Cybercrime Report. PHOTO: Secureworks.

Ransomware Is the Number One Cybercrime In 2021

Less attention-grabbing threats also pose major risk

Jane Adams

Edinburgh, Scotland – Nov. 4, 2021

For organizations trying to make sense of the cyber threat landscape, some public reporting can be both a blessing and a curse. Much of it provides valuable information for certain audiences but trying to filter what is most relevant to the individual organization can be a challenge.

For example, research carried out by the Economist Intelligence Unit (EIU) and the Cybersecurity Tech Accord in February 2021 showed that a majority of businesses perceive state-sponsored cyberattacks as a major threat. Headlines over the past year have rightly highlighted attacks carried out by Russian and Chinese state-sponsored advanced persistent threat groups. Businesses could be forgiven for being alarmed. Yet, what makes compelling headlines doesn’t always align with what organizations really need to prioritize.

The reality, for the vast majority of businesses, is that cybercrime attacks by criminal threat actors are far greater threats.

That finding is reflected in Secureworks ®’ ‘2021 State of the Threat’ annual report, which was based on the over 1,400 incident response engagements carried out by Secureworks’ incident responders, on trillions of log events from customer telemetry, and on the research conducted by its 85-strong Counter Threat Unit research team. Secureworks’ top finding, unsurprisingly, was that ransomware remained the number one threat for most organizations.

In fairness, ransomware has grabbed its share of the headlines over the past year too. That is largely due to the way that the ransomware-as-a-service model is enabling more criminals to join these operations as ‘affiliates’ and launch bigger and bolder attacks at an unprecedented rate.



Secureworks found that the volume of ransomware incidents, the number of ransomware groups, and the average value of the ransom demanded all rose compared to the previous year. Importantly, ransomware remained a crime of opportunity. Any organization that is perceived to have money is a target. Nearly all ransomware attacks during 2020-2021 arose because of gaps in security controls.

Ransomware operators continued to innovate, first with the move to name-and-shame attacks, then with the move to additional extortion factors like DDoS attacks and placing pressure on the clients and associates of the victim. Groups, including Babuk, HelloKitty, 777, and REvil also diversified into ransomware for Linux-based ransomware versions too. Linux ransomware often targets VMware ESXi servers, a hypervisor for deploying and hosting virtual machines. This is yet more evidence of the threat actors devoting resources to improve their effectiveness against enterprise targets.

The report also covers other, less attention-grabbing types of cybercriminality that continued to thrive over the past year and posed just as great a threat as ransomware. Business email compromise (BEC) remained a significant problem for all organizations, as did cryptojacking, and significant levels of credential harvesting.

Another flourishing element of cybercriminality, covered in the report, was the loader landscape. Whether the ultimate payload is ransomware or cryptominers, loader malware and botnets have always played a significant part in delivery. The report looks at how law enforcement activity over the past year impacted loaders and botnets, and the extent to which it made a difference to malware delivery. For some botnet operators, the only major impact was the need to move their infrastructure into more friendly jurisdictions. Mobile botnets thrived too, almost exclusively targeting Android devices.

While BEC may not pose quite the same risk of crippling its victims that ransomware does, it remains highly lucrative for threat actors. A BEC attack only requires access to email inboxes. With cloud-based email services, that often meant just a username and password, with no requirement to deploy malware or any other tools. Multi-factor authentication on email accounts was therefore an essential protection, as was something as simple as monitoring for changes on mail forwarding rules.

The targeting by BEC threat actors of single factor Microsoft 365 accounts over the past year in particular formed part of another significant trend detected by Secureworks. As more organizations move to cloud services or hybrid operating models, understanding the role of security controls in authentication, and protecting against credential abuse will remain a crucial way of protecting against both cybercriminal and state-sponsored threat activity.

Indeed, the report covers many techniques common to both cybercriminals and state-sponsored threat actors. So, while cybercrime should undoubtedly be the bigger priority for most organizations, compared to state-sponsored activity, protecting against many types of threat actor technique pays double dividends.

Another such example, also featured in the report, is the use of widely available offensive security tools (OSTs) in network intrusions. These tools are easy to use, carry no development cost, and are hard to attribute, making them an attractive proposition. Cobalt Strike, by far the most popular OST tool used by threat actors, featured in 19 percent of network intrusions investigated by Secureworks incident responders in the past year. Its unexpected presence on a network can therefore provide a sign of threat actor activity.  

A further example lies in how 2021 saw a significant increase in the use of zero-day exploits by threat actors, according to figures from Google Project Zero. The overall number of vulnerabilities detected grew too. The report shows how threat actors used the scan-and-exploit approach to find unpatched vulnerabilities, both new and old, to take advantage of. This finding reinforces the importance of regular and timely patching in deterring threat actors of all types.

Patching is just one of the security fundamentals that the report recommends. Other aspects of good security practice include the use of strong authentication, such as multi-factor authentication, and implementing the principle of least privilege, as well as thorough monitoring and detection of endpoints and network assets.

Of course, the report in no way downplays the threat posed by state-sponsored threat actors from Russia, China, Iran, and North Korea. But while state-sponsored threat actors pose significant problems for a subset of organizations, especially those in areas of critical infrastructure and other sectors of strategic importance, cybercrime is a major threat to all organizations.

2021 State of the Threat gives organizations the Secureworks view of the most significant developments in the threat landscape over the past year and helps them focus on and protect themselves against the threats most relevant to them. Download it from the Secureworks website.

Jane Adams is Consultant, Information Security Research at Secureworks


About Secureworks

Secureworks is 100 percent focused on cybersecurity. In fact, it’s all we do. For nearly two decades, we’ve committed to fighting the adversaries in all their forms and ensuring that organizations like yours are protected.

Secureworks® Taegis™, a cloud-native security analytics platform built on 20+ years of real-world threat intelligence and research, improves your ability to detect advanced threats, streamline and collaborate on investigations, and automate the right actions.



Send this to a friend