03 Dec Sharp Increase in Cybercrime predicted for 2021

2021 will bring aggressive cybercrime activity as criminals pivot their attacks from data encryption to data exfiltration.

These are the findings of the 2020 Acronis Cyberthreats Report, an in-depth review of the current threat landscape and projections for the coming year, based on the protection and security challenges that were amplified by the shift to remote work during the COVID-19 pandemic.

Cyber protection company Acronis says ransomware continues to be the leading threat, with Maze ransomware accounting for nearly half of all known cases in 2020. Maze ransomware encrypts and steals terabytes of private data in targeted attacks.

The Acronis Cyberthreats Report points to a growing trend of cybercriminals now trying to further maximise their financial gain. Going a step further than collecting ransoms to decrypt infected data, the criminals steal proprietary, and sometimes embarrassing, data even before encrypting it. The threat is then to publicly release the stolen files if the victim doesn’t pay.

Acronis’ analysts found evidence that more than 1,000 companies globally had their data leaked following ransomware attacks in 2020, a trend that is expected to accelerate in the coming year, overtaking encryption as the primary tactic.

“When it comes to existing solutions and strategies, the current trends in cyberattacks show that traditional cybersecurity is failing – usually because of weak technologies and human error, which are both avoidable,” explained Candid Wüest, VP of Cyber Protection Research at Acronis and co-author of the report.

“Just as cybercriminals are evolving their attacks, organisations need to advance their protection and security. Comprehensive cyber protection solutions offer the integration and automation that eliminate complexity, optimise performance, and streamline recovery.”

“More than any year in recent memory, 2020 posed a tremendous number of challenges to IT professionals, organisations and service providers who support them,” explained Stas Protassov, Acronis co-founder and Technology President. “What we’ve seen is how quickly bad actors are adjusting their attacks to the new IT landscape. By analysing the activity, attacks and trends, we hope to empower our partners and help the IT community at large to prepare for the threats on the 2021 horizon.”

Among the notable findings in the Acronis Cyberthreats Report include:

• Attacks against remote workers will increase. While 31% of global companies reported daily cyberattacks in 2020, the frequency of attacks targeting their remote workers is projected to increase in 2021, since the defenses for systems outside the corporate network are more easily compromised, giving access to that organisation’s data.
• Ransomware will look for new victims, become more automated. Rather than continuing to cast a wide net, ransomware attackers will focus on targets that provide a bigger return on their efforts. Breaking into one network to steal data from several companies is more profitable than attacking individual organisations. So, while small businesses will continue to be targeted, cloud environments and organisations such as managed service providers will become more valued targets because their systems can provide access to the data of multiple clients.
• Legacy solutions struggle to keep up. Blocking the new wave of malware has rendered traditional antimalware solutions obsolete, as they cannot keep pace with the increased sophistication and frequency of new threats. The average lifespan of a malware sample in 2020 was just 3.4 days. As attackers continue to utilise automation, the number of malware samples will continue to climb. Organisations will need to find new approaches to protection that are agile and designed to stay ahead of new threats. Simple standalone security and backup solutions will no longer be enough.

Creating the Acronis Cyberthreats Report 2020

The Acronis Cyberthreats Report 2020 is based on examining attack and threat data collected by the company’s global network of Acronis Cyber Protection Operations Centers (CPOCs), which monitor and research cyberthreats 24/7. Malware data was collected by more than 100,000 unique endpoints around the world running Acronis Cyber Protect, which launched in May 2020, and covers attacks targeting endpoints detected between June and October.

The full report provides in-depth insights into the top security/threat trends the CPOCs observed in 2020, a review of malware families and related statistics, a deep dive into ransomware’s most dangerous groups, the vulnerabilities that contribute to successful attacks, and Acronis’ complete security forecast and recommendations for 2021.

Ransomware Background

Evasive Maze ransomware encrypts and steals terabytes of private data in targeted attacks

Maze ransomware has been seen in targeted attacks since at least May 2019 and is allegedly responsible for the latest attack against Canon on July 30, 2020, resulting in the outage of the image.canon cloud storage service. Moreover, the Maze ransomware operator claimed to steal 10TB of private data as a part of the attack on Canon. The Maze operators already published the data from Xerox and LG that have been stolen during successful attack in June 2020, as the companies refused to pay a ransom.

• Not only encrypts but also steals data to publish it later if a ransom is not paid
• Canon, Xerox, and LG are among the biggest victims of Maze
• Employs anti-disassembly and anti-debugging techniques
• Does not encrypt systems with a Russian default locale
• wmic.exe call to delete shadow copies is obfuscated
• Sends an HTTP check-in request to C&C server located in ‘91.218.114.0’ network in Moscow, Russia
• Uses Mimikatz, Procdump, and Cobalt Strike hacking tools for proliferation

Maze ransomware is typically delivered as the result of a targeted attack against an organization that starts with a spear-phishing email, getting access via compromised RDP or VDI (the credentials are usually bought on the Dark Web), and exploiting vulnerabilities in VPNs.

Once the Maze operator obtains access to the internal network of the orgаnization, it runs Mimikatz and Procdump to harvest passwords stored in the memory and switch to reconnaissance using the Cobalt Strike red-teaming tool.

Maze uses anti-disassembly techniques to harden the code analysis in a disassembler.

The obfuscation techniques include:

1. Conditional jumps which redirect to the same location, replacing absolute jumps.
2. Calls are followed by pushing the return address to the stack and jumping to the caller address.

Additionally, Maze can detect if its code is being debugged. It checks the flag ‘BeingDebugged’ in the PEB structure if the process is run under a debugger. If so, the code goes into an infinite loop and does no encryption. Also, Maze kills the processes of the malware analysis tools and office tools by the hashes of the process names.

Maze ransomware is similar to recent ransomware strains such as WastedLocker, Netwalker, and REvil in that it not only encrypts, but also steals data. It uses 7zip utility to pack collected data and exfiltrate archives to the attacker’s FTP server using the WinSCP client. In some incidents, it was reported that the exfiltrated data was also Base64 encoded. All in all, this made the Maze ransomware family one of the most dangerous we saw in 2020.

About Acronis

Acronis unifies data protection and cybersecurity to deliver integrated, automated cyber protection that solves the safety, accessibility, privacy, authenticity, and security (SAPAS) challenges of the modern digital world. With flexible deployment models that fit the demands of service providers and IT professionals, Acronis provides superior cyber protection for data, applications, and systems with innovative next-generation antivirus, backup, disaster recovery, and endpoint protection management solutions. With award-winning AI-based antimalware and blockchain-based data authentication technologies, Acronis protects any environment – from cloud to hybrid to on-premises – at a low and predictable cost.

Founded in Singapore in 2003 and incorporated in Switzerland in 2008, Acronis now has more than 1,500 employees in 33 locations in 18 countries. Its solutions are trusted by more than 5.5 million home users and 500,000 companies, including 100% of the Fortune 1000, and top-tier professional sports teams. Acronis products are available through 50,000 partners and service providers in over 150 countries in more than 40 languages.