Article
Cybersecurity Trends: What We Saw in 2020, What We Expect to See in 2021
Cybersecurity Trends

Where change seems a constant, perhaps the biggest and most surprising cybersecurity issue of 2020 was a lack of change. But before we get to that, let’s look at some other key cybersecurity trends.
A continued rise in ransomware attacks
Kidnapping data and holding networks hostage remains a lucrative “business.” In the past year, the number of groups exfiltrating data for double extortion schemes has risen from two to 27.
With so many new entrants on the playing field, it may not come as much of a surprise that Arete saw the number of cases involving data exfil increase by a factor of six from Q4 2019 to Q4 2020.
As data exfiltration became a “common norm” by mid-2020, cyber burglars started to pay closer attention to the data they stole. It was a calculated move that often paid off.

After exfiltrating and encrypting a company’s data, they not only demanded ransoms for decryption, but also applied additional pressure for payments by threatening to sell or post the stolen information to leak sites, also referred to as “double-extortion.” Quite often, in either a blog post or during ransomware negotiations, they would provide specific files — which may have contained social security numbers, credit card information, or even, GDPR-regulated information on EU citizens — as “proof of exfiltration.”
While Maze successfully blazed the leak-site “shaming” trail back in 2019, multiple variants followed suit. By late summer 2020, the trend had evolved even further. Smaller variants were teaming with larger groups to reap the benefits of hosting files on established blog sites.
Big or small, all companies live or die by their reputation. If a single negative online review can get customers second-guessing, imagine the potential damage when a company needs to notify its customers of the theft and sale of their personally identifiable information (PII).
And sure, ransomware attacks on larger companies may get more press coverage, but it’s especially noteworthy that threat actors are increasingly targeting small- to medium-sized businesses (SMBs). According to ConnectWise’s “The State of SMB Cybersecurity in 2020” report, 55 percent of SMBs experienced a cyberattack in 2020. At Arete, we saw attacks on SMBs increase by a factor of three over the course of the year.
In 2021, there’s little doubt these numbers will continue to rise. We can expect threat actors to continue to focus on unpatched, under-secured SMB networks — especially as it’s no secret that the SMB market lacks the resources to pour into cybersecurity to protect the perimeter.
Often, these businesses don’t even have IT staff let alone the in-house security skills to defend against these types of threats. In short, they’re sitting ducks, hamstrung for many reasons, not least of which is an inability to make timely, informed decisions. Attackers know all of this, and they exploit weaknesses primarily for monetary gain.
Remote access compromises more than doubled
The COVID-19 pandemic certainly added its own twist to cybersecurity. With government mandates to shutter physical offices, many organizations had to adapt quickly to connect their workforce remotely. For some, this meant upgrading their VPN appliances. For others, it required implementing net-new remote access.
In both scenarios, the haste of implementation and upgrades created a metaphorical candy store for cybercriminals to ransack. Loads of misconfigurations, disabling of multifactor authentication (MFA) services, and phishing attacks added to the stress of an already chaotic time. For example, in the cases Arete worked last year, more than 90 percent of clients did not have MFA in place.

For SMBs, average ransom demands tripled, and payments doubled last year. In 2021, we expect more of the same. Ransomware groups will continue to increase attacks on the SMB market while also raising ransom demands and joining forces with other cybercrime groups to wreak maximum damage.
Threat actors stole and publicly released private red team tools
On November 11, 2020, Bleeping Computer published an article stating that someone had allegedly stolen and leaked the source code for the popular post-exploitation framework Cobalt Strike. The leak was identified from a GitHub account, which anyone could access and download.
Cobalt Strike itself is designed with optimum stealth. Essentially, when the program runs on an endpoint, it loads into the computer’s memory and “calls home” (aka beacons). When the command-and-control (C2) server establishes a connection, the attacker can perform any number of actions on the infected system without leaving much, if any, trace of activity.
Cobalt Strike’s stealth evades a large majority of AV products and even, some EDR solutions; and because forensic data is not captured when attackers use Cobalt Strike, it’s difficult to recreate their activity. Arete has observed attackers leveraging Cobalt Strike to move laterally within the environment, establish persistence, harvest credentials, and exfiltrate data.
An interesting observation and point of correlation: Since the source code was posted publicly, downloads from GitHub were anonymous. However, it’s also important to note that while many popular groups — such as Maze (no longer operating), Wasted Locker, Egregor, and Conti — leveraged Cobalt Strike prior to November 11, 2020, Lockbit emerged as the only group that did not leverage it prior to November 11. Given the publicity and strength of Cobalt Strike, we can expect to see wider adoption and use of the post-exploitation framework throughout 2021.

It’s common knowledge that many organizations purchase cyber insurance policies; and now, cyber thieves will explicitly look to target such organizations. On the off chance they find and steal cyber policies, they can use that information to set the ransom price accordingly — and they don’t care how new a policy is. If they obtain an older policy, they most likely know that the monetary coverage amount should still apply, which can then make ransom negotiations that much more difficult.
Most will state up front, “We know the coverage limit is $1 million and we won’t accept less than $900,000. You can use the remaining $100,000 for your legal fees.” The problem with these kinds of assumptions is that, nearly 100 percent of the time, they’re incorrect. Threat actors have minimal understanding of the insurance business and how to read policies. The reality is that there is very little money left to play with.
This trend will continue in 2021, with these groups increasing pressure on victim organizations by searching for sensitive information and cyber policies and contacting and harassing victims or clients of victims via phone or email.
A bigger issue for SMBs: overall cybersecurity
Though ransomware will continue to plague SMBs, these types of attacks are just a symptom of the market’s overall cybersecurity issues. Consequently, because so many SMBs lack security resources, it may be time for them to consider outsourcing. Managed detection and response (MDR) services can offer a cost-effective option that would allow them to re-focus on their core competencies while leaving defense to those with the requisite skills and experience.
At Arete, if we’ve heard it once, we’ve heard it a thousand times. Incident after incident, it’s the same story. A client calls about a breach and as soon as we hear what security products and configurations are in place, we know their next words before they can say them. The “script” goes something like this:
VICTIM
IT received a call that our sales team couldn’t access their email. When IT logged into the Exchange server, they found all the files with a random extension and a readme.txt ransom note.
ARETE
Do you have RDP enabled for external access? Essentially, if I were working from home, could I use RDP to connect to the network? Also, is the file extension different on every system? Does the readme note contain a reference to TOR browser?
VICTIM
Yes. Yes, to all.
ARETE
That’s most likely Sodinokibi ransomware. We will confirm it once we receive the ransom note.
To be frank, we haven’t seen any real change in most points of entry or password usage, not only in 2020, but since the 90s. It’s time to rewrite the script. Most SMB IT technology implementations date back to the early 2000s, and the market hasn’t seen the need to upgrade or enhance security since. RDP is one of the easiest remote access technologies to implement, yet the hardest to secure. Without SMBs putting an emphasis on security, “technologies from the 90s” will continue to be used — and exploited.
Too often, companies with thousands of endpoints will not have an endpoint detection and response (EDR) solution. They may have the latest security technologies in place, but ones that threat actors easily bypass. The toughest aspect of having a threat actor bypass a security product is explaining to clients that the relabeling of their antivirus (AV) product to an endpoint product was just marketing. An AV product isn’t tamperproof. And once attackers gain domain or local administrator privileges, they will disrupt the AV service, unloading virus definitions, disabling the service, whitelisting a folder where they plan to store their tools, and even, uninstalling the product.
By contrast, a true EDR tool will not hook into Active Directory and can’t be uninstalled, disabled, or unloaded by a domain administrator. Rather, only the central console can control the EDR tool. If you’re having doubts about that last statement, take a look at Gartner’s Peer Insights on EDR tools. The reviews may surprise you.
Cybersecurity requires more than technology
The right technology is crucial and can give you a leg up, but it doesn’t replace the experience, talent, and know-how to implement that technology. Again, service delivery will become increasingly important in 2021. In this regard, companies need to: 1) establish and follow the proper protocols in response to attacks; and 2) never cease to innovate and become more relentless in leveraging early warning systems, utilizing threat intelligence, and integrating automation.
A consistent commonality across SMBs is that, while they have successful businesses, they lack documented policy specifically around disaster recovery, responding to computer security events, and general security-leading practices. Managed service providers can work with SMBs to build and enhance security-focused programs to mitigate threats against their organizations. They can apply knowledge they’ve gained from the large Fortune 500 company engagements into a practical format that is easily integrated into SMB business operations.
What’s more, managed services providers should work with their industry partners, current clients, and former clients to “pulse check” the security landscape to identify common challenges — like the need for faster access to intelligence and faster identification and remediation of threats. They should also be able to integrate open-source intelligence with security know-how to deliver actionable information. For example, when mass access or major vulnerabilities are posted to hacker forums, it’s critical to work with partners to respond, threat hunt, and secure client networks before threat actors can exploit access.
Stronger government focus on cyberattacks
Between the COVID-19 pandemic, ransomware groups’ change of tactics, techniques, and procedures (TTPs), and their increased awareness of stolen data, 2020 was a year ripe with challenges.
In 2021, while we’re likely to see more new challenges, we can also expect to see a stronger government focus on cyberattacks, specifically ransomware. We will also see greater government engagement with municipalities, school districts, and healthcare organizations to prevent cyberattacks on these critical services.
Just as Arete IR is trying to stop cyberattacks from occurring, the Cybersecurity and Infrastructure Security Agency (CISA) recently rolled out a new campaign to help grow awareness and fight the increasing ransomware threat. CISA’s intention is to reduce or outright prevent ransomware attacks by equipping organizations with the necessary knowledge and expertise to detect cyberattacks earlier.
In short, a glimmer of hope for better days ahead.
Back to Blog Posts
Article
FortiBleed Campaign Linked to INC and Lynx Ransomware Operations
Researchers have linked the FortiBleed credential-harvesting campaign to the INC and Lynx ransomware-as-a-service (RaaS) operations, establishing a direct connection between large-scale FortiGate credential theft and subsequent ransomware deployment. The attribution is based on a variety of factors, including an operator observed managing negotiation panels for both ransomware groups, notable overlap between FortiBleed victim data and subsequent ransomware targets, and internal infrastructure exposing attack workflows. The campaign is estimated to have targeted more than 430,000 internet-facing FortiGate devices, resulting in administrative access to hundreds of organizations.
What’s Notable and Unique
Researchers identified a shared operator actively managing negotiation panels for both the INC and Lynx ransomware groups, providing rare operational evidence linking the two RaaS operations beyond infrastructure or malware similarities.
Analysis of the exposed infrastructure revealed a structured ransomware operation with dedicated roles for access acquisition, victim management, negotiations, and technical support, reflecting an organized ransomware-as-a-service (RaaS) model rather than an ad hoc criminal group.
The operation reportedly integrates artificial intelligence into multiple stages of the attack lifecycle, including vulnerability research, penetration testing, attack automation, and ransomware development, demonstrating the increasing adoption of AI to enhance offensive capabilities.
Mitigations
Organizations should assume that exposed or previously compromised FortiGate credentials may be leveraged for ransomware deployment and immediately reset administrative and VPN credentials while enforcing multi-factor authentication (MFA) for all privileged access. Security teams should ensure that FortiGate appliances are fully patched, restrict management interfaces to trusted networks, and audit administrative accounts and firewall configurations for unauthorized changes. Organizations should also monitor for anomalous authentication activity, hunt for published indicators of compromise (IOCs), and review VPN and firewall logs for signs of unauthorized access. Maintaining centralized logging and a well-practiced incident response process can help detect and contain attacks before they progress to lateral movement or ransomware deployment.
Analyst Comments
The attribution of FortiBleed to the INC and Lynx ransomware operations reinforces the growing convergence between credential-harvesting campaigns and ransomware deployment, highlighting the role of initial access operations in modern RaaS ecosystems. The relationship between INC and Lynx also aligns with Arete's previous research, which identified a shared malware lineage. INC Ransom, first observed in 2023, was later leaked or sold, enabling code reuse by other threat actors. Lynx, which emerged in 2024, is widely regarded as an evolution of the INC codebase. Sinobi ransomware, identified in 2025, shares near-identical binaries and infrastructure, and approximately 99% code similarity with Lynx. Further details on the code correlation between INC, Lynx, and Sinobi are available in Arete's 2025 Annual Report.
Sources
Is FortiBleed Linked to INC and Lynx Ransomware?
FortiBleed credential-theft campaign linked to Lynx ransomware
FortiBleed Unmasked: A Joint Operation by Lynx and INC Ransomware Groups
FortiBleed Credential Theft Campaign Attributed to INC and Lynx Ransomware Groups
Article
Ransomware Trends & Data Insights: June 2026
Although Akira was once again the most active ransomware threat in June, activity remained relatively distributed among multiple threat groups, with 17 unique threat groups observed throughout the month. Along with Akira, Qilin and INC Ransom remained active and were among the top five most active threat groups observed in June. Several new threat actors also emerged during the month, including KryBit, Settra, and Icarus.

Figure 1. Activity from the top 5 threat groups in June 2026
Throughout the month, analysts at Arete identified several trends behind the threat actors perpetrating cybercrime activities:
In June, a threat actor calling themselves Icarus compromised and exfiltrated data from customers of the market intelligence platform Klue. Klue later confirmed the security incident, which involved attackers stealing OAuth tokens used to connect to customers' Salesforce environments, and reported that the threat actor was deleting the data stolen from affected Klue customers. In an odd twist, reports emerged of a second threat actor claiming to have compromised Icarus's infrastructure and attempting to re-extort Klue's customers. Regardless, the Klue breach highlights the growing threat of software-as-a-service (SaaS) supply chain compromises, particularly those exploiting OAuth tokens and trusted integrations to bypass traditional security controls.
In mid-June, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways, relying heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation. The scale of exposure and attack activity has been significant and globally distributed, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 countries. There is no singular ‘fix’ to mitigate the database exposure, and it is important that organizations work with their security teams, incident response providers, and other stakeholders to review environments holistically and monitor for signs of potentially unauthorized activity.
Multiple threat groups continue to leverage vulnerable drivers to bypass endpoint detection and response (EDR) solutions in a technique known as Bring Your Own Vulnerable Driver (BYOVD). Arete has observed Akira and DragonForce using the technique in multiple engagements, and The Gentlemen ransomware-as-a-service (RaaS) has also been observed using what researchers are calling "GentleKiller", a framework consisting of multiple variants that leverage vulnerable drivers and EDR-disabling utilities to target a wide range of endpoint security products.
Sources
Arete Internal
Article
Update on FortiBleed Credential Exposure
Last week, security researchers identified a large-scale credential-harvesting and valid account abuse campaign dubbed “FortiBleed” that systematically targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways. The campaign relies heavily on automated password spraying and configuration exfiltration rather than vulnerability exploitation.
Attackers first scan for exposed FortiGate devices and rank targets based on revenue. SSH brute-force attacks are used against admin accounts to gain initial access.
Following initial access, operators deploy stealthy packet-sniffing capabilities and establish external listening posts to receive harvested credentials and session data in near real time.
Observed post-exploitation activity strongly indicates pre-positioning for broader enterprise compromise, including lateral movement and potential ransomware deployment.
The scale of exposure and attack activity has been significant and globally distributed. The campaign has been ongoing since at least February 2026, with attackers collecting the login credentials of over 86,000 FortiGate devices across 194 nations.
How Arete Can Help
Arete continues to monitor this campaign, utilizing our extensive experience in detection, threat hunting, and attack surface review to look for indications of unauthorized activity related to this database exposure. Additional information regarding important considerations, containment and credential compromise mitigation actions, and additional hardening recommendations can be found in Arete’s FortiBleed Advisory.
Sources
FortiBleed: SOCRadar’s Investigation into 86,644 Compromised Fortinet Firewalls
FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist
FortiBleed: The Most Detailed Breakdown Yet of an Active Russian Credential-Harvesting Operation
Hackers Using FortigateSniffer Tool That Turns Compromised Firewalls Into Password Collectors
Article
Europol Disrupts AudiA6 Crypto Laundering Service
European authorities have dismantled AudiA6, a major cryptocurrency laundering service linked to ransomware groups and broader cybercriminal networks. Between 2022 and 2025, the platform is believed to have processed over €336 million in illicit funds, enabling threat actors to obscure financial trails and monetize cybercrime proceeds. Its operators are also suspected of running Dark2Web, a dark web forum that facilitated collaboration, services, and connections among cybercriminals globally. This development underscores the expanding role of sophisticated, large-scale cryptocurrency laundering services in sustaining the cybercrime economy, enabling threat actors to obscure illicit funds and evade regulatory controls.
What’s Notable and Unique
Following law enforcement disruption of Cryptex and Garantex, AudiA6 emerged as another platform involved in financial activities linked to ransomware groups. Investigators believe that AudiA6 became a central hub for cybercriminals seeking to launder stolen digital assets while obscuring the transaction trail from authorities.
On June 10, 2026, a coordinated operation resulted in two arrests in Georgia, the dismantling of key infrastructure (30+ servers, 25 domains), the freezing or seizure of over €778,000 in crypto, and the takedown of the AudiA6 and Dark2Web platforms.
Analyst Comments
Ransomware groups and cybercriminal networks are increasingly leveraging sophisticated techniques, including chain-hopping, decentralized exchanges, and mixer-as-a-service platforms, to rapidly move illicit cryptocurrency across multiple blockchains, effectively obscuring transaction trails. Concurrently, the widespread use of fraudulent exchange accounts, mule wallets, and privacy-enhancing tools has elevated cryptocurrency laundering to a core enabler of the cybercrime ecosystem, allowing actors to bypass anti-money-laundering controls at scale. This investigation identified over 6,000 KYC records linked to money-mule accounts, many of which were tied to Russian-speaking intermediaries specifically recruited to facilitate the movement of illicit proceeds. These threat actors systematically used both commercial and domain-controlled email services to establish mule accounts across multiple cryptocurrency platforms. Collectively, these findings underscore the growing scale, coordination, and professionalization of cryptocurrency-enabled crime, highlighting the critical need for sustained, intelligence-led, and internationally coordinated efforts to disrupt these evolving financial ecosystems.
Sources
Ransomware gangs cut off from EUR 336 million ‘AudiA6’ crypto laundering pipeline



