Sophos 2021 Threat Report

EXECUTIVE SUMMARY

The Sophos 2021 Threat Report covers topic areas into which Sophos has gained insight from the work over the past 12 months by SophosLabs on malware and spam analysis, and by the Sophos Rapid Response, Cloud Security, and Data Science teams. These aspects of our daily work protecting customers provide insight into the threat landscape that can guide incident responders and IT security professionals on where they should direct their efforts to defend networks and endpoints in the coming year.

We’ve segmented the report into four main parts: Discussion of how ransomware has transformed itself, and where this threat is headed; analysis of the most common attacks large organizations face, and why these metaphorical canaries in the coal mine remain significant threats; how the emergence of a global pandemic affected information security in 2020; and a survey of the scope of attacks targeting platforms not traditionally considered part of an enterprise’s attack surface.

To summarize the key takeaways from the report:

Ransomware

• Ransomware threat actors continue to innovate both their technology and their criminal modus operandi at an accelerating pace
• More ransomware groups now engage in data theft so they may threaten targets with extortion over the release of sensitive private data
• As ransom groups put more effort into active attacks against larger organizations, the ransoms they demand have risen precipitously
• Further, distinct threat actor groups that engage in ransomware attacks appear to be collaborating more closely with their peers in the criminal underground, behaving more like cybercrime cartels than independent groups
• Ransomware attacks that previously took weeks or days now may only require hours to complete

‘Everyday’ threats

• Server platforms running both Windows and Linux have been heavily targeted for attack, and leveraged to attack organizations from within
• Common services like RDP and VPN concentrators remain a focus for attack on the network perimeter, and threat actors also use RDP to move laterally within breached networks
• Even low-end “commodity” malware can lead to major breaches, as more malware families branch out into becoming “content distribution networks” for other malware
• A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated

COVID-19

• Working from home presents new challenges, expanding an organization’s security perimeter to thousands of home networks protected by widely varying levels of security
• Cloud computing has successfully borne the brunt of a lot of enterprise needs for secure computing environments, yet still has its own challenges unique from those in a traditional enterprise network
• Threat actors have attempted to launder their reputations making promises not to target organizations involved in life-saving health operations, but later reneged on those promises
• Criminal enterprises have branched out into a service economy that eases new criminals into the fold
• Cybersecurity professionals from around the world self-organized in 2020 into a rapid reaction force to combat threats that leverage the social engineering potential of anything relating to the novel Coronavirus

Nontraditional platforms

• Attackers now routinely take advantage of the wealth of “red team” tools and utilities pioneered by penetration testers in live, active attacks
• Despite efforts on the part of operators of mobile platforms to monitor apps for malicious code, attackers continue to work around the edges, developing techniques to bypass these code scans
• Software classified in an earlier era as “potentially unwanted” because it delivered a plethora of advertisements (but was otherwise not malicious) has been engaging in tactics that are increasingly indistinguishable from overt malware
• Data scientists have applied approaches borrowed from the world of biological epidemiology to spam attacks and malware payloads, as a method to bridge gaps in detection