Sophos 2021 Threat Report that covers attacks on servers, the impact of the COVID 19 pandemic on IT security, the security challenges facing cloud environments shows how ransomware and fast-changing attacker behaviors, from advanced to entry-level.
Three key trends expected to shape IT security
This report has written by SophosLabs security researchers. Sophos’ threat hunters, rapid responders, and cloud security and AI experts. Let’s have a look at three key trends analyzed in the Sophos 2021 Threat Report.
- The gap between ransomware operators at different ends of the skills and resource spectrum will increase. At the high end, the big-game hunting ransomware families will continue to refine and change their tactics, techniques and procedures (TTPs) to become more evasive and nation-state-like in sophistication, targeting larger organizations with multimillion-dollar ransom demands. Sophos predicts an increase in the number of entry-level, apprentice-type attackers looking for menu-driven, ransomware-for-rent, such as Dharma, that allows them to target high volumes of smaller prey.
- The second trend is secondary extortion. The attackers steal and threaten to publish sensitive or confidential information if their demands are not met. In 2020, Sophos reported on Maze, RagnarLocker, Netwalker, REvil, and others using this approach.

Chester Wisniewski, the principal research scientist, Sophos, explained secondary extortion, saying,
“The ransomware business model is dynamic and complex. During 2020, Sophos saw a clear trend towards adversaries differentiating themselves in terms of their skills and targets. However, we’ve also seen ransomware families sharing best-of-breed tools and forming self-styled collaborative ‘cartels. “Some, like Maze, appeared to pack their bags and head for a life of leisure, except that some of their tools and techniques have resurfaced under the guise of a newcomer, Egregor. The cyberthreat landscape abhors a vacuum. If one threat disappears another one will quickly take its place.”
- Serious security attention is a must because of everyday threats such as commodity malware, including loaders and botnets, or human-operated Initial Access Brokers. Although such threats can seem like low-level malware noise, they are designed to secure a foothold in a target, gather essential data, and share data back to a command-and-control network. For instance, in 2020, Ryuk used Buer Loader to deliver its ransomware. All ranks of adversaries will increasingly abuse legitimate tools that enable adversaries to stay under the radar while they move around the network until they are ready to launch the main part of the attack, such as ransomware. For nation-state-sponsored attackers, there is the additional benefit that using common tools makes attribution harder.