Cyber Incident Victim: Underwriters Laboratories
Date: Feb 2021
Location: United States of America
Summary
Underwriters Laboratories experienced a ransomware attack that encrypted servers, prompting a system-wide shutdown to contain the incident and causing operational disruptions, including the temporary unavailability of its client portal. The organization opted against paying the ransom, initiating restoration from backups while engaging cybersecurity experts and authorities; potential data compromise remains under investigation given common ransomware tactics involving data theft for extortion.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Underwriters Laboratories (UL), a prominent safety certification company with 14,000 employees and global operations, experienced a ransomware attack on February 13, 2021. The organization detected unusual activity on its systems and promptly initiated containment measures, including shutting down affected systems to prevent further spread of the encryption malware. The attack targeted servers in UL's data center, forcing the company to disconnect infrastructure and disrupting normal operations. This led to significant operational challenges, with some employees unable to perform their duties due to system unavailability. UL engaged a cybersecurity firm to investigate the incident and notified relevant authorities about the breach. The company publicly confirmed the attack and stated its immediate priority was restoring systems to minimize customer disruption. The myUL client portal remained offline during recovery efforts as technicians worked to rebuild encrypted systems from backups.

UL adopted a policy of non-negotiation with the threat actors, explicitly instructing employees not to communicate with the ransomware operators or visit any associated websites. The organization chose to restore operations using backup data rather than paying a ransom, a process that extended system downtime due to the time-intensive nature of large-scale data restoration. While UL acknowledged the possibility of data compromise during the attack, investigators had not yet determined the scope of any information exfiltration at the time of public reporting. The company committed to notifying affected parties if evidence of data exposure emerged from their forensic analysis. Though the specific ransomware variant and threat group responsible were not identified, industry patterns suggested the attackers likely employed double-extortion tactics common in enterprise-targeting ransomware campaigns, involving both data encryption and potential theft of unencrypted files prior to system lockdowns.
