State of the Global Threat Landscape

The transition to remote and hybrid working has had a considerable impact on the cyber-threat landscape over the past 18 months. Security policies were rewritten, best practices reshaped and new challenges burgeoned. Cybercrime was a growing, highly successful and profitable industry before COVID-19, and the global pandemic has made cybercrime even more profitable and dangerous.

The types of cyber-attacks that have occurred in 2021 have affected organizations in many ways — from minor disruptions in operations, to significant financial and reputational losses. This year, some industries have become more vulnerable to attacks than others. Banks and financial institutions, healthcare, higher education and corporations have found themselves to be particularly appetizing targets.

Growth in Cyber-Attacks

Google had registered just over 2.1 million phishing sites as of January 17, 2021, up from just shy of 1.7 million on January 19, 2020 (a 27% increase over 12 months), according to Verizon’s 2021 Data Breach Investigations Report. This number is sure to swell throughout 2021. Likewise, ransomware attacks have increased exponentially in 2021 compared to 2020, with a 41% increase in attacks since the beginning of 2021 and a 93% increase year on year. This trend points to an increasingly precarious future landscape. Strikingly, the cost of cybercrime is estimated to grow by 15% per year to reach $10.5tn by 2025, according to Cybersecurity Ventures.

A key driver of the increase in cyber-attacks in 2021 compared to 2020 is that attacks have become much easier to carry out, with payment methods such as cryptocurrency being far more criminal-friendly.

Cyber-criminals are also digitizing their operations and leveraging automation. This is especially true of ransomware attacks. Max Heinemeyer, director of threat hunting at Darktrace, recognizes how digitized and widespread ransomware attacks are becoming. “Attacks are on the rise, and the perpetrators are using increasingly sophisticated methods, including automation. The attack against software provider Kaseya in July, which impacted thousands of businesses internationally, was the latest in a string of high-profile, damaging ransomware attacks.”

Cyber-criminals are digitizing their operations and leveraging automation

Brad LaPorte, a former Gartner analyst for cybersecurity and threat intelligence and partner of HighTide Advisors, echoes this view and points out that a significant shift is occurring within the cybercrime world itself. He says, “Criminals are evolving their own digital transformation and are now modernizing their operations. Threat actors are becoming well-organized and are utilizing automated tools to streamline criminal activities at unprecedented rates. This has become evident through the wide use of underground criminal forums and other collaboration tools as well as the advent of full-service options on illicit marketplaces such as ransomware-as-a-service.”  

Much has been written about how the COVID-19 pandemic has provided ample opportunities for cyber-attackers. According to Purplesec’s 2021 Trends Report, the COVID-19 outbreak has revealed countless opportunities for threat actors. Malicious actors have posed as the Centers for Disease Control and Prevention (CDC) or World Health Organization (WHO) representatives.

"Threat actors are becoming well-organized and are utilizing automated tools to streamline criminal activities at unprecedented rates"

The European Union Agency for Cybersecurity, ENISA, reported a 47% rise in attacks on hospitals and healthcare networks in the same period, showing that criminal networks sought to capitalize financially on the pandemic’s most vital services. 

Across the Globe

The 2021 threat landscape contains considerable differences according to region, with intentions, goals and methods varying considerably. “Despite this variance, it is most common for criminal organizations in Europe to be financially motivated while having a tactical focus when compared to countries in Asia who are typically motivated by power and have a much more strategic focus,” says Brad LaPorte. “Additionally, nation-state organizations have increasingly been leveraging organized crime groups as a source of additional labor to execute their objectives.” 

Serious cyber-attacks against critical targets in Europe have doubled in the past year, according to ENISA. The State of Ransomware 2021 Report by Sophos shows that organizations in India, Austria and the US are most likely to be victims of ransomware attacks. In India, this number is exceptionally high, with 68% of organizations grappling with ransomware. Verizon’s 2021 Data Breach Investigations Report reveals that there are considerable differences in the success of phishing attacks across the globe. For example, 74% of organizations in the United States experienced a successful phishing attack.  

Organizations in India, Austria and the US are most likely to be victims of ransomware attacks

Cyber experts often highlight political and economic reasons when ascertaining cyber-criminals’ motivations. While this is true, the picture is incomplete, since motivations vary widely depending on the crime involved. Cybercrimes linked to ransomware, phishing, password cracking, malware and hacking are typically motivated by financial gain, but many are motivated by activism, cyber-theft and espionage. In Verizon’s 2021 Data Breach Investigations Report, organized crime is recognized as the central threat actor, responsible for 80% of attacks. This is not surprising, since financially motivated cybercrime has been statistically high for several years.

Arrests, Nation-States and ‘Professional’ Cybercrime

In 2021, we’ve witnessed some rare law enforcement wins in the ransomware space. In February, French and Ukrainian police disrupted the Egregor ransomware group, with several arrests made. Later, in June 2021, members of the notorious FIN11 (Clop) ransomware gang were arrested by Ukrainian police. In the same month, the FBI seized the majority of the funds paid to Russian hackers by Colonial Pipeline. Yet, why has it been so difficult, historically, to arrest cyber-attackers? Simply put, cyber-criminals are challenging to catch. They are often professional cybercrime gangs, who work nine-to-five hours and comprise coders, money specialists and data miners. 

‘Professional’ cybercrime groups aside, arguably even more alarming, stealthy nation-states are orchestrating cyber-attacks. Peter Yapp, former deputy director of the UK’s National Cyber Security Centre and a partner of the international privacy consultancy Schillings, argues this point: “What we are seeing is nation-states who do not conform to cyber norms taking advantage of an interconnected world built upon digital sand. In 2016, the Chinese State (APT10) infiltrated a global network of Managed Service Providers in order to get access to hundreds, if not thousands, of businesses worldwide. The tools used were not sophisticated, but the planning and project management was clever. This approach to target the supply chain has now been used by the Russian State in the SolarWinds attack of 2020, potentially impacting 33,000 customers.”

Unsurprisingly, 2021 has witnessed numerous high-profile supply chain attacks. Sam Curry, chief security officer at Cybereason, elucidates this point, saying that we see “the merger of supply chain exploits with ransomware to kick-start distribution, a yet higher set of extortions, and the same ecosystem at work.” Many cyber experts raise questions about the culprits, often flagging certain nation-states as refusing to take cyber-attacks seriously — even if nation-states are not themselves orchestrating the attacks.

Sam Curry points out the prevalent number of attacks coming out of Eastern Europe in 2021: “Today, we have highly profitable criminal organizations that are operating mostly out of Eastern Europe with zero risk, no accountability, motivated by greed and with no scruples. These attacks are ‘state ignored’ by the highest levels of government. Have we ever seen a company say, ‘hey, slow down, we’re making too much money and should stop?’ No, we have not, and it won’t start now.” 

Dmitry Smilyanets, a former Russian hacker and now cybersecurity expert, contends that most of the biggest ransomware attacks that have taken place in 2021 have come from former Soviet bloc countries, namely Russia, Ukraine and others. His argument is that most of the major ransomware groups advertise their malicious software products exclusively on Russian-speaking hacker forums on the dark web. Additionally, hacker groups predominantly operate during Moscow business hours, and ransomware software has specific instructions that require a Russian keyboard layout. Lastly, there are few known victims of ransomware in former Soviet states.

Domestic intelligence and security services, like the FBI, argue that victims of ransomware should turn to law enforcement officials to assist with unlocking their data

Anne Neuberger, deputy national security adviser for cyber and emerging technology, claimed that the Biden administration aims to identify and pursue criminal transactions in cryptocurrencies, and is reviewing the current US policies surrounding ransomware payments.

This will go some way to help businesses that have decided to pay their attackers. Such “following the money” tactics could well rattle the ransomware network. Lisa Monaco, US deputy attorney general, said that this countermeasure demonstrates that the US will make ransomware attacks more costly and less profitable for criminal enterprises. However, there is a growing expectation that ransomware payments will be prohibited outright. Indeed, four US states have recently proposed laws to ban ransomware payments.

For now, most domestic intelligence and security services, like the FBI, argue that companies and organizations should turn to law enforcement officials to assist with unlocking their data. After all, many point out that there is no guarantee that cyber-attackers will not try to monetize the data after receiving the payment. In November 2020, a Coveware report claimed that groups such as REvil sometimes still publish data after payment and, in some cases, demand a second payment. 

"...the cost of recovery after a shut-down normally far exceeds that of the ransom demanded - often by 10-times or more" - Max Heinemeyer

While this debate will surely continue throughout 2021, many will still be asking why more focus isn’t placed on preventative measures. As Max Heinemeyer says, “Rather than focusing on whether ransom demands should be met by the victim, we should focus on how to stop attacks from evolving into crises before the ransom is demanded.” When a ransomware attack occurs, “security teams too often have their hands tied — forced to choose between ceasing operations or paying a ransom. But the cost of recovery after a shut-down normally far exceeds that of the ransom demanded — often by 10-times or more.” 

The unexpected and immediate shift to remote and hybrid working has hugely affected the cyber-threat landscape. The inordinate number of large, damaging cyber-attacks in 2021 has left organizations and their customers overwrought due to operational disruptions and financial and reputational losses. Crucially, the objective of writing The State of the Global Threat Landscape was to cover a diverse range of significant threats to have occurred in 2021 and the threat landscape generally. Yet, it became evident that ransomware has overshadowed all other threats in 2021. There are good reasons for organizations to be consternated by the threat of ransomware when national intelligence agencies deem it the biggest online threat to businesses. This threat is unlikely to retreat anytime soon. Nevertheless, many will be desperately hoping that the global threat landscape will change quickly, given increasing innovations within the cybersecurity industry, more government intervention and comprehensive education, helping to stem the growing risk of ransomware.


  1. North and South America

    In late May 2021, Brazilian-based JBS was hit by one of the most significant ransomware attacks ever seen. The attack was attributed to the Russian-speaking cybercrime group, REvil, and it shut down facilities in the US, Canada and Australia. The company decided to mitigate any unforeseen issues pertaining to the attack and ensure no data was exfiltrated by paying its extorters $11m. 

    Also in May, attackers targeted Colonial Pipeline, the largest fuel pipeline in the US. Affiliates working with the Russian-based DarkSide group were blamed by the FBI for the attack, which forced operational systems offline. The attack caused major fuel shortages across most of the US. Colonial Pipeline paid the requested ransom (75 Bitcoins or $4.4m). Interestingly, the Department of Justice (DoJ) announced that it tracked down and accessed 63.7 out of the 75 Bitcoins paid.

  2. Europe

    In March 2021, the UK’s Harris Federation, which runs 50 primary and secondary academies in the London area, suffered a cyber-attack that resulted in 37,000 email accounts and the internet-enabled telephone system being disabled, including any Harris Federation devices. Ransomware gang REvil is thought to be responsible. 

    In May 2021, Ireland’s national health service, the Health Service Executive (HSE), was a victim of a large ransomware attack, which resulted in the HSE system shutting down. The Conti ransomware group, a Russia-based cybercrime group, reportedly asked the health service for $20m (£14m) to restore services. HSE chief Paul Reid made the grim announcement that it will take months to fix the system and cost as much as €100m (£85m) to recover, with considerable other “human costs” involved.

  3. Asia and Oceania

    In January, the retail-chain giant Dairy Farm Group was hit by a ransomware attack, reportedly by the REvil ransomware operation. The attackers compromised its network, encrypted devices and demanded a $30m ransom. Dairy Farm Group operates over 10,000 outlets across various sectors in Asia, including grocery, health and beauty and restaurants. Dairy Farm announced that it was unaware of any stolen data. Despite this statement, screenshots showed that the attackers continued to have access to email and computers post-attack.

    In May, a subsidiary of Japanese tech giant Toshiba admitted to suffering a cybersecurity breach reportedly caused by the DarkSide ransomware gang. Toshiba Tec Corporation — maker of printing, scanning and other office equipment — did not confirm whether any customer data was taken in the incident. Worryingly, Toshiba admitted that it is possible that the criminal gang may have leaked some information and data. The cybersecurity firm’s screenshots of DarkSide’s post show more than 740 gigabytes of compromised data, including passports and other personal information.
