Ransomware-related data leaks up 82 per cent year-on-year, says Crowdstrike
Cybercrime and state-backed groups are changing tactics to avoid detection
Data leaks as a result of ransomware attacks increased by 82 per cent in 2021 compared to 2022, according to cyber security vendor Crowdstrike.
Ransom demands were up too, averaging $6.1 million (£4.5 million), a 36 per cent rise. The worst hit sectors were Industrials & engineering, Manufacturing, and Technology.
While some prominent cyber actors disbanded in 2021, in part because of political action and arrests, the overall number of ransomware families increased, says Crowdsrike in its annual Global Threat Report.
The primary motive for cyber attacks is financial, and crime groups have altered their approach to avoid detection, creating their own exploit tools and increasingly carrying out data theft and extortion without using ransomware, leading to the establishment of new marketplaces dedicated to selling the victims' data.
Threat groups apparently prefer not to rely on malware at all, but instead to use stolen credentials to bypass antivirus solutions. Sixty-two per cent of attacks detected by Crowdsrike did not involve writing any malware to the end point.
Some threat actors are criminal gangs, some are linked to national intelligence agencies, and other are somewhere in between. US-headquartered Crowdstrike's report noted some patterns in the behaviour of groups from different countries.
Russian groups have been seen targeting IT and cloud service providers to exploit trusted relationships, with state-related actors such as Fancy Bear and Cozy Bear proficient at stealing credentials and moving laterally within service providers networks.
Chinese actors have been observed rapidly developing and deploying exploits for newly discovered vulnerabilities, particularly in internet-facing devices that require no user interaction to compromise. Exploits include attacks on Oracle WebLogic and Zoho ManageEngine by the group Aquatic Panda.
Meanwhile, in 2021 North Korean hackers were focused on cryptocurrency heists to raise funds, and Iranian state groups such as Nemesis Kitten used low-level ransomware attacks to blur the boundaries between 'lock and leak' cyber crime activities and disruptive actions by the state.
Nemesis Kitten and Aquatic Panda were thought to be behind attempts to exploit the Log4Shell vulnerability in December.