WestRock, a leading provider of differentiated paper and packaging solutions, fell victim to a ransomware attack on **January 23, 2021**, severely disrupting its **IT and operational technology systems**. The incident caused a **$189 million decline in net sales** and an **$80 million reduction in segment income** during Q2 2021 due to lost sales and operational disruptions. Additionally, the company incurred **$20 million in recovery costs**, primarily for professional fees tied to incident response, forensic investigations, and system restoration. While WestRock anticipated recovering losses through **cyber and business interruption insurance**, the attack forced prolonged downtime, supply chain delays, and reputational damage. The financial strain extended beyond immediate ransom payments (if any), highlighting how ransomware can cripple core business functions, erode customer trust, and trigger long-term operational setbacks. The attack underscored the cascading financial and operational risks of ransomware, particularly for manufacturing and logistics-dependent enterprises.
Source: https://www.csoonline.com/article/572321/sec-filings-show-hidden-ransomware-costs-and-losses.html
TPRM report: https://www.rankiteo.com/company/westrockcompany
"id": "wes0713107102825",
"linkid": "westrockcompany",
"type": "Ransomware",
"date": "11/2019",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'industry': 'Media and Broadcasting',
'location': 'USA',
'name': 'Sinclair Broadcast Group',
'type': 'Publicly Traded Company'},
{'customers_affected': 'Multiple (570 claims filed)',
'industry': 'Cloud Technology',
'location': 'USA',
'name': 'Blackbaud, Inc.',
'type': 'Publicly Traded Company'},
{'industry': 'Paper and Packaging',
'location': 'USA',
'name': 'WestRock Company',
'type': 'Publicly Traded Company'},
{'customers_affected': 'Customers and employees (data '
'extracted)',
'industry': 'Logistics and Transportation',
'location': 'USA',
'name': 'Radiant Logistics',
'type': 'Publicly Traded Company'},
{'industry': 'Mineral Processing',
'name': 'Mineral Technologies',
'type': 'Publicly Traded Company'},
{'industry': 'Electronics Engineering',
'name': 'Benchmark Electronics',
'type': 'Publicly Traded Company'},
{'industry': 'Business Process Outsourcing',
'name': 'Faneuil (subsidiary of ALJ Regional)',
'type': 'Subsidiary'},
{'industry': 'Meat Processing',
'location': 'Global (HQ in Brazil)',
'name': 'JBS',
'size': "World's largest meat processor",
'type': 'Private Company'},
{'industry': 'Energy (Fuel Pipeline)',
'location': 'USA',
'name': 'Colonial Pipeline',
'type': 'Private Company'},
{'industry': 'Data Backup Appliances',
'name': 'ExaGrid',
'type': 'Private Company'}],
'customer_advisories': [{'company': 'Radiant Logistics',
'details': 'Proactively engaging affected '
'customers/employees'},
{'company': 'Blackbaud, Inc.',
'details': 'Notified customers of data breach; '
'offered reimbursement for claims'}],
'data_breach': {'data_encryption': [{'company': 'Blackbaud, Inc.',
'details': 'Partial encryption attempt '
'(prevented)'}],
'data_exfiltration': [{'company': 'Blackbaud, Inc.',
'details': 'Subset of data copied from '
'private cloud'},
{'company': 'Radiant Logistics',
'details': 'Data extracted from '
'servers before systems '
'taken offline'}],
'personally_identifiable_information': [{'company': 'Blackbaud, '
'Inc.',
'details': 'Likely '
'(customer/employee '
'data)'},
{'company': 'Radiant '
'Logistics',
'details': 'Likely '
'(customer/employee '
'data)'}],
'type_of_data_compromised': [{'company': 'Blackbaud, Inc.',
'data': 'Customer and employee '
'data (subset)'},
{'company': 'Radiant Logistics',
'data': 'Customer and employee '
'data'}]},
'description': 'A series of high-profile ransomware attacks in 2020-2021 '
'affected multiple publicly traded companies, resulting in '
'significant financial losses, operational disruptions, and '
'legal expenses. Notable incidents included attacks on JBS, '
'Colonial Pipeline, ExaGrid, Sinclair Broadcast Group, '
'Blackbaud, WestRock, Radiant Logistics, Mineral Technologies, '
'Benchmark Electronics, and Faneuil. Ransom payments ranged '
'from millions to tens of millions, with additional costs from '
'lost revenue, remediation, legal fees, and insurance claims.',
'impact': {'customer_complaints': [{'company': 'Blackbaud, Inc.',
'complaints': '570 claims for '
'reimbursement from '
'customers/attorneys'}],
'data_compromised': [{'company': 'Blackbaud, Inc.',
'data': 'Subset of data from self-hosted '
'private cloud (customer/employee '
'data)'},
{'company': 'Radiant Logistics',
'data': 'Customer and employee data '
'extracted from servers'}],
'financial_loss': [{'company': 'Sinclair Broadcast Group',
'loss': '$63 million (lost advertising '
'revenue) + $11 million (remediation) '
'= $74 million gross; $24 million net '
'after insurance'},
{'company': 'Blackbaud, Inc.',
'loss': '$10.4 million (expenses) - $9.4 '
'million (insurance) = $1 million net; '
'$50 million anticipated legal '
'expenses'},
{'company': 'WestRock Company',
'loss': '$189 million (lost sales) + $80 '
'million (segment income) + $20 '
'million (recovery costs) = $289 '
'million gross (insurance recovery '
'expected)'},
{'company': 'Radiant Logistics',
'loss': '$750,000 (incident costs)'},
{'company': 'Mineral Technologies',
'loss': '$4 million (system restoration and '
'risk mitigation)'},
{'company': 'Benchmark Electronics',
'loss': '$7.681 million (incident costs) - '
'$3.989 million (insurance) = $3.692 '
'million net'},
{'company': 'Faneuil',
'loss': '$2.8 million (expenses and penalties) '
'- $1.3 million (insurance received) = '
'$1.5 million net (additional $0.6 '
'million insurance expected)'},
{'company': 'JBS',
'loss': '$11 million (ransom paid)'},
{'company': 'Colonial Pipeline',
'loss': '$4.43 million (ransom paid; $2.3 '
'million recovered by DOJ)'},
{'company': 'ExaGrid',
'loss': '$2.6 million (ransom paid)'}],
'legal_liabilities': [{'company': 'Blackbaud, Inc.',
'liabilities': '$50 million anticipated '
'legal expenses; lawsuits '
'proceeding (July 2021)'}],
'operational_impact': [{'company': 'Sinclair Broadcast Group',
'impact': 'Disruption to advertising '
'revenues (Q4 2021)'},
{'company': 'WestRock Company',
'impact': 'Lost sales and operational '
'disruption (Q2 2021)'},
{'company': 'Radiant Logistics',
'impact': 'Loss of revenue and incremental '
'costs (December 2021)'},
{'company': 'Benchmark Electronics',
'impact': 'Disrupted customer and employee '
'access (November 2019)'},
{'company': 'Faneuil',
'impact': 'Containment and remediation '
'measures (August 2021)'},
{'company': 'Colonial Pipeline',
'impact': 'Operational shutdown (May '
'2021)'},
{'company': 'JBS',
'impact': 'Disruption to meat processing '
'operations (June 2021)'}],
'revenue_loss': [{'company': 'Sinclair Broadcast Group',
'loss': '$63 million (advertising revenue)'},
{'company': 'WestRock Company',
'loss': '$189 million (net sales) + $80 million '
'(segment income)'},
{'company': 'Radiant Logistics',
'loss': 'Unspecified (adverse effect on Q2 2022 '
'results)'}],
'systems_affected': [{'company': 'Sinclair Broadcast Group',
'systems': 'Network (restored from backups)'},
{'company': 'WestRock Company',
'systems': 'IT and operational technology '
'systems'},
{'company': 'Radiant Logistics',
'systems': 'Operational and IT systems '
'(taken offline)'},
{'company': 'Blackbaud, Inc.',
'systems': 'Self-hosted private cloud '
'environment'},
{'company': 'Benchmark Electronics',
'systems': 'Customer and employee access '
'systems'},
{'company': 'Faneuil',
'systems': 'Information technology '
'systems'}]},
'initial_access_broker': {'data_sold_on_dark_web': [{'companies': ['Blackbaud, '
'Inc.',
'Radiant '
'Logistics'],
'details': 'Likely (data '
'exfiltrated)'}]},
'investigation_status': [{'company': 'Blackbaud, Inc.',
'status': 'Ongoing lawsuits (as of February 2022)'},
{'company': 'Sinclair Broadcast Group',
'status': 'Recovery ongoing; financial impact still '
'fluid (as of reporting date)'},
{'companies': ['WestRock Company',
'Radiant Logistics',
'Mineral Technologies',
'Benchmark Electronics',
'Faneuil'],
'status': 'Incident closed; financial reporting '
'completed'}],
'lessons_learned': ['Ransomware recovery costs extend beyond ransom payments, '
'including legal expenses, remediation, and technical '
'debt redress.',
'Insurance reimbursements can offset but not fully cover '
'financial losses.',
'Publicly traded companies must report material cyber '
'incidents to the SEC (8-K filings).',
'Post-incident security improvements (e.g., MFA) are '
'often accelerated due to increased budgets.',
'Data exfiltration is a common tactic alongside '
'encryption in ransomware attacks.'],
'motivation': 'Financial Gain',
'post_incident_analysis': {'corrective_actions': ['Accelerated security '
'budget approvals '
'post-incident',
'Implementation of delayed '
'projects (e.g., MFA, '
'network segmentation)',
'Enhanced monitoring and '
'incident response planning',
'Review of cyber insurance '
'policies'],
'root_causes': ['Delayed security projects (e.g., '
'MFA not implemented)',
'Inadequate network segmentation '
'or backup strategies',
'Vulnerabilities in self-hosted or '
'legacy systems (e.g., Blackbaud’s '
'private cloud)']},
'ransomware': {'data_encryption': [{'company': 'Blackbaud, Inc.',
'details': 'Partial (prevented full '
'encryption)'}],
'data_exfiltration': [{'company': 'Blackbaud, Inc.',
'details': 'Subset of data exfiltrated'},
{'company': 'Radiant Logistics',
'details': 'Customer/employee data '
'exfiltrated'}],
'ransom_paid': [{'amount': '$11 million', 'company': 'JBS'},
{'amount': '$4.43 million ($2.3 million '
'recovered)',
'company': 'Colonial Pipeline'},
{'amount': '$2.6 million',
'company': 'ExaGrid'},
{'amount': 'Undisclosed (ransom paid)',
'company': 'Blackbaud, Inc.'}],
'ransomware_strain': [{'company': 'ExaGrid', 'strain': 'Conti'},
{'company': 'Mineral Technologies',
'strain': 'Egregor'}]},
'recommendations': ['Implement multifactor authentication (MFA) and other '
'delayed security projects proactively.',
'Maintain offline backups to enable recovery without '
'paying ransom.',
'Engage third-party forensic and legal experts early in '
'incident response.',
'Review cyber insurance coverage to ensure adequate '
'protection against ransomware losses.',
'Monitor dark web for signs of stolen data being sold or '
'leaked.',
'Comply with SEC reporting requirements for material '
'cyber incidents (within 4 days, per proposed rules).'],
'references': [{'source': 'CSO Online'},
{'source': 'U.S. Securities and Exchange Commission (SEC) 8-K '
'Filings',
'url': 'https://www.sec.gov/edgar/searchedgar/companysearch.html'},
{'source': 'U.S. Department of Justice (DOJ) Press Release on '
'Colonial Pipeline Ransom Recovery'}],
'regulatory_compliance': {'legal_actions': [{'actions': '570 customer claims; '
'lawsuits proceeding '
'(July 2021)',
'company': 'Blackbaud, Inc.'}],
'regulatory_notifications': [{'companies': ['Sinclair '
'Broadcast '
'Group',
'Blackbaud, '
'Inc.',
'WestRock '
'Company',
'Radiant '
'Logistics',
'Mineral '
'Technologies',
'Benchmark '
'Electronics',
'Faneuil'],
'details': 'SEC 8-K '
'filings '
'for '
'material '
'cyber '
'incidents'}]},
'response': {'communication_strategy': [{'company': 'Radiant Logistics',
'strategy': 'Proactively engaging '
'affected '
'customers/employees'}],
'containment_measures': [{'company': 'Faneuil',
'measures': 'Systems containment; '
'remediation'},
{'company': 'Radiant Logistics',
'measures': 'Systems taken offline'}],
'incident_response_plan_activated': [{'company': 'Sinclair '
'Broadcast '
'Group',
'details': 'Restored '
'network from '
'backups; no '
'ransom paid'},
{'company': 'Blackbaud, '
'Inc.',
'details': 'Prevented full '
'encryption; '
'expelled '
'threat actor; '
'paid ransom'},
{'company': 'WestRock '
'Company',
'details': 'Incurred '
'recovery '
'costs; expects '
'insurance '
'reimbursement'},
{'company': 'Radiant '
'Logistics',
'details': 'Took systems '
'offline; '
'engaged '
'forensic '
'experts and '
'legal counsel'},
{'company': 'Faneuil',
'details': 'Engaged legal '
'counsel and '
'cybersecurity '
'firms; '
'implemented '
'containment/remediation'}],
'law_enforcement_notified': [{'company': 'Colonial Pipeline',
'details': 'DOJ seized $2.3 '
'million of ransom '
'payment'}],
'remediation_measures': [{'company': 'Sinclair Broadcast Group',
'measures': 'Network restoration from '
'backups'},
{'company': 'Blackbaud, Inc.',
'measures': 'Expelled threat actor; '
'risk mitigation'},
{'company': 'Mineral Technologies',
'measures': 'System restoration ($4 '
'million)'},
{'company': 'Benchmark Electronics',
'measures': 'Incident response and '
'recovery'}],
'third_party_assistance': [{'assistance': 'Forensic experts, IT '
'professionals',
'company': 'Radiant Logistics'},
{'assistance': 'Legal counsel, '
'leading cybersecurity '
'firms',
'company': 'Faneuil'}]},
'title': 'Ransomware Attacks on Major Companies (2020-2021)',
'type': ['Ransomware', 'Data Breach']}