Cybersecurity firm Sophos flags how ransomware and fast-changing attacker behaviors will shape the threat landscape and IT security in 2021, according to its “Sophos 2021 Threat Report,” written by SophosLabs security researchers, Sophos’ threat hunters, rapid responders, and cloud security and AI experts.

The gap between ransomware operators at different ends of the skills and resource spectrum will increase. At the high end, the big-game hunting ransomware families will continue to refine and change their tactics, techniques, and procedures (TTPs) to become more evasive and nation-state-like in sophistication, targeting larger organizations with multimillion-dollar ransom demands.

In 2020, such families included Ryuk and RagnarLocker. At the other end of the spectrum, Sophos anticipates an increase in the number of entry-level, apprentice-type attackers looking for menu-driven, ransomware-for-rent, such as Dharma, that allows them to target high volumes of smaller prey.

Sophos finds fleeceware apps ‘still exist’ in Google’s Play Store

Sophos uncovers Maze attack chains to launch $15-M ransomware

Another ransomware trend is “secondary extortion,” where alongside the data encryption the attackers steal and threaten to publish sensitive or confidential information if their demands are not met. In 2020, Sophos reported on Maze, RagnarLocker, Netwalker, REvil, and others using this approach.

“The ransomware business model is dynamic and complex. During 2020, Sophos saw a clear trend towards adversaries differentiating themselves in terms of their skills and targets. However, we’ve also seen ransomware families sharing best-of-breed tools and forming self-styled collaborative ‘cartels,’” said Chester Wisniewski, principal research scientist, Sophos.

Everyday threats such as commodity malware, including loaders and botnets, or human-operated Initial Access Brokers, will demand serious security attention. Such threats can seem like low-level malware noise, but they are designed to secure a foothold in a target, gather essential data, and share data back to a command-and-control network that will provide further instructions.

If human operators are behind these types of threats, they’ll review every compromised machine for its geolocation and other signs of high value, and then sell access to the most lucrative targets to the highest bidder, such as a major ransomware operation. For instance, in 2020, Ryuk used Buer Loader to deliver its ransomware.

All ranks of adversaries will increasingly abuse legitimate tools, well-known utilities, and common network destinations to evade detection and security measures and thwart analysis and attribution. The abuse of legitimate tools enables adversaries to stay under the radar while they move around the network until they are ready to launch the main part of the attack, such as ransomware. For nation-state-sponsored attackers, there is the additional benefit that using common tools makes attribution harder. In 2020, Sophos reported on the wide range of standard attack tools now being used by adversaries.

Additional trends analyzed in the Sophos 2021 Threat Report include:

• Attacks on servers: adversaries have targeted server platforms running both Windows and Linux, and leveraged these platforms to attack organizations from within
• The impact of the COVID 19 pandemic on IT security, such as the security challenges of working from home using personal networks protected by widely varying levels of security
• The security challenges facing cloud environments: cloud computing has successfully borne the brunt of a lot of the enterprise needs for secure computing environments, but faces challenge different from those of a traditional enterprise network
• Common services like RDP and VPN concentrators, which remain a focus for attacks on the network perimeter. Attackers also use RDP to move laterally within the breached network.
• Software applications traditionally flagged as “potentially unwanted” because they delivered a plethora of advertisements, but engaged in tactics that are increasingly indistinguishable from overt malware
• The surprising reappearance of an old bug, VelvetSweatshop – a default password feature for earlier versions of Microsoft Excel – used to conceal macros or other malicious content in documents and evade advanced threat detection
• The need to apply approaches from epidemiology to quantify unseen, undetected, and unknown cyberthreats in order to better bridge gaps in detection, assess risk and define priorities