The three most significant cyberattacks of 2021

The three most significant cyberattacks of 2021

People that predict tomorrow’s weather by looking at today’s are often right. Cloudy today? It’ll probably be cloudy tomorrow. The same is often true for cybersecurity threats. Looking back at 2021 it looks a lot like 2020: A lot of ransomware attacks.

So, when I was asked to write about the three most significant cyberattacks of 2021, it was no real surprise that my thoughts turned to ransomware attacks.

But what made these three stand out from the other attacks this year, and from many we’ve seen before, were not the direct consequences for the targeted systems, or even the people in the organizations that were attacked, but the consequences for people far beyond those organizations.

The three I’ve chosen are:

  • The Conti ransomware attack on Ireland’s Health Service Executive
  • The REvil ransomware attack on Kaseya VSA
  • The Darkside ransomware attack on the USA’s Colonial Pipeline

Let me explain why I chose these three from the multitude of ransomware attacks we went through in 2021.

The human cost of a ransomware attack

On May 14, Ireland’s Health Service Executive (HSE) was paralyzed by a cyberattack which turned out to be Conti Ransomware. The attack forced the organization to shut down more than 80,000 affected endpoints and plunged it back into the age of pen and paper.

Our colleague, Mark Stockley interviewed a doctor working in one of the affected hospitals.

Because of the ransomware attack, the doctor had to put in hours of extra effort after his day’s work just to determine which of the next day’s appointments he would have to cancel for lack of information. And then he could expect to deal with those anguished, sometimes angry patients, when he told them their appointment cannot go ahead.

“Imagine the scenario,” he said. “Patients will wait literally two years to see us. After two years they get a call saying ‘I’m sorry I can’t see you and I have to reschedule you and I can’t say when, because of the ransomware’. They know it’s not my fault but they are upset and very annoyed.” The doctor’s understatement kicks in. “They teach us ways to speak to angry patients, but it’s not nice.”

Asked what he would say to the attackers if he could speak to them , he responded with:

“If your loved one was sick. Would you do this? If you had somebody you cared about, would you do this to them. That’s what I’d ask them.”

“I think they lost their humanity.”

Four months later, after drafting in the army to help restore its systems, and after cancelling tens of thousands of appointments, HSE was still not fully recovered.

The ultimate supply-chain attack

On July 2, a severe ransomware attack against the popular remote monitoring and management software tool Kaseya VSA forced Kaseya into offering this urgent advice to its customers: Shutdown VSA servers immediately.

Members of the REvil ransomware gang had managed to push out a malicious Kaseya VSA update that encrypted machines and networks running the highly privileged software. The impact of the attack was enormous. Kaseya VSA is one of the more popular remote monitoring and management tools used by Managed Service Providers (MSPs) to administer their customers’ systems. The MSPs that were hit by the attack saw not only their own systems encrypted, but also the systems of their customers too.

An attack on one organization quickly became an attack on thousands.

The attack hit at a painful point in time for the Dutch Institute for Vulnerability Disclosure (DIVD), a volunteer-run organization that found a remote code execution flaw in Kaseya VSA on April 1, 2021. It was working with Kaseya to patch the VSA vulnerabilities for months prior to the attack. It took Kaseya quite a lot of effort and time, and more and more expertise to get the right patch out—to get it tested, to get it through quality assurance. And then, disaster struck just before the patches went out.

Only rarely do companies allow us a look inside their organization while they are recovering from a ransomware attack. Many find it more convenient to keep a low profile or to be secretive. We went over the work that had to be done by a Dutch MSP to repair the damage done by this attack. Doing this provided us with some valuable insights.

And our colleague David Ruiz talked to Victor Gevers, chair of the DIVD, on an episode of Malwarebytes’ Lock and Code podcast, about the ransomware attack that his organization was racing to prevent.

Gevers’ damning verdict on the current state of software: “The quality of products that are online and are exposed to the Internet are not up to par for the current situation that we are in and this is going to screw us over in the long term.”

Vital infrastructure is called vital for a reason

On May 10 the FBI confirmed that the Colonial Pipeline had been attacked by Darkside ransomware. The pipeline exists to supply gasoline and other products across the southern and eastern United States. It is the largest of its kind in the US, reportedly transporting almost half of the fuel consumed by the east coast. The US government declared an emergency and brought in emergency powers to ensure people would still be supplied with fuel.

The attack spurred new rules for critical infrastructure that represent a tidal shift in how the Transportation Security Administration (TSA) has protected pipeline security in the country for more than a decade. But it also made clear that the federal government is no longer satisfied with private industry’s lagging cybersecurity protections. President Joe Biden signed an Executive Order to place new restrictions on software companies that sell their products to the federal government.

A spokeswoman for the National Security Council explained at the time the importance of a requirement, that contractors would only gain access to federal systems on a “need-to-know” basis. Further, contractors would also have to notify government customers of any breach, bringing new transparency to the government about ongoing and increasingly frequent cybercrimes.

One other remarkable aspect of this attack that led to an 11-day shutdown and gas shortages in the eastern US, is that the US Department of Justice recovered much of the ransomware payment.

Ransom payments are the fuel that propels the digital extortion engine, and the recovery of the payment marked something of a turning point in the year. Ransomware attacks continued, but life became more uncomfortable for the gangs involved.

In August, we welcomed Lesley Carhart to the Lock and Code podcast to talk about critical infrastructure cybersecurity. Surprisingly, she managed to reassure us that while there are improvements to be made to critical infrastructure security, it’s not nearly as bad as some people think.

Have a safe 2022, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.