A North Korean national is identified in a complaint for involvement in a range of cyberattacks, including the cyberattack against Sony Pictures in 2014, and the WannaCry 2.0 ransomware attack. Sophos pointed to the expansion of ransomware operators as one of the top trends to watch in 2021. (Photo by Mario Tama/Getty Images)

Widening gaps between the high- and low-end ransomware operators, the increased use of loaders and botnets, and the continued abuse of legitimate tools all top the list among security trends for the year ahead, according to Sophos.

In releasing its Sophos 2021 Threat Report today, the company’s researchers identified how ransomware and fast-changing attacker behaviors will shape the threat landscape and IT security in 2021.

The report analyzes the following three trends in-depth:

  • A widening gap between ransomware operators at different ends of the spectrum.

At the high end, the ransomware families attacking high-profile targets will continue to refine and change their tactics, techniques and procedures to become more evasive and operate more like nation-state attackers. In 2020, these families included Ryuk and RagnarLocker. At the other end of the spectrum, Sophos anticipates an increase in the number of entry-level, apprentice-type attackers looking for menu-driven ransomware-for-rent, such as Dharma, which lets attackers target high volumes of smaller prey. Ransomware operators will also focus on secondary extortion, where attackers not only encrypt data but also steal it and threaten to publish sensitive or confidential information if demands are not met. During the past year, groups using this approach that Sophos reported on included Maze, RagnarLocker, Netwalker and REvil.

  • Security teams will need to focus on commodity malware, including loaders and botnets, and on human-operated initial access brokers.

These threats can look like low-level malware, but they are designed to secure a foothold in a target, gather essential data and send it back to a command-and-control network that delivers further instructions. If human operators are behind these types of threats, they’ll review every compromised machine for its geolocation and other signs of high value, and then sell access to the most lucrative targets to the highest bidder, such as a major ransomware operation. For instance, during 2020, Ryuk used Buer Loader to deliver its ransomware.

  • All adversaries will abuse legitimate tools, well-known utilities and common network destinations.

The abuse of legitimate tools lets adversaries stay under the radar while they move around the network until they are ready to launch the main part of the attack, such as ransomware. For nation-state attackers, there’s the additional benefit that using common tools makes attribution harder. In 2020, Sophos reported on the wide range of standard attack tools now being used by adversaries.