In 2021, cybercrime has become more sophisticated, widespread, and relentless. Criminals have targeted critical infrastructure—healthcare,1 information technology,2 financial services,3 energy sectors4—with headline-grabbing attacks that crippled businesses and harmed consumers. But there are positive trends—victims are coming forward, humanizing the toll of cyberattacks and prompting increased engagement from law enforcement. Governments are also passing new laws and allocating more resources as they recognize cybercrime as a threat to national security.
Earlier this month, Microsoft published the 2021 Microsoft Digital Defense Report (MDDR). Drawing upon over 24 trillion daily security signals across the Microsoft cloud, endpoints, and the intelligent edge, the 2021 MDDR expands upon last year’s inaugural report and contains input from more than 8,500 security experts spanning 77 countries—including insights on the evolving state of ransomware, malicious email, malware, and more.
Ransomware goes retail
Ransomware offers a low-investment, high-profit business model that’s irresistible to criminals. What began with single-PC attacks now includes crippling network-wide attacks using multiple extortion methods to target both your data and reputation, all enabled by human intelligence. Through this combination of real-time intelligence and broader criminal tactics, ransomware operators have driven their profits to unprecedented levels.
This human-operated ransomware, also known as “big game ransomware,” involves criminals hunting for large targets that will provide a substantial payday through syndicates and affiliates. Ransomware is becoming a modular system like any other big business, including ransomware as a service (RaaS). With RaaS there isn’t a single individual behind a ransomware attack; rather, there are multiple groups. For example, one threat actor may develop and deploy malware that gives one attacker access to a certain category of victims; whereas, a different actor may merely deploy malware. It’s effectively a crime syndicate where each member is paid for a particular expertise.
Once a criminal actor compromises a network, they may steal confidential information, financial documents, and insurance policies. After analyzing this intelligence, they will demand an “appropriate” ransom to not only unlock their victim’s systems but also to prevent public disclosure of exfiltrated data. This is known as the double extortion model: a victim is extorted for ransom on stolen data and intellectual property (IP), and then again to prevent the attacker from publishing it.
Typically, threat actors will demand payment through cryptocurrency wallets. The underlying blockchain technology enables the owners of crypto wallets to remain pseudonymous. But the criminal actor needs to find a way to cash out, which is where middlemen in the cryptocurrency ecosystem step in to facilitate ransom-related transactions and payments. Both the private sector and government agencies—through civil litigation, prosecution, regulatory enforcement, and international collaboration—can take coordinated action against ransomware intermediaries to disrupt the payment process. Data from Microsoft’s Detection and Response Team (DART) shows that the three sectors most targeted by ransomware were consumer, financial, and manufacturing.
Figure 1: DART ransomware engagements by industry (July 2020 to June 2021).
The best way to be prepared against ransomware is to make it harder for attackers to access systems while making it easier for victims to recover—without paying a ransom. Encouraging organizations to prepare for the worst is actually a proactive strategy, one that’s designed to minimize monetary incentives for attackers. To learn more about defending against ransomware, read the 2021 MDDR. Microsoft also supports the guidance presented in the Ransomware Playbook by the Cyber Readiness Institute.
Figure 2: Three steps for limiting damage from ransomware.
Malicious email: Bait and switch
Reports of phishing attacks doubled in 2020, with credential phishing used in many of the most damaging attacks. The Microsoft Digital Crimes Unit (DCU) has investigated online organized crime networks involved in business email compromise (BEC), finding a broad diversification of how stolen credentials are obtained, verified, and used. Threat actors are increasing their investment in automation and purchasing tools, so they can increase the value of their criminal activities.
Overall, phishing is the most common type of malicious email observed in our threat signals. All industries receive phishing emails, with some verticals more heavily targeted depending on attacker objectives, availability of leaked email addresses, or current events regarding specific sectors and industries. The number of phishing emails we observed in Microsoft Exchange global email flow increased from June 2020 to June 2021, with a pronounced surge in November potentially taking advantage of holiday-themed traffic.
“In 2020, the industry saw a surge of phishing campaigns that has remained steady throughout 2021. Internally at Microsoft, we saw an increase in overall number of phishing emails, a downward trend in emails containing malware, and a rise in voice phishing (or vishing).”—2021 Microsoft Digital Defense Report
Figure 3: Malicious email techniques.
Phishing sites frequently copy well-known, legitimate login pages, such as Microsoft Office 365, to trick users into inputting their credentials. In one recent example, attackers combined open redirector links with bait that impersonates well-known productivity tools and services. Users clicking the link were lead to a series of redirections—including a CAPTCHA verification page that adds a sense of legitimacy—before landing on a fake sign-in page and finally, credential compromise. Those stolen identities can then be weaponized in BEC attacks or via phishing websites. Even after a successful attack, threat actors may re-sell accounts if the credentials remain compromised.
Microsoft Defender SmartScreen detected more than a million unique domains used in web-based phishing attacks in the last year, of which compromised domains represented just over five percent. Those domains typically host phishing attacks on legitimate websites without disrupting any legitimate traffic, so their attack remains hidden as long as possible.
Domains created specifically for attacks tend to be active for shorter periods. Over the last year, Microsoft has seen attacks come in short bursts that begin and end within as little as one to two hours.
Because those minutes matter, Microsoft is again co-sponsoring the annual Terranova Gone Phishing Tournament™, which uses real-world simulations to establish accurate clickthrough statistics. By using a real phishing email template included in Microsoft Defender for Office 365, Attack Simulator provides context-aware simulations and hyper-targeted training to educate employees and measures behavior changes.
Malware: Opportunity knocks
Just as phishing has grown in scale and complexity over the last year, malware too has continued to evolve. Microsoft 365 Defender Threat Intelligence has observed recent innovations that can lead to greater success among attackers. Even with a range of attack goals—ransom, data exfiltration, credential theft, espionage—many malware types rely on time-tested strategies for establishing themselves in a network.
“In every month from August 2020 to January 2021, we registered an average of 140,000 web shell threats on servers, which was almost double the 77,000 monthly average. Throughout 2021 we saw an even bigger increase, with an average of 180,000 encounters per month.”—2021 Microsoft Digital Defense Report
Simple and effective, web shell usage continues to climb among both nation-state groups and criminal organizations, allowing attackers to execute commands and steal data from a web server, or use the server as a launchpad for further attacks. PowerShell, using suspicious flags or encoded values, was the most common behavior Microsoft observed from malware this year.
Also popular is malware that attempts to rename or inject payloads to mimic system processes and collect data from browser caches. Other forms of malware in play were: use of specific reconnaissance strings; processes added to startup folders; Windows Antimalware Scan Interface (AMSI) and registry alterations; and executables dropped from Microsoft Office 365 files accompanied by other alerts. We also observed malware tactics that are more difficult to mitigate, such as:
- Fileless malware and evasive behavior—these include numerous fileless malware techniques employed by botnets, commodity downloaders, and advanced malware campaigns, all designed to make removal and detection more difficult.
- Legitimate service abuse in network communications—Google Drive, Microsoft OneDrive, Adobe Spark, Dropbox, and other sites are still popular for malware delivery, while “content dump” sites such as Pastebin.com, Archive.org, and Stikked.ch are increasingly popular for component download in multi-part and fileless malware.
Every person and organization has the right to expect the technology they use to be secure and delivered by a company they can trust. As part of Microsoft’s differentiated approach to cybersecurity, the DCU represents an international team of technical, legal, and business experts that have been fighting cybercrime to protect victims since 2008. We use our expertise and unique view of online criminal networks to take action. We share insights internally that translate to security product features, we uncover evidence for criminal referrals to law enforcement throughout the world, and we take legal action to disrupt malicious activity.
For a comprehensive look at the state of cybercrime today, including the rise of malicious domains and adversarial machine learning, download the 2021 Microsoft Digital Defense Report. Look for upcoming blog posts providing in-depth information for each themed week of Cybersecurity Awareness Month 2021. Visit our Cybersecurity Awareness Month page for more resources and information on protecting your organization year-round. Do your part. #BeCyberSmart
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
1Cybercriminals Ramp Up Attacks on Healthcare, Again, James Liu, Security Boulevard. 03 June 2021.
2Microsoft Warns of Continued Attacks by the Nobelium Hacking Group, Nathaniel Mott, PCMag. 26 June 2021.
3Attacks on Financial Apps Jump 38% in First Half of 2021, Natasha Chilingerian, Credit Union Times. 23 August 2021.
4One password allowed hackers to disrupt Colonial Pipeline, CEO tells senators, Stephanie Kelly, Jessica Resnick-ault, Reuters. 08 June 2021.