2021 Cyber Year in Review
2021 marked another year of rising cybercrime activity and in many ways it was a continuation of what we experienced in 2020, but seemingly worse. Last year showed us that just when organizations thought they were starting to get a handle on cyber threats with added protection measures, new widespread vulnerabilities were discovered, leaving many organizations scrambling and having to rethink their approach. Sound familiar? As with the pandemic, cyber threats keep throwing us for a loop and underscoring the many parallels between the two.
Ransomware spiked in the second half of 2020 and by all indications the same level of attacks carried on throughout 2021 although with slightly different underlying metrics and several high-profile attacks. Collaboration among threat actors continued to evolve into a more sophisticated ransomware ecosystem with initial access brokers (IABs) and ransomware-as-a-service (RaaS) groups fueling more targeted attacks.
In addition to the ongoing nuisance of targeted ransomware attacks and a record number of data breaches, it was a busy year for systemic vulnerabilities and systemic events. Many organizations started off the year responding to the December 2020 Solarwinds attack, but that was quickly overshadowed by zero-day vulnerabilities in Accellion’s File Transfer Appliance and Microsoft’s Exchange Server, followed by a coordinated ransomware attack on users of Kaseya’s VSA remote monitoring and management platform. The zero-day flaw in Log4j, described by some as potentially the most serious vulnerability in the past decade, rounded out the 2021 year.
Although this can all make the cyber outlook seem quite bleak, there were also many positive developments. Organizations continue to improve their cyber resilience and several recent government actions will likely make a dent in the ransomware activity. Cyber insurers have been forced to make significant adjustments to ensure the long-term sustainability of the market and some of those actions are helping to improve private sector protection.
Ransomware Solidified its Position as the Number One Cyber Threat
Although there is no universal reporting of ransomware attacks and associated losses, there were clear signs that ransomware continued to be the number one driver of cybercrime losses in 2021.
Average ransom payments appear to have flattened in the past 12 months after a steep increase in the prior two years. According to Coveware, the average ransom payment was $165,000 for the first three quarters of the year compared to $174,000 for the same period in 2020 (4). The likely reason for that trend is the improved ability of many victim organizations to recover from a backup, but a return to less impactful attacks delivered by phishing may also be a factor. It’s worth noting that even when organizations see no other option than to pay the ransom, there is still significant additional financial loss associated with the incident response and business interruption.
Several exceptional attacks took place in 2021. First, a large US insurer reportedly paid threat actors $40 million, the single highest ransom payment ever, to have its data unlocked after enduring several weeks of interruption to its operations (5). Not long after that a major RaaS group, DarkSide, attacked the largest US gasoline pipeline and, in the process, managed to interrupt the gasoline supply and cause shortages and panic buying across much of the southeastern U.S. region (6).
The reasons for the persistent ransomware issue are multiple: 1) The risk/reward ratio remains very favorable to threat actors, 2) criminals’ access to cryptocurrency infrastructure is largely undisrupted, 3) the availability of ransomware services on the dark web continues to expand, and 4) the pool of eligible targets is still substantial.
Ransomware attacks increasingly incorporate data theft, known as double-extortion attacks, which was likely the cause of the dramatic increase in reported data breaches in the U.S. in 2021. After a nearly 50% drop in 2020, breaches rose 68% to an all-time high of 1,862 in 2021. Last year also saw the return of jumbo data breaches, with T-Mobile suffering the theft of 53M customers’ records (8).
While data is not yet available for 2021, business email compromise fraud remains the most frequently occurring type of cybercrime, albeit with a much lower cost per incident compared to ransomware and data breaches. Despite a 17% drop in frequency based on the latest report from the FBI’s IC3, there were 19,369 incidents reported in 2020. The total loss from those incidents amounted to $1.86B, the highest ever since reporting began and about a 5% increase over 2019. (9)
An Unprecedented Year for Systemic Events and Systemic Vulnerabilities
2021 saw a total of 20,141 Common Vulnerabilities and Exposures (CVEs), publicly disclosed security vulnerabilities, logged to the MITRE database. While that was the highest number ever recorded in a single year, each year since 2016 has seen an increase over the previous year, and that’s probably not surprising given the pace at which technology continues to make its way into all aspects of life. For context, there are currently more than 167,000 CVEs for all years combined since logging started in 1999, but only a fraction become popular attack vectors among threat actors, and only for as long as they remain unpatched. Once a patch is released for a specific vulnerability it’s common for threat actors to reverse engineer the patch to exploit organizations that remain vulnerable. Only when patching reaches close to 100% does a vulnerability become obsolete to threat actors. (10)
The most dangerous CVEs typically have a combination of three characteristics:
CVEs can rise to the level of systemic vulnerabilities that result in widespread ongoing data theft or malware attacks against organizations that haven’t yet patched, or, in the worst case, cause a systemic event impacting thousands or millions of organizations simultaneously. There were multiple examples of both in 2021.
Systemic Events
2021 started off with a systemic event that spilled over from December 2020, when it was discovered that nation-state actors had compromised Solarwinds’ software publishing infrastructure and distributed malware-laced updates to users of Solarwinds’ Orion product. Of the total Orion customer base of 33,000 organizations, the attack only truly impacted an estimated 100 organizations, but it forced thousands of other Solarwinds customers to investigate potential intrusions of their networks. The Solarwinds attack appears to have been entirely espionage motivated. (11)
The next major systemic event of the year was also discovered in December 2020, when file sharing provider Accellion learned that attackers had compromised its 20-year-old File Transfer Appliance (FTA) software by exploiting multiple zero-day vulnerabilities. The threat actors, known as the Clop ransomware gang, used the attack to exfiltrate sensitive data from FTA customers and then attempted to extort money from them by threatening to leak the information. While exploitation continued over several months, the attack appears to have impacted most users simultaneously. An estimated 300 mid-sized to large organizations have been affected by the attack so far, including in some instances customers of the immediate targets. (12)
In early July a coordinated attack against remote management and monitoring software provider Kaseya caused yet another systemic event. REvil, a major RaaS group, used a zero-day vulnerability to compromise Kaseya’s VSA platform used by many managed service providers (MSPs). About 50 MSPs and their many customers were hit with ransomware simultaneously and presented with ransom demands of $25,000 to $5M per customer depending on size. As many as 1,500 organizations were infected and a total ransom demand of $70M to unlock all impacted organizations was subsequently put forward. About 10 days after the attack REvil’s website and infrastructure mysteriously went offline and Kaseya eventually obtained a universal decryption key, but only after three weeks of disruption. (13)
Systemic Vulnerabilities
Weakly configured Remote Desktop Protocol (RDP) and phishing have competed for the top spot among attack vectors used in ransomware attacks for the past two years, with a mix of CVEs making up the rest. The most exploited CVEs, some of which date back as far as 2018, relate to remote access software such as Pulse, Fortinet, and Citrix (14). On top of the already solid suite of unpatched vulnerabilities and other attack vectors available to cybercriminals, they gained several additional useful tools in 2021.
The most significant new vulnerability that led to widespread exploitation throughout 2021 was ProxyLogon. In early January Microsoft became aware of four zero-day RCE vulnerabilities in its on-premise Exchange Server product, and attacks were reported shortly thereafter. A patch for ProxyLogon wasn’t available for almost two months, providing cybercriminals with an extensive window to exploit the vulnerabilities. A mix of nation-state groups and for-profit threat actors quickly seized on the opportunity to carry out espionage, data breach, business email compromise and ransomware attacks against Exchange Server users. Once patches were released, mass exploitation began as other threat actors either purchased exploit kits or reverse engineered the patches. While patching reached over 90 percent by late March, attacks on vulnerable organizations continued throughout the year, with an estimated 30,000 to 60,000 organizations impacted (15).
Among other critical vulnerabilities discovered in 2021, the following in particular were targeted by various threat actor groups with ransomware and other attacks:
As 2021 came to a close, a series of zero-day RCE vulnerabilities known as Log4Shell was discovered in Apache’s open-source Log4j framework, a logging utility used by a long list of major software and cloud service providers. The Log4Shell vulnerability has been characterized as one of the most critical vulnerabilities ever due to its widespread use and the simple process required to carry out the exploit. While the zero-day window was relatively short, the identification and patching of Log4Shell has proved to be complicated for many users, and initial patches didn’t fix the issue. So far there have been relatively few reports of attacks successfully using this vulnerability, but it may be too early to tell whether the concerns raised by many cybersecurity experts are unfounded. (17)
The Cyber Insurance Market Adjusts to the New Normal of Ransomware
While cyber insurance still has a much lower penetration rate than most traditional insurance products, the cyber insurance market provides useful macro insights into changes in the cyber threat landscape.
Premium and loss data reported by insurers to the National Association of Insurance Commissioners show that profit margins deteriorated significantly from 2018 to 2020. The main reason was the increase in ransomware attacks, according to research conducted by major reinsurance brokers. From 2018 to 2020 the industry cyber loss ratio, as measured by incurred loss to written premiums, increased from 35% to 67%. The reported loss figures don’t include loss development (the difference between the initial reserve and the final paid loss), which in an average year adds an additional 10 to 25 points to the loss ratio. Overall, these figures point to a cyber insurance market well into unprofitable territory in 2020. (18, 19)
Cyber insurers have been quick to respond to the increase in ransomware losses with sweeping changes to limits, deductibles, pricing, and underwriting requirements in 2021, all of which will lead to a long-term sustainable cyber insurance market. Some of these changes are helping insureds become more resilient to cyberattacks, with insurers demanding certain security controls such as multi-factor authentication and offline backups. Cyber insurance policies also increasingly include complementary risk mitigation services.
The change in attritional losses due to ransomware and several recent systemic events have brought additional focus on the potential for catastrophic cyber losses and the need to price that exposure into policy premiums. Catastrophe modeling remains a major challenge in cyber insurance due to the constantly changing threat landscape, lack of historical data, and the difficulties in attributing losses to a specific systemic vulnerability or event.
Government Response to the Increase in Cybercrime
Cybercrime is both borderless and virtual, making it very difficult to combat from a law enforcement perspective. However, the US government took several necessary steps last year to reduce the motivation and ability of threat actors to carry out ransomware attacks against US organizations.
Among these initiatives was the establishment of a ransomware taskforce to coordinate law enforcement actions and strategies between all the various agencies involved with cybercrime as well as the creation of a one-stop hub for ransomware resources available to organizations. A $10M reward for information relating to high-profile ransomware groups was also announced as part of the launch. (20)
The government added new measures aimed specifically at disrupting the infrastructure used by threat actors to carry out ransomware attacks. OFAC sanctions against the Russian-based Suex cryptocurrency exchange and new guidance on ransom payment detection and reporting issued to the cryptocurrency industry and financial institutions will impact the financial infrastructure used by ransomware groups (21). Additionally, the FBI successfully shut down servers used by the REvil ransomware group and obtained a universal decryption key for victims of the Kaseya attack (22). The FBI also partially recovered the ransom paid to the DarkSide ransomware group following the Colonial Pipeline attack (6).
Improved collaboration and coordination between governments and private sector organizations appears to have paid off. Multiple arrests involving ransomware threat actors were made in 2021, including members or affiliates of the REvil and GandCrab groups, and Interpol arrested over 1,000 individuals involved with various cybercrime activities in a single coordinated operation known as HAEICHI-II. Diplomatic efforts by the US government to encourage Russia to take action against ransomware groups operating out of its territory may even have been fruitful, with the recent announcement of the arrest of the REvil group’s leadership in Russia. (23, 24, 25)
2022 Outlook
The high-level summary for the 2021 cyber year is that the cyber threat kept worsening, while organizations continued to improve their resilience to attacks and the US government took important steps to target prolific ransomware groups and disrupt their infrastructure. In all likelihood the combination of these measures will have a positive impact on cyber risk long term, but it may take most of 2022 before there’s a measurable decline in ransomware and other cybercrime. The improved cyber resilience of private sector companies will not only help reduce the ransomware threat, but also provide stronger protection against the systemic malware events that many organizations worry about. It’s important that measures to fight cybercrime, whether at the individual organizational level or at the government level, take a holistic approach, as cybercriminals have so far proven very agile. If ransomware is successfully choked, we could very well see cybercriminals return to data breach attacks or turn to attacks against critical infrastructure to increase leverage.
This article provides general information, and every effort has been made to ensure accuracy of the information contained herein. In no event will The Hartford be liable for direct, special, incidental, or consequential damages (including, without limitation, damages for loss of business profits, business interruption, loss of business information or other pecuniary loss) arising directly or indirectly from the use of (or failure to use) or reliance on the information contained herein, even if The Hartford has been advised of the possibility that such damages may arise.
Founder at TalaSecure | Helping medtech startups comply with FDA and SEC security guidelines | Fix vulnerabilities in days instead of months
2y: Amazing review of the year. For a while, security professionals had been disappointed by companies transferring their cyber-security risk to insurance companies instead of reducing their actual cyber risk. As you had predicted in the 2021 Cyber Insurance, A Hard Reset, the cyber insurance industry is going into the red territory. Your new report proves that the predictions were on target. Harold Lea Josh Schein Nachiketa Das RV Raman
Christ Follower | Men's Ministry | Retired
2y: Excellent analysis of the present and future state of cyber risk, Jacob. Thank you.
Delivering cyber risk analytics for the insurance industry
2y: Jacob, this is a really excellent analysis of the year in review and what is to come. Great job!
CYPFER: 24x7 Cyber DFIR, Recovery, Remediation, & Ransomware Experts
2y: Jacob, thought provoking, extremely thorough, and interesting as always. It was particularly timely for me as I return to the cyber insurance ecosystem after 1 year on the sidelines. Please add me to the newsletter distribution. I look forward to finding time to discuss.
Guiding people on how to protect what's important to them, their families, assets and lifestyle | Personal Insurance Producer | Basketball Official | 2021 Missoula Chamber George Award Recipient
2y: Are there any statistics or data surrounding cyber attacks on the personal/individual level? People might be more lax at home and on personal devices because they are accustomed to the preventative measures that their employers have in place.