Frequently Asked Questions

October 2021 Cyberattack Trends & Insights

What were the main cyberattack trends observed in October 2021?

In October 2021, threat actors refined their attack strategies for maximum profit. Key trends included the use of cloned attack kits, ransomware-as-a-service (RaaS) models, intermingling of ransomware groups, exploitation of zero-day vulnerabilities, and the targeting of critical infrastructure and financial institutions. Notable campaigns included Atom Silo's exploitation of Atlassian Confluence, BlackMatter's RaaS operations, and the deployment of new RATs like MysterySnail.

How did threat actors use cloned attack kits in October 2021?

Threat actor groups increasingly used sophisticated attack kits cloned from their competitors. For example, Atom Silo used a ransomware kit identical to LockFile, leveraging intermittent encryption and side-loading malicious DLLs to evade detection and disrupt endpoint protection software.

What is ransomware-as-a-service (RaaS) and how was it used in October 2021?

Ransomware-as-a-service (RaaS) is a model where ransomware developers provide their tools to affiliates who carry out attacks. In October 2021, BlackMatter operated as a RaaS, with affiliates infiltrating networks and installing ransomware, while the RaaS provider handled ransom negotiations and payments. BlackMatter threatened to publish stolen data if ransoms were not paid, targeting US critical infrastructure such as farming co-ops.

Which ransomware groups were active in October 2021?

Active ransomware groups included Atom Silo, LockFile, BlackMatter (with ties to REvil and DarkSide), and others such as Darkside, RansomExx, and Babuk Locker. These groups targeted a range of industries, including critical infrastructure, financial institutions, and IT companies.

How did threat actors exploit VMware ESXi servers in October 2021?

In October 2021, attackers used Python scripts to encrypt VMware ESXi servers. They gained access via TeamViewer, scanned the network, logged into ESXi servers using SSH, and executed Python ransomware scripts to encrypt virtual machines. Multiple ransomware gangs exploited ESXi vulnerabilities to target centralized enterprise storage.

What was the impact of the MirrorBlast attack campaign?

The MirrorBlast campaign targeted financial institutions using tactics, techniques, and procedures (TTPs) similar to the TA505 group. Victims included major companies such as Acer and Quanta Computer, with significant financial losses reported, including a $100M extortion attempt against Acer.

How did state-sponsored actors operate in October 2021?

State-sponsored actors, such as Iranian groups (Operation GhostShell, Chafer APT, Agrius APT, MalKamak, Charming Kitten/APT35), launched targeted espionage campaigns. They used tools like ShellClient RAT to steal sensitive information and abused cloud storage for command and control. Chinese group IronHusky deployed the MysterySnail RAT in espionage campaigns against IT, defense, and diplomatic entities.

What law enforcement actions were taken against ransomware groups in October 2021?

In October 2021, the FBI, US Cyber Command, and US Secret Service, with international partners, took over REvil's Tor payment portal and data leak blog, crippling the group. Ukrainian police arrested two suspected REvil members, believed to have attacked over 100 companies and caused $150 million in damages, seizing $1.3 million in cryptocurrencies.

What lessons can organizations learn from the October 2021 cyberattacks?

Organizations should prioritize endpoint protection, monitor for lateral movement, validate cloud security, and ensure rapid detection and response capabilities. The attacks highlight the importance of continuous security validation and the need for proactive defense strategies against evolving threats.

How does Cymulate help organizations defend against the types of attacks seen in October 2021?

Cymulate empowers organizations to fortify their defenses through continuous assessment and validation of their security posture. The platform simulates real-world attacks, tests endpoint and cloud security, and provides actionable insights to address vulnerabilities exploited in recent campaigns, such as ransomware, lateral movement, and privilege escalation.

What is Cymulate Exposure Validation and how does it work?

Cymulate Exposure Validation is a solution that makes advanced security testing fast and easy. It allows users to build custom attack chains and validate their defenses against real-world threats, all within a single, user-friendly platform. For more details, see the Exposure Validation data sheet.

How does Cymulate support validation of lateral movement and privilege escalation attacks?

Cymulate's Attack Path Discovery and Exposure Validation modules automate testing for lateral movement and privilege escalation. These modules help organizations identify and mitigate risks associated with attackers moving across networks or escalating privileges, as seen in the Atom Silo and MysterySnail campaigns.

What resources does Cymulate offer for staying updated on the latest threats?

Cymulate provides a blog covering the latest threats, research, and best practices, a newsroom for media mentions, and an events & webinars page for live and online sessions. The Resource Hub offers whitepapers, reports, and thought leadership content.

Where can I find Cymulate's case studies and customer success stories?

You can explore Cymulate's case studies and customer success stories on the Customers page. These include examples from industries such as finance, retail, and IT, demonstrating measurable improvements in threat prevention and detection.

How does Cymulate integrate with existing security tools?

Cymulate integrates with a wide range of technology partners across network, cloud, endpoint, and SIEM domains. Examples include Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, CrowdStrike Falcon, and more. For a full list, visit the Partnerships and Integrations page.

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and selected scenarios. The subscription fee is non-refundable and must be paid regardless of usage. For a detailed quote, schedule a demo with the Cymulate team.

How easy is it to implement Cymulate?

Cymulate is designed for quick and easy implementation. It operates in agentless mode, requiring no additional hardware or complex configurations. Customers can start running simulations almost immediately, with comprehensive support and educational resources available to assist with onboarding.

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across industries such as finance, healthcare, retail, media, transportation, and manufacturing. It provides tailored solutions for strategic oversight, operational security, offensive testing, and vulnerability prioritization.

What are the key capabilities and benefits of Cymulate?

Cymulate offers continuous threat validation, attack path discovery, automated mitigation, detection engineering, and complete kill chain coverage. Key benefits include an 81% reduction in cyber risk within four months, 60% increase in team efficiency, 40X faster threat validation, and a 52% reduction in critical exposures. The platform is intuitive, user-friendly, and updated every two weeks with new features.

How does Cymulate compare to other security validation platforms?

Cymulate stands out with its unified platform, continuous innovation, AI-powered optimization, and extensive threat library. It is frequently compared to AttackIQ, Mandiant Security Validation, Pentera, Picus Security, SafeBreach, and Scythe. Cymulate offers broader coverage, daily threat updates, and actionable remediation guidance. For detailed comparisons, visit the Why Cymulate page.

What security and compliance certifications does Cymulate have?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications. These attest to Cymulate's robust security, privacy, and cloud compliance practices. For more details, see the Security at Cymulate page.

How does Cymulate address common pain points for security teams?

Cymulate addresses overwhelming threat volumes, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers. It provides continuous threat validation, exposure prioritization, automation, and collaboration tools to improve resilience and efficiency.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its user-friendly and intuitive platform. Testimonials highlight its ease of implementation, actionable insights, and accessible support. For example, Raphael Ferreira, Cybersecurity Manager at Banco PAN, stated, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture."

How does Cymulate map to the MITRE ATT&CK® framework?

Cymulate maps its attack vectors and modules to MITRE ATT&CK® tactics, covering reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, and credential access. This ensures comprehensive validation across the attack lifecycle. For more details, visit the MITRE ATT&CK® page.

Where can I find Cymulate's glossary of cybersecurity terms?

Cymulate offers an expanding glossary of cybersecurity terms, acronyms, and jargon. You can access it at the Cybersecurity Glossary page.

How can I contact Cymulate for support or a demo?

You can contact Cymulate for support via email at [email protected] or use the chat support on the website. To schedule a personalized demo, visit the Book a Demo page.

What educational resources does Cymulate provide?

Cymulate provides a variety of educational resources, including a Resource Hub, blog, webinars, e-books, and a glossary. These resources cover best practices, threat research, and platform usage to help users stay informed and maximize the value of Cymulate.


Cymulate’s October 2021 Cyberattacks Wrap-up

By: Cymulate

Last Updated: September 15, 2025


In October 2021, threat actors kept on refining their attack strategies for maximizing their profits.

Attack Kit of the Clones

There is a trend for threat actor groups to use sophisticated techniques built on attack kits that are clones of kits used by their competitors. For example, the new ransomware operator Atom Silo exploits a vulnerability in Atlassian Confluence, a web-based virtual workplace that lets enterprise teams communicate and collaborate on projects, to gain access to the victim's corporate environment.

The ransomware kit that Atom Silo used is identical to LockFile, a ransomware family known for using a unique “intermittent encryption” method as a way to evade detection and for adopting tactics from previous ransomware operators. Atom Silo used several novel techniques, such as side-loading malicious dynamic-link libraries tailored to disrupt endpoint protection software to avoid detection.

Once installed, Atom Silo moved across its victims' network, compromising multiple servers, executing the backdoor binaries, and conducting additional reconnaissance. About eleven days after this initial intrusion, the ransomware and a malicious kernel driver utility payload were deployed to circumvent endpoint protection.

Have Ransomware, Will Travel

Another significant trend is the intermingling of various ransomware groups for profit. For instance, the threat actor group BlackMatter has ties to both the REvil and DarkSide ransomware operators. BlackMatter operates a ransomware-as-a-service (RaaS) model where independent cyber criminals infiltrate networks and install the ransomware on servers and PCs. The RaaS providers then handle the notification and ransom negotiation, paying their affiliates part of the received ransom payments. In October 2021, BlackMatter stepped up its game by informing its victims that in case the ransomware demands were not met, all their stolen data would be published. BlackMatter targets US critical infrastructure entities, such as farming co-ops that could result in food shortages.

Rogue nations were also stepping up their game in October 2021. Iranian Operation GhostShell, a highly targeted cyber espionage campaign aimed at the aerospace and telecommunications industries, deployed ShellClient, a Remote Access Trojan (RAT) designed to steal sensitive information about the critical assets, infrastructure, and technologies of victimized aerospace and telecom companies. ShellClient abuses cloud-based storage services such as Dropbox for command and control (C2) in order to remain undetected. Suspected Iranian state-sponsored threat actors using ShellClient include Chafer APT (APT39), Agrius APT, and newcomer MalKamak. Separately, Charming Kitten (APT35) uploaded an app to Google's Play Store that masqueraded as a virtual private network service and collected call logs, text messages, contacts, and location data from compromised devices.

Bank Robbers 2.0

In October 2021, financial institutions were targeted again, this time by the MirrorBlast attack campaign, which mirrors the attack tactics, techniques, and procedures (TTPs) used by the Russia-based threat group TA505. MirrorBlast uses the same attack chain, GetandGo functionality, final payload, and domain name patterns. Among REvil’s victims are hardware company Acer, which was extorted for approximately $100M, Apple supplier Quanta Computer, and thousands of companies using Kaseya IT management solutions.

Year of the RAT

This month, a Chinese-associated hacking group, suspected to be IronHusky, exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a new RAT dubbed MysterySnail. Variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities. The MysterySnail RAT is designed to collect and exfiltrate system information from compromised hosts before contacting its C2 server for further commands. The RAT performs various tasks on infected machines, such as creating new processes and killing running ones, launching interactive shells, and running a proxy server that supports up to 50 simultaneous connections.

Dangerous Python

Also in October 2021, an unknown ransomware group encrypted VMware ESXi servers with a Python script. In general, the Python programming language is not commonly used in ransomware development. For targeting ESXi systems, however, it is a logical choice, since these Linux-based servers come with Python installed by default. Once they had access, the attackers used a Python ransomware script to encrypt the virtual machines running on a vulnerable ESXi hypervisor.

  • The attackers breached the victim's network by logging into a TeamViewer account running on a device with a domain admin logged on.
  • They then started searching the network for additional targets using Advanced IP Scanner and logged onto an ESXi server via the built-in SSH ESXi Shell service.
  • The ransomware operators then executed a 6 KB Python script to encrypt all the virtual disk and VM settings files of the virtual machines.
  • The script allowed the ransomware operators to use multiple encryption keys and email addresses, and to customize the file suffix for the encrypted files.
  • The threat actors shut down the virtual machines and stored the original files on the datastore volumes.
  • They then deleted the files, only leaving the encrypted files behind.
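As an added illustration of how a defender could spot the SSH-to-Python step of the chain above (example code written for this article, not Cymulate's code and not the attackers' script): it correlates SSH logins from an ESXi auth.log with interpreter invocations in shell.log over constructed sample lines. The log field layout, the file paths, and the suspect-command list are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines, loosely modelled on ESXi /var/log/auth.log (sshd)
# and /var/log/shell.log (commands typed in the ESXi Shell). The exact field
# layout is an assumption made for this example, not a verified vendor format.
AUTH_LOG = """\
2021-10-05T09:58:10Z sshd[20011]: Accepted keyboard-interactive/pam for root from 10.10.1.23 port 51812 ssh2
2021-10-05T14:20:00Z sshd[20450]: Accepted keyboard-interactive/pam for root from 10.10.1.9 port 50022 ssh2
"""
SHELL_LOG = """\
2021-10-05T09:59:02Z shell[20015]: [root]: esxcli vm process list
2021-10-05T10:02:30Z shell[20040]: [root]: python /tmp/.a/enc.py --suffix .locked
2021-10-05T14:21:10Z shell[20455]: [root]: esxcli system version get
"""

TS = "%Y-%m-%dT%H:%M:%SZ"
SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
SHELL_RE = re.compile(r"^(\S+) shell\[\d+\]: \[(\S+)\]: (.*)$")
# Interpreters and actions that rarely belong in an interactive hypervisor shell:
# scripting interpreters, mass VM power-off, and direct handling of .vmdk files.
SUSPECT = re.compile(r"\b(python[23]?|perl|busybox sh)\b|vim-cmd vmsvc/power\.off|\.vmdk")

def parse(log, pattern):
    """Yield (timestamp, remaining capture groups) for each line the pattern matches."""
    for line in log.splitlines():
        m = pattern.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS), m.groups()[1:]

def correlate(auth_log, shell_log, window_minutes=10):
    """Return (src_ip, user, command) for each suspicious ESXi Shell command that
    follows an SSH login by the same user within window_minutes. shell.log carries
    no client address, so linking it to the SSH session is a time-window heuristic,
    not a hard join; tune the window to the environment's normal admin behaviour."""
    window = timedelta(minutes=window_minutes)
    logins = list(parse(auth_log, SSH_RE))
    hits = []
    for t_cmd, (user, cmd) in parse(shell_log, SHELL_RE):
        if not SUSPECT.search(cmd):
            continue
        for t_login, (login_user, src) in logins:
            if login_user == user and timedelta(0) <= t_cmd - t_login <= window:
                hits.append((src, user, cmd))
                break
    return hits

if __name__ == "__main__":
    for src, user, cmd in correlate(AUTH_LOG, SHELL_LOG):
        print(f"ALERT: {user} from {src} ran: {cmd}")
```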

Multiple ransomware gangs, including Darkside, RansomExx, and Babuk Locker, have previously exploited VMware ESXi pre-auth RCE bugs to encrypt virtual hard disks used as centralized enterprise storage.

The Bright Side

On a positive note, the FBI, the US Cyber Command, and the US Secret Service, in cooperation with several other countries, took over the Tor payment portal and data leak blog of the notorious hacker group REvil. It left the group crippled and without a platform. In October, the Ukrainian police arrested two members of a ransomware gang, quite likely REvil. They are suspected of having attacked more than 100 foreign companies in North America and Europe, causing $150m in damages to Western organizations. The police also confiscated $1.3m in cryptocurrencies.

Stay cyber safe!
