REvil counts for 73% of ransomware detections in Q2, reveals new McAfee Enterprise Threat Report

McAfee Enterprise today released its Advanced Threat Research Report: October 2021, examining cybercriminal activity related to ransomware and cloud threats in the second quarter of 2021. With the shift to a more flexible pandemic workforce and the highly publicised Colonial Pipeline attack, cyber criminals introduced new – and updated – threats and tactics in campaigns targeting prominent sectors, such as Government, Financial Services and Entertainment.

“Ransomware has evolved far beyond its origins, and cybercriminals have become smarter and quicker to pivot their tactics alongside a whole host of new bad-actor schemes, said Raj Samani, McAfee Enterprise fellow and chief scientist. “Names such as REvil, Ryuk, Babuk, and DarkSide have permeated into public consciousness, linked to disruptions of critical services worldwide. And with good measure, since the cybercriminals behind these groups, as well as others, have been successful at extorting millions of dollars for their personal gain.”

Each quarter, McAfee assesses the state of the cyber threat landscape based on in-depth research, investigative analysis, and threat data gathered by the McAfee Global Threat Intelligence cloud from over a billion sensors across multiple threat vectors around the world.

 

Ransomware Increases Dominance with Colonial Pipeline Impact

The second quarter of 2021 was a vibrant quarter for ransomware, earning its place as a high-profile cyber agenda item for the U.S. administration following the Colonial Pipeline attack. The impact of the abrupt halt in the supply chain affected much of eastern U.S., creating a frantic consumer run on fuel. Beyond the supply chain impact, ransomware expelled from the historically safe cybercriminal underground forums. The political response to the Colonial Pipeline attack saw two of the most influential underground forums- XSS and Exploit- announce a ban on ransomware advertisements. It also appeared to cause the DarkSide ransomware group to abruptly halt its operations, though McAfee Enterprise strongly believes its silence, at the same time the BlackMatter group appeared, is more than coincidental, especially as it mirrors the same move made before and after REvil’s period of silence. Despite these notable shifts in behavior, McAfee Enterprise’s global threat network identified a surge in DarkSide attacks from the group upon legal services, wholesale, and manufacturing targets in the United States.

Equally concerning to DarkSide’s activity were other ransomware groups operating similar affiliate models, including Ryuk, REvil, Babuk, and Cuba. They deployed business models supporting others involvement to exploit common entry vectors and similar looks to move within an environment. In fact, REvil/Sodinokibi topped our ransomware detections in Q2 of 2021, accounting for 73% of our top-10 ransomware detections.

 

COVID-19 Impact on Workforce Continues to Increase Cloud Threats

In the second quarter of 2021, we continued to see the challenges of shifting cloud security to accommodate a more flexible pandemic workforce and an increased workload, which presented cybercriminals more potential exploits and targets.

According to McAfee Enterprise Advanced Threat research, in Q2 2021, the following cloud threat incidents and targets ranked high among the top 10 reporting countries (United States, India, Australia, Canada, Brazil, Japan, Mexico, Great Britain, Singapore and Germany):

• Financial Services were targeted the most among reported cloud incidents, followed by Healthcare, Manufacturing, Retail, and Professional Services.

• Financial Services were targeted in 50% of the top 10 cloud incidents, including incidents in the United States, Singapore, China, France, Canada, and Australia.
• Cloud incidents targeting verticals in the United States accounted for 34% of incidents recorded, with a 19% decrease in Great Britain
• The most cloud incidents targeting countries were reported in the United States followed by India, Australia, Canada, and Brazil.
• Cloud incidents targeting the United States accounted for 52% of incidents recorded.

 

Q2 2021 Threat Activity

Ransomware Focus. The most targeted sector by ransomware in Q2 of 2021 was Government, followed by Telecom, Energy, and Media & Communications.

Attack vectors. In Q2 2021, malware was the technique used most often in reported incidents. Spam showed the highest increase of reported incidents – 250% — from Q1 to Q2 2021, followed by Malicious Script with 125% and Malware with 47%.

Sector Activity. McAfee Enterprise tracked a 64% increase in publicly reported cyber incidents targeting the Public sector during the second quarter of 2021, followed by the Entertainment sector with a 60% increase. Notably, Information/Communication had a 50% decrease in Q2 2011, with Manufacturing down 26%.

Regions. These incidents surged in primarily in the Unities States and Europe in Q2 2021. The United States experienced the most reported incidents in the second quarter, and Europe saw the largest increases in reported incidents in Q2 with 52%.

 

Adam Philpott, EMEA President at McAfee Enterprise comments:

“The fact that the government saw a 64% increase in publicly reported cyber incidents specifically targeting the public sector should be a warning that no one is safe from a cyber attack. As cyber criminals adapt their methods to target the most sensitive data and services, the public sector must shore up their defences to mitigate further threats. 

“By deploying a security strategy that blends both Zero Trust and SASE approaches, the public sector can be more confident knowing that they have the necessary barriers in place to protect against sophisticated attacks. This has become particularly important as workers split their time between home and the office, with organisations needing to protect entry and data at every control point. 

“However, the good news is that data shows that attacks across several other sectors, including information and the manufacturing sectors, were down. Organisations shouldn’t get complacent, however, and should use this as an opportunity to figure out what has worked well and how they could tighten up their defences against future attacks. This could include the use of threat intelligence, which helps organisations to predict and prioritise potential threats before pre-emptively adapting their defensive countermeasures, ensuring optimised security and future business resilience.”