According to the 2021 Annual Threat Monitor report by NCC Group, ransomware attacks almost doubled in 2021 from 2022, rising 92.7% year-on-year 1,389 in 2020 and 2,690 in 2021).
This builds upon a gradual but noticeable rise in ransomware attacks since the COVID-19 pandemic began, with ransomware accounting for 65.38% of all incidents dealt with by NCC's global cyber incident response team (CIRT) in 2021.
Throughout the year, attacks were most commonly targeted at the public (19.35%) and industrial sectors (19.35%), followed by consumer cyclicals (16.13%).
Compiled by NCC Group’s strategic threat intelligence team, the report details the events of 2021 and their impact on the cyber threat landscape, providing an overview of incidents across all sectors and highlighting global trends.
The insights are based on incidents identified by NCC Group’s global managed detection and response service (MDR) and its global cyber incident response team (CIRT).
Remaining consistent with NCC Group’s monthly threat pulses, the most targeted regions during 2021 were North America and Europe, accounting for 53% and 30% of all attacks respectively.
NCC Group explained that these regions are densely populated with wealthy organizations, which provides an incentive to threat actors that employ a big-game-hunting methodology. The team has highlighted this as the reason for the concentrated ransomware activity in these areas and have predicted that this trend will likely continue throughout 2022 and beyond.
Trends that NCC Group identified in 2020, such as surges in specific months of the year, were also seen again in 2021. An observable increase in the number of victims was reported until July, which then dropped off before another surge in August, which the NCC Group team have attributed to seasonal and holiday-related fluctuations in cybercrime activity. This would also explain the continued trend of many threat actors once again postponing their activity for the Christmas period in 2021.
The NCC Group team has proposed that the shift in the quantity of ransomware cases will be permanent and that this trend will continue to develop in 2022.
Rise of Conti Ransomware
The most prevalent threat actor noted in the report was Conti, a Russia-based global threat actor that emerged in 2017.
Conti represented 18% of all attacks across the past two years. In line with the general trends, the industrial sector was Conti’s main target, followed by consumer cyclicals and technology, accounting for 33.1%, 21.5% and 7.4% respectively. Similarly, in line with general trends, North American businesses were top on Conti's list of targets, followed by Europe, with 63.8% and 30.2% of all attacks respectively happening in these regions.
Elsewhere, another notable group that highlighted the changing nature of the vulnerability landscape was the Lockbit threat actor. After a brief hiatus and metamorphosis into Lockbit 2.0 in June 2021, the group became one of the biggest contributors to double extortion ransomware in 2021, accounting for 16.4% of the entire year’s ransomware cases. This contrasts their activity in 2020, in which they were absent from the list of the top 10 threat actors.
Matt Hull, global lead for strategic threat intelligence at NCC Group, commented: “Many of the dangers which we first identified at the start of the pandemic have snowballed in 2021, revealing a developing threat landscape with ransomware attacks on the rise. However, despite many clear developing trends, the re-emergence of Lockbit as a prevalent actor highlights that the vulnerability landscape is still ever-changing.
“We need to remain vigilant for new and changing threats in 2022. It is now more important than ever for organizations to ensure that they are protected from the types of attack we have reported in 2021, especially in consistently targeted sectors such as industrials and consumer cyclicals.”