2020 Cyber Year in Review
Introduction
Even though it’s only been a few weeks, it already feels like a long time ago that we said goodbye to 2020. It was an unprecedented year in so many ways that the word “unprecedented” was named the people's choice “2020 Word of the Year” by Dictionary.com. Among all of the unusual events of last year, cybercrime didn’t fall short of that characterization. COVID fundamentally changed the way many organizations operate their network infrastructure and communication as employees transitioned to remote work, potentially amplifying vulnerabilities and creating new opportunities for cyber-enabled fraud. Ransomware hit new highs, and although we won’t know until the FBI IC3’s annual report is published, it is highly likely that business email compromise fraud set a new record in 2020. We once again experienced an alleged nation-state attack that may have impacted thousands of companies. However, there were also some positive developments, as we did not see any of the giant data breaches that have occurred every year for many years. Let’s take a closer look at some of the cyber trends of 2020.
Spike in Ransomware Attacks
Ransomware was once again the big cyber headline in 2020. A shift to targeted attacks and more sophisticated ransomware delivery methods, causing greater impact to victim organizations, enabled cybercriminals to demand significantly higher ransoms. The average ransom payment increased more than fivefold, from $41,198 in Q3 2019 to $233,817 in Q3 2020, with ransoms frequently reaching millions of dollars (1). Criminals turned to new tactics to force victims to pay the ransom: destroying or encrypting available backups, or stealing sensitive data before infecting organizations with ransomware and threatening to disclose the data.
As in 2019, Remote Desktop Protocol (RDP) was the preferred ransomware attack vector, and not by coincidence (1). RDP credentials and access continue to be available for sale at very competitive rates on the dark web, and many organizations make themselves easily identifiable targets by leaving RDP exposed to the Internet. At the same time, RDP is a very effective tool for ransomware delivery because it often provides unrestricted access to enterprise network resources. Phishing continued to be the second most common method of attack, with a number of VPN-related vulnerabilities coming in third place (1).
While there’s no requirement to report ransomware attacks and most attacks likely go unreported, some trends can be derived from those attacks that did make it into the public domain. Data from BitSight based on publicly disclosed attacks shows that education (23%), healthcare (22%) and government (10%) were the sectors most frequently impacted by ransomware attacks in 2020. The sector-specific impact is further supported by BitSight’s tracking of ransomware attacks based on detected communication between organizations and ransomware command and control servers, a strong indication of a successful infection. Another trend displayed in BitSight’s 2020 analysis was a spike in ransomware attacks, on top of the already elevated attack activity, starting in September and continuing through to the end of the year. The last four months of the year on average saw 60% more ransomware attacks than the first eight months.
COVID – Did it Impact Cyber Risk?
One of the most frequently debated cybersecurity topics of 2020 was whether the pandemic had an impact on cyber risk due to organizations’ rapid transition to remote work as countries were forced to put lockdown measures in place to limit the spread of coronavirus. Given the general challenges of cyber attribution, it is very difficult, and often impossible, to determine whether a particular attack was successful because of the pandemic disruption, and an increase in overall attacks may have simply been part of the trend we’ve observed for the past several years. When it comes to ransomware, for example, the attack vectors most commonly used to infect organizations were largely the same before, during and after the lockdown went into effect. However, one indication of elevated risk due to the pandemic was the number of internet-exposed instances of RDP, which increased about 40% in the month of March as many countries went into lockdown (2). It is also possible that attacks during full or partial lockdown measures made it harder for organizations to recover in the way they otherwise would have been able to.
Jumbo Data Breaches Skipped 2020
One of the surprising developments of last year was the absence of the jumbo data breaches that have become an annual fixture of cyber risk. On average, three to four of these have occurred each year for the past decade, with the common characteristics that they involve unauthorized disclosure of tens or hundreds of millions of consumers’ personal information and result in financial injury in excess of a hundred million dollars to the impacted organization. The lack of jumbo data breaches wasn’t the only change; in fact, there was a significant drop in the severity of data breaches altogether. BitSight’s tracking of data breaches shows that the number of breaches involving more than 100,000 consumer data records dropped by more than 60% in 2020 compared to 2019. This is likely explained by the transition to ransomware attacks and business email compromise fraud as the preferred methods for threat actors to monetize their cybercrime activities. On average, it requires less effort or skill to inject ransomware into an organization’s network and collect a ransom than to exfiltrate large volumes of sensitive data from the organization and sell it on the dark web. The return on effort is simply much greater with ransomware attacks than with data breaches.
SolarWinds Supply Chain Attack
To round out 2020, cybercriminals allegedly operating on behalf of a nation state carried out a sophisticated supply chain attack against network management software provider SolarWinds, delivering malware hidden in a software update to as many as 18,000 of its customers. While the attack started as early as September 2019, it wasn’t discovered until cybersecurity company FireEye, a customer of SolarWinds, detected the malware in its network in December last year. The attack appears to have been espionage-motivated and mainly targeted US government agencies, which in itself is unnerving, but further revelations in the aftermath of the attack have raised concerns about whether the same malware could be repurposed for supply chain attacks against other major software providers (3). NotPetya, another supply chain attack carried out in 2017 that similarly used software updates as its distribution mechanism, reminds us how bad the SolarWinds hack could have been had the perpetrators’ motive been one of destruction.
Expectations for 2021
With all of these developments, what can we expect in 2021? Many countries are undergoing a second or third round of lockdowns due to the pandemic, and the remote work situation appears on track to continue at least through the first half of this year. It is fair to assume that any disruption to cybersecurity practices as a result of the transition has now largely been overcome, but organizations must continue to stay vigilant and reduce their remote access exposure. Ransomware shows no sign of slowing after the spike in Q4, and there continues to be plenty of RDP access and other vulnerabilities available to be exploited. Cybercriminals are generating record profits from ransomware attacks, which is a strong indication that current activity levels will persist and that their focus will remain on those attacks rather than reverting to large-scale data breaches. The SolarWinds hack will no doubt continue to unfold for several months to come, and in the process we will learn whether the impact goes beyond the organizations and government agencies already revealed, including, perhaps, whether the perpetrators got access to US government cyber tools.
BitSight contributed data insights to this article. BitSight transforms how organizations manage cyber risk. The BitSight Security Ratings Platform applies sophisticated algorithms, producing daily security ratings that range from 250 to 900, to help organizations manage their own security performance; mitigate third party risk; underwrite cyber insurance policies; conduct financial diligence; and assess aggregate risk. With over 2,100 global customers and the largest ecosystem of users and information, BitSight is the Standard in Security Ratings. For more information, please visit www.bitsight.com, read our blog or follow @BitSight on Twitter.
1) https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
3) https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds-supply-chain-attack/
Cybersecurity Executive & Senior Corporate Strategist / Board Member/ The Cyber Guild Founder
4y: Great article and summary of 2020. As we live 2021, more needs to be done to be cyber risk ready and proactive for the small and medium enterprises and the insurance sector.
Student at CJHNetwork (Cyber Security)
4y: ??
Founding Partner at Pierson Ferdinand (Cyber / Privacy Law & Tech / Commercial Litigation)
4y: Well done Jacob