What a 2021 we have had thus far. In this report we introduce additional context into the biggest stories dominating the year thus far and we can look no further than recent ransomware attacks. While the topic itself is not new, there is no question that the threat is now truly mainstream.
This Threats Report provides a deep dive into ransomware, in particular DarkSide, which has resulted in an agenda item in talks between U.S. President Biden and Russian President Putin. While we have no intention of detailing the political landscape, we certainly do have to acknowledge that this is a threat disrupting our critical services. Furthermore, adversaries are supported within an environment that makes digital investigations challenging, with legal barriers that make the gathering of digital evidence almost impossible from certain geographies.
That being said, we can assure the reader that all of the recent campaigns are incorporated into our products, and of course can be tracked within our MVISION Insights preview dashboard.
This dashboard shows that—beyond the headlines—many more countries have experienced such attacks. What it will not show is that victims are paying the ransoms, and criminals are introducing more Ransomware-as-a-Service (RaaS) schemes as a result. With the five-year anniversary of the launch of the No More Ransom initiative now upon us it’s fair to say that we need more global initiatives to help combat this threat.
- Letter from Our Chief Scientist
- Ransomware: From Babuk to DarkSide and Beyond
- McAfee Global Threat Intelligence (GTI)
- Threats to Sectors and Vectors
- Malware Threats Statistics
- TOP MITRE ATT&CK TECHNIQUES APT/CRIME
We hope you enjoy this Threats Report. Please stay safe.
McAfee Fellow, Chief Scientist
# Ransomware: From Babuk to DarkSide and Beyond
While the DarkSide Ransomware-as-a-Service (RaaS) attack on Colonial Pipeline held recent headlines hostage in Q2 2021, the ransomware activity story actually went deeper in the first quarter of the year.
We observed that “smaller” ransomware campaigns decreased in Q1 while the Ransomware-as-a-Service campaigns targeted and breached larger organizations and companies. The number of Q1 samples dropped as more attackers shifted from mass-spread campaigns, toward fewer, but more lucrative targets. Most of these larger, targeted victims received a custom created variant of the ransomware family at a low volume.
Here’s a breakdown of McAfee ATR Ransomware research and findings from Q1 of 2021:
[Charts: Daily, Weekly, Monthly Ransomware; Top Ransomware Families and Techniques; Unique Ransomware Families]
Ransomware Coverage and Protection
When it comes to the actual ransomware binary, we strongly advise updating and upgrading your endpoint protection, as well as enabling options like tamper protection and rollback. Please read our blog on how to best configure ENS 10.7 to protect against ransomware for more details.
McAfee is a proud partner of the Ransomware Task Force, which released details on how ransomware attacks are occurring and countermeasures that should be taken. As many of us have published, presented on, and released research upon, it is time to act.
# McAfee Global Threat Intelligence (GTI)
Based on activity from millions of sensors world-wide and an extensive research team, McAfee ATR publishes timely, relevant threat activity via McAfee Global Threat Intelligence (GTI). This always-on, cloud-based threat intelligence service enables accurate protection against known and fast-emerging threats by providing threat determination and contextual reputation metrics. McAfee GTI integrates directly with our security products, protecting against emerging threats to reduce operational efforts and time between detection and containment.
Here are notable statistics from Q1 2021.
[Charts: File by Country; Queries and Detections]
# Threats to Sectors and Vectors
The volume of malware threats observed by McAfee ATR averaged 688 threats per minute, an increase of 40 threats per minute (3%) in the first quarter of 2021.
Notable Sector increases and decreases from Q4 2020 to Q1 2021 include:
- Technology 54%
- Education 46%
- Finance/Insurance 41%
- Wholesale & Retail -76%
- Public Administration -39%
Publicly disclosed Security incidents
# Malware Threats Statistics
The first quarter of 2021 saw notable increases in several threat categories:
- Coin Miner malware increased 117% primarily due to growth in 64-bit coin miner applications
- Internet of Things (IoT) surged 55% due to Mirai
- Linux rose 38% along with the increase in Mirai
The first quarter of 2021 also was notable for decreases in several threat categories:
- New PowerShell was down 89% due to the drop in Donoff
- New Office malware decreased 87% also due to the drop in Donoff
- MacOS decreased 70% due to the drop in EvilQuest
- Ransomware fell 50% due to the drop in Cryptodefense
New Malware Threats
# TOP MITRE ATT&CK TECHNIQUES APT/CRIME
(Top 5 per Tactic)
| Tactic | Technique | Comments |
|---|---|---|
| Initial Access | Spearphishing Link | Spear Phishing (Link and Attachment) moved back into the top 5 used techniques, closely followed by Exploiting Public-Facing Application. |
| | Exploit public facing application | Exploiting Public-Facing Application remained in the top 3 Initial Access techniques due to the release of the major Microsoft Exchange vulnerabilities, which affected thousands of organizations worldwide. |
| Execution | Windows Command Shell | Command-line and scripting interpreter usage, such as Windows Command Shell and PowerShell, were the top techniques used by adversaries to execute their payloads. Command-line scripts are often incorporated into pentesting frameworks like Cobalt Strike for additional ease of execution. |
| | User execution | An adversary may rely upon specific actions by a user in order to gain execution of a malicious binary. This technique is often linked to the Initial Access technique (Spear) Phishing. |
| | Registry Run Keys / Startup Folder | |
| Privilege Escalation | Windows Service | |
| | Process Injection | Process injection remains one of the top Privilege Escalation techniques. |
| | Registry Run Keys / Startup Folder | |
| Defense Evasion | Deobfuscate/Decode Files or Information | |
| | Obfuscated Files or information | |
| | Credentials from Web Browsers | Common open-source pentest tools like LaZagne, Grabff and most RAT tools have an ability to extract credentials from web browsers. The usage of LaZagne and Grabff has been observed in various ransomware attacks in Q1 2021. |
| | OS Credential Dumping | |
| | Credentials from Password Stores | |
| Discovery | System Information Discovery | |
| | File and Directory Discovery | |
| | System Network Configuration Discovery | |
| | System Owner/User Discovery | |
| Lateral Movement | Remote File Copy | |
| | Remote Desktop Protocol | |
| | SMB/Windows Admin Shares | |
| | Exploitation of Remote Services | |
| Collection | Data from Local System | |
| | Archive Collected Data | |
| Command and Control | Web protocols | |
| | Ingress Tool transfer | |
| | Application Layer Protocol | |
| Exfiltration | Exfiltration Over Command and Control Channel | |
| | Exfiltration Over Alternative Protocol | |
| | Exfiltration over unencrypted/obfuscation Non-C2 Protocol | |
| | Exfiltration to Cloud Storage | Tools like MEGAsync and Rclone are commonly used by adversaries to exfiltrate sensitive data from a victim’s network to cloud storage. Both tools were utilized by multiple ransomware groups like REvil, Conti, DarkSide. |
| Impact | Data Encrypted for impact | |
| | Resource Hijacking Service | |
| | Direct Network Flood | |