How have cybercriminals changed their behavior and has this made them more dangerous?

Sophos, a global leader in next-generation cybersecurity, has announced the findings of its global survey, The State of Ransomware 2021, which reveals that the average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from US$761,106 in 2020 to US$1.85 million in 2021.

The average ransom paid is US$170,404. The global findings also show that only 8% of organizations managed to get back all of their data after paying a ransom, with 29% getting back no more than half of their data.

The survey polled 5,400 IT decision makers in mid-sized organizations in 30 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East and Africa.

Globally, fewer organizations suffered data encryption as the result of a significant attack (54% in 2021 compared to 73% in 2020). The new survey results reveal worrying upward trends, particularly in terms of the impact of a ransomware attack.

“The apparent decline in the number of organizations being hit by ransomware is good news, but it is tempered by the fact that this is likely to reflect, at least in part, changes in attacker behaviors,” said Chester Wisniewski, Principal Research Scientist, Sophos.

“We’ve seen attackers move from larger scale, generic, automated attacks to more targeted attacks that include human hands-on-keyboard hacking. While the overall number of attacks is lower as a result, our experience shows that the potential for damage from these more advanced and complex targeted attacks is much higher. Such attacks are also harder to recover from, and we see this reflected in the survey in the doubling of overall remediation costs.”

Globally, the number of organizations that paid the ransom increased from 26% in 2020 to 32% in 2021, although fewer than one in 10 (8%) managed to get back all of their data.

“The findings confirm the brutal truth that when it comes to ransomware, it doesn’t pay to pay. Despite more organizations opting to pay a ransom, only a tiny minority of those who paid got back all their data,” said Wisniewski.

“This could be in part because using decryption keys to recover information can be complicated. What’s more, there’s no guarantee of success. For instance, as we saw recently with DearCry and Black Kingdom ransomware, attacks launched with low quality or hastily compiled code and techniques can make data recovery difficult, if not impossible.”

Rick McElroy, Principal Cybersecurity Strategist, VMware

The pandemic provided the time, capital and opportunity for cybercrime to industrialize. We’ve observed e-crime groups collaborating to form advanced enterprises that provide Ransomware-As-a-Service (RaaS), sell network access points on the Dark Web and execute destructive cyberattacks.

In January 2021, we surveyed 180 security professionals from around the world and found that a significant majority (63%) have witnessed incidents of counter incident response (IR) since the start of the pandemic. The top counter IR techniques include security tool disablement, DDoS attacks, security tooling bypass, destruction of logs, email monitoring and destructive attacks. This reflects the dangerous nature of today’s threat landscape. Attackers are becoming more sophisticated and more destructive.

In this same survey, two out of three security professionals reported being targeted by ransomware during the past year. A new technique that was most observed by security teams was double-extortion ransomware, where attackers exfiltrate sensitive information during a ransomware attack and use it for blackmail to ensure financial gain. For this reason, it’s safe to assume that today’s cybercriminals who are executing ransomware attacks have a second command and control post inside an organization’s infrastructure.

These changes in behavior underscore the importance of threat hunting. It’s easy to forget that there’s a human being on the other end of the system who is working tirelessly to get visibility into the entire environment. Security teams must know that it’s no longer a matter of if you’ll get attacked, but when. Adopt a proactive mindset and ensure you have a threat hunting program in place.

Jacqueline Jayne, Security Awareness Advocate APAC at KnowBe4

If we go back to the beginning of cybercrime, we visualize the teenagers in the basement of their family home, driven by curiosity and the challenge of finding out if they could get into a secure system. It started with hacking into the AT&T phone system using toy whistles and moved on to employees using inside access to embezzle money.

The first computer virus came out in 1982; it was a prank devised by a 15-year-old. Then the first malicious code, in the guise of the Morris worm, was created by a Cornell graduate student and infected about 6,000 computers. 20,000 attendees of the 1989 World Health Organization's AIDS Conference experienced the first instance of ransomware, deployed from a floppy disk and asking for US$189 in exchange for the decryption key.

In 1999, the first mass emailing virus interrupted over a million email accounts across the globe, causing an estimated US$80 million in damages. The first juvenile hacker was jailed in 2000 for hacking into NASA, the Pentagon and the Department of Defense just for the challenge. But in 2010, we saw Chinese hackers steal Google's intellectual property in a sophisticated attack which was both criminal and disruptive.

The motivation shifted in 2013 when Target was breached during the Christmas shopping season. Hackers obtained about 40 million credit card and debit cards by using stolen credentials they obtained from a third-party vendor.

The numbers kept on rising, with over 500 million Yahoo users finding themselves victim to their account details and personally identifiable information being hacked. Having realized the potential for incredible financial gain, cybercriminals focused on finding ways to steal as many financial details and as much personally identifiable information as possible. The added bonus is that these details can be sold multiple times to other cybercriminals.

2014 saw 56 million credit cards compromised from Home Depot customers, then 83 million accounts compromised at JP Morgan Chase. 79 million Anthem accounts were compromised in 2015, and in 2017 the global WannaCry ransomware was unleashed on the world, causing considerable chaos across the globe, affecting more than 150 countries and over 300,000 people.

Not happy with that, cybercriminals moved their focus to universities, where in 2018 we saw 144 US and 176 outside-the-US universities attacked by Iranian hackers. Why? To steal over US$3 billion in intellectual property. In 2019, 540 million records were stolen from Facebook users, and in 2020 CAM4 had its server breached, with over 10 billion records exposed. 2021 gave us the Russian-led SolarWinds cyberattack that spread to its clients, undetected for months, and we have just seen the fallout of the recent cyberattack on the US oil and gas pipeline, with global implications.

The history of cyberattacks (and these are only the tip of the iceberg) shows us a clear change in behavior from innocent curiosity to intentional criminal activity and cyber warfare.

There is no doubt that the behavior of cybercriminals has become extremely dangerous and will only get worse.

Richard Marr, General Manager APAC at Auth0

Hackers are continually becoming more creative and refining their tactics to steal and sell user data. As our lives are more reliant on digital platforms at work and at home, there is an increased threat around online account credentials.

A key development was the use of botnets and automated tools. Traditionally, brute force-type attacks are easy to mitigate, but once you spread them across a huge number of bots – where each bot has its own IP and most of them are recycled from residential IP addresses (not blacklists) – one bot sending five requests every 10 minutes doesn’t look that suspicious. 

Multiply that by ten-thousand, and you’re getting somewhere, and the victim site doesn’t really notice. It’s not like your company’s internal records are one day posted on the Internet. It’s a slow attrition of user accounts that you may not be aware of.

In most cases of cyberattack, identity isn’t just the safe – it’s the keys. The use of stolen credentials is one of the most common methods used in observed data breaches according to the 2020 Verizon Data Breach Investigations Report.

In APAC, 30% of hacking attacks used stolen credentials or exploited vulnerabilities against web applications. We know people reuse their passwords. So, hackers simply take credentials leaked in data breaches and try them against other sites.

They do this in an automated fashion that is called a credential stuffing attack, so that they can try thousands of credentials over time. It’s really a numbers game. If just 0.01% of a massive list of credentials are reused on a second website, you can still take over a significant number of accounts.

The resulting fraud can range from everyday purchase of goods, gift cards or voucher codes at e-commerce firms, to stealing points in loyalty programs of airlines and hotel chains. The theft of insignificant amounts of money from companies means they often go unnoticed, but the cost to the business can add up.

According to a study by Ponemon Institute, credential stuffing attacks in the region cause costly application downtime, loss of customers and involvement of IT security, which can result in an average cost of $1.2 million, $1.5 million and $1.1 million annually, respectively.
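The low-and-slow pattern described above (one bot, a few requests, many bots in parallel) is exactly what defeats a per-IP lockout rule. The following is an added example, written for this article and not code from Auth0 or any of the contributors, showing why an aggregate view of authentication failures catches what the per-IP view misses. The log line format, the address ranges, the usernames and every threshold are assumptions chosen for the illustration; the log lines are constructed in the script, not captured from a real system.

```python
"""Added example (not from the article): telling distributed credential stuffing
apart from a single-source brute force in web-application authentication logs.
Log format, addresses, account names and thresholds are assumptions; all log
lines are constructed here, not captured from any real system."""
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_FMT = "%Y-%m-%dT%H:%M:%S"
START = datetime(2021, 6, 1, 10, 0, 0)   # constructed one-hour observation period


def fmt(ts, ip, user, result):
    return f"{ts.strftime(LOG_FMT)} src={ip} user={user} result={result}"


def build_stuffing_log(seed=1, bots=400, attempts_per_bot=5):
    """Constructed log: normal traffic plus a stuffing campaign in which each bot
    tries a handful of leaked username/password pairs from its own address."""
    rng = random.Random(seed)
    lines = []
    for _ in range(30):   # legitimate successful logins
        ts = START + timedelta(seconds=rng.randrange(3600))
        lines.append(fmt(ts, f"198.51.100.{rng.randrange(1, 200)}", f"user{rng.randrange(2000)}", "OK"))
    for _ in range(8):    # legitimate users mistyping a password
        ts = START + timedelta(seconds=rng.randrange(3600))
        lines.append(fmt(ts, f"198.51.100.{rng.randrange(1, 200)}", f"user{rng.randrange(2000)}", "FAIL"))
    leaked_users = (f"user{n}" for n in range(10000, 10000 + bots * attempts_per_bot))
    for b in range(bots):
        ip = f"100.64.{b // 256}.{b % 256}"   # constructed bot addresses
        for _ in range(attempts_per_bot):
            ts = START + timedelta(seconds=rng.randrange(3600))
            lines.append(fmt(ts, ip, next(leaked_users), "FAIL"))
    return sorted(lines)


def build_bruteforce_log(seed=2, attempts=50):
    """Constructed log: one address hammering a single account (the classic pattern)."""
    rng = random.Random(seed)
    return sorted(fmt(START + timedelta(seconds=rng.randrange(3600)), "203.0.113.9", "admin", "FAIL")
                  for _ in range(attempts))


def parse_log(lines):
    events = []
    for line in lines:
        ts, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append({"ts": datetime.strptime(ts, LOG_FMT), "ip": fields["src"],
                       "user": fields["user"], "result": fields["result"]})
    return events


def bucket_by_window(events, minutes=60):
    """Group events into fixed windows (minutes must divide 60) so rules run per window."""
    buckets = defaultdict(list)
    for e in events:
        ts = e["ts"]
        buckets[ts.replace(minute=ts.minute - ts.minute % minutes, second=0)].append(e)
    return buckets


def summarize_failures(events):
    fails = [e for e in events if e["result"] == "FAIL"]
    per_ip = Counter(e["ip"] for e in fails)
    per_user = Counter(e["user"] for e in fails)
    total = len(fails)
    return {
        "failures": total,
        "distinct_ips": len(per_ip),
        "distinct_users": len(per_user),
        # share of all failures produced by the single busiest address
        "max_ip_share": max(per_ip.values()) / total if total else 0.0,
        # near 1.0 when every failure hits a different account (stuffing),
        # near 0.0 when failures pile up on one account (brute force)
        "user_diversity": len(per_user) / total if total else 0.0,
    }


def per_ip_rule(events, threshold=10):
    """Classic control: block an address after N failures in the window."""
    fails = Counter(e["ip"] for e in events if e["result"] == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def distributed_stuffing_rule(events, min_failures=100, max_ip_share=0.02, min_user_diversity=0.8):
    """Aggregate control: many failures, no dominant address, one attempt per account."""
    s = summarize_failures(events)
    flagged = (s["failures"] >= min_failures
               and s["max_ip_share"] <= max_ip_share
               and s["user_diversity"] >= min_user_diversity)
    return flagged, s


def analyse(lines):
    """Run both rules over every window; returns {window: (blocked_ips, stuffing_flag, stats)}."""
    results = {}
    for window, events in sorted(bucket_by_window(parse_log(lines)).items()):
        flagged, stats = distributed_stuffing_rule(events)
        results[window] = (per_ip_rule(events), flagged, stats)
    return results


if __name__ == "__main__":
    for name, log in (("stuffing", build_stuffing_log()), ("bruteforce", build_bruteforce_log())):
        for window, (blocked, flagged, stats) in analyse(log).items():
            print(f"{name} {window:%H:%M}: per-IP blocks={blocked} stuffing={flagged} {stats}")
```

Run as written, the per-IP rule blocks nothing in the stuffing scenario (every bot stays at five failures) while the aggregate rule flags the window on roughly two thousand failures spread so thinly that no address accounts for even 1% of them, each against a different account. The brute-force scenario is the reverse: the per-IP rule fires and the aggregate rule stays quiet. The thresholds are starting points to tune against a site's own baseline, and the aggregate signal is a trigger for step-up authentication or a breached-password check rather than a blanket block, since it does not identify any one client.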

Intelligent CIO APAC