2021 Malware and TTP Threat Landscape

The annual threat report surveys the threat landscape of 2021, summarizing a year of intelligence produced by Recorded Future’s threat research team, Insikt Group. It draws from data on the Recorded Future® Platform, including open sources like media outlets and publicly available research from other security groups, as well as closed sources on the criminal underground, to analyze global trends, malware trends, and the top trending tactics, techniques, and procedures (TTPs) from 2021. The report will be of interest to anyone seeking a broad, holistic view of the cyber threat landscape in 2021.

Executive Summary

After major disruptive attacks and the constant development of new tooling throughout 2021, ransomware threats sit at the top of security teams' priorities. Ransomware dominates as the major global threat to organizations across multiple verticals. At the end of 2019 and throughout 2020, ransomware emerged as a major threat to large organizations, which were seen as prime targets. However, throughout 2020 and into 2021, this market became commoditized, which led to an increase in the number of ransomware operators and a broader spread of attacks. Threat actors recruited skilled individuals to develop functionality within the ransomware, leased ransomware to affiliates, and purchased access to victim organizations' networks from initial access brokers. In 2021, ransomware continued to thrive in the cybercriminal world, with Conti and LockBit leading the most prolific operations.

Ransomware groups relied on “double extortion” throughout 2020, which puts additional pressure on victims to pay by not only locking access to their systems but also threatening to leak or sell the stolen data unless the ransom is paid. In 2021, threat actors shifted tactics and implemented “triple-extortion” techniques. These include the recruitment of insiders to breach corporate networks, contacting victims’ customers to demand a ransom payment, threatening ransomware victims with distributed denial-of-service (DDoS) attacks, and targeting supply chains and managed service providers to amplify the effects of the attack. In addition, some ransomware groups began targeting Linux systems and added rapid vulnerability exploitation and zero-day vulnerabilities to their arsenal.

The dark web market for credential theft was very successful in 2021 and also contributed to ransomware attacks, as ransomware operators often use compromised credentials for initial access in attacks. Compromised credentials were regularly stolen using infostealers and advertised on dark web shops. These exposed passwords put networks at risk when corporate credentials were included in compromised logs or when employees reused passwords across personal and work accounts.
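The defensive counterpart to the credential-theft trend described above is triage of exposed credentials: a security team that obtains a dump of infostealer logs wants to know which corporate accounts appear in it and which of them reuse a password on personal sites. The following is an added example, not code from the report or from Recorded Future; the `url|username|password` record shape, the corporate domain `example-corp.com`, and the log lines themselves are all constructed for illustration. Passwords are reduced to a truncated SHA-256 fingerprint as soon as they are parsed so that plaintext is never retained, and reuse is detected by the same fingerprint appearing on a non-corporate account.

```python
import hashlib
from urllib.parse import urlparse

# Hypothetical corporate domain used to classify accounts (assumption).
CORPORATE_DOMAINS = {"example-corp.com"}

# Constructed sample in the common "url|username|password" stealer-log shape.
# The third record reuses a corporate password on a personal shop account; one
# line is deliberately malformed to exercise the parser's error handling.
SAMPLE_STEALER_LOG = """\
# exported 2021-xx-xx (constructed sample)
https://mail.example-corp.com/owa|alice@example-corp.com|Winter2021!
https://shop.example.net/login|alice.personal@mail.example|Winter2021!
https://vpn.example-corp.com|bob@example-corp.com|correct-horse
this line has no separators and must be skipped
https://forum.example.org|charlie@example.net|hunter2
https://portal.example-corp.com|bob@example-corp.com|correct-horse
"""


def fingerprint(password: str) -> str:
    """Non-reversible, truncated SHA-256 of the password; plaintext is not kept."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def parse_stealer_log(text: str) -> list[dict]:
    """Parse 'url|user|password' lines, skipping comments and malformed rows."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # malformed row: do not guess, just drop it
        url, user, password = (p.strip() for p in parts)
        records.append({"url": url, "user": user.lower(), "fp": fingerprint(password)})
    return records


def is_corporate(user: str, domains=CORPORATE_DOMAINS) -> bool:
    """An account is corporate if its e-mail domain is in the watched set."""
    return "@" in user and user.rsplit("@", 1)[1] in domains


def find_exposed_corporate(records: list[dict], domains=CORPORATE_DOMAINS) -> list[str]:
    """Corporate usernames present anywhere in the dump, sorted for stable output."""
    return sorted({r["user"] for r in records if is_corporate(r["user"], domains)})


def find_reuse(records: list[dict], domains=CORPORATE_DOMAINS) -> dict[str, list[str]]:
    """Map each corporate user to non-corporate hosts where the same password
    fingerprint was captured, i.e. evidence of personal/work password reuse."""
    corp_by_fp: dict[str, set[str]] = {}
    for r in records:
        if is_corporate(r["user"], domains):
            corp_by_fp.setdefault(r["fp"], set()).add(r["user"])
    reuse: dict[str, set[str]] = {}
    for r in records:
        if is_corporate(r["user"], domains):
            continue
        for user in corp_by_fp.get(r["fp"], ()):
            reuse.setdefault(user, set()).add(urlparse(r["url"]).hostname or "")
    return {user: sorted(hosts) for user, hosts in reuse.items()}


if __name__ == "__main__":
    recs = parse_stealer_log(SAMPLE_STEALER_LOG)
    print("exposed corporate accounts:", find_exposed_corporate(recs))
    print("password reuse on personal sites:", find_reuse(recs))
```

On the constructed sample this flags both corporate accounts as exposed and reports that alice's corporate password was also captured on `shop.example.net`; bob's credential appears twice but only on corporate hosts, so it is an exposure without a reuse finding. In practice the output feeds forced resets and MFA enforcement for the listed accounts.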

Alongside ransomware, malware and malicious tools such as Cobalt Strike evolved to become more difficult to detect and more dangerous when installed. We observed a continued trend of rapid vulnerability exploitation in malware attacks, especially with the late-2021 disclosure of what is widely considered one of the worst security flaws ever discovered, Log4Shell.

Lastly, in an investigation into the top MITRE ATT&CK TTPs throughout 2021, Insikt Group identified the top 5 techniques: T1486 (Data Encrypted for Impact), T1082 (System Information Discovery), T1055 (Process Injection), T1027 (Obfuscated Files or Information), T1005 (Data from Local System).

Editor's note: The following post is an excerpt of a full report. To read the entire analysis, download the report as a PDF.