Ransomware Attacks Exploded in Number and Scale in 2021, Per Cyber Firm

A new Crowdstrike report describes a dramatic increase in activity from both criminal and smaller nation-state groups.

Among a ballooning set of global ransomware perpetrators are WOLF, associated with Turkey, and OCELOT, associated with Colombia, according to an annual report out today from the cybersecurity firm Crowdstrike. Opportunistic actors everywhere are getting in on the action.

The report, which also provides updates on “the big four” nation-state adversaries—Russia, China, Iran and North Korea—puts numbers on an alarming cybersecurity landscape taking shape over the last year, particularly regarding ransomware. 

Our “intelligence observed an 82% increase in ransomware-related data leaks in 2021, with 2,686 attacks as of December 31, 2021, compared to 1,474 in 2020,” according to a press release of the report. “Observed ransomware-related demands averaged $6.1 million per ransom, up 36% from 2020.”

Crowdstrike has resonated deeply with key government officials coming out of 2021. Its work has been important and impactful, even rivaling that of Mandiant, a senior General Services Administration official told Nextgov, referring to the cybersecurity firm that made huge waves disclosing the “SolarWinds hack,” which still promises to shake up cybersecurity policy.

The massive hack, which U.S. government officials have described as an espionage campaign conducted by Russia’s foreign intelligence agency, is referred to as “SolarWinds” because it penetrated the IT management firm’s software delivery mechanism to distribute malware to thousands of high-profile entities across the globe. But the adversary also exploited Microsoft’s Active Directory Federation Service to move laterally across networks in the cloud. Crowdstrike, which competes with Microsoft on cybersecurity services, has keenly pointed this out, including through congressional testimony.  

“Russia-nexus adversary COZY BEAR expands its targeting of IT to cloud service providers in order to exploit trusted relationships and gain access to additional targets through lateral movement,” the report reads. “Additionally, FANCY BEAR increases the use of credential-harvesting tactics, including both large-scale scanning techniques and victim-tailored phishing websites.”

Crowdstrike’s report highlighted the heightened vulnerability associated with the cloud in the current threat landscape. That observation tracks with a recent CISA review of the ransomware scourge and observations the agency made about credential harvesting following the SolarWinds hacking campaign.

“Adversaries are increasingly exploiting stolen user credentials and identity to bypass legacy security solutions—of all detections indexed in the fourth quarter of 2021, 62% were malware-free,” according to the report.