Iranian hackers behind biggest ransomware attacks of 2021: report

Iranian hackers used ransomware tools the most in 2021 to steal data and blackmail users and companies, while hackers from China were the biggest exploiters of software vulnerabilities around the world in the same period, reveals a new report from cybersecurity firm CrowdStrike.

Iran-based hacker groups, according to the report released on Friday, have been focusing on using ransomware as their key tool since late 2020. The use of ransomware in global cybercrimes rose by 82 percent through the year, the report added. Through 2021, Iranian groups such as BlackShadow and Deus figured among the biggest ransomware users in the world – targeting both Iranian and global companies.

The groups in question were seen to be conducting ‘lock and leak’ operations – where the attackers lock down a system by using ransomware, and subsequently leak sensitive company information through their own channels on the Dark Web.

This is not the first time that Iranian hackers have been linked to increasing ransomware activities. In November 2021, a report by the Microsoft Threat Intelligence Centre (MSTIC) and Digital Security Unit (DSU) noted that hacker groups based in Iran were increasingly targeting Indian companies in the information technology (IT) space – something that was not prevalent until at least July 2021.

“Most of the targeting is focused on IT services companies based in India, as well as several companies based in Israel and United Arab Emirates. Although different in technique from other recent supply chain attacks, these attacks represent another example of how nation state actors are increasingly targeting supply chains as indirect vectors to achieve their objectives,” the Microsoft report stated.

Also read: Russia-linked hackers amass 74% of ransomware revenues in 2021: Report

CrowdStrike said that 2021 also saw a rise in the number of ransomware families, or groups of malware that attack a server or internet-facing company infrastructure to lock them down and subsequently ask for ransom. The company observed 2,686 ransomware attacks through 2021 – up from 1,474 recorded ransomware attacks in 2020. 

“Given the success of these operations, Iran will likely continue to use disruptive ransomware into 2022,” it said.

Ransomware exploits have also contributed to a growing volume of ‘criminal whales’, or cryptocurrency wallets with holdings above $1 million – where at least 10 percent of credited funds were linked to blacklisted addresses. The 2022 Crypto Crimes Report by blockchain data tracker Chainalysis said that as holdings in criminal whales rose to over $25 billion in 2021, ransomware bounties contributed $30 million to this haul.

Chinese hackers, meanwhile, made a shift in their overall attack strategy last year – moving from user-centric attacks to exploiting new, unpatched enterprise vulnerabilities. These unpatched, new exploits are called ‘zero-day’ flaws, which stand for security gaps that have remained unpatched in an existing cyber architecture. 

To this end, CrowdStrike says that while Chinese hacking groups made two such exploits in 2020, the number rose to 12 exploits in 2021. India has been on the target radar of Chinese attackers, too.  

In September 2021, a report by American cyber security company Recorded Future stated that Chinese government-backed hackers used a malware family named ‘Winnti’, which is typical to Chinese hacker groups, to target organisations in India. The list of targets allegedly included the Unique Identification Authority of India (Uidai) – which issues India’s Aadhaar identification document. Uidai, though, had denied the claims behind the report.