Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/25/2021
03:35 PM
50%
50%

Ransomware, Phishing Will Remain Primary Risks in 2021

Attackers have doubled down on ransomware and phishing -- with some tweaks -- while deepfakes and disinformation will become more major threats in the future, according to a trio of threat reports.

Cybercriminals and nation-states have doubled down and improved on popular attacks, targeting companies with double-extortion ransomware attacks, adopting various COVID-19-themed lures for phishing, and taking advantage of cybersecurity chaos following the move to remote work, according to three threat reports published this week. 

Ransomware made up nearly a quarter of the incident-response engagements for IBM Security's X-Force threat intelligence group. Fifty-nine percent of the ransomware incidents involved cybercriminals exfiltrating, before encrypting, the data — so-called "double-extortion" attacks, according to the "X-Force Threat Intelligence Index 2021" report. The most common ransomware group, dubbed Sodinokibi, raked in more than $123 million in profits during 2020, according to the company's calculations.

Related Content:

Rising Ransomware Breaches Underscore Cybersecurity Failures

Special Report: 2020 State of Cybersecurity Operations and Incident Response

New From The Edge: Security + Fraud Protection: Your One-Two Punch Against Cyberattacks

The use of double-extortion ransomware attacks and the focus on large companies and big scores will continue in 2021, says Nick Rossmann, global threat intelligence lead for IBM Security X-Force.

"Double extortion is the trend that attackers have gone to in 2020 because the attack circumvents the defenses, like backups and a good incident response strategy, that companies have put into place," he says. "This shift is a natural evolution of where attackers are going to go in response to companies' defenses."

In separate threat reports published by IBM, anti-malware firm Trend Micro, and endpoint security firm BlackBerry, many of the same themes emerge. Ransomware dominated all, with Sodinokibi and Ryuk headlining lists of top ransomware campaigns, but relative newcomers Egregor and DoppelPaymer were also on the list. 

Attackers' focus on stealing and encrypting data at larger enterprises has led to an increase in ransoms, with one insurance company noting the average ransom doubled from 2019 to the first quarter of 2020, according to Trend Micro's "2020 Annual Cybersecurity Report." The top ransomware family, however, was not a new threat: The WannaCry crypto-ransomware worm, which automatically infected systems in May 2017, continues to scan for unpatched computers. 

"WannaCry, aside from being the top malware family, is the only ransomware in the list [of top malware]," Trend Micro states in its report. "Cryptocurrency miners as a whole are in second place, showing how prevalent they had become."

While many companies have seen ransomware on the rise, the number of attempted ransomware attacks — as measured by the number of e-mail messages with malicious links or malware connected to ransomware — has dropped. The decline is not because the threats have decreased, says Jon Clay, director of global threat communications at Trend Micro.

"If you look at the ransomware numbers, that number is actually down year-over-year because the tactics have shifted," he says. "We have moved from the spray-and-pray ransomware attacks to the much more targeted approach by the ransomware actors."

The notable exception is the 4-year-old WannaCry ransomware worm, which still creates the most malicious traffic, according to Trend Micro, which sees such encounters because its data is collected from endpoints.

Phishing attacks aimed at either stealing credentials or as part of a business e-mail compromise (BEC) scheme continue to be popular. With many employees working from home, they presented more of an opportunity for attackers, BlackBerry states in its "2020 Threat Report."

"Software-as-a-service (SaaS) applications and Webmail remained the most targeted services for phishing attacks, dominating others throughout the year," according to the report. "Financial and payment sectors ranked in the second and third positions."

Traditional exploits continued to be a common attack vector, claiming the top slot in the IBM report. While ransomware and phishing both climbed, IBM Security's X-Force found 35% of investigated incidents leverage vulnerabilities in the attack. The company also found attacks on Linux vulnerabilities had increased. 

"A lot of companies are moving to the cloud, so there is a lot of data there," says IBM Security X-Force's Rossmann. "In addition, the majority of Linux-based malware is cryptocurrency miners. So the Bitcoin market is driving attackers to move into Linux and try to exploit cloud services."

Looking to the future, disinformation and the threat of deepfakes are perhaps the most significant threats. Already, deepfakes are being used to enhance business scams, allowing cybercriminals to produce the voice of CEOs requesting a payment made to an attacker's account.

Put together, deepfakes and disinformation will hobble national efforts to prepare for a variety of threats, from future pandemics to cybersecurity and national security issues, says Eric Milam, a threat researcher with BlackBerry. 

"What do we do when what you see is a complete misinformation campaign, but it is so well done that you don't know it is a misinformation campaign, and those people who want to believe it now have a level of confidence that they would not have had in the past?" he says. "That is a threat to us as human beings, and we have no way to deal with that right now."

Milam predicts that machine-learning models will be the only way to defend against such threats in the future.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22540
PUBLISHED: 2021-04-22
Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
CVE-2021-27736
PUBLISHED: 2021-04-22
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.
CVE-2021-3287
PUBLISHED: 2021-04-22
Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.
CVE-2021-31547
PUBLISHED: 2021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. Its AbuseFilterCheckMatch API reveals suppressed edits and usernames to unprivileged users through the iteration of crafted AbuseFilter rules.
CVE-2021-31548
PUBLISHED: 2021-04-22
An issue was discovered in the AbuseFilter extension for MediaWiki through 1.35.2. A MediaWiki user who is partially blocked or was unsuccessfully blocked could bypass AbuseFilter and have their edits completed.