Ransomware groups are mushrooming, hacking tools have become increasingly difficult to spot and human experience remains essential for cybersecurity. That’s what Sophos concludes in a new study.

Sophos supplies security software and services. The internal Sophos Rapid Response team jumps in when customers are under attack. While tackling an incident, the team gathers data on attack methods and tactics. John Shier, Senior Security Advisor at Sophos, wrote a report based on the data of 144 incidents from the past year. The report (Active Adversary Playbook 2022) provides insight into the modus operandi of cybercriminals.

Before we delve into the report, it’s important to understand how the Sophos Rapid Response team operates. The team only intervenes after an organization becomes aware of an attack. This means that the team does not come into contact with cyberattacks that go under the radar, which are quite a few. Cybercriminals rarely benefit from making themselves known. Cryptominers, trojans and data exfiltration are more effective when an organization is unaware of the infection. These attacks rarely end up on the desk of the Sophos Rapid Response team, and therefore rarely make the report.

Ransomware is an exception to the rule. An attacker needs to reveal himself to extort an organization. That explains why the Sophos Rapid Response team encountered ransomware most often. This type of attack accounted for 73 percent of all incidents. Only 2 percent involved cryptomining, in which a cybercriminal hijacks the computing capacity of systems. Droppers and data exfiltration occurred in 1 percent of all cases. Droppers are applications for deploying trojans, a stepping stone of sorts. Data exfiltration means transferring data out of the organization, which amounts to theft.

Security is changing

The stats differ from the previous report. In 2020, the team observed banking trojans (1 percent) and wipers (1 percent), which weren’t spotted in 2021. This does not mean that these attack types no longer exist. In 2021, the Sophos Rapid Response team described 23 percent of all incidents as ‘other intrusions’. In these cases, the attack type was unknown. Banking trojans and wipers likely fall into that category. Malware is regularly disguised and updated, and new variants don’t always fit into a known category.

The frequency of ransomware was roughly the same in 2020 and 2021. The activity of ransomware groups changed dramatically. In 2021, 26 percent of all ransomware attacks were carried out by an unknown group. In 2020, only 9 percent of the culprits were unknown. In addition, most known groups disappeared from the radar. REvil and Conti were the only two groups to make the top 15 in both 2020 and 2021. This means that the landscape is changing rapidly. A new group can become a frontrunner in one year — and disappear from the map two months later.

Almost half of all attacks (47 percent) were made possible by unpatched software. 8 percent were enabled by phishing; 6 percent stemmed from leaked login data.

Human work

Finally, attackers increasingly used a mix of legitimate and suspicious software tools. PowerShell (74 percent), PsExec (50 percent), AnyDesk (22 percent) and ADFind (15 percent) were popular. Sophos stresses that incident response is human work. “The difference between benign and malicious is not always easy to spot”, shared Shier. “Technology in any environment, whether cyber or physical, can do a great deal but it is not enough by itself. Human experience and skill and the ability to respond are a vital part of any security solution.”
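As an added illustration (not from the Sophos report or this article), the following Python script triages constructed process-creation events for the four dual-use tools named above and escalates a host only when several of them run within a short window, since any one of them on its own is often routine administration. The log format, host names and executable paths are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Dual-use tools named in the report, keyed by executable name (an assumption;
# psexesvc.exe is the service-side component PsExec installs on the target).
DUAL_USE = {
    "powershell.exe": "PowerShell",
    "psexec.exe": "PsExec",
    "psexesvc.exe": "PsExec",
    "anydesk.exe": "AnyDesk",
    "adfind.exe": "ADFind",
}

def parse_event(line):
    """Parse a constructed 'timestamp|host|user|image' line into a dict."""
    ts, host, user, image = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "image": image.lower()}

def triage(lines, window=timedelta(minutes=30), threshold=2):
    """Return {host: sorted tool names} for every host on which at least
    `threshold` distinct dual-use tools ran within `window` of each other."""
    per_host = defaultdict(list)
    for ev in map(parse_event, lines):
        tool = DUAL_USE.get(ev["image"].rsplit("\\", 1)[-1])
        if tool:
            per_host[ev["host"]].append((ev["ts"], tool))
    flagged = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            tools = {t for ts, t in events[i:] if ts - start <= window}
            if len(tools) >= threshold:
                flagged[host] = sorted(tools)
                break
    return flagged

# Constructed sample events: one admin's routine PowerShell use, an unrelated
# AnyDesk install a day later, and a server where three tools appear together.
SAMPLE = [
    r"2022-03-01T09:02:11|WS-ACCT-07|alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"2022-03-01T10:00:00|WS-HR-03|bob|C:\Windows\notepad.exe",
    r"2022-03-01T22:14:05|SRV-FILE-02|svc_backup|C:\Windows\PSEXESVC.exe",
    r"2022-03-01T22:15:40|SRV-FILE-02|svc_backup|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"2022-03-01T22:21:09|SRV-FILE-02|svc_backup|C:\Users\svc_backup\AppData\Local\Temp\adfind.exe",
    r"2022-03-02T08:30:00|WS-ACCT-07|alice|C:\Program Files\AnyDesk\AnyDesk.exe",
]

if __name__ == "__main__":
    for host, tools in triage(SAMPLE).items():
        print(f"{host}: {', '.join(tools)} within 30 minutes -> escalate")
```

Tune `window` and `threshold` to the environment; the workstation in the sample is left alone because its two tools are a day apart, while the server is escalated because PsExec, PowerShell and ADFind appear within minutes of each other.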
