Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

03:35 PM

Ransomware, Phishing Will Remain Primary Risks in 2021

Attackers have doubled down on ransomware and phishing -- with some tweaks -- while deepfakes and disinformation will become more major threats in the future, according to a trio of threat reports.

Cybercriminals and nation-states have doubled down and improved on popular attacks, targeting companies with double-extortion ransomware attacks, adopting various COVID-19-themed lures for phishing, and taking advantage of cybersecurity chaos following the move to remote work, according to three threat reports published this week. 

Ransomware made up nearly a quarter of the incident-response engagements for IBM Security's X-Force threat intelligence group. Fifty-nine percent of the ransomware incidents involved cybercriminals exfiltrating, before encrypting, the data — so-called "double-extortion" attacks, according to the "X-Force Threat Intelligence Index 2021" report. The most common ransomware group, dubbed Sodinokibi, raked in more than $123 million in profits during 2020, according to the company's calculations.

Related Content:

Rising Ransomware Breaches Underscore Cybersecurity Failures

Special Report: 2020 State of Cybersecurity Operations and Incident Response

New From The Edge: Security + Fraud Protection: Your One-Two Punch Against Cyberattacks

The use of double-extortion ransomware attacks and the focus on large companies and big scores will continue in 2021, says Nick Rossmann, global threat intelligence lead for IBM Security X-Force.

"Double extortion is the trend that attackers have gone to in 2020 because the attack circumvents the defenses, like backups and a good incident response strategy, that companies have put into place," he says. "This shift is a natural evolution of where attackers are going to go in response to companies' defenses."

In separate threat reports published by IBM, anti-malware firm Trend Micro, and endpoint security firm BlackBerry, many of the same themes emerge. Ransomware dominated all, with Sodinokibi and Ryuk headlining lists of top ransomware campaigns, but relative newcomers Egregor and DoppelPaymer were also on the list. 

Attackers' focus on stealing and encrypting data at larger enterprises has led to an increase in ransoms, with one insurance company noting the average ransom doubled from 2019 to the first quarter of 2020, according to Trend Micro's "2020 Annual Cybersecurity Report." The top ransomware family, however, was not a new threat: The WannaCry crypto-ransomware worm, which automatically infected systems in May 2017, continues to scan for unpatched computers. 

"WannaCry, aside from being the top malware family, is the only ransomware in the list [of top malware]," Trend Micro states in its report. "Cryptocurrency miners as a whole are in second place, showing how prevalent they had become."

While many companies have seen ransomware on the rise, the number of attempted ransomware attacks — as measured by the number of e-mail messages with malicious links or malware connected to ransomware — has dropped. The decline is not because the threats have decreased, says Jon Clay, director of global threat communications at Trend Micro.

"If you look at the ransomware numbers, that number is actually down year-over-year because the tactics have shifted," he says. "We have moved from the spray-and-pray ransomware attacks to the much more targeted approach by the ransomware actors."

The notable exception is the 4-year-old WannaCry ransomware worm, which still creates the most malicious traffic, according to Trend Micro, which sees such encounters because its data is collected from endpoints.

Phishing attacks aimed at either stealing credentials or as part of a business e-mail compromise (BEC) scheme continue to be popular. With many employees working from home, they presented more of an opportunity for attackers, BlackBerry states in its "2020 Threat Report."

"Software-as-a-service (SaaS) applications and Webmail remained the most targeted services for phishing attacks, dominating others throughout the year," according to the report. "Financial and payment sectors ranked in the second and third positions."

Traditional exploits continued to be a common attack vector, claiming the top slot in the IBM report. While ransomware and phishing both climbed, IBM Security's X-Force found 35% of investigated incidents leverage vulnerabilities in the attack. The company also found attacks on Linux vulnerabilities had increased. 

"A lot of companies are moving to the cloud, so there is a lot of data there," says IBM Security X-Force's Rossmann. "In addition, the majority of Linux-based malware is cryptocurrency miners. So the Bitcoin market is driving attackers to move into Linux and try to exploit cloud services."

Looking to the future, disinformation and the threat of deepfakes are perhaps the most significant threats. Already, deepfakes are being used to enhance business scams, allowing cybercriminals to produce the voice of CEOs requesting a payment made to an attacker's account.

Put together, deepfakes and disinformation will hobble national efforts to prepare for a variety of threats, from future pandemics to cybersecurity and national security issues, says Eric Milam, a threat researcher with BlackBerry. 

"What do we do when what you see is a complete misinformation campaign, but it is so well done that you don't know it is a misinformation campaign, and those people who want to believe it now have a level of confidence that they would not have had in the past?" he says. "That is a threat to us as human beings, and we have no way to deal with that right now."

Milam predicts that machine-learning models will be the only way to defend against such threats in the future.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to unauthorized access via user_edit_password.php, remote attackers can modify the password of any user.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 is vulnerable to CSRF. Attackers can use the user_edit_password.php file to modify the user password.
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.