6 High-Profile Ransomware Attack Examples and What You Can Learn From Them

A ransomware attack can wreak havoc on your business. Explore six recent high-profile ransomware attacks and what you can learn from them.

Carolyn Norton

Director of Cloud


    The World Economic Forum Global Cybersecurity Outlook 2022 report found that the threat of ransomware is continuing to rise. 80% of IT leaders said they believe ransomware is both a “dangerous and evolving threat to public safety.”

    Findings from the Allianz Risk Barometer 2022 shared those concerns. Global respondents cited “cyber incidents” such as ransomware attacks, cloud outages, and data breaches, as their top business concern — beating out COVID, climate change, and supply chain disruptions.

    Business leaders are right to be concerned.

    Ransomware can bankrupt businesses, hijack supply chains, and disable critical infrastructure. It can ruin your reputation, put customers at risk, and create a ripple of infections among the vendors and partners connected to your network.

    In this article, we’ll zoom in on six high-profile attacks and what you can learn from them.

    1. SolarWinds Ransomware Attack

    The SolarWinds cyberattack is one of the most infamous and far-reaching ransomware campaigns in history.

    The breach first began in September 2019 with an initial dry run – the threat actor injected test code into SolarWinds’ Orion software, a suite of network management and monitoring tools used by a segment of high-value accounts, including the US government.

    Then, in February 2020, the attacker injected trojanized code into a file that was then distributed by SolarWinds, as part of an Orion update.

    The attack was found to be perpetrated by Russian hacking group, Nobelium, as part of a targeted espionage campaign. Nobelium is particularly skilled at backdoor attacks that evade detection. SolarWinds had no idea anything was wrong until November 2020, when cybersecurity firm FireEye detected an intrusion within its systems.

    The compromised Orion software enabled the threat actor to gain access to FireEye’s Microsoft cloud platforms. And – in December 2020, Microsoft, FireEye, SolarWinds, and others began working with the US government as part of an emergency response.

    Lessons learned:

    Minimize third-party risks. According to Microsoft, security leaders are beginning to pay more attention to supply chain risks. While traditional vetting measures can help reduce risk during the selection process, they don’t mitigate risk or enforce compliance in real-time. Here, hackers inserted malicious code into a third-party system — Orion — with access to the SolarWinds network. Extending Zero Trust best practices like using least-privileged access and verifying explicitly to third-party partners and vendors can help, as can frequent audits and robust monitoring systems.

    Keep an eye on all code & components. Organizations must take proactive measures to keep malicious code out of software products. These include disabling forking, scanning and auditing your repository, setting automated alerts for vulnerable dependencies, tightly managing developer credentials and access permissions, whitelisting IP addresses, and revoking external contributor permissions after a project. The list goes on.

    Closely monitor outgoing traffic. Organizations should implement the same kinds of protections to monitor outbound traffic as inbound traffic. The idea is, even if you configure your network to only grant access to approved users, devices, etc., you’ll still see new systems and devices connecting to your network all the time. Implementing solutions like Defender for Endpoint, Defender for Office 365, and Antivirus software can help you keep stealth attacks out of your system and make it easier to spot unauthorized users, bad configurations, and unusual traffic.


    2. Colonial Pipeline Ransomware Attack

    In May 2021, the Colonial Pipeline Company was hit by a ransomware attack, forcing the oil pipeline system to shut down operations for almost a full week — dealing a serious blow to critical infrastructure.

    Because the Texas-based pipeline supplies much of the eastern and southeastern United States with gas and jet fuel, the disruption forced some gas stations to shut down, while others experienced miles-long lines of panicked customers.

    Within hours of the attack, Colonial Pipeline paid ~$44M in ransom, a figure that doesn’t account for downtime, recovery costs, and reputational damage.

    Later, the incident was attributed to the Russian ransomware gang, REvil, which offers ransomware-as-a-service to clients. Hackers gained access to the Colonial Pipeline network using compromised credentials to log into an inactive VPN account.

    Lessons learned:

    Enable MFA. Colonial Pipeline Chief Executive Joseph Blount explained to a US Senate committee that at the time of the attack, the legacy VPN hackers used to enter the system only had single-factor authentication enabled. Blount emphasized that the password linked to the account wasn’t a default password like “Colonial123.” The problem is, password complexity doesn’t matter in cases of credential theft. Something as simple as multi-factor authentication (MFA) could have prevented this attack from happening in the first place.

    Swap your VPN for a secure portal. Hackers often use VPNs to gain access to a target network. Once they’re in, it’s relatively easy to move laterally across the system. Worse, if you share information with external clients or 3rd-party vendors through your VPN, threat actors can break into their systems, too. Ultimately, your best bet is ditching your VPN for a more secure solution that provides greater visibility and more control.

    Implement an automated review system. An automated internal review system provides visibility into individual accounts, access permissions, and usage, as well as the devices, assets, and apps in your network. The legacy VPN used in the Colonial Pipeline attack was inactive, yet still connected to the rest of the network. AI-driven analytics and automated alerts would have been a game-changer here, flagging the VPN and allowing IT to intervene before something happened.
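The kind of automated account review described above, as an added example (not code from the article or from Colonial Pipeline): it reads a constructed account export and flags enabled VPN accounts that are password-only, idle past a threshold, or never used. The CSV column names, the 90-day threshold and the function name are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export with hypothetical column names; not real data.
SAMPLE_CSV = """account,enabled,vpn_group,mfa,last_login
jsmith,true,true,true,2021-04-28
legacy-vpn01,true,true,false,2020-11-02
svc-backup,true,false,false,2021-04-29
contractor7,false,true,false,2020-06-15
newhire,true,true,true,
"""

INACTIVE_AFTER_DAYS = 90  # assumed review threshold, tune to your policy


def review_accounts(csv_text, today, inactive_after=INACTIVE_AFTER_DAYS):
    """Return [(account, [issues])] for enabled accounts that can use the VPN."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only accounts that are both enabled and VPN-entitled are reviewed here.
        if row["enabled"] != "true" or row["vpn_group"] != "true":
            continue
        issues = []
        if row["mfa"] != "true":
            # A stolen password alone is enough to log in.
            issues.append("single-factor VPN access")
        if not row["last_login"]:
            issues.append("never used")
        else:
            idle = (today - date.fromisoformat(row["last_login"])).days
            if idle > inactive_after:
                issues.append(f"inactive {idle} days")
        if issues:
            findings.append((row["account"], issues))
    # Accounts with the most issues (stale and password-only) come first.
    findings.sort(key=lambda item: -len(item[1]))
    return findings


if __name__ == "__main__":
    for account, issues in review_accounts(SAMPLE_CSV, date(2021, 5, 1)):
        print(f"{account}: {', '.join(issues)}")
```

Run on a schedule against the identity provider's export, the top of the list is the set of accounts to disable or enroll in MFA first.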

    3. CNA Financial Ransomware Attack

    In March 2021, CNA Financial was hit by a ransomware attack that ended up encrypting an estimated 15k of its systems. The attack began when an employee downloaded a fake browser update from a legit website containing the Phoenix CryptoLocker ransomware strain.

    The attacker was then able to obtain access credentials and move laterally through the system.
    The $40M ransom payment set a record at the time that still stands today.

    While experts and law enforcement generally advise against making ransom payments, CNA leaders felt that they didn’t have other options. The attack disabled such a large share of the company’s IT infrastructure that paying the ransom seemed like the fastest path to recovery.

    Lessons learned:

    Make cybersecurity education a priority. Arguably, the most important lesson you can learn from this attack is the need to better educate employees about cybersecurity. While attackers might deploy sophisticated tactics once they’ve gained access to a network, they often gain entry through basic methods like phishing. The person who downloaded the ransomware likely had no idea they were putting the company at risk.

    Implement rapid threat detection. When businesses can detect anomalies, vulnerabilities, and breaches in real-time, they can take action faster and mitigate potential damage.

    Develop cyber attack playbooks. While prevention is the best medicine, there’s no way to guarantee that you won’t become a ransomware victim at some point. Putting together incident response plans for different scenarios (data breaches, stolen credentials, how to handle ransom demands, etc.) facilitates smart decisions and quick action when disaster strikes.

    4. JBS USA Ransomware Attack

    On May 30, 2021, JBS Foods was hit by an organized ransomware attack, forcing temporary closures of all its US beef plants, one Canadian plant, as well as beef and lamb kill operations in Australia.

    The organization paid an $11M ransom and was able to fully restore global operations by June 3 using backups. Given that JBS Foods is the world’s largest meat supplier, this incident could have caused far more damage.

    DHS classifies food suppliers as “critical infrastructure,” as attacks on major suppliers could lead to prolonged shortages and price increases.

    According to the FBI, the attack likely came from a Russian ransomware gang known as REvil. Like Colonial Pipeline, JBS is among the 85% of critical infrastructure that is privately-owned — which indicates that the attack was part of a broader strategy aimed at companies that control critical supply chains. And — because consumers depend on commodities like food and fuel, those companies are likely to pay large ransoms to get things back on track.

    Lessons learned:

    Implement an incident response plan. JBS reportedly spends over $200M per year on IT. Reps said those investments – along with robust security protections, protocols, redundant systems and encrypted backup servers – were key in helping them recover relatively quickly following the attack. Equally important was the fact that the JBS team knew exactly what to do from the moment they learned of the attack.

    Automate ID governance. With a large manufacturer like JBS, new employees, vendors, and partners are always coming and going, so manual provisioning can easily lead to over-provisioning, shadow accounts, and inactive IDs — all of which introduce serious compliance challenges and security threats. Automating identity governance allows orgs to outsource provisioning, de-provisioning, access approvals, and more — significantly reducing the risk of noncompliance and preventing bad actors from accessing sensitive data and apps.

    Secure non-human identities. Non-human identities include IoT and mobile devices, social media and service accounts, and “secrets” like API keys, passwords, and certificates. Organizations can protect their stack by implementing IAM capabilities at the edge, storing privileged credentials and keys away from devices (preventing lateral movement), and using endpoint privilege management tools.

    5. Planned Parenthood Ransomware Attack

    In October 2021, Planned Parenthood Los Angeles fell victim to a ransomware attack that exposed medical information of 400k patients – many of whom visit the organization’s network of health centers for sensitive matters – sexually transmitted diseases, contraception, abortions.

    Healthcare orgs (particularly small, outpatient clinics) are prime targets for attackers looking to sell PHI/PII on the Dark Web, demand a ransom, or leak data for political or malicious purposes.

    Cyber attacks on health care organizations are always scary, because they put real lives at risk. Service disruptions prevent patients from receiving critical care, while data leaks can threaten their reputation or physical safety. On the business side, class action lawsuits (like the one PPLA is facing right now) and HIPAA violations can take down a non-profit clinic in no time.

    Regardless of where you stand on the Supreme Court’s decision to overturn Roe v. Wade, this attack is particularly concerning – especially given the fact that RaaS marketplaces allow anyone to buy malware, credentials, exploits, and other “tools” that make it easy to launch a DIY attack on any organization (or individual) for less than $10.

    Lessons learned:

    • Run regular risk assessments. Continuous risk assessment is one of the best ways to find and fix vulnerabilities before threat actors can exploit them. Ultimately, though, you’ll need to be able to measure and calculate risks in real-time — so you mitigate threats and make plans to eliminate them.
    • Embrace integrated threat protection. According to Microsoft, unmonitored internet-facing systems are easy targets for human-operated attacks, with recent attacks spreading payloads throughout environments containing user credentials, inboxes, endpoints, and web apps. Experts advise healthcare orgs to implement solutions with XDR and SIEM capabilities like Microsoft Defender Advanced Threat Protection (ATP), Microsoft Sentinel, and Microsoft Defender for Cloud. This enables them to detect, investigate, and respond to threats from a single dashboard.
    • Practice good cyber hygiene. Microsoft also recommends that orgs continue to enforce security hygiene practices such as tamper protection, minimal privileges, and using firewalls to prevent lateral movement. On the identity side, solutions like Azure AD allow users to set up conditional access policies, enable single sign-on, and monitor ID-related security risks. You can also secure privileged access to seal off unauthorized pathways, making it easier to monitor access and usage and protect against targeted data theft. Entra Verified ID allows you to provision and verify decentralized credentials – preventing credential abuse.

    6. Accenture

    On July 30, 2021, Accenture detected irregular activity in its system indicating a breach, and immediately isolated and contained the incident. Luckily, the firm was able to maintain business continuity through effective planning, protocols, and quick action.

    By August 11, Accenture confirmed in a statement to CNN that all systems had been fully restored and that neither the firm’s operations nor its clients’ systems were impacted by the attack.

    Then – they were hit with the second part of what turned out to be a double extortion attack.

    Someone claiming to be part of the LockBit gang was posting screenshots, threatening to publish 2400 stolen files (or 6TB) unless the firm paid a $50M ransom within four hours.

    The stolen data contained case studies, PowerPoints, proprietary data, even information about how a cyber incident might affect Accenture and its clients.

    Accenture believes that this attack led to several chain attacks on its clients’ systems. Initially, the culprit was thought to be the LockBit gang – though some experts believe it was an inside job, as recent investigations revealed no evidence that LockBit was behind the attack.

    Lessons learned:

    • Centralize cybersecurity efforts. Organizations need to put up a unified front against cyber attacks, and building an effective security operations center (SOC) is one of the best ways to do that. Accenture’s SOC protocols and controls enabled the firm to ID irregular activity in one of its environments, contain the infected files, and isolate the impacted servers, allowing them to quickly restore operations.
    • Protect your customers. One of the best ways to avoid double extortion is by implementing a Zero Trust architecture. For example, reducing the size of the attack surface, limiting lateral movement, and continuous monitoring put some distance between attackers and your customers.
    • Be transparent. Accenture has been quiet about the incident and has never officially confirmed nor denied that it paid the ransom. But silence only further erodes trust among clients – and the general public. It’s better to acknowledge what happened, address the problem, then communicate what steps you’ve taken to protect client data moving forward.

    Final Thoughts

    Manufacturing companies, IoT networks, and SMBs with valuable IP are most at risk – but as you can see, cyberattacks go after every type of organization there is – consulting firms, non-profits, big meat – literally everything.

    This list only represents a fraction of the victims that made headlines – the reality is, organizations of all shapes, sizes, and sectors, get hit by attacks every day – and pay a heavy price. You just don’t hear about it.

    To learn more about cybersecurity, ransomware protections, or staying safe in the cloud, Velosio can help.
