Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/25/2021
03:35 PM
50%
50%

Ransomware, Phishing Will Remain Primary Risks in 2021

Attackers have doubled down on ransomware and phishing -- with some tweaks -- while deepfakes and disinformation will become more major threats in the future, according to a trio of threat reports.

Cybercriminals and nation-states have doubled down and improved on popular attacks, targeting companies with double-extortion ransomware attacks, adopting various COVID-19-themed lures for phishing, and taking advantage of cybersecurity chaos following the move to remote work, according to three threat reports published this week. 

Ransomware made up nearly a quarter of the incident-response engagements for IBM Security's X-Force threat intelligence group. Fifty-nine percent of the ransomware incidents involved cybercriminals exfiltrating, before encrypting, the data — so-called "double-extortion" attacks, according to the "X-Force Threat Intelligence Index 2021" report. The most common ransomware group, dubbed Sodinokibi, raked in more than $123 million in profits during 2020, according to the company's calculations.

Related Content:

Rising Ransomware Breaches Underscore Cybersecurity Failures

Special Report: 2020 State of Cybersecurity Operations and Incident Response

New From The Edge: Security + Fraud Protection: Your One-Two Punch Against Cyberattacks

The use of double-extortion ransomware attacks and the focus on large companies and big scores will continue in 2021, says Nick Rossmann, global threat intelligence lead for IBM Security X-Force.

"Double extortion is the trend that attackers have gone to in 2020 because the attack circumvents the defenses, like backups and a good incident response strategy, that companies have put into place," he says. "This shift is a natural evolution of where attackers are going to go in response to companies' defenses."

In separate threat reports published by IBM, anti-malware firm Trend Micro, and endpoint security firm BlackBerry, many of the same themes emerge. Ransomware dominated all, with Sodinokibi and Ryuk headlining lists of top ransomware campaigns, but relative newcomers Egregor and DoppelPaymer were also on the list. 

Attackers' focus on stealing and encrypting data at larger enterprises has led to an increase in ransoms, with one insurance company noting the average ransom doubled from 2019 to the first quarter of 2020, according to Trend Micro's "2020 Annual Cybersecurity Report." The top ransomware family, however, was not a new threat: The WannaCry crypto-ransomware worm, which automatically infected systems in May 2017, continues to scan for unpatched computers. 

"WannaCry, aside from being the top malware family, is the only ransomware in the list [of top malware]," Trend Micro states in its report. "Cryptocurrency miners as a whole are in second place, showing how prevalent they had become."

While many companies have seen ransomware on the rise, the number of attempted ransomware attacks — as measured by the number of e-mail messages with malicious links or malware connected to ransomware — has dropped. The decline is not because the threats have decreased, says Jon Clay, director of global threat communications at Trend Micro.

"If you look at the ransomware numbers, that number is actually down year-over-year because the tactics have shifted," he says. "We have moved from the spray-and-pray ransomware attacks to the much more targeted approach by the ransomware actors."

The notable exception is the 4-year-old WannaCry ransomware worm, which still creates the most malicious traffic, according to Trend Micro, which sees such encounters because its data is collected from endpoints.

Phishing attacks aimed at either stealing credentials or as part of a business e-mail compromise (BEC) scheme continue to be popular. With many employees working from home, they presented more of an opportunity for attackers, BlackBerry states in its "2020 Threat Report."

"Software-as-a-service (SaaS) applications and Webmail remained the most targeted services for phishing attacks, dominating others throughout the year," according to the report. "Financial and payment sectors ranked in the second and third positions."

Traditional exploits continued to be a common attack vector, claiming the top slot in the IBM report. While ransomware and phishing both climbed, IBM Security's X-Force found 35% of investigated incidents leverage vulnerabilities in the attack. The company also found attacks on Linux vulnerabilities had increased. 

"A lot of companies are moving to the cloud, so there is a lot of data there," says IBM Security X-Force's Rossmann. "In addition, the majority of Linux-based malware is cryptocurrency miners. So the Bitcoin market is driving attackers to move into Linux and try to exploit cloud services."

Looking to the future, disinformation and the threat of deepfakes are perhaps the most significant threats. Already, deepfakes are being used to enhance business scams, allowing cybercriminals to produce the voice of CEOs requesting a payment made to an attacker's account.

Put together, deepfakes and disinformation will hobble national efforts to prepare for a variety of threats, from future pandemics to cybersecurity and national security issues, says Eric Milam, a threat researcher with BlackBerry. 

"What do we do when what you see is a complete misinformation campaign, but it is so well done that you don't know it is a misinformation campaign, and those people who want to believe it now have a level of confidence that they would not have had in the past?" he says. "That is a threat to us as human beings, and we have no way to deal with that right now."

Milam predicts that machine-learning models will be the only way to defend against such threats in the future.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24028
PUBLISHED: 2021-04-14
An invalid free in Thrift's table-based serialization can cause the application to crash or potentially result in code execution or other undesirable effects. This issue affects Facebook Thrift prior to v2021.02.22.00.
CVE-2021-29370
PUBLISHED: 2021-04-13
A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme. This resulted in Cross-site scripting on the cheetah browser in any website.
CVE-2021-3460
PUBLISHED: 2021-04-13
The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.
CVE-2021-3462
PUBLISHED: 2021-04-13
A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could allow unauthorized access to the driver's device object.
CVE-2021-3463
PUBLISHED: 2021-04-13
A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could cause systems to experience a blue screen error.