Ransomware Retrospective 2021

At the time, the ransom demand on electronics giant Acer ($50 million) broke the record for the largest ransom demand to date. REvil used multiple extortion techniques to add leverage to the demand by combining encryption with data exfiltration and exploitation. As a result of their success with Acer, a newly emboldened REvil went on to set higher demands months later with an attack on Kaseya.

According to BleepingComputer, REvil may have leveraged a Microsoft Exchange Server vulnerability to gain initial access, which would mark the first time a major ransomware actor successfully weaponized Microsoft Exchange as an attack vector.

Ransomware halted production for Sierra Wireless, a Canadian IoT manufacturer with operations around the world. According to a statement released by the company, the attack affected internal operations and made the company's corporate website inaccessible, but the risk did not extend to consumer products or systems.

Sierra Wireless hired an independent incident response firm to investigate the attack, but the initial access point, demand, and responsible party are not publicly known. The impact of the attack is believed to have caused significant financial damage to the company, who withdrew their Q1 revenue forecast in the aftermath.

In March, attackers gained a foothold on CNA's network using a fake browser update—which came from a legitimate website which had itself been hacked. Attackers maintained access from March 5-21, using living-off-the-land tactics to avoid detection, disabling logging and security tools, and exfiltrating data to hold as additional leverage. On March 21, they deployed ransomware, encrypting more than fifteen-thousand systems and demanding $40 million in ransom.

It was reported that the source code used resembled that of the sanctioned WastedLocker ransomware, leading to speculation that Phoenix Locker was another evasion by Evil Corp to avoid 2019 sanctions, which prohibited any financial transactions with them.

REvil (also known as Sodinokibi) accessed the network of technology supplier Quanta, exfiltrating data and encrypting an undisclosed number of systems. Among the stolen data was schematics for a number of yet-to-be-released Apple products, which Quanta manufactures.

When Quanta refused to pay the ransom, hackers then demanded the same amount from Apple, otherwise threatening to release the stolen blueprints. When Apple refused to pay, REvil posted the data, which included schematics for the upcoming MacBook Pro.

While few details of the initial hack were shared publicly, REvil commonly exfiltrates data for additional leverage, encrypts systems, and modifies backup software to prevent companies from restoring their data after encryption.

Attackers exfiltrated sensitive files from the Metropolitan Police Department, claiming to have more than 250 GB of personnel and case files.

Babuk uses existing tools like Bloodhound, CobaltStrike, and Metasploit to achieve and maintain the access needed for both encryption and exfiltration tactics.

There is nothing like the spectre of a gas shortage to capture the attention of the American public or the federal government, and the Darkside ransomware attack on Colonial Pipeline in May 2020 did just that, rocketing ransomware to the top of the national agenda. While Darkside made clear in the days following the attack that they didn't intend to hit such a critical and visible target, the damage was done. While only Colonial Pipeline's IT systems were hit, the company nevertheless shut down pipeline operations until it could fully investigate the scope of the incidents, resulting in hours-long lines and a panic over access to fuel up and down the Eastern seaboard.

Ultimately, the US government responded by attacking and disabling Darkside's servers, the first—but not the last—such action the US government would take in 2021.

Watch the Webinar: How to Catch & Stop Next-Gen Ransomware

While REvil claimed to have compromised Acer's build server, they made good on the threat when they successfully infiltrated IT solutions provider Kaseya. Not only was Kaseya locked out of it's systems and data, the malware spread through Kaseya software to over 1,500 organizations across multiple countries.

The ransom demand—$70 million in Bitcoin to provide the encryption keys—was the largest in history, handily beating the previous record demanded in REvil's attack on Acer. Although it's not known how many Kaseya customers independently paid to have their data released, Kaseya itself opted not to pay the ransom, instead cooperating with the US government. Kaseya's decision to cooperate in the investigation would ultimately lead to the takedown of REvil.

Learn More About the Kaseya REvil Ransomware Attack