Ransomware continues to be the leading cyberthreat, with Maze, Egregor and Conti accounting for nearly half of all known large ransomware attacks in 2020. More than 1,100 companies had data stolen this year in successful ransomware attacks, and that data was subsequently leaked to underground sites. The shift in focus to data exfiltration is one of the major trends described in the Acronis Cyberthreats Report 2020, and we expect it to accelerate in the coming year.
Double extortion makes sense for cybercriminals and is the logical evolution of ransomware in 2020. By now, organisations have recognised the importance of a good backup strategy and a working disaster recovery plan. The risk of losing data to illicit encryption has therefore decreased, and victims are less motivated to pay for a decryption key.
New business model
In response, cybercriminals have adapted their business model. They now steal proprietary or embarrassing data and then threaten to publicly release the stolen files if the victim does not pay, increasing the pressure. Some even argue during negotiations that the victim will have to pay either the ransom or a privacy regulation fine, which under GDPR can run to a few million pounds; the victim, so the argument goes, will lose less by paying the ransom, and may have a cyber insurance policy that covers part of it. Needless to say, the demands can be very high, as the initial asking price of US$34 million in the recent Foxconn attack showed.
Of course, not all initial ransom demands are paid, but even if an organisation pays only a fraction, the attack is still very profitable for the attackers. Telemetry data from the Acronis Cyber Protection Operations Centre (CPOC) shows that 19 percent of global ransomware detections in November were in the USA, a rise of 11 percent over the last quarter. We expect this trend to grow further in 2021, with more automated attacks and more crimeware-as-a-service collaborations.
Another clear trend is the focus on attacking MSPs and cloud data centres. The accelerated digital transformation driven by the pandemic, combined with a shortage of cyber protection skills, is likely one reason why many small and medium-sized businesses are turning to MSPs for security services. Unfortunately, this move makes MSPs an even more attractive target. If attackers compromise a service provider, they gain access to its internal management tools and can spread the attack to every connected client. This amplifies the attack's impact and opens new profit opportunities, because the cybercriminals can now also extort each individual client. Even where the attacker does not leverage that trusted relationship for further attacks, every customer still depends heavily on the provider's data centres. Any downtime there is very expensive and disruptive, for example where desktop-as-a-service software is used, and that disruption puts additional pressure on the service provider to pay the ransom.
The cloud hosting and services provider Netgain learned this the hard way at the end of November. The company was compromised by ransomware and had to take some of its data centres offline. According to the company, this was done to contain the incident and to install additional security measures. For its clients, the result was a highly disruptive downtime incident.
Attacks that abuse a provider's management tooling in this way can be seen as an extension of living-off-the-land tactics, in which attackers turn the tools already present in the IT infrastructure against the victim. Blocking such tactics is often difficult because legitimate tools such as PowerShell or WMI are involved. A common modus operandi is to find domain administrator accounts or management consoles, uninstall all security software, and delete all available backups before using the same software distribution channel to roll out the malware across the enterprise. With the move to the cloud, the attack surface also grows, and we expect cybercriminals to exploit this in the coming year.
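The backup-deletion step described above is one of the few points in this chain where the attacker's use of built-in tools produces a command line that rarely appears in normal administration. The following detector is an added example, not code from the report or from Acronis: it scans a handful of constructed process-creation events (JSON lines with Host, User, Image and CommandLine fields, a format assumed here for illustration) for the well-known ways Windows backups and shadow copies are destroyed with vssadmin, wmic, wbadmin, bcdedit and PowerShell WMI calls, and keeps who ran what on which host for triage. The rule list is illustrative, not exhaustive.

```python
"""Flag living-off-the-land backup destruction in process-creation events (added example)."""
import json
import re
from dataclasses import dataclass

# Each rule pairs a name with a regex over the full command line. These patterns
# cover common ransomware pre-encryption steps that use built-in Windows tools;
# extend them for your environment. Read-only uses (e.g. "vssadmin list shadows")
# deliberately do not match.
RULES = [
    ("vssadmin shadow deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin shadow storage resize",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadow copy deletion",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin backup catalog deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("PowerShell Win32_ShadowCopy deletion",
     re.compile(r"win32_shadowcopy.*(delete|remove)", re.I)),
]


@dataclass
class Finding:
    rule: str
    host: str
    user: str
    image: str
    command_line: str


def parse_event(line):
    """Parse one JSON-lines process-creation record (constructed format, see lead-in)."""
    return json.loads(line)


def scan(lines):
    """Return one Finding per event whose command line matches a rule (first match wins)."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(name, ev.get("Host", "?"), ev.get("User", "?"),
                                        ev.get("Image", "?"), cmd))
                break
    return findings


def hosts_with_findings(findings):
    """Distinct hosts touched, in order of first appearance: a quick blast-radius view."""
    seen = []
    for f in findings:
        if f.host not in seen:
            seen.append(f.host)
    return seen


# Constructed sample events: four malicious, two benign administrative commands.
SAMPLE_EVENTS = r'''
{"Host": "FS01", "User": "CORP\\svc_deploy", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"Host": "FS01", "User": "CORP\\backupadmin", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
{"Host": "DC01", "User": "CORP\\Administrator", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete"}
{"Host": "DC01", "User": "CORP\\Administrator", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"Host": "WS17", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\""}
{"Host": "WS17", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Get-Process"}
'''.strip().splitlines()


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} {f.user}: {f.command_line}")
```

The same account appearing in several of these findings across hosts is the signal the paragraph describes: a compromised administrator or deployment account preparing the environment before the payload is pushed. Feed the detector from a process-creation source you already collect (Sysmon event 1 or Security event 4688 with command-line logging enabled) rather than from the constructed sample.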
2021 cyberthreats outlook
It comes as no surprise that cybercriminals have used the COVID-19 pandemic to increase their attacks. They did not use groundbreaking new methods, but rather automated existing techniques to increase the frequency of their attacks. With the advances in AI/ML and available cloud services, this will likely continue to increase and might even produce new attack techniques such as swarm attacks.
As we detail in the 2020 report, we expect cybercriminals to increase their attacks against employees working from home, as they are still not adequately protected. A recent survey by Acronis showed that 92 percent of global organisations had to adopt new technologies to complete the switch to remote work. As a result, 72 percent of global organisations saw their IT costs increase during the pandemic.
The adoption of double-extortion attacks will continue to spread, replacing encryption as the primary ransomware tactic. And in their effort to maximise the impact of their attacks, some ransomware groups will turn their focus onto new fields such as cloud infrastructure, going after data buckets, serverless apps, and containers.
Going forward into 2021, it will be important to have a data-centric cyber protection strategy to combat the increasing wave of automated attacks against all locations where data is stored or processed.