Cyber Threats: 2021 in Review
Back in 2020, we saw ransomware hit the mainstream like never before. The pandemic brought more of us online from our homes, cyberattacks were higher-profile than ever, and news coverage of hefty ransoms encouraged more threat actors to try their hand. But if 2020 was the year that propelled ransomware to center stage, 2021 was the year that organizations began to strengthen their defensive lines against the evolving threat landscape.
With the expertise of our in-house cybersecurity pros, we’re looking back at the past year to understand the ongoing trends seen from threat actors, individual businesses, and other cybersecurity professionals as we all grapple with new and emerging risks. Below, you can find our roundup of the highs (what are we collectively doing right?) and the lows (what do we need to watch for in 2022?).
The Bright Side
Effective Law Enforcement
In 2021, we’ve seen several ransomware gangs shut down through government intervention. In October, REvil was forced offline through a multi-country operation. The DarkSide encryption software used to halt service at Colonial Pipeline (impacting the East Coast’s gas supply) was developed by REvil operators. That, and the intensifying ransomware landscape exemplified by the Kaseya breach this summer, is ultimately what drove the US government to tighten its focus on ending REvil.
BlackMatter announced that it was shutting down its operations on a Ransomware-as-a-Service portal operated by the group, citing pressure from authorities as the primary reason for going offline. This came after a New York Times article referenced the collaboration of the US and Russian governments to crack down on cybercriminals based in Russia, and a joint advisory from CISA, the FBI and NSA declaring that BlackMatter had targeted critical infrastructure.
While it’s promising that the collaboration of governments across the globe has a clear impact on threat actors — through both a hands-on approach taken to hack and dismantle REvil and the pressure of future investigations — it’s impossible to permanently eradicate all cybercriminals through effective law enforcement alone.
The federal government is actively working towards solutions surrounding ransomware, shutting down state actors, working with other national governments, and releasing advisories for how to handle cybercrime. With a $2B investment in the Biden administration's infrastructure bill, there are initiatives to drive innovation in the cybersecurity marketplace. Simply put, it’s being taken seriously. Looking forward to 2022, we may see more focus on the conversation surrounding cryptocurrencies and their impact on criminal activity. The federal government is unlikely to outlaw ransom payments outright, but it could crack down on cryptocurrency exchanges that enable criminal activity, making it harder to turn huge sums of cryptocurrency gained through ransoms into local currencies or US dollars.
The hard work of cybersecurity experts, tighter coverage terms for cyber insurance, and the fear-inducing headlines about successful threat actors have effectively pushed organizations to take their cybersecurity posture seriously. Some security measures we’ve seen grow in popularity, and overall boost a business’s cyber hygiene, include:
Increased Email Security Tools
We shouldn’t neglect to mention the severity (and popularity) of phishing attacks. According to ProofPoint, 74% of US organizations experienced a successful phishing attack in 2020, and 96% of these arrive through email, reports Verizon. There’s a variety of easy-to-use tools out there that increase email security and implement scanning and filtering to limit the success of attacks. Fortunately, we saw the usage of email security tools increase 2.5x (or 158%) from pre-pandemic to Q4 of 2021.
Declining Remote Desktop Protocol (RDP)
RDP is a legacy method of providing remote access that is particularly susceptible to credential compromise when it’s exposed directly to the internet, where it is visible and accessible to anyone. So, it’s not surprising it was commonly exploited in the first half of 2020 by threat actors. However, security practitioners worked to decrease its usage, and the overall presence of accessible RDP dropped by nearly 50% within a year. That’s a significant reduction in Windows systems exposed to the internet through RDP.
Improved Multi-factor Authentication (MFA)
MFA requires the user to provide two or more credentials to gain access to an account, and can be vital for increased protection when implemented successfully. However, not all factors are created equal. In 2020, Microsoft advised users to stop using SMS-based authentication; US government agencies had already stopped using it back in 2016, citing it as less secure. A common tactic performed by threat actors is a SIM Swap attack, where they transfer the intended user’s phone number to a device they own, receive the code, and gain access.
We advocate for hardware tokens or application-based MFA like Duo or Google Authenticator if you’re using your smartphone for access, and more businesses are following suit to do away with SMS-based authentication.
Reduced Rate of Ransoms Paid
More organizations are hyper-aware of ransomware and the consequences that come with it. But a promising outlook, amidst all the doom and gloom of new vulnerabilities and high-profile attacks, is that the ratio of ransoms paid to ransoms demanded is declining steadily. While threat actors may attempt double extortion to increase their leverage, they can’t compete with a prepared victim who has implemented a robust backup strategy and preserved their data. When organizations know what their core systems are, and ensure they are adequately backed up, recovery times can be drastically reduced — and hefty ransoms and response costs avoided.
What Worries Us
Threat Actors’ Continued Evolution of Tactics
Offensive Security Tools and the Rise of Ransomware-as-a-Service (RaaS)
Between January and July 2021, Cobalt Strike — a post-exploitation toolkit — was used in 19% of network intrusions investigated by SecureWorks. Originally developed for threat emulation, it provides threat actors the ability to maintain persistence in the environment through backdoor functionality. It also supplies toolkits that allow for easy post-exploitation activity, such as credential dumping and lateral movement.
Through the rise of easily accessible software, threat actors don’t need to be experts in everything. With Cobalt Strike, they don’t need to write their own backdoor, but can potentially reap the same financial benefit from victims. Ransomware-as-a-Service also takes away the need to write their own encryption tool or ransom negotiation site. As long as ransomware remains profitable, the ransomware ecosystem will continue to flourish and drive more threat actors to the scene.
Threat actors have a clear objective: they’d like to get paid. So, when organizations avoid paying the ransom to restore encrypted data (maybe because they have good backups, or don’t trust threat actors to restore access themselves), cybercriminals are incentivized to get creative. Through double extortion, victims need to pay or have their sensitive data publicly exposed.
But if we have double extortion — and it works — why stop there? Triple extortion introduces a Distributed Denial-of-Service (DDoS) attack, as reported by TrendMicro, that overwhelms a server with traffic and stops operations. Quadruple extortion involves threat actors targeting the victim’s stakeholders and customers directly, increasing the pressure to pay the ransom.
One of the most noteworthy phishing attacks this year was at Robinhood. In November, a threat actor called a customer service employee and, through social engineering tactics, was able to convince the employee to give them access to customer support systems. We saw a similar attack method in a 2020 Twitter hack, where the hacker posed as an IT staff member on a call with customer support.
Cybercriminals always take note of what works for others, and they are getting craftier with social engineering tactics as organizations step up efforts to filter out sketchy emails and train their workforces. In this case, the success of using fake calls to support staff means stepped-up awareness training will be all the more crucial for front-line call center staff to prevent attacks using this kind of tactic.
In 2021 we saw two massively consequential internet-wide zero-days: Microsoft Exchange and Log4j. But while those may get the biggest play in the media (and provide the longest-lasting impact), this was truly the year of the zero-day exploit — with a record-high 66 found in use in 2021, reports the MIT Technology Review. As we move into 2022, it’s important to keep in mind that vulnerabilities remain present throughout the internet, even after the flurry of patching activity upon discovery, and there is always a tail of vulnerable systems for those who haven’t patched.
We can attribute this to the continued presence of powerful ransomware groups with dedicated “R&D” funds to pour into uncovering zero-days, and to widely available offensive security tools (OSTs). However, on the bright side, this means the “good guys” are also becoming more successful at catching these vulnerabilities in the wild. Tools are more finely tuned (EDR over its simpler predecessors) and hackers will need to work harder as our cybersecurity defenses get better.