Cyber-extortionists are no joke: last year, a large ransom DDoS campaign was aimed at the finance industry. These cybercriminals then circled back to earlier victims who had not paid, at an even more aggressive rate than during their first collection attempt, and this second round lasted through the first half of Q1 2021. Other industries, such as biotechnology and pharmaceuticals, experienced steady waves of minor attacks targeting their operations, much as they had in Q4 2020.
To cope with the pandemic, organizations began relying on remote operations, teleworking and remote access infrastructure. As a result, DDoS actors found new opportunities and began targeting the backend of organizations' communication infrastructure. Several global organizations had branches and remote offices impacted during this period, with actors leveraging new tactics to hurt organizational productivity by targeting internet connectivity and remote access. Because these links have limited bandwidth, attackers achieved more impact with less traffic and disrupted organizations' operations.
Q4 vs. Q1: Monthly Volume of Attacks
The total number of attacks in Q1 decreased compared to Q4, but not for lack of trying: total attack volume rose sharply. The average attack size, however, fell from over 315Mbps in December to just below 150Mbps in Q1 2021. In March 2021, one in every 1,000 attacks exceeded 10Gbps, compared to three per 1,000 attacks in December 2020.
Attacks by Industry
Activity in the healthcare industry shifted to a smaller number of attacks targeting hospitals towards the end of Q1, while the biotechnology and pharmaceutical industries saw more intense attacks on their public assets.
In contrast, the government sector experienced fewer attacks but higher volumes towards the end of Q1, vastly different from Q4, which saw high numbers of low-volume attacks.
Dissecting attacks on the finance industry shows a shift from infrequent, high-volume attacks in Q4 to smaller, more frequent global attacks in March, impacting more offices and branches of multinational organizations.
What They Targeted: On-Premise vs. Cloud Mitigated
In Q1 of this year, more than 85% of attacks were mitigated on-premise. When attack volumes approach the saturation level of the internet connection, on-premise devices divert traffic to the cloud; on-premise detection and mitigation alone would fail to stop the remaining 15% of attacks. Where the latency introduced by cloud protection is a concern, 85% of attacks can still be mitigated by on-premise equipment. Intrusions made up 73% of all malicious events, with the majority mitigated on-premise. Cloud scrubbing centers were responsible for mitigating 94% of DoS events.
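The on-premise/cloud diversion described above, as an added example that is not the report's or any vendor's code: a hysteresis-based decision that hands an attack to cloud scrubbing when its rate approaches link saturation and returns it on-premise only once it has clearly subsided. Link capacity, thresholds and the traffic samples are assumed values.

```python
from dataclasses import dataclass


@dataclass
class DiversionPolicy:
    """Hybrid DDoS mitigation policy. Thresholds are hypothetical, not vendor defaults."""
    link_mbps: float            # capacity of the protected internet connection
    divert_ratio: float = 0.8   # divert to cloud when attack rate reaches 80% of link
    return_ratio: float = 0.5   # return on-premise only once rate drops below 50%
    min_cloud_samples: int = 3  # stay in cloud at least this many intervals (hysteresis)


def plan_mitigation(policy, samples_mbps):
    """Walk a series of measured attack rates (Mbps, one per interval) and return
    an 'onprem' or 'cloud' decision per interval. The two thresholds plus the
    minimum dwell time prevent flapping between the appliance and the scrubbing center."""
    decisions = []
    in_cloud = False
    cloud_since = 0
    for i, rate in enumerate(samples_mbps):
        if not in_cloud and rate >= policy.divert_ratio * policy.link_mbps:
            in_cloud = True          # link is near saturation: hand off to cloud
            cloud_since = i
        elif (in_cloud and rate < policy.return_ratio * policy.link_mbps
              and i - cloud_since + 1 >= policy.min_cloud_samples):
            in_cloud = False         # attack subsided long enough: back on-premise
        decisions.append("cloud" if in_cloud else "onprem")
    return decisions


def mitigation_share(decisions):
    """Fraction of intervals handled on-premise vs. in the cloud."""
    n = len(decisions) or 1
    cloud = decisions.count("cloud")
    return {"onprem": (n - cloud) / n, "cloud": cloud / n}


# Constructed sample: a 1 Gbps link under a ramping, then fading, attack (Mbps per interval).
SAMPLE_RATES = [120, 300, 650, 820, 950, 1100, 700, 450, 300, 200, 150]

if __name__ == "__main__":
    policy = DiversionPolicy(link_mbps=1000)
    plan = plan_mitigation(policy, SAMPLE_RATES)
    for rate, where in zip(SAMPLE_RATES, plan):
        print(f"{rate:>5} Mbps -> {where}")
    print(mitigation_share(plan))
```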
The Effect Time of Day Had on Attacks
In Q4, the government was the most attacked industry. Towards the end of Q1, it was superseded by the finance industry.
There is a distinctive pattern with respect to timing. The highest concentration of attacks occurred during business hours, Monday through Friday. Very few attacks were recorded during the holidays. It is also worth noting that the number of attacks initiated at night is lower than the number launched during office hours, and this holds consistently across time zones.
In conclusion, the biotechnology and pharmaceutical industries continued to experience attacks; however, the threat landscape shifted from fewer, high-volume attacks to minor attacks characterized by lower volumes.
Overall, major attacks of 10Gbps or more tripled in Q1 of 2021 versus December of 2020. And though the number of attacks held steady (down 2% from Q4 of 2020), attack volumes increased by 31%.