Ransomware actors test new extortion methods | Cobalt Strike is on the rise | Commodity malware can invade OT from IT space | Dark Web actors challenge IT and OT networks
Since the beginning of 2021, Accenture CTI observed a slight but noticeable increase in threat actors selling malware logs, which constitute data derived from information stealer malware.51 Information stealers can collect and log a wide range of sensitive system, user and business information, such as the following:

• System information
• Web browser bookmarks
• Web session cookies
• Login credentials (websites, Remote Desktop Protocol (RDP), Secure Shell Protocol (SSH))
• Payment card data
• Cryptocurrency wallet addresses

A threat actor can use malware logs to masquerade as a legitimate network user and avoid detection, gaining initial access to a victim system by using valid credentials. Threat actors often use malware logs to access an organization’s Web resources and attempt to access privileged administrator accounts on an organization’s webservers. In some cases, they may try to access computers on a victim’s network via services like RDP or SSH. A common alternative action is for threat actors to sell malware logs directly to hackers, or to sell them in bulk to “malware log” Dark Web marketplaces, such as Genesis Market or Russian Market.

Accenture CTI considers the malware logs that Dark Web actors sell in Genesis Market to pose a particularly serious threat to organizations’ IT and OT assets. Genesis Market has drastically lowered barriers to entry for malware log exploitation by compiling and selling malware logs in a format Genesis ads dub “bots” or “plug-ins.” Even less technically savvy threat actors can intuitively use a plug-in with Genesis’ freely available Web browser.
• Undertake responsible monitoring: Seek early warning of potential unauthorized access through responsible Dark Web monitoring, whether directly or through a cyber threat intelligence provider.

• Increase intelligence sharing of incident response analysis: Share information to identify threat signatures and attribution, plan and execute defense and response and prepare network defense and business operations for future threat activity.

• Prepare a continuity of operations plan: Anticipate and develop contingency plans for a potential theft of administrator credentials, a bypass of Endpoint Detection and Response systems and physical shutdowns (either as preventive or reactive measures), to prepare network and business operations for the future occurrence of a ransomware or similar event.
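From the defender's side, the information-stealer logs described above and the monitoring recommendation both come down to one question: which records in an obtained log expose our own assets? The following added example (not Accenture's code or tooling) triages a batch of stealer-log records in a constructed "URL user password" layout against an organization's domains, flagging exposed organization accounts, RDP/SSH credentials of the kind the text describes, and users whose organization password also appears on an external site. The domain example.com, the record layout and every sample value are constructed assumptions.

```python
# Added example (not Accenture's tooling): triage stealer-log records against org assets.
from urllib.parse import urlsplit
ORG_DOMAINS = {"example.com"}           # assumed: domains the defender owns (reserved name)
REMOTE_ACCESS_SCHEMES = {"rdp", "ssh"}  # services the report names as targets for stolen creds
# Constructed sample in a common stealer-log shape: one "URL USER PASSWORD" per line.
SAMPLE_LOG = """\
https://mail.example.com/owa jdoe Winter2021!
rdp://10.20.30.40 admin.jdoe Pa55w0rd
ssh://build01.example.com deploy hunter2
https://shop.example.net jdoe Winter2021!
this line is malformed and is skipped
"""

def parse_record(line):
    """Return (scheme, host, user, password) for one record, or None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    url, user, password = parts
    split = urlsplit(url)
    if not split.scheme or not split.hostname:
        return None
    return split.scheme.lower(), split.hostname, user, password

def host_is_ours(host):
    """True when host is an organization domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)

def triage(log_text):
    """Findings a defender acts on: exposed org accounts, RDP/SSH credentials, and users
    whose org password also appears on an external site. Passwords are never returned."""
    org_creds, remote_access, reused = set(), set(), set()
    org_pw, ext_pw = {}, {}  # user -> passwords seen on org / external hosts (in memory only)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # malformed record: skip it rather than abort the whole batch
        scheme, host, user, password = rec
        ours = host_is_ours(host)
        (org_pw if ours else ext_pw).setdefault(user, set()).add(password)
        if ours:
            org_creds.add((host, user))
        if scheme in REMOTE_ACCESS_SCHEMES:  # keep bare-IP hits: the host may be ours
            remote_access.add((scheme, host, user))
    for user, passwords in org_pw.items():
        if passwords & ext_pw.get(user, set()):
            reused.add(user)
    return {"org_credentials": sorted(org_creds),
            "remote_access": sorted(remote_access),
            "likely_reused": sorted(reused)}
```

Running `triage(SAMPLE_LOG)` yields a reset queue: the two organization accounts, the RDP and SSH entries, and jdoe as a password-reuse case.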
But low rates of network monitoring52 make it difficult for OT incident responders to identify attack vectors and causes of intrusion—and leave them unable to advise on how to secure OT systems. As a result, securing edge devices has become as important as securing ICS themselves.

Policy matters. On December 4, 2020, former President Trump signed the Internet of Things Cybersecurity Improvement Act of 2020.53 The act encourages government agencies to work collaboratively so that IoT security policies are consistent with National Institute for Standards and Technology (NIST) recommendations.54 The law promises greater security for edge devices and addresses some longstanding challenges. On May 12, 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity, which includes direction to create pilot cybersecurity labelling programs to educate the public on security capabilities of IoT devices and software development practices.55

Stringent edge device policies may encourage organizations to allocate funds from many parts of the business to bolster security efforts. With investment in the right places, security leads can secure edge devices in OT environments through a combination of monitoring, response and intelligence.
6. Accenture Cyber Threat Intelligence, “Ransomware Attack on Cyber Insurer Highlights Risks to Cyber Insurance Sector and its Customers,” April 8, 2021. IntelGraph reporting.
7. Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak CGG Data on Name-and-Shame Site on 1 March 2021,” March 10, 2021. IntelGraph reporting; Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak CSX Documents on Name-and-Shame Site on 2 March 2021,” March 10, 2021. IntelGraph reporting.
8. Mansfield, Paul, “Tracking and combatting an evolving danger: Ransomware extortion,” December 15, 2020; Khodzhibaev, Azim et al, “Interview with a Lockbit Ransomware Operator,” Talos, January 4, 2021; Smilianets, Dmitry, “‘I scrounged through the trash heaps… now I’m a millionaire:’ An interview with REvil’s Unknown,” March 16, 2021.
13. “What We Know About the DarkSide Ransomware and the US Pipeline Attack,” TrendMicro, May 12, 2021.
14. Accenture Cyber Threat Intelligence, “Ransomware Gang Extortion Techniques Evolve in 2020 to Devastating Effect,” November 6, 2020. IntelGraph reporting.
15. Mansfield, Paul, “Tracking and combatting an evolving danger: Ransomware extortion,” December 15, 2020.
16. Accenture Cyber Threat Intelligence, “iDefense Global Research Intelligence Digest for 31 March 2021,” March 31, 2021. IntelGraph reporting.
17. Abrams, Lawrence, “Ransomware gang plans to call victim’s business partners about attacks,” March 6, 2021.
23. Ilascu, Ionut, “Hackers use black hat SEO to push ransomware, trojans via Google,” Bleeping Computer, March 1, 2021.
24. Welling, Eric, “It’s getting hot in here! Unknown threat group using Hades ransomware to turn up the heat on their victims,” Accenture, March 26, 2021.
25. Michael, Melissa, “Episode 49 | Ransomware 2.0, with Mikko Hypponen,” F-Secure, January 19, 2021.
26. Toby L, “The rise of ransomware,” National Cyber Security Centre, January 29, 2021.
27. “Adversary Infrastructure Report 2020: A Defender’s View,” Recorded Future, January 7, 2021.
28. Cunliffe, Amy, “The development of Mimir (Amy Cunliffe, Accenture),” CREST Videos, April 9, 2021.

2021 Cyber Threat Intelligence Report 21

29. “Threat Landscape Trends – Q3 2020,” Symantec, December 18, 2020.
30. “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor,” FireEye, December 13, 2020.
31. “Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop,” Microsoft, January 20, 2021.
32. Welling, Eric, “It’s getting hot in here! Unknown threat group using Hades ransomware to turn up the heat on their victims,” Accenture, March 26, 2021.
33. Accenture Cyber Threat Intelligence, “Microsoft Exchange On-Premise Zero-Day Vulnerabilities Related Malware Activity in March 2021,” March 10, 2021. IntelGraph reporting.
34. “HAFNIUM targeting Exchange Servers with 0-day exploits,” Microsoft, March 2, 2021.
35. Accenture Cyber Threat Intelligence, “EvilGrab and Cobalt Strike Beacon Observed having Shared Infrastructure and Communicating,” February 3, 2021. IntelGraph reporting.
36. Accenture Cyber Threat Intelligence, “Spam Campaign Distributes Gziploader to Deploy IcedID (a.k.a. BokBot) Malware in March 2021,” April 14, 2020. IntelGraph reporting.
37. Accenture Cyber Threat Intelligence, “Technical Analysis of DoppelDridex,” April 27, 2021. IntelGraph reporting.
38. Stone-Gross, Brett; Frankoff, Sergei; and Hartley, Bex, “BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0,” July 12, 2019.
39. Accenture Cyber Threat Intelligence, “iDefense Global Research Intelligence Digest for 6 April 2021,” April 6, 2021. IntelGraph reporting.
40. Accenture Cyber Threat Intelligence, “MAN1,” July 16, 2016. IntelGraph reporting.
41. Seals, Tara, “Accellion FTA Zero-Day Attacks Show Ties to Clop Ransomware, FIN11,” Threatpost, February 22, 2021.
42. Accenture Cyber Threat Intelligence, “SITREP: Accellion FTA,” March 5, 2021. IntelGraph reporting.
43. Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak Qualys Documents on Name-and-Shame Site on 3 and 4 March 2021,” March 4, 2021. IntelGraph reporting.
44. Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak CGG Data on Name-and-Shame Site on 1 March 2021,” March 10, 2021. IntelGraph reporting.
45. Accenture Cyber Threat Intelligence, “CLOP Ransomware Operators Leak CSX Documents on Name-and-Shame Site on 2 March 2021,” March 10, 2021. IntelGraph reporting.
46. Welling, Eric, “It’s getting hot in here! Unknown threat group using Hades ransomware to turn up the heat on their victims,” Accenture, March 26, 2021.
47. Accenture Cyber Threat Intelligence, “Hades Ransomware Affects Large Corporate Networks from December 2020 to March 2021,” April 9, 2021. IntelGraph reporting.
48. Accenture Cyber Threat Intelligence, “Hades Ransomware Affects Large Corporate Networks from December 2020 to March 2021,” April 9, 2021. IntelGraph reporting.
49. Arghire, Ionut, “Boat Building Giant Beneteau Says Cyberattack Disrupted Production,” Security Week, March 1, 2021.
50. Bertrand, Natasha et al, “Colonial Pipeline did pay ransom to hackers, sources now say,” CNN, May 13, 2021.
51. Accenture Cyber Threat Intelligence, “Monthly Reconnaissance Report,” April 1, 2021.
52. Filkins, Barbara; Wylie, Doug, “SANS 2019 State of OT/ICS Cybersecurity Survey,” SANS, June 2019. Slightly over 50% of survey respondents reported continuous monitoring to detect vulnerabilities, and only 1/3 of 25 surveyed OT/ICS security monitoring technologies were in use across all respondents.
53. United States Congress, “PUBLIC LAW 116–207—DEC. 4, 2020,” December 4, 2020.
54. United States Congress, “PUBLIC LAW 116–207—DEC. 4, 2020,” December 4, 2020.
55. The White House, “Executive Order on Improving the Nation’s Cybersecurity,” May 12, 2021.
56. Accenture Cyber Threat Intelligence, “Threat Actor … Advertise Compromised Citrix Access to Three Large Corporations,” February 26, 2021. IntelGraph reporting.
57. “Groups,” MITRE, accessed May 27, 2021.
58. “Fox Kitten Campaign,” Clearsky Cyber Security, February 16, 2020.
59. “Managed Security,” Accenture, accessed April 4, 2020.
Josh Ray is Managing Director for Cyber Defense across Accenture globally. Josh has more than 20 years of combined commercial, government and military experience in the field of cyber intelligence, threat operations and information security. He holds a Bachelor of Science degree in information technology from George Mason University, an Executive Certificate in strategy and innovation from MIT Sloan School of Management and served honorably as a member of the United States Navy.

Howard Marshall is Managing Director for Accenture Cyber Threat Intelligence (CTI) and leads the business globally. Prior to joining, Howard was FBI Deputy Assistant Director of the Cyber Readiness, Outreach and Intelligence Branch. He holds a Bachelor of Arts degree in Political Science and a Juris Doctorate from the University of Arkansas.

Jayson Jean is Director of Business Operations for Accenture CTI in North America and the Asia Pacific region, with responsibility for business development of the Cyber Threat Intelligence portfolio. Prior to this role, Jayson has 14 years of experience building the strategic direction and leading product development for vulnerability management at Accenture CTI.
This document refers to marks owned by third parties. All such third-party marks are the property of their respective owners.
No sponsorship, endorsement or approval of this content by the owners of such marks is intended, expressed or implied.
This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.
Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation.
The information in this report is general in nature and does not take into account the specific needs of your IT ecosystem and network, which may vary and require unique
action. As such, Accenture provides the information and content on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to
act taken in response to the information contained or referenced in this report. The reader is responsible for determining whether or not to follow any of the suggestions,
recommendations or potential mitigations set out in this report, entirely at their own discretion.