HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

2021 Saw Sharp Increase in Ransomware Data Leaks and Ransom Demands

CrowdStrike has released its annual threat report which shows there was a major increase in data leaks following ransomware attacks in 2021, rising 82% from 2020. CrowdStrike observed 2,686 ransomware attacks in 2021 compared to 1,474 in 2020. There were more than 50 ransomware attacks a week in 2021.

Ransomware gangs also increased their ransom demands in 2021, which were 36% higher than in 2020. In 2021, the average ransom demand was $6.1 million. The healthcare industry was extensively targeted by ransomware gangs in 2021, even though several threat actors claimed they would not conduct attacks on healthcare organizations. CrowdStrike tracked 154 ransomware attacks on healthcare organizations in 2021, up from 94 in 2020, with healthcare ranking 6th out of all industry sectors for data leaks, down from 4th position in 2020.

CrowdStrike said the threat landscape became much more crowded in 2021, with several new adversaries emerging, including threat actors from countries that had not previously been extensively involved in cyberattacks, such as Turkey and Colombia. CrowdStrike identified 21 new adversaries in 2021, with significant increases in Iran-nexus and China-nexus threat actors.

A threat group tracked as Wizard Spider was one of the most prolific ransomware actors in 2021, Carbon Spider specialized in big game hunting, Cozy Bear specialized in targeting cloud environments, Prophet Spider used the Log4j exploit for harvesting credentials from cloud workspace services, and Aquatic Panda targeted the Log4j vulnerability and used the Log4Shell exploit to achieve remote code execution on victims’ systems.


Iran-nexus actors extensively adopted lock-and-leak tactics, Russian threat actors increasingly targeted cloud environments, and China-nexus threat actors specialized in deploying exploits for new vulnerabilities. CrowdStrike said there was a sixfold increase in vulnerability exploitation in 2021, with 10 named adversaries or activity clusters involved in those attacks. Only 2 vulnerabilities were exploited by Chinese threat actors in 2020, compared to 12 in 2021.

Since 2020, ransomware gangs have been exfiltrating sensitive data prior to encrypting files and have been using double extortion tactics on their victims, where payment is demanded both for the keys to decrypt data and to prevent the stolen data from being published on data leak sites. While ransomware attacks were commonplace, there was also an increase in data theft and extortion without the use of ransomware, and there was an active market for the sale and purchase of stolen information on hacking forums and darknet sites.

Malware is commonly used in cyberattacks, but attackers are increasingly avoiding it, instead using legitimate credentials to access networks and then relying on living-off-the-land techniques, in which existing system tools are used in place of malware to evade security solutions. In 2021, only 38% of cyberattacks involved malware, with 62% of attacks malware-free.

CrowdStrike expects cloud-related threats to become more prevalent and to evolve in 2022 as threat actors prioritize targets that provide direct access to large consolidated stores of high-value data. Threat actors are also likely to diversify their tool arsenal to include mobile malware in 2022, and it is highly probable adversaries will continue to seek weaknesses in platforms used by their targets in 2022. “Through the coming year, adversaries are expected to continue to react to vulnerability identification and seek to gain access to their targets through exploitive means as quickly as possible,” said CrowdStrike.

To counter these threats, CrowdStrike recommends learning about the adversaries that are known to target your industry, as this will allow you to better prepare for attacks. It is vital to protect all workloads and have a tested response plan to allow immediate action to be taken in the event of an attack. The speed of the response often dictates whether mitigations succeed or fail.

Cloud misconfigurations are often exploited to gain access to large data stores. One way to reduce the risk of human error is to set up new accounts and infrastructure using default patterns. While it is important to implement technical measures to detect and stop intrusions, it is also important to invest in user awareness programs, as end users can play a key role in preventing data breaches, especially detecting and avoiding phishing attacks and social engineering techniques.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.