Cybercriminals and nation-states have doubled down and improved on popular attacks, targeting companies with double-extortion ransomware attacks, adopting various COVID-19-themed lures for phishing, and taking advantage of cybersecurity chaos following the move to remote work, according to three threat reports published this week.
Ransomware made up nearly a quarter of the incident-response engagements for IBM Security's X-Force threat intelligence group. Fifty-nine percent of the ransomware incidents involved cybercriminals exfiltrating data before encrypting it — so-called "double-extortion" attacks, according to the "X-Force Threat Intelligence Index 2021" report. The most common ransomware group, dubbed Sodinokibi, raked in more than $123 million in profits during 2020, according to the company's calculations.
The use of double-extortion ransomware attacks and the focus on large companies and big scores will continue in 2021, says Nick Rossmann, global threat intelligence lead for IBM Security X-Force.
"Double extortion is the trend that attackers have gone to in 2020 because the attack circumvents the defenses, like backups and a good incident response strategy, that companies have put into place," he says. "This shift is a natural evolution of where attackers are going to go in response to companies' defenses."
In separate threat reports published by IBM, anti-malware firm Trend Micro, and endpoint security firm BlackBerry, many of the same themes emerge. Ransomware dominated all, with Sodinokibi and Ryuk headlining lists of top ransomware campaigns, but relative newcomers Egregor and DoppelPaymer were also on the list.
Attackers' focus on stealing and encrypting data at larger enterprises has led to an increase in ransoms, with one insurance company noting the average ransom doubled from 2019 to the first quarter of 2020, according to Trend Micro's "2020 Annual Cybersecurity Report." The top ransomware family, however, was not a new threat: The WannaCry crypto-ransomware worm, which automatically infected systems in May 2017, continues to scan for unpatched computers.
"WannaCry, aside from being the top malware family, is the only ransomware in the list [of top malware]," Trend Micro states in its report. "Cryptocurrency miners as a whole are in second place, showing how prevalent they had become."
While many companies have seen ransomware on the rise, the number of attempted ransomware attacks — as measured by the number of e-mail messages with malicious links or malware connected to ransomware — has dropped. The decline is not because the threats have decreased, says Jon Clay, director of global threat communications at Trend Micro.
"If you look at the ransomware numbers, that number is actually down year-over-year because the tactics have shifted," he says. "We have moved from the spray-and-pray ransomware attacks to the much more targeted approach by the ransomware actors."
The notable exception is the 4-year-old WannaCry ransomware worm, which still creates the most malicious traffic, according to Trend Micro, which sees such encounters because its data is collected from endpoints.
Phishing attacks, whether aimed at stealing credentials or conducted as part of a business e-mail compromise (BEC) scheme, continue to be popular. With many employees working from home, attackers had more opportunities to target them, BlackBerry states in its "2020 Threat Report."
"Software-as-a-service (SaaS) applications and Webmail remained the most targeted services for phishing attacks, dominating others throughout the year," according to the report. "Financial and payment sectors ranked in the second and third positions."
Traditional exploits continued to be a common attack vector, claiming the top slot in the IBM report. While ransomware and phishing both climbed, IBM Security's X-Force found that 35% of investigated incidents leveraged vulnerabilities in the attack. The company also found that attacks on Linux vulnerabilities had increased.
"A lot of companies are moving to the cloud, so there is a lot of data there," says IBM Security X-Force's Rossmann. "In addition, the majority of Linux-based malware is cryptocurrency miners. So the Bitcoin market is driving attackers to move into Linux and try to exploit cloud services."
Looking to the future, disinformation and deepfakes are perhaps the most significant threats. Already, deepfakes are being used to enhance business scams, allowing cybercriminals to imitate the voice of a CEO requesting that a payment be made to an attacker's account.
Put together, deepfakes and disinformation will hobble national efforts to prepare for a variety of threats, from future pandemics to cybersecurity and national security issues, says Eric Milam, a threat researcher with BlackBerry.
"What do we do when what you see is a complete misinformation campaign, but it is so well done that you don't know it is a misinformation campaign, and those people who want to believe it now have a level of confidence that they would not have had in the past?" he says. "That is a threat to us as human beings, and we have no way to deal with that right now."
Milam predicts that machine-learning models will be the only way to defend against such threats in the future.