By Emma Okonji
Sophos, a global player in next-generation cyber-security, has released the Sophos 2021 Threat Report, which reveals how ransomware and fast-changing attacker behaviours, from advanced to entry level, will shape the threat landscape and Information Technology (IT) security in 2021.
The report, written by SophosLabs security researchers, as well as Sophos’ threat hunters, rapid responders, and cloud security and Artificial Intelligence (AI) experts, provides a three-dimensional perspective on security threats and trends, from their inception to real-world impact.
The first dimension of the report focuses on how the gap between ransomware operators at opposite ends of the skills and resource spectrum will widen. According to the report, at the high end, the big-game hunting ransomware families will continue to refine and change their tactics, techniques and procedures (TTPs) to become more evasive and nation-state-like in sophistication, targeting larger organisations with multimillion-dollar ransom demands.
In 2020, such families included Ryuk and RagnarLocker. At the other end of the spectrum, Sophos anticipates an increase in the number of entry-level, apprentice-type attackers looking for menu-driven ransomware-for-rent, such as Dharma, which allows them to target high volumes of smaller prey.
Another ransomware trend is “secondary extortion,” where, alongside encrypting data, the attackers steal sensitive or confidential information and threaten to publish it if their demands are not met. In 2020, Sophos reported on Maze, RagnarLocker, Netwalker, REvil and others using this approach.
Analysing the report, Chester Wisniewski, Principal Research Scientist at Sophos, said: “The ransomware business model is dynamic and complex. During 2020, Sophos saw a clear trend towards adversaries differentiating themselves in terms of their skills and targets. However, we’ve also seen ransomware families sharing best-of-breed tools and forming self-styled collaborative cartels.”
The second dimension of the report focuses on how everyday threats, such as commodity malware (including loaders and botnets) or human-operated Initial Access Brokers, will demand serious security attention.
According to the report, such threats can seem like low-level malware noise, but they are designed to secure a foothold in a target, gather essential data and send it back to a command-and-control network that provides further instructions. If human operators are behind these types of threats, they review every compromised machine for its geolocation and other signs of high value, and then sell access to the most lucrative targets to the highest bidder, such as a major ransomware operation.
“Commodity malware can seem like a sandstorm of low-level noise clogging up the security alert system. From what Sophos analyzed, it is clear that defenders need to take these attacks seriously, because of where they might lead,” Wisniewski said.
The third dimension of the report dwells on how adversaries of all ranks will increasingly abuse legitimate tools, well-known utilities and common network destinations to evade detection and security measures and to thwart analysis and attribution. The report says abuse of legitimate tools enables adversaries to stay under the radar while they move around the network until they are ready to launch the main part of the attack, such as ransomware.
“The abuse of everyday tools and techniques to disguise an active attack featured prominently in Sophos’ review of the threat landscape during 2020. This technique challenges traditional security approaches because the appearance of known tools doesn’t automatically trigger a red flag,” the report said.
Additional trends analysed in the Sophos 2021 Threat Report include: attacks on servers, where adversaries have targeted server platforms running both Windows and Linux and leveraged these platforms to attack organisations from within; the impact of the COVID-19 pandemic on IT security, such as the security challenges of working from home over personal networks protected by widely varying levels of security; the security challenges facing cloud environments; and software applications traditionally flagged as “potentially unwanted” because they delivered a plethora of advertisements, but which now engage in tactics that are increasingly indistinguishable from overt malware.