Ransomware was a significant threat to global organizations in the first half of 2021, but it was not the only one, according to a new Trend Micro report.

Ransomware remained the standout threat in the first half of the year as cybercriminals continued to target big-name victims. Working with third parties to gain access to targeted networks, cybercriminals used Advanced Persistent Threat tools and techniques to steal and encrypt victims’ data, the report shows.

The banking industry was disproportionately affected, experiencing a 1,318% year-on-year increase in ransomware attacks in the first half of 2021. Other key findings include:

• Business email compromise (BEC) attacks increased by 4%, potentially due to new COVID-19 opportunities for threat actors.
• Cryptocurrency miners became the most detected malware, surging ahead of WannaCry and web shells in recent months.
• The Zero Day Initiative detected 770 vulnerabilities, a slight (2%) drop from 1H 2020.
• A total of 164 malicious apps related to COVID-19 scams were detected, 54% of which impersonated TikTok.

The report’s overall findings highlight the effectiveness of – an increasing need for – a holistic and scalable cybersecurity solution at the enterprise level. As threats continue to increase in frequency and sophistication, enterprise SOC teams will require a platform that can streamline security processes without sacrificing reliability, the report shows.

Attacks aimed at government, manufacturing and banking sectors keep rising in frequency and intensity due to their high potential for payout, Stefano De Blasi, Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, explains.

“To make sense of this information, it is essential to remember that the cybercriminals’ top priority is simply to get paid at the end of an offensive operation. In particular, cybercriminals can monetize more effectively when targeted organizations hold sensitive information and/or cannot afford any downtime due to production needs. This observation is likely to have driven attacks against the sectors mentioned above for different reasons.”

De Blasi says that governments, which typically maintain highly sensitive data about their citizens and critical infrastructure, are consequently pressured to pay the requested ransom to protect those pieces of information.

“On the other hand, cybercriminals often perceive organizations in the financial sector as wealthy and are thus incentivized to target them because of the potential of a high payout. Finally, manufacturing companies can typically afford minimal downtime and would likely be pressured into paying the ransom to restart production,” he adds. “In the past 18 months, ransomware operations have become more frequent and profitable than ever. In this timeframe, a few ransomware groups managed to establish well-organized Ransomware-as-a-Service (RaaS) programs and become renowned players in the threat landscape. On the other hand, although we’ve observed dozens of smaller ransomware groups appearing on the scene, these groups often struggle to establish long-lasting operations when competing with the technical and financial resources of established RaaS programs.

“Keeping the pace of threat actors is a daunting task for every security team and can often result in a whack-a-mole game. Cybercriminals are constantly improving and updating their tactics, techniques, and procedures (TTPs) to stay one step ahead of security professionals and have now reached an impressive level of sophistication in their operations. However, security teams can increase the robustness of their defensive strategies by making themselves a difficult target. Cybercriminals are typically opportunistic, financially motivated actors who target low-hanging fruits. Therefore, by following basic cyber hygiene best practices and sticking to their threat model, security teams have more chances to adopt a proactive and agile posture that would place them in a much better position.”

In addition, ransomware attacks are increasing because companies are paying the ransom, says Timur Kovalev, chief technology officer at Untangle, a San Jose, Calif.-based provider of comprehensive network security for SMBs. 

JBS allegedly paid an $11 million ransom to cybercriminals. The CEO of Colonial Pipeline said a $4.4 million ransom payment was made. Brenntag, a company that deals with the distribution of chemical products, allegedly paid close to $7.5 million after Darkside stole more than 150 GB of information.

Cybercriminals see the large payouts, and it encourages them to strike more often, and at larger, more lucrative targets, Kovalev explains: “While ransomware attacks continue and the amounts demanded increase too, there are several defensive moves companies and governments can make to help prevent ransomware attacks in the future. First and foremost, companies should not pay the ransom. Law enforcement agencies encourage organizations not to pay fees to cybercriminals as it encourages more attacks. In addition, there should be consistent policies for international cooperation. It’s time to recognize that this is an international issue and that the most effective way to stop ransomware is by developing a global solution. Business and government leaders must work together to readily share information, develop prosecution agreements for cybercriminals and impose sanctions against rogue nations that harbor cyber pirates. Lastly, to combat attacks, large corporations that could be targeted may begin to add cryptocurrency and blockchain specialists to their security teams. Those with investigative and tracing skills may soon be in high demand for law enforcement and businesses.”

John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based digital IT and security operations company, says, “Clearly, the cadence of attacks is not going to relax anytime soon. Organizations need to take a serious look at their attack surface to find where their points of weakness are and focus their spending on protecting those assets. Many entities are still behind the ball on making sure they are planning for resiliency for when attacks succeed.”