A Quarterly Review of the Evolving Cyber Threat Landscape: Q3, 2021


Between August and October of this year, the global cyber threat landscape changed in a number of significant ways. We saw persistent ransomware attacks, numerous disclosed vulnerabilities, and enhanced threat actor tactics, techniques, and procedures (TTPs). Ransomware groups in particular continued launching attacks, using both new and existing ransomware types. The persistence and impact of ransomware led governments around the world to work with cybersecurity experts to promote education and response plans. The involvement of mobile malware and banking trojans in attacks surged. Newly disclosed exploits and vulnerabilities emerged this quarter, including various security flaws in enterprise and cloud software, Apple devices, and a surge of vulnerabilities in Microsoft products. Cybercriminal underground networks endured a quarter rife with data leak advertisements, sales of cybercrime tools, and more groups operating ransomware data leak and digital extortion websites, including the discovery of the Colossus ransomware through ZeroFox collection and detection efforts. Within this blog, we’ll review a few of the key trends identified by ZeroFox Threat Intelligence in the latest report.

The Evolving Ransomware Landscape

Within Q3 2021, the ransomware landscape continued to evolve. Some of the major players from past quarters shrank to a smaller presence, while other threat actors that had “rebranded” in previous quarters re-established their prominence under their new names.

One example of this is seen in Figure 1 below. The Conti ransomware group settled into a smaller percentage of the total number of attacks after being very active in the second quarter. Though Conti was still a significant factor in the landscape, it was overtaken by the LockBit 2.0 group, a rebrand of the original LockBit group. Newcomer BlackMatter also displays similarities to the ransomware used by DarkSide, REvil, and LockBit. The group referred to as Grief, which appears seventh on our list of observed attacks, is a rebrand of the DoppelPaymer group, and the Payload.bin group is believed to be a new manifestation of the Babuk ransomware team.

As can be seen in Figure 1, even though the specific groups and their individual percentages have changed, it remains true that approximately 75% of our observed ransomware and digital extortion attacks were carried out by ten actors, with all other actors combined accounting for the remaining approximately 25% of attacks. Figure 2 and Figure 3, however, indicate a continued upward trend in the number of attacks. This holds true across all of 2021 for average daily attacks, number of attacks month over month, and number of attacks per quarter.

ZeroFox Threat Intelligence did observe a downward trend in the number of attacks beginning in May 2021 and continuing into July. We believe that this is a result of the law enforcement crackdowns and high-profile attacks earlier this year. Despite that slowdown, and some intervention in the form of government policies and private industry focus, attack groups appear to have regained their motivation and performed attacks in line with the earlier growth trend. Of particular note is LockBit 2.0, which emerged from its rebrand in July 2021 and has since become more prolific than any other group we have observed.

National and International Cybersecurity Initiatives

In response to increased ransomware activity, governments worldwide continued efforts to prevent cyberattacks on organizations and individuals. New policies and legislation were drafted in Q3 2021 following the large-scale cyber attacks targeting global businesses in 2021, such as the SolarWinds Orion breach and the ransomware attacks on Colonial Pipeline and Kaseya. Due to the impact of cyber attacks on businesses of all sizes worldwide, governing bodies drafted legislation and initiatives that promote cybersecurity education and programs to help companies prevent and address cyberattacks. Some initiatives in Q3 2021 came from countries in Europe. The United Kingdom (UK) launched a bug bounty program on behalf of the UK Ministry of Defence (MoD) that allowed security researchers to identify vulnerabilities in the MoD's digital assets so that appropriate patches could be applied to the flawed software. France released a "cyberattack alert system" to inform small- and medium-sized companies of attacks against their organizations and to help them take appropriate action in response. Italy introduced a national cybersecurity agency, "Agenzia per la Cybersicurezza Nazionale," that aims to combat cyber attacks targeting Italy and to secure the country's cloud infrastructure.

The United States continued efforts to develop strategies for cyber attack prevention, especially as ransomware operators consistently target US-based organizations. In the second quarter of 2021 (Q2 2021), US President Joe Biden's administration published Executive Order 14028, which presents a thorough set of plans to improve the US cybersecurity posture. The plans in the executive order continued in Q3 2021 when the Biden administration met with major technology companies in an effort to work with the federal government to invest in and secure critical infrastructure. Companies involved with the initiative include Apple, Microsoft, and Google, which promised to improve security features within their products and services. Furthermore, the Administration directed the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to develop specifications for managing and securing critical infrastructure.

In addition to ransomware-related prevention efforts, the US Department of the Treasury's Office of Foreign Assets Control drafted sanctions for individuals and organizations who choose to pay ransom demands using the SUEX cryptocurrency exchange. The intent of these sanctions is to prevent victims of ransomware attacks from complying with threat actor demands in order to retrieve stolen information and decryption keys. When victims take part in ransomware negotiations and payments, threat actors profit from their nefarious activities and can continue their operations, leading to more attacks on vulnerable targets.

These initiatives from governing bodies demonstrate the critical need for improving cybersecurity education and response worldwide. As threat actors continue launching attacks on organizations and individuals, world leaders must work with cybersecurity experts to develop solutions that decrease the chances of attacks. Ransomware played a significant role in large-scale attacks in 2021, and operators continue evolving their strategies to ensure targets meet their demands. Only time will tell if such programs and sanctions present an effective solution for cyber attacks.

Read More in the Quarterly Cyber Threat Landscape Report

Throughout Q3 2021, threat actors once more demonstrated how the global cyber threat landscape is evolving through novel threats and improved TTPs. As malware operators launched updated tools and technologies in their attack chains, ransomware groups continued operations using both rebranded and revived ransomware variants. In response to these threats, governments around the world drew up plans and initiatives to form a robust response to cyber threats, including prevention methods such as creating cybersecurity-focused agencies and organizations. With only a few months remaining in 2021, it is clear that the cyber threat landscape will continue to evolve, making it critical for businesses and individuals to remain vigilant for the remainder of 2021. Read the full findings from the ZeroFox Threat Intelligence team in the Quarterly Threat Landscape Report, Q3 2021 here.
