Threat Intelligence Report 2021
An Overview Of The Swedish Cyber Threat Landscape 2020
The growth of the cybercriminal business affecting Swedish organizations reflects the worldwide trend. The number of ransom attacks tripled during 2020, and more enterprises have been victims of data theft. The cost of cybercrime in Sweden now exceeds 30 billion SEK per year. This report by the Truesec Threat Intelligence Team is a general overview of the current cyber threat landscape in Sweden. The conclusions here are supported by data collected by Truesec during 2019 and 2020.
Types of Cyber Attacks
The most common form of financially motivated attacks is Ransom, making up to 49% of all attacks. The evolution of the Ransomware as a Service (RaaS) model greatly contributed to the growth of ransomware attacks in 2019 and 2020.
Access harvesting and business e-mail compromise attacks together account for 38% of observed incidents during 2020. Automation and diversification make these attacks very effective. Often, the access gathered to victims is sold on the darknet to other groups, which can then launch other types of attacks, including ransomware and data theft.
While ransomware alone is used in 39% of ransom attacks, data leak threats are used together with ransomware in 44% of the cases. Stealing data and threatening to publicly disclose it is a growing trend among the ransomware criminal gangs.
Another increasing attack type involves Distributed Denial of Service (DDoS). The threat actors launch DDoS attacks unless their victims pay a ransom.
The popularity of ransom attacks and their increased sophistication, as well as the availability of competent malware and methodologies, have resulted in a steady increase in the amount requested as ransom. The highest amount observed in 2020 was 35 million USD.
The amounts are often carefully selected and based on the turnover of the victim organization, as well as on the importance of exfiltrated data threatened to be published.
More than 60% of organizations affected by large ransomware attacks did not have proper backups.
The preferred way of obtaining initial access to a target network is phishing, used in 39% of the attacks.
Leveraging exposed remote access services and exploiting vulnerable applications together make up 39% of attack vectors. This is partly due to the Covid-19 pandemic forcing IT departments to quickly implement solutions for remote access. Another factor is the decreasing time necessary to exploit a newly known vulnerability, leaving organizations with very little time to patch their services before they are attacked.
The time between initial access and manual activities in the breached network varies greatly. This is due to the growing market of access for sale, leading to delays between the first intrusion and an active attack.
When the threat actors begin their manual activities inside a breached network, in 58% of the cases it takes them less than 2 hours to fully compromise the IT infrastructure. Common vulnerabilities and competent attack frameworks facilitate this process, allowing less sophisticated actors to efficiently compromise entire infrastructures.
Two trends dominate in the cybercrime area. At one end of the spectrum, the big, organized cybercrime gangs continually become more innovative and sophisticated in their attacks. They have also become more skilled at identifying critical data and setting the ransom demand accordingly. The ransom amount demanded is now frequently based on the turnover of the organization, and there are cases of demands over 290 million SEK.
At the same time, the increase in publicly available hacking tools and the spread of the Ransomware-as-a-Service model have led to an increase in successful attacks by less sophisticated attackers.