McAfee Labs Threat Report 06⋅21

Writing & Research

  • Christiaan Beek
  • Mo Cashman
  • John Fokker
  • Melissa Gaffney
  • Steve Grobman
  • Tim Hux
  • Niamh Minihane
  • Lee Munson
  • Chris Palm
  • Tim Polzer
  • Thomas Roccia
  • Raj Samani
  • Craig Schmugar

What a 2021 we have had thus far. In this report we introduce additional context into the biggest stories dominating the year thus far and we can look no further than recent ransomware attacks. While the topic itself is not new, there is no question that the threat is now truly mainstream.

This Threats Report provides a deep dive into ransomware, in particular DarkSide, which has resulted in an agenda item in talks between U.S. President Biden and Russian President Putin. While we have no intention of detailing the political landscape, we certainly do have to acknowledge that this is a threat disrupting our critical services. Furthermore, adversaries are supported within an environment that makes digital investigations challenging, with legal barriers that make the gathering of digital evidence almost impossible from certain geographies.

That being said, we can assure the reader that all of the recent campaigns are incorporated into our products, and of course can be tracked within our MVISION Insights preview dashboard.

This dashboard shows that—beyond the headlines—many more countries have experienced such attacks. What it will not show is that victims are paying the ransoms, and criminals are introducing more Ransomware-as-a-Service (RaaS) schemes as a result. With the five-year anniversary of the launch of the No More Ransom initiative now upon us, it’s fair to say that we need more global initiatives to help combat this threat.

We hope you enjoy this Threats Report, please stay safe.

—Raj Samani
McAfee Fellow, Chief Scientist

Twitter @Raj_Samani

#Ransomware: From Babuk to DarkSide and Beyond

While the DarkSide Ransomware-as-a-Service (RaaS) attack on Colonial Pipeline held recent headlines hostage in Q2 2021, the ransomware activity story actually went deeper in the first quarter of the year.

Babuk, Conti, Ryuk, and REvil preceded DarkSide in establishing 2021 ransomware trends.

We observed that “smaller” ransomware campaigns decreased in Q1 while Ransomware-as-a-Service campaigns targeted and breached larger organizations and companies. The number of Q1 samples dropped as more attackers shifted from mass-spread campaigns toward fewer, but more lucrative, targets. Most of these larger, targeted victims received a custom-created variant of the ransomware family, distributed at low volume.

Here’s a breakdown of McAfee Labs Ransomware research and findings from Q1 of 2021:

DAILY, WEEKLY, MONTHLY RANSOMWARE

Figure 01. A snapshot of ransomware detected among McAfee clients in Q1 2021 includes a daily high of 5,634 detections on March 25 and an average of 2,417 detections per day during the last week of March. The most ransomware detections in Q1 2021 (18,833) were recorded in the week of 3/21-3/27. According to the monthly chart, the greatest number of Q1 ransomware detections were recorded in March.

Top Ransomware Families and Techniques

Figure 02. Ransomware-related malware families detected in Q1 2021 reveal the prevalence of REvil, RansomEXX, and Ryuk prior to DarkSide’s headline-grabbing hack of Colonial Pipeline’s systems in May of Q2.

Unique Ransomware Families

Figure 03. The number of unique ransomware families decreased from 19 in January 2021 to 9 in March 2021, following the Q1 trend of fewer campaigns targeting larger organizations and businesses with potentially more lucrative ransoms.

Ransomware Coverage and Protection

When it comes to the actual ransomware binary, we strongly advise updating and upgrading your endpoint protection, as well as enabling options like tamper protection and rollback. Please read our blog on how to best configure ENS 10.7 to protect against ransomware for more details.

McAfee is a proud partner of the Ransomware Task Force, which released details on how ransomware attacks are occurring and the countermeasures that should be taken. As many of us have stated in published research and presentations, it is time to act.

#McAfee Global Threat Intelligence (GTI)

Based on activity from millions of sensors worldwide and an extensive research team, McAfee Labs publishes timely, relevant threat activity via McAfee Global Threat Intelligence (GTI). This always-on, cloud-based threat intelligence service enables accurate protection against known and fast-emerging threats by providing threat determination and contextual reputation metrics. McAfee GTI integrates directly with our security products, protecting against emerging threats to reduce operational effort and the time between detection and containment.

Here are notable statistics from Q1 2021.

File by Country Charts

Figure 04. In Q1 2021, the United States had the highest query volume, 775 billion queries, with a low detection rate of 0.31%. Of the 55 billion GTI queries in Russia, malware was detected 13.38% of the time, giving Russian customers the highest malware detection rate among the top 20 countries. Turkey had the biggest change from the previous quarter, with its detection rate falling from 9.76% to 4.8% on a query volume of 19 billion. Japan had the lowest detection rate of the top 20 countries, 0.14%, together with a high query volume of 165 billion. China had a detection rate of 1.26% and the second-highest query volume, 199 billion.

Queries and Detections

Figure 05. In Q1 2021, the daily average of file detections was 252 million (0.99% detection rate), up from 243 million (1.03%) in Q4 2020. In Q1, the daily average of URL detections was 26 million (0.15% detection rate), down from 35 million (0.21%) in Q4. The daily average of IP detections in Q1 was 79 million (0.43% detection rate), up from 63 million (0.34%) in Q4.

#Threats to Sectors and Vectors

The volume of malware threats observed by McAfee Labs averaged 688 threats per minute, an increase of 40 threats per minute (3%) in the first quarter of 2021.

Notable sector increases and decreases from Q4 2020 to Q1 2021 include:

Publicly Disclosed Security Incidents

#Malware Threats Statistics

The first quarter of 2021 saw notable increases in several threat categories:

The first quarter of 2021 also was notable for decreases in several threat categories:

New Malware Threats

Figure 10. While unique ransomware detected in Q1 2021 decreased 50% compared to Q4 2020 detections—in part following a drop in Cryptodefense—ransomware remained one of the most serious threats against larger organizations and businesses in Q1 and Q2 2021.

#TOP MITRE ATT&CK TECHNIQUES APT/CRIME

Table 01. Notes from the Top MITRE ATT&CK Techniques APT/Crime from Q1 2021: Spear Phishing moved back into the top 5 used techniques. It was closely followed by Exploiting Public-facing Application, which remained in the top 3 Initial Access techniques due to the release of major Microsoft Exchange vulnerabilities and the thousands of affected organizations worldwide. Command-line and scripting interpreter usage, such as Windows Command Shell and PowerShell, were the techniques most frequently used by adversaries to execute their payloads. Command-line scripts are often incorporated into pentesting frameworks such as Cobalt Strike for additional ease of execution. An adversary may rely upon specific actions by a user to gain execution of a malicious binary; this technique is often linked to the Initial Access technique (Spear) Phishing. Process injection remains one of the top Privilege Escalation techniques. Common open-source pentest tools such as LaZagne and Grabff, and most RAT tools, have the ability to extract credentials from web browsers; the usage of LaZagne and Grabff was observed in various ransomware attacks in Q1 2021. Tools such as MEGAsync and Rclone are commonly used by adversaries to exfiltrate sensitive data from a victim’s network to cloud storage. Both tools were utilized by multiple ransomware groups, including REvil, Conti, and DarkSide. The Data Encrypted for Impact technique can almost solely be attributed to ransomware, one of the top cyber threats of Q1 2021.

| Tactic | Techniques (Top 5 per Tactic) | Comments |
|---|---|---|
| Initial Access | Spearphishing Link | Spear Phishing (Link and Attachment) moved back into the top 5 used techniques, closely followed by Exploiting Public-facing Application. Exploiting Public-facing Application remained in the top 3 Initial Access techniques due to the major Microsoft Exchange vulnerabilities released this quarter, which affected thousands of organizations worldwide. |
| | Spearphishing Attachment | |
| | Exploit Public-facing Application | |
| | Phishing | |
| Execution | Windows Command Shell | Command-line and scripting interpreter usage, such as Windows Command Shell and PowerShell, were the techniques most used by adversaries to execute their payloads. Command-line scripts are often incorporated into pentesting frameworks like Cobalt Strike for additional ease of execution. |
| | Malicious File | |
| | PowerShell | |
| | User Execution | An adversary may rely upon specific actions by a user in order to gain execution of a malicious binary. This technique is often linked to the Initial Access technique (Spear) Phishing. |
| | Visual Basic | |
| Persistence | Windows Service | |
| | Registry Run Keys / Startup Folder | |
| | Scheduled Task | |
| | Web Shell | |
| | DLL Side-Loading | |
| Privilege Escalation | Windows Service | |
| | Process Injection | Process injection remains one of the top Privilege Escalation techniques. |
| | Registry Run Keys / Startup Folder | |
| | Scheduled Task | |
| | Process Hollowing | |
| Defense Evasion | Deobfuscate/Decode Files or Information | |
| | Obfuscated Files or Information | |
| | Software Packing | |
| | Process Injection | |
| | File Deletion | |
| | Modify Registry | |
| Credential Access | Keylogging | |
| | Credentials from Web Browsers | Common open-source pentest tools like LaZagne and Grabff, and most RAT tools, have the ability to extract credentials from web browsers. The usage of LaZagne and Grabff was observed in various ransomware attacks in Q1 2021. |
| | Brute Force | |
| | OS Credential Dumping | |
| | Credentials from Password Stores | |
| Discovery | System Information Discovery | |
| | File and Directory Discovery | |
| | Process Discovery | |
| | System Network Configuration Discovery | |
| | System Owner/User Discovery | |
| Lateral Movement | Remote File Copy | |
| | Remote Desktop Protocol | |
| | SMB/Windows Admin Shares | |
| | Exploitation of Remote Services | |
| | SSH | |
| Collection | Data from Local System | |
| | Screen Capture | |
| | Keylogging | |
| | Archive Collected Data | |
| | Clipboard Data | |
| Command and Control | Web Protocols | |
| | Ingress Tool Transfer | |
| | Standard Encoding | |
| | Symmetric Cryptography | |
| | Application Layer Protocol | |
| Exfiltration | Exfiltration Over Command and Control Channel | |
| | Exfiltration Over Alternative Protocol | |
| | Automated Exfiltration | |
| | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | |
| | Exfiltration to Cloud Storage | Tools like MEGAsync and Rclone are commonly used by adversaries to exfiltrate sensitive data from a victim’s network to cloud storage. Both tools were utilized by multiple ransomware groups, including REvil, Conti, and DarkSide. |
| Impact | Data Encrypted for Impact | |
| | Resource Hijacking Service | |
| | System Shutdown/Reboot | |
| | Direct Network Flood | |
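The table notes above describe a chain that a defender can look for in endpoint telemetry: an Office document spawning a shell or PowerShell (User Execution linked to phishing), encoded PowerShell, a scheduled task for persistence, LaZagne or Grabff harvesting browser credentials, and Rclone or MEGAsync copying data to cloud storage before the Data Encrypted for Impact stage. The following Python script is an added example, not code from the report or from any McAfee product; it applies a handful of hypothetical process-creation rules, each labelled with the tactic and technique from the table, to constructed sample log lines and then lists hosts on which several tactics appear together. The key=value log layout, the sample events, the rule set and the helper names are all assumptions made for this illustration.

```python
import re

# Constructed sample process-creation events (an assumption of this example,
# not data from the report). One event per line: ISO timestamp, then key=value
# fields; real telemetry (e.g. Sysmon process-creation events) carries the
# same fields under its own names.
SAMPLE_EVENTS = [
    '2021-03-25T10:14:02Z host=WS01 user=alice parent=WINWORD.EXE image=powershell.exe '
    'cmdline="powershell.exe -nop -w hidden -enc QUFBQQ=="',
    '2021-03-25T10:16:40Z host=WS01 user=alice parent=powershell.exe image=schtasks.exe '
    'cmdline="schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\u.exe"',
    '2021-03-25T11:02:11Z host=WS01 user=alice parent=cmd.exe image=lazagne.exe '
    'cmdline="lazagne.exe"',
    '2021-03-26T02:30:05Z host=FS02 user=svc_backup parent=cmd.exe image=rclone.exe '
    'cmdline="rclone.exe copy D:\\Finance remote:share --transfers 8"',
    '2021-03-26T08:00:00Z host=WS07 user=bob parent=explorer.exe image=notepad.exe '
    'cmdline="notepad.exe C:\\Users\\bob\\notes.txt"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for key, value in FIELD_RE.findall(rest):
        event[key] = value[1:-1] if value.startswith('"') else value
    return event

# Tactic order as listed in the report's table; used to rank findings per host.
TACTIC_ORDER = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
                "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
                "Collection", "Command and Control", "Exfiltration", "Impact"]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Each hypothetical rule returns (tactic, technique) from the table, or None.
def rule_user_execution(ev):
    # Office application spawning a shell or script host: the User Execution /
    # phishing link the table comments describe.
    if ev.get("parent", "").lower() in OFFICE_PARENTS and ev.get("image", "").lower() in SCRIPT_HOSTS:
        return "Execution", "User Execution: Malicious File"

def rule_powershell(ev):
    # Encoded or hidden-window PowerShell: the interpreter usage the table ranks first.
    if ev.get("image", "").lower() == "powershell.exe" and re.search(
            r"\s-(?:enc|encodedcommand|w\s+hidden)\b", ev.get("cmdline", ""), re.I):
        return "Execution", "PowerShell"

def rule_scheduled_task(ev):
    if ev.get("image", "").lower() == "schtasks.exe" and "/create" in ev.get("cmdline", "").lower():
        return "Persistence", "Scheduled Task"

def rule_browser_credentials(ev):
    # Tools the table names under Credentials from Web Browsers.
    if re.search(r"lazagne|grabff", ev.get("image", ""), re.I):
        return "Credential Access", "Credentials from Web Browsers"

def rule_cloud_exfil(ev):
    # Sync/copy clients the table names under Exfiltration to Cloud Storage.
    if ev.get("image", "").lower() in {"rclone.exe", "megasync.exe"}:
        return "Exfiltration", "Exfiltration to Cloud Storage"

RULES = [rule_user_execution, rule_powershell, rule_scheduled_task,
         rule_browser_credentials, rule_cloud_exfil]

def triage(lines):
    """Apply every rule to every event; return findings ranked by host, tactic order, then time."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                tactic, technique = hit
                findings.append({"ts": ev["ts"], "host": ev.get("host", "?"),
                                 "user": ev.get("user", "?"), "image": ev.get("image", "?"),
                                 "tactic": tactic, "technique": technique})
    findings.sort(key=lambda f: (f["host"], TACTIC_ORDER.index(f["tactic"]), f["ts"]))
    return findings

def hosts_spanning_tactics(findings, minimum=2):
    """Hosts on which at least `minimum` distinct tactics were seen, with the tactics in
    table order: one host progressing from execution to exfiltration is the pattern that
    precedes the Data Encrypted for Impact stage."""
    per_host = {}
    for f in findings:
        tactics = per_host.setdefault(f["host"], [])
        if f["tactic"] not in tactics:
            tactics.append(f["tactic"])
    return {host: tactics for host, tactics in per_host.items() if len(tactics) >= minimum}

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['ts']} {f['host']:5} {f['tactic']:18} {f['technique']}  ({f['image']})")
    print("hosts spanning multiple tactics:", hosts_spanning_tactics(results))
```

On the constructed input, WS01 accumulates Execution, Persistence and Credential Access findings within an hour while FS02 shows only the Rclone copy; correlating by host rather than alerting on each rule in isolation is what separates the chain the table describes from one-off noise, and it is the point at which the rollback and tamper-protection options mentioned earlier in the report should already be in place.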