IBM: REvil dominated ransomware activity in 2021
IBM X-Force's Threat Intelligence Index report also found a 'triple extortion' ransomware tactic in 2021, where threat actors use DDoS attacks to put extra pressure on victims.
REvil accounted for 37% of ransomware attacks in 2021, according to a new report from IBM Security.
The report, released Wednesday, is the latest IBM X-Force Threat Intelligence Index, an annual report released by the tech giant that provides a general summary of cyberthreats identified over the previous year. Ransomware was front and center in the 2022 report, though phishing attacks were also given special attention.
Ransomware was, as in the previous year, the top cyber attack type seen in 2021, though its share of the overall pie decreased year over year. Ransomware accounted for 23% of cyber attacks identified by X-Force in 2020, but 21% in 2021. Server access attacks jumped from 10% in 2020 to 14% in 2021. Business email compromise and data theft-related attacks took third and fourth place, each accounting for 8% of all attacks.
REvil accounted for 37% of all tracked ransomware attacks, followed by Ryuk (13%), LockBit 2.0 (7%) and AtomSilo (3%). REvil was responsible for multiple major attacks last year, most notably the supply-chain ransomware attack against Kaseya. This January, Russia said it had "stopped" the gang's operations while announcing more than a dozen arrests of alleged gang members.
IBM noted two emerging ransomware trends. The first involves ransomware threat actors reaching out to a victim's partner network after a supply chain attack and using these business partners to pressure the primary victim into paying the ransom.
The second trend, which IBM refers to as "triple extortion" tactics, is an evolution of the now-commonplace double extortion tactic, in which a ransomware actor encrypts a victim's data before stealing it and threatening to leak it. The third extortion tactic is to inflict a DDoS attack on the victim.
"In this type of attack, threat actors encrypt and steal data and also threaten to engage in a [DDoS] attack against the affected organization," the report read. "This kind of attack is particularly problematic for organizations because victims have their networks held hostage with two kinds of malicious attacks -- often simultaneously -- and are then further victimized by the theft (and often leak) of data."
IBM executive security advisor Limor Kessem said neither of these trends is especially common at the moment due to the additional complexity each requires. For both, the point isn't just to get the victim to pay, but to pay quickly.
"[A threat actor] wants to use every leverage available to force a company to pay and pay quicker, because the longer this trails, the more chance there is that law enforcement will step in and convince them not to pay," she said. "Maybe [the victim] will do a risk assessment and figure that the data the attackers are threatening with doesn't have all the leverage they thought it would."
Regardless of attack type, phishing led the pack in attack vectors. Forty-one percent of attacks used phishing to exploit victims, up from 33% in 2020. During penetration testing, IBM X-Force found that simulated, targeted phishing campaigns achieved an average click rate of 17.8%. When campaigns added phone calls, the effectiveness tripled to a click rate of 53.2%.
Vulnerability exploitation was the second most common attack vector (34%) seen in 2021, followed by stolen credentials (9%) and brute force (6%). The 9% figure for stolen credentials was particularly notable, as they had been used in 18% of attacks the previous year.
In a section dedicated to IBM's regional findings, the report showed how different attack vectors affected different regions. In North America, phishing was the most common attack vector; in the Middle East and Africa, meanwhile, vulnerability exploitation led to 50% of incidents.
This year's X-Force Threat Intelligence Index made four recommendations for improving cybersecurity posture. According to IBM, organizations should develop a ransomware response plan, implement multifactor authentication on every remote access point to a network, adopt a multi-layered approach to combat phishing, and continuously refine and mature their vulnerability management program.
Alexander Culafi is a writer, journalist and podcaster based in Boston.