Anna Zhadan Editor Updated on: 16 August 2022
It takes a ransomware group, on average, 17 months to either rebrand or seize operations. But even after a complete shutdown, they are never really gone, with the majority expected to resurface in 2022, according to the latest report by IBM.
Over the past five years, the IBM Security X-Force Threat Intelligence team has observed a constant increase in the number of discovered vulnerabilities, which are presenting more opportunities for threat actors. In 2021, 19,649 vulnerabilities were discovered compared to 19,137 found in 2020 and 17,997 in 2019.
Ransomware made up for the largest portion of attacks last year, although their overall frequency reduced to 21% from 23%. These were observed at irregular intervals, although ransomware attacks tended to intensify in May/June and decrease in late summer or early fall.
REvil threat actors were responsible for 37% (over one-third) of all ransomware attacks in 2021 despite permanently seizing operations in October, followed by Ryuk (13%.)
Based on the collected data, many threat groups rebranded in 2021 – on average, it took a group 17 months to rebrand or shut down completely, primarily due to law enforcement activity. However, this doesn’t indicate that ransomware is soon to be tackled. Even those groups that have since disappeared are expected to likely re-emerge in 2022.
“X-Force assesses that criminal ransomware activity will continue into the foreseeable future, based on the high profits generated by this activity and current limitations on law enforcement for widely shutting down ransomware activity,” the report suggests.
Server access was the second most common attack vector (11%,) with the majority of incidents taking place in Asia. During such attacks, a threat actor gains unauthorized access to a server, although it is not always clear what the end goal is. In several recorded instances, cybercriminals exploited vulnerabilities, installed spyware or malware, attempted to steal data, as well as employed penetration testing tools on a server.
Business email compromise came third, although this type of attack seems to be generally declining in popularity. IBM suspects that this new pattern has to do with the more widespread implementation of multi-factor authentication (MFA,) which forces threat actors to shift focus to geographies where MFA is not as widely implemented. Notably, the majority of such incidents took place in Latin America.
When it comes to initial access, the majority of cybercriminals preferred phishing to infiltrate victims’ networks last year. The average click rate for an X-Force Red simulated campaign was 17.8%, with the most spoofed brands being Microsoft, Apple, and Google. In 2020, however, the most popular intrusion method was vulnerability exploitation, which came in second in 2021.