2021: The Year of Multi-Level Data Extortion

Many companies fast-tracked transformation to cloud services during 2020. Yet, while traditional security measures struggle to secure these complex environments, extortionist cyber attackers will take advantage.

Dark Reading Staff, Dark Reading

December 28, 2020


Many companies fast-tracked their transformation to cloud services during 2020 to adapt to the new requirements of today’s work environment. While this situation provided them with the needed flexibility and agile planning capabilities, it also added new layers of complexity. Because companies had to work within short time constraints and often lacked internal know-how about cloud services, the implementation was not always ideal, let alone secure.

At the beginning of the pandemic, we saw an increased focus on finding and exploiting security vulnerabilities in collaboration tools such as the Zoom video app and Microsoft Teams, which were suddenly mission-critical for all organizations. Of the 3,400 companies we surveyed during the lockdown, 39% reported that they experienced attacks against videoconferencing systems. In the same way, we expect to see attention turn toward cloud services in 2021 as their popularity and importance continue to increase. There has already been a boost in attacks against misconfigured cloud data buckets such as Amazon AWS S3 or misconfigured cloud database instances. Many of these attacks led to large data breaches or stealthy formjacking attacks that will continue to haunt us beyond the holiday shopping season.

These simple cloud attacks are just the beginning. Attackers are extending their reach further into the cloud and targeting serverless applications, API services, and container frameworks such as Kubernetes with all its corresponding automation scripts. Traditional security measures often fall short in protecting these new workloads.

These new frontiers can be interesting targets, especially for extortion attacks. We have noticed targeted ransomware groups trying to open up new profitable markets using this approach. From industrial OT and IoT devices to the cloud environment, there are many profitable opportunities for cybercriminals. They already created a lucrative business model with data extortion this year. According to our analysts, over 1,000 companies had their data stolen and later published due to ransomware attacks this year. These “doxing” and blackmail threats give attackers more leverage, so victims are pressured into paying. The demands can be very high, as the initial asking price of $34 million during the Foxconn attack showed, and we expect this trend to grow in 2021.

Telemetry data from the Acronis Cyber Protection Operation Centers shows that in November, 19% of the global ransomware detections were in the U.S., catapulting the U.S. to rank second in the world. There is no shortage of ransomware threats. From Q2 to Q3/2020, we observed an increase of 11% in ransomware detections in North America. We also noticed an increase in collaboration between different cybercriminal groups. Although affiliate programs and ransomware-as-a-service have been around for a decade, they are gaining more traction now. All of these factors are driving the number of automated threat factories even higher.

This influx of attacks, in combination with the lack of cyber protection skills, might be one of the reasons why many small- and medium-sized businesses are turning to MSPs for security services. Unfortunately, this move puts a target on the backs of MSPs. If attackers can successfully penetrate a service provider, they can leverage that trusted relationship to take over all of its clients. This strategy amplifies the attack’s impact and provides new profit opportunities because the cybercriminals can blackmail not only the provider but each individual client as well. A recent example occurred in Finland, where the attacker of a psychiatric clinic blackmailed some of the patients directly with the stolen data. As we detail in the Acronis Cyberthreats Report 2020, we expect this tactic to be one of the key threat trends in 2021.

Attackers also love to use existing tools within the infrastructure against the victim. This living-off-the-land tactic is often hard to block because legitimate tools such as PowerShell or WMI are misused. A common approach is to find domain administrator accounts or management consoles, uninstall all security software, and delete all available backups before using the same software distribution channel to roll out malware to the enterprise. With the move to the cloud, this attack surface has also increased, and we expect cybercriminals to benefit from it in the next year.
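Because each step in that sequence uses a legitimate tool, detection usually has to key on the order of events rather than on any single one. The following is an added example, not part of the original article: it correlates constructed events per account and flags the uninstall, backup deletion, mass deployment chain inside a time window. The action labels, account names and the 120-minute default are hypothetical and would need to be mapped from real telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, host, action).
# Action labels are hypothetical normalized names, not fields of any real product.
EVENTS = [
    ("2021-01-12T01:02:00", "CORP\\da-admin", "mgmt01", "security_agent_uninstall"),
    ("2021-01-12T01:09:00", "CORP\\da-admin", "bkp01", "backup_delete"),
    ("2021-01-12T01:20:00", "CORP\\da-admin", "mgmt01", "mass_software_deploy"),
    ("2021-01-12T09:00:00", "CORP\\helpdesk", "ws17", "security_agent_uninstall"),
    ("2021-01-13T14:00:00", "CORP\\bkp-svc", "bkp01", "backup_delete"),
    ("2021-01-12T03:00:00", "CORP\\patch-svc", "mgmt01", "mass_software_deploy"),
]

# Stages in the order the article describes them.
STAGES = ("security_agent_uninstall", "backup_delete", "mass_software_deploy")


def find_chains(events, window_minutes=120):
    """Return one alert per account that completes all STAGES, in order, within the window."""
    window = timedelta(minutes=window_minutes)
    by_account = {}
    for ts, account, host, action in sorted(events):  # ISO timestamps sort chronologically
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), host, action))

    alerts = []
    for account, rows in by_account.items():
        progress = []  # timestamps of the stages matched so far
        hosts = []     # hosts touched by the matched stages
        for when, host, action in rows:
            # Drop a partial chain whose first stage fell outside the window.
            if progress and when - progress[0] > window:
                progress, hosts = [], []
            if action == STAGES[len(progress)]:
                progress.append(when)
                hosts.append(host)
            if len(progress) == len(STAGES):
                alerts.append({"account": account, "start": progress[0],
                               "end": when, "hosts": hosts})
                progress, hosts = [], []
    return alerts


if __name__ == "__main__":
    for alert in find_chains(EVENTS):
        print(alert)
```

Single-stage events from the helpdesk, backup service and patch service accounts are routine on their own and produce no alert; only the account that walks all three stages in order is flagged.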

Clearly, 2021 will be a year when data protection is more relevant than ever. Given how quickly cybercriminals are adjusting their strategies, a holistic approach is needed – one that unifies and automates data protection and cybersecurity, empowering companies to quickly adapt to fast-changing threats. Companies need visibility into and integration of their infrastructure and the cloud so they can know what is happening with their data at all times. They also need automation to efficiently cope with the increasing complexity and flood of data attacks that will inevitably happen.


Author: Candid Wüest

Candid Wüest is the VP of Cyber Protection Research at Acronis, where he researches new threat trends and comprehensive protection methods. Previously he worked for more than 16 years as the tech lead for Symantec’s global security response team.
