Sophos 2021 Threat Report: Summary Blog


Perhaps the only thing more alarming than the spread of COVID-19 over the last 12 months has been the rapid rise of ransomware. In November 2020, Sophos released its 2021 Threat Report, an insightful summary of the threat landscape faced by today's IT security professionals. The Sophos 2021 Threat Report is written as a guide for security teams, highlighting the critical areas they should direct their efforts towards to defend networks and endpoints in 2021.

Broken down into four main segments, the Sophos 2021 Threat Report covers key trends and topics involving ransomware, ‘everyday’ threats, COVID-19 impacts, and non-traditional platforms.

Ransomware

To be blunt, in 2020 ransomware families had a proverbial field day. With the sort of raw carnage one would expect from a nature documentary, attackers intensified the misery of an already suffering global population. Ransomware families continued to refine their tactics, techniques and procedures to speed up deployment and evade endpoint security. Through meticulous investigation, the Sophos 2021 Threat Report notes, Sophos analysts recognized shared patterns in ransomware code, indicating that ransomware gangs appear to be collaborating rather than competing with one another. Predators behave the same way: when prey is plentiful, there is no need to squabble.

Another observed ransomware trend was "secondary extortion" (often called double extortion), where in addition to encrypting data, ransomware operators steal sensitive or confidential information and threaten to publish it should their demands not be met. In 2020, Sophos reported ransomware gangs including DoppelPaymer, REvil, DarkSide and Netwalker, among others, using this approach. In fact, REvil went as far as offering stolen data for sale directly from its leak site.

Lastly, within a single year the average ransom payment nearly tripled, jumping from $84,116 in Q4 2019 to $233,817 in Q3 2020. Ransomware operators have grown increasingly bold, partly because cyber-insurance policies are known to cover ransom payments, and they set their demands with a clear understanding of what downtime costs their victims.

All things considered, the Sophos 2021 Threat Report concedes that what the next 12 months will bring is difficult to predict: threat actors and security professionals exist in an endless state of flux.

Everyday Threats

In terms of everyday threats, the Sophos 2021 Threat Report looks at "run-of-the-mill" malware, loaders and botnets, and human-operated Initial Access Brokers. To security professionals some of these threats may seem trivial, but that is by design: a low-profile infection lulls the target into a false sense of security. It is much easier to secure an initial foothold, gather essential data and exfiltrate it to a command-and-control server if the victim does not recognize a real threat. When human operators are behind these threats, they review every compromised machine for signs of high value and then sell access to the most lucrative targets on the dark web to the highest bidder, such as a major ransomware operation.

Moreover, the Sophos 2021 Threat Report demonstrates that many attacks arrive through common attack vectors, including internet-facing RDP and VPN servers. Although these systems are easily patched and protected, IT teams are not always current with patches and hardening guidance, which effectively leaves the back door unlocked for threat actors. Very often, human action is required to ensure that such gaps are securely closed.
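One concrete way to check for the exposure described above is to audit your firewall or security-group rules for remote-administration ports reachable from untrusted networks. The script below is an added example, not code from Sophos or Packetlabs. The rule format is an assumed, simplified shape modelled on cloud security-group exports, the sample rules are constructed for demonstration, and the trusted source ranges (RFC 1918 space plus an assumed corporate egress block) and the port list beyond RDP are this example's own choices.

```python
"""Audit firewall / security-group rules for remote-administration ports exposed to untrusted sources.

Added example: the Rule shape below is an assumption modelled on cloud security-group exports;
adapt the parsing to your own firewall dump.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Ports that should never be reachable from untrusted networks. RDP is the service named in the
# report; the others are this example's additions covering other common remote-management services.
SENSITIVE_TCP_PORTS = {
    3389: "RDP",
    22: "SSH",
    445: "SMB",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
}

# Source ranges treated as trusted: RFC 1918 space plus an assumed corporate egress block.
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "203.0.113.0/24",  # assumed corporate egress range (documentation prefix, stand-in only)
)]


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str      # "tcp", "udp" or "all"
    from_port: int     # 0..65535; ignored when protocol == "all"
    to_port: int
    source: str        # CIDR the rule accepts traffic from, e.g. "0.0.0.0/0"


def is_trusted_source(cidr: str) -> bool:
    """True when every address in `cidr` falls inside one trusted range."""
    net = ipaddress.ip_network(cidr, strict=False)
    # Compare versions first: subnet_of() raises TypeError on an IPv4/IPv6 mismatch.
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_SOURCES)


def exposed_ports(rule: Rule) -> list[int]:
    """Sensitive TCP ports that `rule` admits; empty when the rule is UDP-only."""
    proto = rule.protocol.lower()
    if proto == "all":
        return sorted(SENSITIVE_TCP_PORTS)
    if proto != "tcp":
        return []
    lo, hi = sorted((rule.from_port, rule.to_port))  # tolerate reversed port bounds
    return sorted(p for p in SENSITIVE_TCP_PORTS if lo <= p <= hi)


def audit(rules: list[Rule]) -> list[tuple[str, int, str]]:
    """Return (rule name, port, service) for every sensitive port reachable from an untrusted source."""
    findings = []
    for rule in rules:
        if is_trusted_source(rule.source):
            continue
        for port in exposed_ports(rule):
            findings.append((rule.name, port, SENSITIVE_TCP_PORTS[port]))
    return findings


# Constructed sample rule set for demonstration.
SAMPLE_RULES = [
    Rule("web-https", "tcp", 443, 443, "0.0.0.0/0"),               # fine: only 443 is open
    Rule("rdp-from-anywhere", "tcp", 3389, 3389, "0.0.0.0/0"),     # classic RDP exposure
    Rule("rdp-from-office", "tcp", 3389, 3389, "203.0.113.0/24"),  # trusted source, not flagged
    Rule("wide-tcp-range", "tcp", 3000, 4000, "198.51.100.0/24"),  # range silently includes 3389
    Rule("allow-all-v6", "all", 0, 0, "::/0"),                     # any protocol from any IPv6 source
    Rule("dns-udp", "udp", 53, 53, "0.0.0.0/0"),                   # UDP only: RDP not reachable
]


def main() -> None:
    for name, port, service in audit(SAMPLE_RULES):
        print(f"{name}: {service} (tcp/{port}) reachable from an untrusted source")


if __name__ == "__main__":
    main()
```

The two cases worth noting are the wide TCP range, which exposes RDP without ever mentioning port 3389, and the "all protocols" rule, which exposes every sensitive port at once; a grep for "3389" in a rule export would miss both.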

The responsibility for that falls not just to cybersecurity professionals but to every person within an organization, from the front line to the C-suite. Once ransomware is established, through whatever route, it is more often than not too late for an organization to get ahead of it, the report explains, and the human component of any network remains the most common cause of a data breach. Educating both end users and cybersecurity teams on best practices in online behaviour is still the best way to address these threats. Please review our blog on security awareness training for more details.

COVID-19 Impacts

The COVID-19 pandemic compounded everything in information security over the past 12 months. The Sophos 2021 Threat Report highlights one theme: during times of crisis, when systems are under immense stress, cyber defense is absolutely critical to maintaining an organization's ability to survive. Under attack from what seemed like all angles, the information security industry collectively set aside competition in favour of collaboration.

Collaboration amongst malware gangs is a comparatively new development, and Initial Access Brokers and other forms of crime-as-a-service are on the uptick. Fortunately, the Sophos 2021 Threat Report explains that many security vendors are also working together more willingly than in the past. An encouraging note from the report is that many organizations have been actively pooling threat data with colleagues at other organizations. This has proved especially valuable in the face of a dramatically increased number of threats, including phoney COVID-19 websites offering "cures and inside information," and the expanded attack surface created by remote workforces.

Non-traditional Platforms

The Sophos 2021 Threat Report confirms that the principal motivation for threat actors is financial gain; thanks to automation, they are playing a numbers game. Easy targets will always be singled out, as attackers do not want to work especially hard for their money: think "low-hanging fruit." In addition, threat actors have put significant effort into attacking technology not traditionally considered part of the attack surface. IoT devices, Linux servers and Macs did not escape the attention of criminals, who leveraged any identified vulnerability to install their malicious code. In parallel, the threat actors who did take aim at Windows servers and workstations increasingly employed the same tools the security industry's red teams built to identify and exploit vulnerabilities. In other words, they are using our own strengths against us.

Wrapping Up

The year 2020 was riddled with reports of a new breach every week, demonstrating just how susceptible every organization is while going about its business. Given the extraordinary circumstances of 2020, both the frequency and the severity of attacks increased. As the Sophos 2021 Threat Report points out, no single methodology, software product or hardware-based technology should be considered adequate protection on its own. The best approach is one that covers all angles, enlisting the expert advice of security professionals such as penetration testers to identify vulnerabilities at least annually and provide a roadmap to a stronger security posture.

If you would like to learn more about how your organization can benefit from a Packetlabs penetration test, please contact us for more details!