How Cyberattacks are Changing

IT Support

Cybercrime will be more sophisticated, widespread, and relentless by 2022. Criminals have been targeting healthcare, IT, financial services and energy markets with headline-grabbing attacks.  

These attacks have proven to be extremely damaging to our infrastructure and have also made a lot of consumers unhappy in the process. Despite this, there are some positive trends. Cyber attack victims are coming forward, demonstrating the scale of the problem, humanising the effects, and prompting law enforcement to take it even more seriously.  

Governments have been cracking down on cybercrime recently as well, with national security protection becoming a higher priority. 

Earlier this month, Microsoft published the 2021 Microsoft Digital Defense Report (MDDR). Drawing upon over 24 trillion daily security signals across the Microsoft cloud, endpoints, and the intelligent edge, the 2021 MDDR expands upon last year’s inaugural report and contains input from more than 8,500 security experts spanning 77 countries. The report includes insights on the evolving state of ransomware, malicious email, malware, and more. 

Ransomware goes Retail

Ransomware can offer criminals an appealing, low-investment, high-profit business model. What began with single-PC attacks now includes crippling network-wide attacks using multiple extortion methods to target both your data and reputation.  

Recent updates in malware software have enabled operators to expand the scope of ransomware schemes in recent years. It has made them more profitable than before, with no signs of slowing down. 

This human-operated ransomware, also known as ‘big game ransomware,’ involves criminals hunting for large targets, which will provide a substantial payday, through syndicates and affiliates. Ransomware has become popular enough to be turned into a modular system like any other big business, with RaaS.  

With RaaS, there are no single actors behind a ransomware attack. For example, one attacker might use malware to target a specific category of people and one attacker might just deploy it. Similar to a syndicate, individuals are paid according to their activity. 

Once a criminal actor compromises a network, they may steal confidential information, financial documents, and insurance policies. Analysing this intelligence means that they will want an “appropriate” ransom. This includes both unlocking systems and preventing disclosure of data that the hacker has just stolen. This is known as the double extortion model: a victim is expected to pay for both losing their data and intellectual property. After they have been extorted, the attacker may extort the victim again to prevent the stolen information from being published. 

To collect payment, criminals are increasingly using crypto-wallets. This removes the risk of having to show their face, making it much harder for law enforcement to catch them.  

After payment, the criminal actor needs to find a way to use the “stolen” crypto, which is where middlemen in the cryptocurrency ecosystem step in to help move it around and make payments.  

A lot of people are upset by the current ransomware epidemic. One way to fight back is for government agencies, private sector companies, prosecution & civil litigation to take coordinated action against the intermediaries that are contributing to this problem, thereby disrupting the payment process. Data from Microsoft’s DART team show that most ransomware targets are the consumer, financial, and manufacturing sectors. 


Malicious Email: Bait and Switch

Reports of phishing attacks have increased significantly in the last two years. Security firms have noted that credential phishing has been rampant in many of the most damaging attacks. The Microsoft Digital Crimes Unit has investigated online organized crime networks, specifically the method in which the hackers steal credentials.  

Diversity in their methods of verification has been found, showing that a lot of criminals are increasingly investing in automation tools to upgrade their criminal activities. They’re buying these tools to make their crimes more efficient, profitable, and “successful.” 

The most common type of malicious email we see is phishing. Industry-specific phishing scams are becoming more prevalent in the modern era. They depend on the objectives of the attacker, their preferred target, or recent events in order to be successful. We observed a significant increase in the number of phishing emails in Microsoft Exchange email flow over the last 12 months. There was a noticeable surge in November – possibly to take advantage of increased holiday usage. 

Phishing sites are everywhere, but they’re usually easy to spot due to their use of famous brand logos & impersonation. A few crafty phishers recently used an open redirector link with bait that claimed to be Microsoft.  

People who clicked on this link were redirected through a series of obstacles, including a CAPTCHA verification page that lends the process a sense of legitimacy, before finally getting to an elaborate fake sign-in page. The stolen IDs can be weaponized in phishing attacks or by creating BEC websites. Once the account is compromised, the attacker might resell it to other people if they still have access. 

In the last year, Microsoft found over a million domains used in phishing attacks. Of those compromised domains, just five percent were actually involved in the phishing. Those domains typically host phishing attacks on legitimate websites without disrupting any legitimate traffic, so their attack remains hidden as long as possible. 

Attacks don’t tend to last long. Over the course of this year, Microsoft has seen attacks occur in short bursts- for as little as one or two hours at a time. 

Microsoft is again co-sponsoring the annual Terranova Gone Phishing Tournament™, which uses real-world simulations to establish accurate clickthrough statistics. The time saved from phishing emails adds up and the result is a more effective way to protect your company.  

The Microsoft employee attack simulator is a powerful new training resource. By leveraging real phishing email templates, the attack simulations are contextual and provide hyper-targeted training to strengthen users’ defences. Furthermore, behavioural tracking metrics serve as an excellent way to evaluate changes in user behaviour. 

Malware: Opportunity Knocks

Online security has been a concern for everyone and it’s important to be vigilant as well as proactive. However, as phishing scams diversify and malware evolves, there are plenty of ways to protect oneself from unwanted intrusions. Microsoft 365 Defender Threat Intelligence is now able to track if your organization is at risk with recent innovations in security. Complexity increases with the number of malware attacks and goals they can pursue- from data theft and ransom to credential theft and espionage. Yet all of these variations operate off a few basic strategies: stay hidden, find a way in, exploit vulnerabilities for maximum damage.

Web shells are being used more and more, both by nation-state groups and by criminals. They let attackers execute commands on a server or use it as a base to launch further attacks. Microsoft observed a decrease in the use of PowerShell in malware this year, with suspicious flags or encoded values being the most common behavior.

Malware that hides data in browser caches or mimics system processes is also popular. It’s not just about Trojans. Other malware that is prevalent nowadays are: the use of specific reconnaissance strings; processes added to startup folders; Windows Antimalware Scan Interface AMSI registry alterations or executables dropped from Microsoft Office 365 files. We also observed malware tactics that are more difficult to mitigate, such as:

  • There are many malware programs designed to be difficult to detect. These include fileless malware techniques like those used by botnets, writable downloaders and chameleon-style projects which allow infections to evade detection.
  • Legitimate services can be abused to spread malware – Google Drive, Microsoft OneDrive, Adobe Spark, Dropbox and other sites are still popular for this. In the meantime, sites such as, and have been seen as increasingly popular sources for component download is multi-part.

To learn more about Microsoft Security solutions, get in touch with one of our experts.

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp