Brad Garnett

Winter 2020-2021: Talos IR Quarterly Trends

For the seventh quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. The top variants were Ryuk and Vatet, which is notable given the absence of Ryuk last quarter. We also observed variants of Egregor and WastedLocker continuing to target organizations across the globe.

Unlike last quarter, however, these ransomware attacks overwhelmingly relied on phishing emails delivering commodity trojan maldocs, such as Zloader, BazarLoader and IcedID. Nearly 70 percent of ransomware attacks relied on commodity trojans this quarter. Adversaries also employed commercially available tools such as Cobalt Strike, open-source post-exploitation tools like BloodHound, and tools native to the victim's system, such as PowerShell. For a broader breakdown of these trends, check out our summary here.