There’s an old superstition that bad things come in threes—and it definitely rings true when it comes to global cyberattack volumes. In our latest global incident response analysis for the first half of 2021, Accenture Security found a triple-digit increase in intrusion volume, driven by three sometimes familiar trends.

  1. No slowdown in sight despite some positive news on the pandemic front: In the first half of the year, there’s been no slowdown of cyberattacks as global incident volume continues to trend upward. With a 125% increase in incident volume year-over-year, the impact was observed for almost every industry and geography. The triple digit increase noted was primarily driven by a global uptick in web shell activity by way of nation-state and cybercrime actors alike, targeted ransomware and extortion operations and supply chain intrusions.
  2. Certain industries and geos are being disproportionately impacted: Five industries (Figure 1) comprised more than 60% of total intrusion volume—Consumer Goods & Services (21%), Industrial (16%), Banking (10%), Travel & Hospitality (9%) and Insurance (8%). And one region (Figure 2) in particular felt the brunt of the impact—the United States was the most impacted geography with 36% of incident volume. Just like the animal kingdom, any sign of weakness breeds vulnerability, so being aware of industry and geographic impact patterns, coupled with sound threat intelligence, can help to counteract determined threats.

  3. Ransomware and extortion aren’t new—but they’re still a top threat: Ransomware and extortion operations continue to reign supreme as the top malware category (38%) observed and second-highest incident type (29%) by volume (Figures 3-6). We observed some well-known names in the top five ransomware variants list. Consistent with last year, REvil/Sodinokibi was top of the list at 25% and, as we noted in an earlier report, the threat group using Hades has been active in the first half of the year. In addition, more than 85% of ransomware and extortion victims, sized by annual recurring revenue, were US$1B+, a strong indicator of “big game hunting.”

    1. Backdoors allow a threat actor to bypass normal authentication channels and interactively issue commands to a system (i.e., remote access). Examples include the ubiquitous Cobalt Strike BEACON, SUNBURST, China Chopper.
    2. Credential Stealers are typically designed to obtain credentials with functionality beyond basic keylogging. This could include usernames, passwords, keys, tokens, etc. Examples include Mimikatz, KeeThief, XLoader, Collector Stealer.
    3. Droppers & Launchers can facilitate the delivery, unpacking and installation of malware, as well as launch (i.e., execute or load) files. Examples include TEARDROP, jRAT, Mosquito.
    4. Ransomware is designed to encrypt data or drives in order to extort payment from victims. Examples include REvil/Sodin, Hades, Ryuk, Netwalker.
    5. Other includes items such as commodity malware, spyware, loggers, miners, and downloaders that don’t include backdoor, dropper or credential stealer as a primary function. Examples include Emotet, TrickBot, XMRig.

Watchlist for the future

What are the implications of these findings for the second half of the year? Here’s how the impact might play out:

  • Return to normal could turn the spotlight on “dormant” industries: As the global pandemic begins to wane, world economies will expect to return to pre-pandemic levels. But this is no time for complacency; we expect industries such as Consumer Goods & Services, Industrials, Travel & Hospitality and Retail—already reeling from lockdowns and staff shortages—to experience upward trends in threat activity.
  • Ransomware and extortion operations are expected to retain pole position: No surprise here, but despite heightened awareness, government action and industry collaboration, ransomware is likely to remain one of the top threats to businesses globally. If anything, it has entered a new phase as threat actors adopt stronger pressure tactics and capitalize on opportunistic intrusion vectors.
  • Chaining vulnerabilities and more web shells, everywhere: Despite a sweeping executive order on cybersecurity, threat actors are expected to continue to take advantage of product and supply chain weaknesses for opportunistic intrusion vectors and enhanced persistence operations. Watch for the uptick in web shell activity to continue into the second half of the year.

The rapid pace of cyber evolution means that intelligence should be timely and relevant, so look for more updates to come from our Cyber Defense team.

The metrics outlined in this blog are based on collection from CIFR incident response engagements conducted between January 2021 and June 2021. In addition, all intrusion data and analysis herein are based on our distinct collection sources and could be subject to field-of-view limitations, such as our clients’ size, industry sectors, and geographies served, among others.

If you have an incident or need additional information on ways to detect and respond to cyber threats, contact a member of our CIFR team 24/7/365 by phone 888-RISK-411 or e-mail

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademark.

Copyright © 2021 Accenture. All rights reserved.

Cyber Investigations, Forensics and Response (CIFR)
