Cyberattacks decreased in Q3 2021 claims Positive Technologies

The number of cyberattacks in Q3 2021 dropped by 4.8% compared to the previous quarter according to Positive Technologies. The details are published in the company’s Cybersecurity Threatscape Q3/2021 report. It is the first time since 2018 that Positive Technologies has reported a drop in cyberattacks.

Ekaterina Kilyusheva, Head of Research and Analytics, Positive Technologies said: “This year we saw the peak of ransomware attacks in April when 120 attacks were recorded. There were 45 attacks in September, down 63% from the peak in April. The reason is that several large ransomware gangs stopped their operation, and law enforcement agencies started paying more attention to the problem of ransomware attacks (due to recent high-profile attacks).”

What has driven the drop in cyberattacks?

The two biggest trends appear to be a drop in ransomware attacks and some major cybercrime groups appearing to pack up. The latter is important. Previously cybercrime groups have appeared to pack up and leave but later returned. Sometimes it is driven by authorities disrupting their infrastructure, other times it can be down to the arrest of key individuals.


Another shift has been the change in who is being attacked and by what. In the industrial sector, ransomware attacks have fallen from 80% of the total attacks to just 32%. This may be down to more restrictions being placed on those infecting the targets by the ransomware gangs. There has certainly been some rethinking of who and what to attack.

This is borne out by Positive, which says that it is seeing a change in behaviour from ransomware groups. Over the last few years, many have operated an affiliate programme using Ransomware as a Service (RaaS). However, that has led to problems for the major players. They have begun to be more restrictive on which sectors are open to attack. As such, new models are likely to appear in 2020.

What about those packing up?

The question that needs to be asked from this research is how many of the cybergangs are really going away? This is a highly lucrative market for cybercrime gangs, so for them to just walk away makes little sense.

What we do know is that few go willingly. Even when they are forced out by infrastructure being seized, they soon bounce back.

In January 2021 takedown actions targeted Emotet. However, by the end of 2021, Emotet was back up again. The Trickbot botnet was taken down at the end of 2020 but roared back with a vengeance in early 2021. It is also part of the return of Emotet story.

Two of the major ransomware gangs that disappeared in 2021 were DarkSide and REvil. DarkSide became infamous after the attack on Colonial Pipeline led to the company shutting down its fuel pipelines. REvil shut up shop after authorities allegedly seized its infrastructure. In both cases, however, the shutdowns were temporary. REvil reappeared after what was probably just a holiday, and a new group formed from DarkSide, calling itself BlackMatter.

Attacks are more targeted

The report looks at how attacks were launched. The majority of attacks users become aware of are the incessant spam attacks trying to phish for their data. However, these mask a significant shift away from scattergun attacks to targeted attacks. Positive says that 75% of all attacks were targeted.

Both businesses and individuals were targeted by attackers seeking confidential information and access to financial data. What is more interesting, however, is what the attacks were looking for.

In the case of businesses, it was personal data (33%), credentials (14%), intellectual property (14%) and medical records (12%) that topped the list.

Attacks on users focused on credentials (43%), personal data (21%), payment card data (15%) and correspondence (10%). There is undoubtedly an overlap here, in that the credentials harvested from attacks on individuals also impacted companies.

Government departments (21%) were most likely to be attacked. This was followed by healthcare (12%) and manufacturing (9%). Disruption to any of these three has the ability to cause widespread disruption to a much larger number of people. The first two will also have large volumes of sensitive data for use in more personalised attacks.

More than just another collection of statistics

This report is more than just a collection of statistics. It looks at how attackers are changing their focus. It warns that Linux is increasingly becoming a target. One reason is that there is a belief it is much harder to attack. This is the same thinking that is common in the Mac environment. Both are wrong and there is an increasing amount of malware looking at both platforms.

The report also looks in more detail at the changes in the ransomware market. It concludes with the thought that the RaaS model could be dead, at least in its current form. The reality is that this is unlikely to be the case.

Perhaps the most interesting section is the focus on vulnerabilities across Microsoft’s products. It shows how one attack leads to another despite patching. Perhaps the message here is really one of “pay attention”.

Enterprise Times: What does this mean?

This is an interesting report not least because the focus is not just on statistics. This is important. Every security vendor can trot out statistics but they are only relevant to that provider’s customer base. Few have any wider view of the Internet and few offer any insight outside of that limited view.

The statistics here suffer from that same limitation. However, it is easy to draw parallels with other reports and see some of the wider patterns. For example, the targeting of credentials and personal data.

It is, however, the second part of this report that is of most interest. While Positive uses its statistics to reinforce its points, they are in line with what other vendors are reporting.

