2021 Malware and TTP Threat Landscape

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

The annual threat report surveys the threat landscape of 2021, summarizing a year of intelligence produced by Recorded Future’s threat research team, Insikt Group. It draws from data on the Recorded Future® Platform, including open sources like media outlets and publicly available research from other security groups, as well as closed sources on the criminal underground, to analyze global trends, malware trends, and the top trending tactics, techniques, and procedures (TTPs) from 2021. The report will be of interest to anyone seeking a broad, holistic view of the cyber threat landscape in 2021.

Executive Summary

After major disruptive attacks and constant tool development throughout 2021, ransomware-related threats have been at the forefront of security teams' priority lists. Ransomware dominated as a major threat globally to organizations in several industry verticals. In late 2019 and throughout 2020, ransomware emerged as a major threat to larger organizations, which was considered “big game hunting” targeting. Throughout 2020 and into 2021, however, it evolved into a commoditized market, allowing for an increase in ransomware operators and more widespread attacks. Threat actors hired skilled individuals to develop functionalities within ransomware, rented ransomware out to affiliates, and purchased access to the networks of victim organizations from initial access brokers. In 2021, ransomware continued to be a successful business in the cybercriminal world, with Conti and LockBit leading the charge as the most prolific ransomware operations.

Ransomware groups relied on “double extortion” throughout 2020, which provides additional pressure on victims to pay their ransom by not only locking access to their systems but also threatening to leak or sell the stolen data unless the ransom is paid. In 2021, threat actors have shifted tactics and implemented“triple-extortion” techniques. These include the recruitment of insiders to breach corporate networks, contacting victims’ customers to demand a ransom payment, threatening ransomware victims with distributed denial-of-service (DDoS) attacks, and targeting supply chains and managed service providers to amplify the effects of the attack. In addition, some ransomware groups began targeting Linux systems and added rapid vulnerability exploitation and zero-day vulnerabilities to their arsenal.

The dark web market for credential theft was very successful in 2021 and also contributed to ransomware attacks, as ransomware operators often use compromised credentials for initial access in attacks. Compromised credentials were regularly stolen using infostealers and advertised on dark web shops. These exposed passwords put networks at risk when corporate credentials were included in compromised logs or when employees reused passwords across personal and work accounts.

Alongside ransomware, malware and malicious tools such as Cobalt Strike evolved to become more difficult to detect and more dangerous when installed. We observed a continued trend of rapid vulnerability exploitation in malware attacks, especially with the late-2021 disclosure of what is widely considered one of the worst security flaws ever discovered, Log4Shell.

Lastly, in an investigation into the top MITRE ATT&CK TTPs throughout 2021, Insikt Group identified the top 5 techniques: T1486 (Data Encrypted for Impact), T1082 (System Information Discovery), T1055 (Process Injection), T1027 (Obfuscated Files or Information), T1005 (Data from Local System).

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.