CrowdStrike Research Shows Massive Spike in Ransomware-Related Data Leaks
Cybercriminals are increasingly moving away from malware in their attacks.
Financially motivated eCrime activity continues to dominate the interactive intrusion attempts tracked by OverWatch, CrowdStrike’s managed threat hunting service. Intrusions attributed to eCrime accounted for nearly half of the observed activity, while targeted intrusions accounted for 18%. Hacktivist activity was responsible for 1% and the remaining 32% of attacks remain unattributed. The distribution of these figures is similar to that of 2020.
Adversaries continue to show they have moved beyond malware. Attackers increasingly are trying to accomplish their objectives without writing malware to the endpoint, according to CrowdStrike. Rather, they have been seen using legitimate credentials and built-in tools — an approach known as living off the land (LOTL) — in a deliberate effort to evade detection by legacy antivirus products. Of all detections indexed by CrowdStrike Security Cloud in the fourth quarter of 2021, 62% were malware-free.
CrowdStrike’s Adam Meyers said data weaponization is a growing trend.
“This evolution of ransomware to data extortion is proving to be an extremely lucrative tactic, as it allows the attacker to take control of the narrative of the breach, and use the threat or demonstration of a data leak to put pressure on the victim,” he said. “The surge in these types of attacks in 2021 tells us that cybercriminals will continue to exfiltrate, sell and leak victim data as long as organizations are willing to pay ransoms.”
CrowdStrike continues to see ransomware grow in both frequency and cost, Meyers said.
“In 2021, CrowdStrike observed ransomware-related demands averaging $6.1 million per ransom,” he said. “We also saw on average over 50 targeted ransomware events per week. Organizations may decide to pay and that process typically begins with a negotiation on price using specialized firms that engage directly with these threat actors.”
In addition to observing the massive growth and impact of targeted ransomware, there have been some interesting behaviors out of numerous nation-state threat actors over 2021, Meyers said.
“As an example, China has been able to effectively mine vulnerabilities and is effectively crowdsourcing the exploitation of vulnerabilities very effectively through the China Information Technical Security Evaluation Center (CNITSEC),” he said.
“Another notable observation from the CrowdStrike Intelligence team is around adversaries based out of Iran. We observed both Pioneer Kitten and Nemesis Kitten adopt the use of ransomware as well as ‘lock-and-leak’ disruptive information operations – using inauthentic ransomware to encrypt target networks and subsequently leak victim information via actor-controlled personas or entities. This is connected to the eCrime trend observed of data weaponization. We expect these disruptive operations to continue to be successful into the latter half of this year, with the potential for these operations to increase targeting of the West if it suits the objectives of the Islamic Republic of Iran.
“Additionally, we saw the 2021 threat landscape become more crowded as new adversaries emerged – my team now tracks more than 170 adversaries in total,” he added.
Attacks are not slowing down, so organizations need to assume they will continue on their current trajectory and ensure they have an always-on posture to defend against them, Meyers said.
“The two most effective things that organizations can integrate are a managed threat hunting program to help stop threats before they turn into breaches, and establishing an identity-centric zero trust architecture,” he said. “Issues around identity continue to plague businesses, and the key to holistic zero-trust architecture is requiring all users, whether inside or outside the organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted or keeping access to applications and data.”
New CrowdStrike research shows an 82% increase in ransomware-related data leaks in 2021. That is nearly 2,700 attacks last year, up from fewer than 1,500 in 2020.
The 8th annual CrowdStrike Global Threat Report debuts two new adversaries – Wolf (Turkey) and Ocelot (Colombia) – and adds 21 new tracked adversaries across the globe. It also outlines new operations and techniques from the big four: Iran, China, Russia and North Korea.
Moreover, it breaks down the aftermath of the Log4Shell attacks and shows adversaries are moving beyond malware.
The CrowdStrike research outlines the massive growth and impact of targeted ransomware, disruptive operations and an uptick in cloud-related attacks in 2021. The impact was felt across nearly every industry and in every country.
Key Findings
Among the findings:
CrowdStrike observed more than 2,700 “big game hunting” incidents in 2021. This is where malicious hackers target large firms instead of smaller organizations and individuals. They know larger enterprise companies can afford to pay bigger ransoms.
Adversaries increasingly are exploiting stolen user credentials and identities to bypass legacy security services.
The CrowdStrike eCrime Index (ECX) shows ransomware attacks were highly lucrative throughout 2021. The index displays the strength, volume and sophistication of the cybercriminal market.
Adam Meyers is senior vice president of intelligence at CrowdStrike.
“The annual Global Threat Report paints a picture that shows enterprise risk is coalescing around three critical areas: endpoints, cloud workloads, identity and data, and provides a valuable resource for organizations looking to bolster their security strategy,” he said.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.