The 10 Biggest Ransomware Attacks of 2021

Recent Cyber Attacks Hit Infrastructure and Critical Facilities Across the US

November 12, 2021
A silver-colored pipe transporting liquid over a field.
Recent ransomware attacks have targeted a wide range of high-profile organizations and companies, including Colonial Pipeline, an oil pipeline system.

Ransomware attacks on Colonial Pipeline, JBS Foods, and other major organizations made headlines in 2021, and show no sign of slowing down. Across the world, hackers are exploiting security weaknesses and holding the data of companies, governments and healthcare organizations hostage, sometimes demanding tens of millions of dollars in payment.

How is Ransomware Defined?

According to the U.S. Government’s Cybersecurity and Infrastructure Assurance Agency (CISA): “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”

So what does that mean? Hackers take advantage of security weak spots to steal sensitive data or lock files. These criminals will only give you the key to access your system, or return the files, once you’ve paid their ransom.

Recent Ransomware Attacks in the News

Over the past few years, we have seen an increase in ransomware attacks, many of them high-profile attacks. Cyber attacks in 2021 that have used ransomware as their attack vector include attacks perpetrated against the Colonial Pipeline, Steamship Authority of Massachusetts, JBS (the world’s largest meatpacker), and the Washington DC Metropolitan Police Department. These attacks against U.S. companies and organizations result in shutdown of critical infrastructure, which can create shortages, increased cost of goods/services, financial loss due to shutdown of operations, and loss of money due to having to pay the ransom to the hackers, and worse.

2020 also saw an increase in the frequency of cyber attacks and higher ransom payments. According to Harvard Business Review, the amount companies paid to hackers grew by 300%. The sudden increase in remote work and more lax security protections at home gave hacker groups the perfect opportunity to breach sensitive data.

Healthcare Ransomware

During times of crisis, many hackers take advantage of upheaval and disorder and look for potential monetary gain. With the onset of the COVID-19 crisis in 2020, there was increased attention on cyber attacks in the healthcare space. A study by Comparitech has shown that ransomware attacks had a huge financial impact on the healthcare sector, with over $20 billion lost in impacted revenue, lawsuits, and ransom paid in 2020 alone. Over the course of the year, over 600 hospitals, clinics, and other healthcare organizations were impacted by 92 ransomware attacks.

CEO of cybersecurity firm FireEye, Kevin Mandia, shed some light on why these healthcare organizations are targeted. "Pharmaceuticals, hospitals, healthcare, public companies, organizations that don’t have the talent and skills to defend themselves—they’re getting sucker-punched," Mr. Mandia said. Marene Allison, J&J's chief information security officer, said that Johnson & Johnson experiences 15.5 billion cybersecurity incidents on a daily basis. (Becker's Hospital Review)

And it’s not only finances and patient data that’s at risk; given the crucial importance of healthcare, ransomware attacks can also lead to loss of life. According to NBC News, Teiranni Kidd sued Springhill Medical Center in Alabama after a botched delivery. In 2019, the hospital was the victim of a ransomware attack that shut down their IT infrastructure. The hospital failed to inform Kidd of the attack. According to the article, Kidd and her child received “diminished care” and missed key tests that could have prevented the baby’s severe brain injury, which led to her death nine months later. This is just one example and we’re likely to see more dire ways cyber attacks affect human life.

High-Profile Ransomware Attacks in 2021

In 2021, we’ve seen many high-profile attacks on corporations and firms across the country and the world. Just six ransomware groups are responsible for breaching the cybersecurity defenses of 292 organizations. These criminal organizations have so far taken more than $45 million in ransom money from their attacks. (ZDNet)

Here are 10 of the biggest ransomware attacks that made headlines in 2021.

Colonial Pipeline

Of all of the cyber and ransomware attacks in 2021, the breach of Colonial Pipeline in late April had the most news coverage. As Touro College Illinois Cybersecurity Program Director Joe Giordano notes, “The Colonial Pipeline attack made such an impact because the pipeline is an important part of the national critical infrastructure system. Taking the system down disrupted gas supplies all along the East Coast of the United States, causing chaos and panic.”

As most Americans are directly impacted by gasoline shortages, this attack hit close to home for many consumers. The DarkSide gang was behind the attack and targeted the firm’s billing system and internal business network, leading to widespread shortages in multiple states. To avoid further disruption, Colonial Pipeline eventually gave in to the demands and paid the group $4.4 million dollars in bitcoin.

This attack was particularly dangerous because consumers started to panic and ignored safety precautions. Some East Coast residents tried to hoard gasoline in flammable plastic bags and bins, and one car even caught on fire. After the chaos receded, government officials confirmed that Colonial Pipeline’s cybersecurity measures were not up to par and may have been prevented if stronger protection was in place.

Thankfully, US law enforcement was able to recover much of the $4.4 million ransom payment. The FBI was able to trace the money by monitoring cryptocurrency movement and digital wallets. But finding the actual hackers behind the attack will prove a lot harder. (The New York Times)


At around the same time in early May 2021, the same notorious hacker group that targeted Colonial Pipeline, DarkSide, also targeted Brenntag, a chemical distribution company. After stealing 150 GB worth of data, DarkSide demanded the equivalent of $7.5 million dollars in bitcoin.

Brenntag soon caved to the demands and ended up paying $4.4 million. Although it was a little more than half of the original demand, it still stands as one of the highest ransomware payments in history. (IT Governance)


Also in May this year, the computer manufacturer Acer was attacked by the REvil hacker group, the same group responsible for an attack on London foreign exchange firm Travelex. The $50 million ransom stood out as the largest known to date. REvil hackers exploited a vulnerability in a Microsoft Exchange server to get access to Acer’s files and leaked images of sensitive financial documents and spreadsheets. 

JBS Foods

Although Spring 2021 held hopeful news for the end of the pandemic, the increased trend of cyber attacks that began in 2020 showed no signs of slowing down. Another high-profile ransomware attack took place this May on JBS Foods, one of the biggest meat processing companies in the world. The same Russia-based hacking group that attacked Acer, REvil, is thought to be behind the attack. (CNN)

Although there weren't any major food shortages as a result of the attack, government officials told consumers not to panic buy meat in response. On June 10th, it was confirmed that JSB paid the $11 million ransom demand after consulting with cybersecurity experts. This massive payment in bitcoin is one of the largest ransomware payments of all time. (CBS News)


As with the Acer attack, the REvil gang also demanded a $50 million ransom from computer manufacturer Quanta in April. Although Quanta may not be a household name, the company is one of Apple’s major business partners. After the firm refused negotiations with the hacker group, REvil targeted Apple instead. After leaking Apple product blueprints obtained from Quanta, they threatened to release more sensitive documents and data. By May, REvil seemed to have called off the attack.

National Basketball Association (NBA)

Businesses and organizations from all different kinds of industries are targeted by ransomware attacks. One of the more surprising on the list this year was the National Basketball Association (NBA). In mid-April of this year, the hacker group Babuk claimed to have stolen 500 GB of confidential data concerning the Houston Rockets. Babuk warned that these confidential documents, including financial info and contracts, would be made public if their demands were not met. As of this posting, no ransom payments have been made.


This May, the European insurance company AXA was attacked by the Avaddon gang. The attack happened soon after the company announced important changes to their insurance policy. Essentially, AXA stated they would stop reimbursing many of their clients for ransomware payments. This unique (and somewhat ironic) attack on a cyber-insurance firm made headlines and the hacker group gained access to a massive 3 TB of data. (BlackFog)


Earlier this year in March, another large insurance firm fell victim to a ransomware attack. CNA’s network was attacked on March 21 and the hacker group encrypted 15,000 devices, including many computers of employees working remotely. The attack is supposedly linked to the hacker group Evil Corp and uses a new type of malware called Phoenix CryptoLocker.

CD Projekt

CDProjekt Red is a popular videogame development firm based in Poland. In February of this year, the firm was hacked by the HelloKitty gang. The hacker group accessed source code to game projects in development and encrypted devices. However, CDProjekt refused to pay the ransom money, and has backups in place to restore the lost data. (ExtremeTech)


REvil, the same hacker group that targeted Acer, Quanta, and JBS Foods, again made headlines in July with an attack on Kaseya. While not a name commonly known by consumers, Kaseya manages IT infrastructure for major companies worldwide. Similar to the attacks on Colonial Pipeline and JBS Foods, this hack had the potential to disrupt key areas of the economy on a large scale.

To carry out the attack, REvil sent out a fake software update through Kaseya’s Virtual System Administrator, which infiltrated both Kaseya’s direct clients as well as their customers. According to REvil, one million systems were encrypted and held for ransom. According to Kayesa, around 50 of their clients and around 1000 businesses in total were impacted. The hacker group demanded $70 million in bitcoin. To illustrate the impact of the cyber attack, Coop, a Swedish supermarket chain, was forced to close 800 stores for a full week. (ZDNet)

Soon after the attack, the FBI gained access to REvil’s servers and obtained the encryption keys to resolve the hack. Fortunately, no ransom was paid and Kaseya was able to restore the IT infrastructure of its clients. Although it started out as one of the biggest ransomware attacks of the year, the situation was salvaged in the end. (ZDNet)

Progress in the Fight Against Ransomware

Although not a state-sponsored organization, the group behind the Kaseya attack is based in Russia. According to the Associated Press, the widespread security event prompted a call between President Biden and President Putin in July. During the call, Biden pressured Putin to take a stronger stance on targeting malicious agents in his country. Although exactly what took place after this phone call is unclear, the FBI gained access to REvil’s servers, and REvil’s website and infrastructure went down soon after. While it’s uncertain whether Biden’s call made a difference, the White House asserts that it will keep up the pressure on Russia to cooperate.

Despite the continued onslaught of ransomware attacks, there have been some hopeful developments. In November, news broke that five suspected associates of the REvil group were arrested by the European law enforcement agency Europol. According to, “the alleged hackers are suspected of involvement in about 5,000 ransomware infections and received about half a million Euros ($579,000) in ransom payments.”

Using wiretapping and other methods, police were able to access group infrastructure and track down the alleged hackers. The two most recent arrests were the result of collaboration between 17 countries, including major world powers like the U.S., U.K. and France.

One of the men, Yaroslav Vasinskyi, 22, was allegedly responsible for the attack against Kaseya. Both of the men arrested in November may face life in prison. Although REvil is still an active player in the world of cybercrime, authorities hope to find and prosecute more hackers and end their operations. (NPR)

A Dire Need for Cybersecurity Experts

There are two key components necessary to address this issue. One is that companies need to take cybersecurity seriously and invest in it with adequate resources. Secondly, there needs to be more highly educated cybersecurity experts ready to address the scourge of ransomware attacks we’re currently facing. As Giordano notes, “So many companies and institutions still have weak security, and strong security requires constant vigilance and updates, not a one-time upgrade. When more organizations start to take cybersecurity seriously and invest the time and resources to combat threats, we’ll start to see these threats diminish.”

Unlike some other STEM fields, you don’t need a master’s to get started in cybersecurity. Completing a graduate certificate program is often one of the best ways to qualify for relevant job opportunities. The Touro College Illinois graduate certificate program in cybersecurity for healthcare addresses the critical needs of the sector. Our hands-on courses build expertise in network security, HIPAA, cloud security, medical device security, and incident response and recovery.