stated they were in the process of restoring systems, implying that the devices were most likely encrypted.
- The systems of SEPE – the attack was aimed at the systems of SEPE, which is the Spanish government agency for labor. The systems were taken down following a Ryuk ransomware attack that affected more than 700 agency offices across Spain;
- TietoEVRY – was impacted by a ransomware attack that forced them to disconnect clients’ services. However, the company declared no private information has been exfiltrated or accessed;
- UK rail network Merseyrail – in April, the rail network became the victim of a LockBit ransomware attack. The hacker used the Merseyrail email system to email employees and journalists about the attack;
- UK Research and Innovation (UKRI) – in January, the organization revealed it had suffered a ransomware attack that encrypted its data and impacted two of its services;
- Underwriters Laboratories – was hit by a ransomware attack in February encrypting their devices and forcing the company to instantly halt its systems. UL has decided not to pay the ransom and instead restore from backups;
- The University of Colorado (CU) – in February, the University of Colorado (CU) issued a statement revealing that they were the victims of a cyberattack where Clop ransomware operators exfiltrated data through an Accellion FTA vulnerability;
- The University of Miami – even if the university never reported a cyberattack, the Clop ransomware group leaked screenshots of patient data including medical records, demographic reports, and a spreadsheet with email addresses and phone numbers;
- Zegna – The Italian luxury fashion brand Ermenegildo Zegna has admitted that it was the victim of a ransomware attack in August 2021 that caused widespread disruption of its IT systems. The RansomEXX organization claimed responsibility for the assault, in which data was disseminated as a means of extorting the victim into paying a ransom in exchange for the release of the data.
Every day, over 200,000 new ransomware strains are detected, meaning that every minute brings us 140 new ransomware strains capable of evading detection and inflicting irreparable damage. Ransomware operators will never stop, not even after the victim pays the demanded ransom.
How Can Heimdal™ Help?
In the fight against ransomware, Heimdal™ Security is offering its customers an outstanding integrated cybersecurity suite including the Ransomware Encryption Protection module, which is universally compatible with any antivirus solution and is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, whether fileless or file-based (including the most recent ones like LockFile).
Try it now and avoid being one more of the victims on the list!