ESET released today its T2 2021 Threat Report highlighting several concerning trends, including increasingly aggressive ransomware tactics, intensifying brute-force attacks, and deceptive phishing campaigns targeting people working from home who have gotten used to performing many administrative tasks remotely.
Ransomware, showing three major detection spikes during T2, saw the largest ransom demands to date. The attack shutting down the operations of Colonial Pipeline – the largest pipeline company in the US – and the supply-chain attack leveraging a vulnerability in the Kaseya VSA IT management software, sent shockwaves that were felt far beyond the cybersecurity industry. Both cases appeared to pursue financial gain rather than cyberespionage, with the perpetrators of the Kaseya attack setting a USD 70 million ultimatum – the heftiest known ransom demand so far.
“Ransomware gangs may have overdone it this time: the involvement of law enforcement in these high-impact incidents forced several gangs to leave the field. The same can’t be said for TrickBot, which appears to have bounced back from last year’s disruption efforts, doubling in our detections and boasting new features,” explains Roman Kováč, chief research officer at ESET. On the other hand, the final shutdown of Emotet at the end of April 2021 saw downloader detections down by half compared to T1 2021 and a reshuffling of the whole threat landscape.
Password-guessing attacks, which often serve as a gateway for ransomware, saw further growth in T2. Between May and August 2021, ESET detected 55 billion new brute-force attacks (+104% compared to T1 2021) against public-facing Remote Desktop Protocol services. ESET telemetry also saw an impressive increase in the average number of daily attacks per unique client, which doubled from 1,392 attempts per machine per day in T1 2021 to 2,756 in T2 2021.
The exclusive research presented in the T2 2021 Threat Report includes findings about the highly targeted DevilsTongue spyware, which is used to spy on human rights defenders, dissidents, journalists, activists, and politicians; and a new spear phishing campaign by the Dukes APT group, which remains a prime threat to Western diplomats, NGOs, and think tanks. A separate section describes new tools employed by the highly active Gamaredon threat group targeting governmental organizations in Ukraine.
The ESET T2 2021 Threat Report also reviews the most important findings and achievements by ESET researchers: a new cross-platform APT group targeting both Windows and Linux systems; a myriad of security issues in Android stalkerware apps; and a diverse class of malware targeting IIS servers, highlighted in the Featured story section.
Finally, the report offers an overview of several talks given by ESET researchers and experts during the past few months and introduces talks planned for Virus Bulletin, AVAR, SecTor, and many other conferences. It also provides a general outlook of ESET’s participation in the MITRE Engenuity ATT&CK evaluation, which will focus on tactics, techniques and procedures applied by the Wizard Spider and Sandworm APT groups. ESET’s outstanding visibility into both adversary groups’ behaviors could have a significant positive impact on ESET’s results in this evaluation.