Threat report T2 2021

Welcome to the T2 2021 issue of the ESET Threat Report!

Despite threats seemingly looming around every corner (I’m looking at you, Delta), the past four months were the time of summer vacations for many of us, offering a much-needed break after the tough start of the year.

I wish the same could be said for the area of cyberthreats, but as you’ll learn in the following pages, we’ve seen several concerning trends instead: increasingly aggressive ransomware tactics, intensifying brute-force attacks, and deceptive phishing campaigns targeting people working from home.

Indeed, the ransomware scene officially became too busy to keep track of in T2 2021, yet some incidents were impossible to miss. The attack shutting down the operations of Colonial Pipeline – the largest pipeline company in the US – and the supply-chain attack leveraging a vulnerability in the Kaseya IT management software, sent shockwaves that were felt not only in the cybersecurity industry. Unlike the SolarWinds hack, the Kaseya attack appeared to pursue financial gain rather than cyberespionage, with the perpetrators setting a USD 70 million ultimatum – the heftiest known ransom demand to date.

But ransomware gangs may have overdone it this time: the involvement of law enforcement in these high impact incidents forced several gangs to leave the field. The same can’t be said for TrickBot, which appears to have bounced back from last year’s disruption efforts, doubling in our detections and boasting new features. Emotet, on the other hand, following a final shutdown at the end of April, disappeared from the scene, reshuffling the whole threat landscape. But these are just a few of the developments seen in our telemetry – I invite you to read the Statistics & Trends section of this report to see the full picture.

The past four months were fruitful in terms of research, too. Our researchers uncovered – among others – a diverse class of malware targeting IIS servers; a new cross-platform APT group targeting both Windows and Linux systems; and a myriad of security issues in Android stalkerware apps. They also took a closer look at the activities of the Gamaredon group, the Dukes, and the highly targeted DevilsTongue spyware, with the latter findings presented exclusively in this report.

With their deep dive into IIS malware and stalkerware, ESET researchers made it to Black Hat USA and the RSA Conference – you can find wrap-ups of their talks in the final section of this report. For the upcoming months, we are happy to invite you to ESET talks at Virus Bulletin, AVAR, SecTor, and many others.

Happy reading, stay safe – and stay healthy!

Roman Kováč
ESET Chief Research Officer