According to cybersecurity firm Sophos, the growing threat of ransomware tops the list of threats that will shape IT security trends in 2021.
The company’s 2021 Threat Report written by security researchers, threat hunters, rapid responders, cloud security and AI experts, details how cybersecurity threats like ransomware are evolving and becoming more sophisticated.
The report analyzed three key trends: the widening gap between ransomware skill levels, the need to pay attention to everyday threats, and the abuse of legitimate tools to evade detection.
According to Sophos’ report, the gap between expert-level ransomware operators who target big paydays and entry-level attackers looking for high volumes of smaller prey is widening.
Notorious ransomware families like Ryuk and RagnarLocker are becoming more evasive and sophisticated and increasingly target large organizations with ransomware demands well into the millions of dollars.
Other operators are threatening to publish sensitive or confidential information if ransoms aren’t paid, according to Sophos.
Chester Wisniewski, a principal research scientist at the company, said in a statement that the ransomware business model continues to change, as the company observed operators differentiating themselves in terms of skills and targets.
However, some operators also form collaborative groups and share tools and techniques.
“Some, like Maze, appeared to pack their bags and head for a life of leisure, except that some of their tools and techniques have resurfaced under the guise of a newcomer, Egregor,” Wisniewski said.
“The cyberthreat landscape abhors a vacuum. If one threat disappears another one will quickly take its place. In many ways, it is almost impossible to predict where ransomware will go next, but the attack trends discussed in Sophos’ threat report this year are likely to continue into 2021.”
Everyday low-level threats like malware, loaders, botnets, and human-operated initial access brokers will demand more attention than in the past because these tools give attackers a foothold in a target and allow them to gather the data they need to inflict further damage, according to the report.
They give operators the opportunity to review compromised devices for more lucrative data, like geolocation and other signs of high value, the report says.
That information can then be sold to a ransomware operator. Sophos notes that Ryuk used Buer Loader to carry out ransomware attacks this year.
According to Wisniewski, IT professionals need to take those low-level attack methods seriously.
“Many security teams will feel that once malware has been blocked or removed and the compromised machine cleaned, the incident has been prevented,” said Wisniewski.
“They may not realize that the attack was likely against more than one machine and that seemingly common malware like Emotet and Buer Loader can lead to Ryuk, Netwalker and other advanced attacks, which IT may not notice until the ransomware deploys, possibly in the middle of the night or on the weekend. Underestimating ‘minor’ infections could prove very costly.”
Attackers are increasingly using legitimate tools, known utilities and common network destinations to carry out these attacks and avoid detection.
This also makes it harder for cybersecurity professionals and law enforcement to track down and identify attackers.
Many of these kits are freely available on the internet and are designed to help organizations test their networks against various attack methods. The company reported on this earlier this year.
Because the appearance of a known tool may not trigger security warnings, human-led threat hunting and managed threat response become necessary, Wisniewski said.
“Human experts know the subtle anomalies and traces to look for, such as a legitimate tool being used at the wrong time or in the wrong place,” he said.
“To trained threat hunters or IT managers using endpoint detection and response (EDR) features, these signs are valuable tripwires that can alert security teams to a potential intruder and an attack underway.”
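The "legitimate tool at the wrong time or in the wrong place" tripwire described above, as an added illustration that is not part of the report or the article: a small rule set run over constructed endpoint process events. The watchlist, the jump-host and admin-account baselines, and the business-hours window are all assumptions a hunter would replace with their own environment's baseline.

```python
"""Flag dual-use admin utilities used at the wrong time or from the wrong place."""
from datetime import datetime

# Hypothetical watchlist: legitimate utilities that are normal for admins
# but deserve a second look when the surrounding context is off.
WATCHED_TOOLS = {"psexec.exe", "wmic.exe", "powershell.exe", "bitsadmin.exe"}
# Hypothetical baseline: where, and by whom, these tools are expected to run.
ADMIN_HOSTS = {"JUMP01", "JUMP02"}
ADMIN_USERS = {"CORP\\itadmin", "CORP\\svc-patch"}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time, weekdays only

def parse_event(line):
    """Parse one constructed event of the form 'ISO-time host user process'."""
    ts, host, user, process = line.split()
    return {"time": datetime.fromisoformat(ts), "host": host.upper(),
            "user": user, "process": process.lower()}

def assess(event):
    """Return the anomaly reasons for one event (empty list = nothing unusual)."""
    reasons = []
    if event["process"] not in WATCHED_TOOLS:
        return reasons
    t = event["time"]
    if t.hour not in BUSINESS_HOURS or t.weekday() >= 5:
        reasons.append("wrong time: outside business hours")
    if event["host"] not in ADMIN_HOSTS:
        reasons.append("wrong place: not an admin jump host")
    if event["user"] not in ADMIN_USERS:
        reasons.append("wrong actor: not an admin account")
    return reasons

def hunt(lines):
    """Run every event through the rules; return (line, reasons) for flagged ones."""
    findings = []
    for line in lines:
        reasons = assess(parse_event(line))
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    "2020-12-08T10:15:00 JUMP01 CORP\\itadmin psexec.exe",    # routine admin use
    "2020-12-12T02:41:00 FIN-PC17 CORP\\jdoe psexec.exe",    # Saturday 02:41, finance workstation
    "2020-12-09T14:02:00 HR-PC03 CORP\\asmith winword.exe",  # not a watched tool
    "2020-12-09T23:30:00 JUMP02 CORP\\svc-patch wmic.exe",   # right place and actor, late at night
]

if __name__ == "__main__":
    for line, reasons in hunt(SAMPLE_EVENTS):
        print(line, "->", "; ".join(reasons))
```

Only the second and fourth sample events are flagged; the weekend PsExec run from a finance workstation by a non-admin account trips all three rules at once, which is the kind of stacked anomaly a hunter would escalate first.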