IBM Security released its 2021 X-Force Threat Intelligence Index that analyzes how cyberattacks evolved during the previous year in 130 countries, and the way that attackers tried to profit from the business and social changes brought on by the COVID-19 pandemic worldwide.
Ransomware, the most common type of attack in 2020, accounted for about a quarter (23%) of the attacks covered by the report . The most active ransomware group reported in 2020 was Sodinokibi (also known as REvil), accounting for 22% of all ransomware incidents that IBM's systems identified.
The company estimates that Sodinokibi stole approximately 21.6 terabytes of data from its victims, and that nearly two-thirds of its victims paid ransom, which resulted in the group making over $123 million in the past year, including about $55 million in August alone. Nearly 60% of ransomware attacks covered by the report used a double extortion strategy in which attackers encrypt, steal and then threaten to leak data if the victim doesn't pay the ransom.
As for the data breaches covered in the report, 36% came from ransomware attacks that also involved alleged data theft, suggesting that data breaches and ransomware attacks are beginning to collide. The report also noted the trend of the creation of ransomware-as-a-service (RaaS) cartels and outsourcing key aspects of their operations to cybercriminals that specialize in different aspects of an attack.
Attacks for stealing data surged in 2020, rising by 160% compared to 2019. Attacks for breaching servers also surged, with a rise of 233% compared to 2019. In terms of the methods of attack, attacks exploiting vulnerabilities exceeded attacks for phishing, with 35% compared to 33%. Eighteen percent of the attacks were via exploitation of personal details that were stolen.
In addition, the report shows a 40% increase in Linux-related malware in 2020, and an increase of 500% increase in Go-written malware in the first half of the year, a trend that indicates attackers are copying the model of "write once, run anywhere" and increasing efforts to attack cloud platforms.
Well-known and trusted brands turn into 'honey trap'
An additional trend mentioned in the report is an effort by attackers to disguise themselves as brands that consumers trust so they can receive data that the victims would not provide to other entities. Amid a year of social distancing and remote work, brands offering collaboration tools such as Google (first on the list with 35%), Dropbox and Microsoft, online shopping brands such as Amazon and PayPal, and content platforms like YouTube and Facebook were the most spoofed brands in 2020.
For the first time, Adidas, one of the most well-known and influential brands in the world, became an attractive target (seventh in the rankings) for attackers, who exploited consumer demand to drive consumers to malicious websites designed to look like legitimate sites. Once a user visited these legitimate-looking domains, cybercriminals would use various methods of fraud to encourage online payment, steal users' financial information, harvest user credentials, or infect victims' devices with malware.
For example, attackers disguised themselves as websites selling the popular Yeezy line of sneakers, designed by Kanye West, and the Superstar line. The Yeezy line alone pulled in $1.3 billion in 2019, and it is possible that amid expectation for the release of the line last year, attackers leveraged the demand for the money-making brand for their own benefit.
Vital sectors during COVID-19 era become "hot" targets for attack
Another trend shown in the report is that in 2020 attackers pivoted their attacks toward businesses linked to COVID-19 response efforts, such as hospitals, medical equipment and pharmaceutical manufacturers, companies involved in the supply chains for vital merchandise, as well as energy companies. Thus, the number of cyberattacks on healthcare, manufacturing, and energy doubled from the previous year. The attackers targeted organizations that could not afford to shut down their systems due to risks of disrupting medical efforts or critical supply chains.
Entities from the financial and insurance sector suffered the highest rate of cyberattacks in 2020 (23%), and after them, in second place, were manufacturing and energy companies (17.7%), as opposed to 2019 when that sector was in eighth place on the list of those attacked. The energy field was ranked third last year on the list of those attacked, as opposed to ninth in 2019. In the field of manufacturing and energy, the attackers exploited a growth of close to 50% in vulnerabilities of industrial control systems that these organizations depend on for continuous operations.
The 2021 X-Force Threat Intelligence Index can be downloaded at: https://www.ibm.biz/threatindex2021.