A report summarizing threat trends in one global cloud-based cybersecurity firm’s ecosystem unveils a growing cyber-pandemic within a coronavirus pandemic.

In a cybersecurity firm’s annual review of the cyber threat landscape in terms of its user base, ransomware-related data leaks had shot up 82% last year, and that 62% of Q4 threats detected had been malware-free—meaning that adversaries are moving beyond this software approach.

For CrowdStrike users, the 2021 threat landscape had become more crowded as new adversaries emerged—with more than 170 detected, and financially motivated e-crime activity dominating (49%) the interactive intrusion attempts tracked.

With 2,686 ransomware attacks in the firm’s user base as of December 31, 2021 (compared to 1,474 in 2020), the report concludes that the startling growth and impact of targeted ransomware, disruptive operations and an uptick in cloud-related attacks was a palpable force felt across nearly every industry and in every country in the firm’s ecosystem.

Some key findings

As expected, state-sponsored and criminal groups continue to expand last year. Some notes about the Big Four sources of adversaries:

  • Iran-based adversaries adopted the use of double-threat ransomware techniques (so-called “lock-and-leak” operations)
  • China-nexus actors emerged as the leader in vulnerability exploitation and shifted tactics to increasingly target internet-facing devices and services like Microsoft Exchange. In all, China-nexus actors exploited 12 vulnerabilities published in 2021.
  • Russia-nexus adversary Cozy Bear expanded its targeting of IT and cloud service providers in order to exploit trusted relationships and gain access to additional targets through lateral movement. Additionally, Fancy Bear increased the use of credential-harvesting tactics, including both large-scale scanning techniques and victim-tailored phishing websites.
  • North Korea threat actors targeted cryptocurrency-related entities in an effort to maintain illicit revenue generation during economic disruptions caused by the COVID-19 pandemic.
  • The alarming Log4Shell vulnerability was used as an access vector to enable ransomware operations by threat actors, including affiliates of Doppel Spider and Wizard Spider. State-nexus actors, including Nemesis Kitten (Iran) and Aquatic Panda (China), were also affiliated with probable Log4Shell exploitation before the end of 2021.
  • Overall, CrowdStrike observed 2,721 Big Game Hunting incidents; an average over 50 targeted ransomware events per week; an increase of 36% over 20202 in ransom demand value averaging US$6.1m per incident.
  • Adversaries were increasingly exploiting stolen user credentials and identities to bypass legacy security solutions: of all detections indexed in Q4 of 2021, 62% were malware-free.

Said Adam Meyers, Senior Vice President of Intelligence, CrowdStrike: “The annual Global Threat Report paints a picture that shows enterprise risk is coalescing around three critical areas: endpoints and cloud workloads, identity and data, and provides a valuable resource for organizations looking to bolster their security strategy.”