Credit: Dreamstime
Ransomware and phishing were the top cyber security issues for businesses in 2021, according to IBM Security’s annual X-Force Threat Intelligence Index.
The report maps the trends and patterns observed by X-Force, IBM’s threat intelligence sharing platform, covering key data points including network and endpoint detection devices, and incident response (IR) engagements.
The report, which covers 2021, reported ransomware as the top attack type; phishing and unpatched vulnerabilities as leading infection vectors; cloud, open-source, and Docker environments as the biggest areas of focus for malware; manufacturing the most attacked industry; and Asia Pacific the most attacked region.
Ransomware thrived despite government takedowns
Ransomware accounted for 21 per cent of all cyber attacks in 2021, according to X-Force. This was, however, down two per cent from 2020. Law enforcement activities have been instrumental in driving down ransomware in 2021, albeit with potential for resurgence in 2022, X-Force said.
REvil, also known as Sodinikibi, was the leading ransomware strain, making up 37 per cent of the attacks, followed by Ryuk at 13 per cent, and Lockbit 2.0 at seven per cent. Other ransomware involved in cyber attacks included DarkSide, Crystal, BlackMatter, Ragnar Locker, BitLocker, Medusa, EKing, Xorist.
The report identified an average lifespan of ransomware gangs amidst the major takedowns in recent times.
“We started noticing a trend across ransomware groups that we follow suggesting there comes a time by when they either disband or need to make a change so law enforcement can lose their trails — and that lifespan averages out at 17 months,” said Laurance Dine, global lead of Incident Response at IBM Security X-Force.
An instance of such a turnaround is the rebranding of GandCrab group as REvil and operating for 31 months before being finally shut down in October 2021.
The report found there are five stages of deployment of a ransomware attack:
- Initial access: involves initial access vectors such as phishing, vulnerability exploitation and Remote Desktop Protocol establishing persistent access.
- Post-exploitation: involves a RAT (remote access tool) or malware to establish interactive access.
- Understand and expand: screening the local system and expand access for lateral movement.
- Data collection and exfiltration: identifying valuable data and exfiltrate it.
- Ransomware deployment: distribution of ransomware payload.
Additionally, the report traced the evolution of ransomware attacks and noted the increasing usage of what is called triple extortions, which have encryption, extraction, and DDoS (distributed denial of service) as a combined offensive.
Triple extortion is an onslaught of threats against the victim and, at times, the victim’s partners as it looks to barrage victims from multiple fronts, increasing the potential disruption, adding to the psychological effects of the attack, and heightening the pressure to pay up, according to Dine.
Server access attacks and business email compromise (BEC) were the second and third most common attack types, at 14 per cent and eight per cent respectively, according to the report.
Top vectors: phishing and vulnerability exploitation
Phishing became the most common attack method in 2021, used in 41 per cent of all attacks, up from 33 per cent in 2020, while vulnerability exploitations (34 per cent) dropped to second place, down from 35 per cent.
Simulated phishing campaigns by X-Force Red, a global network of hackers hired to break into organisations’ systems to uncover vulnerabilities, yielded a 17.8 per cent click rate. When added with vishing (voice phishing) phone calls, the click rate jumped three times to 53.2 per cent.
“The obvious scams are getting a bit easier to spot by an average savvy consumer,” says Liz Miller, an analyst at Constellation Research. “That’s why the scams shift and add elements of increased legitimacy like a phone call with a phishing email follow-up. I was personally once reached out by someone about a possible account problem with a financial institution, offering to send email instructions to resolve the same.”
The report underlines that the phishing kit deployments are usually short-lived, with about two-thirds being used for no longer than a day, and only about 75 visitors/victims per deployment.
Almost all the deployments asked for user credentials (IDs and passwords), followed by credit card details (40 per cent). Very few requested ATM pins (three per cent). Microsoft, Apple, Google, Amazon, and Dropbox are among the most spoofed in phishing kits.
Unpatched vulnerabilities for businesses in Europe, Asia Pacific, and Middle East and Africa caused approximately 50 per cent of all attacks in 2021. The two most exploited vulnerabilities were found in widely used enterprise applications Microsoft Exchange and Apache Log4J Library.
Other common infection vectors identified in the report included stolen credentials, brute force, remote desktop protocol (RDP), removable media, and password spraying.
Attacks leverage Docker, open-source, OT
With data sourced from Intezer, the report noted that Linux ransomware with unique code jumped about 2.5 times (146 per cent) for the year, highlighting the innovation in the segment. The report also noted that attackers are shifting from targeting generic Linux systems and focusing on Docker containers.
“The attack vector of open source, and by extension containerised environments in which code can sit, even segmented from other parts of the network, has been increasing exponentially in the past several years,” added Miller. “Open Source, for all of its best intentions, can allow vulnerabilities and lines of malicious code to sit deep within libraries that have not been touched in a decade.”
The report notes an increased activity in operational technology (OT) environments, with attackers conducting massive reconnaissance campaigns searching for exploitable communications in industrial networks.
In 2021, most of these activities were seen to target TCP port 502. This port uses an application layer messaging protocol for client-to-server communication between connected buses, networks, and programmable logic controller (PLC) devices in industrial networks. There was a 2204 per cent increase in the reconnaissance activity targeting port 502.
Within OT-connected organisations, 61 per cent of incidents were observed in the manufacturing segment, and 36 per cent of the incidents observed were ransomware.
Cyber attacks by region and recommendations
Asia Pacific was the most attacked region in 2021, getting hit with 26 per cent of all attacks. Of these attacks, 20 per cent were server access and 11 per cent ransomware, the top two attacks for the region. Finance — including insurance — and manufacturing were the most attacked sectors, at 30 per cent and 29 per cent, respectively. Japan, Australia and India were the most-attacked countries in Asia Pacific.
Europe was a close second with 24 per cent of all attacks, concentrated in manufacturing (25 per cent) and finance and insurance (18 per cent). Ransomware (26 per cent) and server access (12 per cent) topped the attack types for the region. The UK, Italy, and Germany were the most-attacked countries in Europe.
Overall, manufacturing accounted for 23.2 per cent of attacks in 2021, registering a 34 per cent jump from the previous year. Ransomware (23 per cent) and server access (12 per cent) were the top attack types in this industry.
The report concluded that a zero-trust approach, automation of incident response, and extended detection and response capabilities can be helpful when combating today’s threats.
A zero-trust approach, with the implementation of multi-factor authentication and the principle of least privilege, have the potential to decrease organisations’ susceptibility to the top attack types identified in the report, particularly ransomware and business email compromise.
Automating machines to take care of threats that would take a person or a team of cyber professionals hours to do is another option, according to the report.
The report suggests that the combination of several different solutions into an extended detection and response (XDR) solution can provide organisations advantage at identifying and blocking attackers.
“Cyber criminals are becoming increasingly more resilient, resourceful, and stealthy in their pursuit of businesses’ critical data — so where businesses keep their data matters more than ever,” says Dine. “It’s paramount they modernise their infrastructure to better manage, secure, and control the ‘who, what and why’ of accessing their data.”
