Rise in ransomware and disruptive operations

CrowdStrike Holdings, Inc., a provider of cloud-based protection for endpoints, workloads, identity and data, announces the release of the 2022 CrowdStrike Global Threat Report.

Among other things, the report not only reveals an 82 percent increase in ransomware-related data leaks, but also introduces two completely new groups of nation-state attackers, WOLF (Turkey) and OCELOT (Colombia). In addition, the experts add 21 new groups from around the world to the list of groups watched by CrowdStrike. The 8th annual Global Threat Report also details new operations and techniques from the Big Four: Iran, China, Russia and North Korea. Furthermore, the new report analyzes the consequences of the Log4Shell attacks and shows that attackers are less and less relying on malware, as 62 percent of the most recent discoveries were malware-free.

The CrowdStrike Intelligence report documents both the continued evolution of state-affiliated and criminal attackers, as well as the increasing sophistication, speed, and impact of targeted ransomware attacks, disruptive operations, and cloud-related attacks in 2021.

Key findings from this year’s report give organizations the insights they need to improve their security strategies and protect themselves against a wide range of cyber threats.

Nation-state and criminal groups continue to expand

The threat landscape in 2021 has expanded with the emergence of new adversaries. CrowdStrike monitors a total of more than 170 such groups today. Notable developments include:

    • Financially motivated eCrime activity continues to dominate the interactive intrusion attempts tracked by CrowdStrike OverWatch. Attacks attributable to eCrime accounted for almost half (49%) of all observed activity.
    • Iran-based attackers use ransomware and disruptive “lock-and-leak” information operations – they use ransomware to encrypt target networks and then leak information about victims through channels they control.
    • In 2021, pro-China players have been at the forefront of exploiting vulnerabilities, increasingly shifting their tactics to internet-enabled devices and services such as Microsoft Exchange. CrowdStrike confirmed the exploitation of 12 vulnerabilities published in 2021 by China-affiliated actors.
    • Russia-affiliated attacker COZY BEAR extended its attacks on IT to cloud service providers to exploit trusted relationships and gain access to additional targets through lateral movement. In addition, FANCY BEAR increased its use of credential harvesting tactics, including large-scale scanning techniques and customized phishing websites.
    • The Democratic People’s Republic of Korea (DPRK) has been targeting cryptocurrency-related businesses to generate illicit revenue during the economic disruptions caused by the COVID-19 pandemic.
    • eCrime actors – including DOPPEL SPIDER and WIZARD SPIDER partners – used Log4Shell as an access vector for ransomware operations. Pro-nation state actors, including NEMESIS KITTEN (Iran) and AQUATIC PANDA (China), have also been linked to a likely Log4Shell exploit before the end of 2021.

Attackers’ methods are becoming more and more sophisticated

The new GTR report highlights that the immense growth and impact of targeted ransomware attacks, disruptive operations and a surge in cloud-related attacks in 2021 has been felt across almost every industry and country.

    • CrowdStrike observed an 82 percent increase in ransomware-related data leaks in 2021, spread across 2,686 attacks as of December 31, 2021, compared to 1,474 attacks in 2020.
    • The eCrime Index (ECX) shows that ransomware attacks were very lucrative throughout 2021. Demonstrating the strength, volume and sophistication of the cybercrime market, the ECX is updated weekly based on 20 unique indicators of criminal activity, tracking things like big game hunting victims, data leaks and ransom demands. Over the course of 2021, the CrowdStrike ECX recorded the following:
      – 2,721 cases of big game hunting in the past year.
      – an average of over 50 targeted ransomware events per week.
      – Observed ransomware requests averaged $6.1 million per ransom, up 36 percent from 2020.
    • Attackers are increasingly using stolen user information and identities to bypass existing security solutions – of all discoveries indexed in Q4 2021, 62 percent were malware-free.