McAfee Report: Ransomware Adopts New Tactics and Targets

As 2021 progressed through the second quarter and into the third, cybercriminals introduced new—and updated—threats and tactics in campaigns targeting prominent sectors, McAfee’s October 2021 Advanced Threat Research Report found.

The report called the second quarter of 2021 a “vibrant quarter” for ransomware, earning its place as a high-profile cybersecurity agenda item for the U.S. government and the Biden administration.

Publicly reported cybersecurity incidents targeting the public sector rose 64% during the second quarter of 2021, followed by the entertainment sector, which saw a 60% increase, according to the report. However, McAfee analysts noted that the information/communications vertical had a 50% decrease in incidents in the second quarter, and attacks targeting manufacturing dipped 26%.

Ransomware Evolves

In addition, the report noted ransomware campaigns were adept at evolving their business models to extract valuable data and millions in ransoms from enterprises large and small.

Despite the most influential underground forums, XSS and Exploit, announcing a ban on ransomware advertisements, and the DarkSide ransomware group abruptly halting operations, McAfee Enterprise’s global threat network identified a surge in ransomware attacks by popular malware families, in addition to expanded target sectors.

The threats team found that nearly three-quarters (73%) of ransomware detections in Q2 2021 were related to the REvil/Sodinokibi family and that DarkSide ransomware attacks extended beyond the oil, gas and chemical sector to legal services, wholesale and manufacturing.

Meanwhile, the challenges of shifting cloud security to accommodate a more flexible pandemic workforce while still maintaining—and even increasing—workloads presented cybercriminals with even more potential exploits and targets in Q2 of 2021.

The United States experienced the most reported incidents in Q2 2021, while Europe saw the largest increase in reported incidents for the quarter, at 52%.

Publicly reported incidents in the second quarter of 2021 rose notably across several of the most frequently targeted industries, with considerable increases in attacks on public sector institutions and entertainment.

The McAfee team’s cloud threat research found that financial services faced the greatest challenge from cloud threat campaigns in Q2 of 2021, ranging from insider data exfiltration to privileged access misuse. Incidents targeting financial services represented 29% of total cloud incidents among the top 10 sectors. Other top industries targeted by cloud threats included health care, manufacturing and retail.

Cloud incidents targeting the financial services sector accounted for 33% of the cloud incidents reported across the top 10 industries, followed by health care and manufacturing with 8% each.

The Prevalence of Threats

Raj Samani, chief scientist and McAfee Fellow, said the key difference in this McAfee report is that it focuses on the actual prevalence of threats in the world.

“It is less theoretical in a sense because rather than counting raw volume, we determine what is being seen in the wild,” he said. “This is the most concerning aspect, since it reveals what is actually happening.”

Malware was the technique used most often in reported incidents in Q2 2021. Spam showed the highest increase in reported incidents—250%—from Q1 to Q2 2021, followed by malicious scripts at 125% and malware with 47%.

“We have seen a change in power between operators and their partners, otherwise known as affiliates,” Samani said. “This breakdown in relationships will have an impact and perhaps provide an opportunity to disrupt their operations.”

Ransomware developers introduced new campaigns as well. The Hive ransomware family was first observed in June of 2021 with prevalence in India, Belgium, Italy, the United States, Turkey, Thailand, Mexico, Germany, Colombia and Ukraine, operating as a ransomware-as-a-service (RaaS) written in the Go language and compromising health care and critical infrastructure organizations.

The report noted that despite the ban on some of the larger cybercriminal forums, ransomware has shown no indication of slowing down and must still be considered one of the most impactful cyberthreats to organizations of any size.

“Understanding their own risk depends on organizations identifying the weaknesses in their environment,” Samani said. “Typically, attackers exploit such oversights; it is rarely zero-day and more likely an unsecured system.”

Samani said the surge in public sector cyberattacks shows that governments are and will continue to be targets of these kinds of attacks.

“It’s crucial to execute extra-strong defenses against adversaries and actively incorporate research within a network to combat threat actors,” he said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.