The report maps the trends and patterns observed by X-Force, IBM’s threat intelligence sharing platform, covering key data points including network and endpoint detection devices, and incident response (IR) engagements.
The report, which covers 2021, reported ransomware as the top attack type; phishing and unpatched vulnerabilities as leading infection vectors; cloud, open-source, and Docker environments as the biggest areas of focus for malware; manufacturing the most attacked industry; and Asia the most attacked region.
Ransomware thrived despite government takedowns
Ransomware accounted for 21% of all cyberattacks in 2021, according to X-Force. This was, however, down 2% from 2020. Law enforcement activities have been instrumental in driving down ransomware in 2021, albeit with potential for resurgence in 2022, X-Force said.
REvil, also known as Sodinokibi, was the leading ransomware strain, making up 37% of the attacks, followed by Ryuk at 13% and Lockbit 2.0 at 7%. Other ransomware involved in cyberattacks included DarkSide, Crystal, BlackMatter, Ragnar Locker, BitLocker, Medusa, EKing, and Xorist.
The report identified an average lifespan of ransomware gangs amidst the major takedowns in recent times. “We started noticing a trend across ransomware groups that we follow suggesting there comes a time by when they either disband or need to make a change so law enforcement can lose their trails — and that lifespan averages out at 17 months,” says Laurance Dine, global lead of incident response for IBM Security X-Force.
One example of such a change is the GandCrab group's rebranding as REvil; the group operated for 31 months before finally being shut down in October 2021.
The report found there are five stages of deployment of a ransomware attack:
- Initial access: involves initial access vectors such as phishing, vulnerability exploitation, and Remote Desktop Protocol to establish persistent access.
- Post-exploitation: involves a RAT (remote access tool) or malware to establish interactive access.
- Understand and expand: screening the local system and expanding access for lateral movement.
- Data collection and exfiltration: identifying valuable data and exfiltrating it.
- Ransomware deployment: distribution of the ransomware payload.
Additionally, the report traced the evolution of ransomware attacks and noted the increasing use of what is called triple extortion, which combines encryption, extraction, and DDoS (distributed denial of service) in a single offensive. Triple extortion is an onslaught of threats against the victim and, at times, the victim’s partners: it barrages victims from multiple fronts, increasing the potential disruption, adding to the psychological effects of the attack, and heightening the pressure to pay up, according to Dine.
Server access attacks and business email compromise (BEC) were the second and third most common attack types, at 14% and 8% respectively, according to the report.
Top vectors: phishing and vulnerability exploitation
Phishing became the most common attack method in 2021, used in 41% of all attacks, up from 33% in 2020, while vulnerability exploitation (34%) dropped to second place, down from 35%.
Simulated phishing campaigns by X-Force Red, a global network of hackers hired to break into organizations’ systems to uncover vulnerabilities, yielded a 17.8% click rate. When vishing (voice phishing) phone calls were added, the click rate jumped threefold to 53.2%.
“The obvious scams are getting a bit easier to spot by an average savvy consumer,” says Liz Miller, an analyst at Constellation Research. “That’s why the scams shift and add elements of increased legitimacy like a phone call with a phishing email follow-up. I was personally once reached out by someone about a possible account problem with a financial institution, offering to send email instructions to resolve the same.”
The report underlines that phishing kit deployments are usually short-lived, with about two-thirds being used for no longer than a day, and only about 75 visitors/victims per deployment. Almost all the deployments asked for user credentials (IDs and passwords), followed by credit card details (40%). Very few requested ATM PINs (3%). Microsoft, Apple, Google, Amazon, and Dropbox are among the most spoofed brands in phishing kits.
Unpatched vulnerabilities for businesses in Europe, Asia, and MEA caused approximately 50% of all attacks in 2021. The two most exploited vulnerabilities were found in the widely used enterprise applications Microsoft Exchange and the Apache Log4j library.
Other common infection vectors identified in the report included stolen credentials, brute force, remote desktop protocol (RDP), removable media, and password spraying.
Attacks leverage Docker, open-source, OT
With data sourced from Intezer, the report noted that Linux ransomware with unique code jumped about 2.5 times (146%) for the year, highlighting the innovation in the segment. The report also noted that attackers are shifting away from targeting generic Linux systems and toward Docker containers.
“The attack vector of open source, and by extension containerized environments in which code can sit, even segmented from other parts of the network, has been increasing exponentially in the past several years,” says Miller. “Open Source, for all of its best intentions, can allow vulnerabilities and lines of malicious code to sit deep within libraries that have not been touched in a decade.”
The report notes increased activity in operational technology (OT) environments, with attackers conducting massive reconnaissance campaigns searching for exploitable communications in industrial networks. In 2021, most of this activity was seen to target TCP port 502. This port uses an application layer messaging protocol for client-to-server communication between connected buses, networks, and programmable logic controller (PLC) devices in industrial networks. There was a 2204% increase in the reconnaissance activity targeting port 502.
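As an added illustration (not taken from the X-Force report), the following sketch shows how a defender could flag port 502 reconnaissance in connection logs: any source outside an allowlist of known controllers is reported, and one that touches several PLC addresses within a short window is classed as a sweep. The log format, subnet, allowlist and thresholds are assumptions made for the example, and the flow records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

OT_PORT = 502                         # TCP port named in the report (registered for Modbus/TCP)
OT_NET = ip_network("10.20.0.0/24")   # assumed OT subnet
ALLOWED_CLIENTS = {"10.20.0.5"}       # assumed HMI that is allowed to poll the PLCs
FANOUT_THRESHOLD = 3                  # distinct PLCs per window that counts as a sweep
WINDOW_SECONDS = 60

# Constructed sample flow records: "epoch_seconds src dst dport action"
SAMPLE_FLOWS = """\
1000 10.20.0.5 10.20.0.101 502 allow
1010 203.0.113.9 10.20.0.101 502 deny
1011 203.0.113.9 10.20.0.102 502 deny
1012 203.0.113.9 10.20.0.103 502 deny
1013 203.0.113.9 10.20.0.104 502 deny
1020 10.20.0.77 10.20.0.101 502 allow
1500 10.20.0.77 10.20.0.102 502 allow
1030 198.51.100.4 10.20.0.101 443 deny
truncated line
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of failing the run
        ts, src, dst, dport, action = parts
        flows.append((int(ts), src, dst, int(dport), action))
    return flows

def find_port502_recon(flows):
    # Keep only port-502 flows into the OT subnet from sources not on the allowlist.
    by_src = defaultdict(list)
    for ts, src, dst, dport, _action in flows:
        if dport == OT_PORT and ip_address(dst) in OT_NET and src not in ALLOWED_CLIENTS:
            by_src[src].append((ts, dst))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        widest, start = 0, 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            widest = max(widest, len({d for _, d in events[start:end + 1]}))
        kind = "sweep" if widest >= FANOUT_THRESHOLD else "unexpected_client"
        findings[src] = (kind, widest)
    return findings
```

Denied flows are counted as well as allowed ones, since blocked probes at the perimeter are often the earliest visible sign of this kind of reconnaissance.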
Within OT-connected organizations, 61% of incidents were observed in the manufacturing segment, and 36% of the incidents observed were ransomware.
Cyberattacks by region and recommendations
Asia was the most attacked region in 2021, getting hit with 26% of all attacks. Of these attacks, 20% were server access and 11% ransomware, the top two attacks for the region. Finance — including insurance — and manufacturing were the most attacked sectors, at 30% and 29%, respectively. Japan, Australia and India were the most-attacked countries in Asia.
Europe was a close second with 24% of all attacks, concentrated in manufacturing (25%) and finance and insurance (18%). Ransomware (26%) and server access (12%) topped the attack types for the region. The UK, Italy, and Germany were the most-attacked countries in Europe.
Overall, manufacturing accounted for 23.2% of attacks in 2021, registering a 34% jump from the previous year. Ransomware (23%) and server access (12%) were the top attack types in this industry.
The report concluded that a zero-trust approach, automation of incident response, and extended detection and response capabilities can be helpful when combating today’s threats.
A zero-trust approach, with the implementation of multifactor authentication and the principle of least privilege, has the potential to decrease organizations’ susceptibility to the top attack types identified in the report, particularly ransomware and business email compromise.
Using automation to handle threats that would take a person or a team of cyber professionals hours to address is another option, according to the report.
The report suggests that combining several different solutions into an extended detection and response (XDR) solution can give organizations an advantage in identifying and blocking attackers.
“Cybercriminals are becoming increasingly more resilient, resourceful, and stealthy in their pursuit of businesses’ critical data — so where businesses keep their data matters more than ever,” says Dine. “It’s paramount they modernize their infrastructure to better manage, secure, and control the ‘who, what and why’ of accessing their data.”