Ransomware and phishing attacks continued to threaten Singapore organisations and individuals in 2021

Published on 29 Aug 2022

Singapore, 29 August 2022 – The Cyber Security Agency of Singapore (CSA) released the Singapore Cyber Landscape (SCL) 2021 publication today. The publication highlights the continuous threats that ransomware and phishing posed to organisations and individuals in Singapore in 2021 (see Appendix A).

Key Malicious Cyber Activities in 2021

i. Ransomware. 137 ransomware cases were reported to CSA in 2021, an increase of 54 per cent from the 89 cases reported in 2020. The cases affected mostly small-and-medium enterprises (SMEs) from sectors such as manufacturing and IT. The around-the-clock nature of these sectors’ operations did not provide for much time to patch their systems, thus potentially allowing ransomware groups to exploit vulnerabilities. CSA observed that ransomware groups targeting SMEs in Singapore utilised the Ransomware-as-a-Service (RaaS) model, which made it easier for amateur hackers to use existing infrastructure – created by developers – to distribute ransomware payloads.

ii. Phishing. About 55,000 unique Singapore-hosted phishing URLs (with a “.SG” domain) were observed in 2021. This was an increase of 17 per cent compared to the 47,000 URLs seen in 2020. Social networking firms made up more than half of the spoofed targets. This was possibly driven by malicious actors’ exploitation of public interest in WhatsApp’s updated privacy policy announcement on users’ phone numbers being shared with Facebook. Scammers also exploited the COVID-19 pandemic amidst the Omicron sub-variant outbreak in late 2021 to spoof Government websites.

iii. Malicious Command and Control (C&C) Servers & Botnet Drones. In 2021, CSA observed 3,300 malicious C&C servers hosted in Singapore, more than triple the 1,026 C&C servers observed in 2020. This was the largest number recorded since 2017. This spike was driven by a large increase in servers distributing CobaltStrike malware, which made up nearly 30 per cent of all C&C servers observed.

In 2021, CSA detected about 4,800 botnet drones with Singapore IP addresses daily, a 27 per cent decrease from 2020’s daily average of 6,600. Malware strains for the infected drones varied greatly, with no single strain accounting for a clear majority among compromised devices. This trend could have been caused by threat actors diversifying away from ‘old’ malware strains and exploring new infection methods, as system owners cleaned up infected computers and devices progressively.

iv. Website Defacements. 419 ‘.sg’ websites were defaced in 2021, a decrease of 15 per cent from 495 in 2020. The majority of victims were SMEs. The downward trend could be attributed to hacktivist activities moving to other platforms with potentially wider reach, such as social media sites.

v. Cybercrime. The Singapore Police Force reported that cybercrime remained a key concern, with 22,219 cybercrime cases in 2021, a 38 per cent increase from the 16,117 cases in 2020. Online scam[1] cases made up the top cybercrime category in Singapore, accounting for 81 per cent of cybercrime cases. 17 per cent of cybercrime cases were Computer Misuse Act offences and 2 per cent were cyber extortion cases.

Anticipated Cybersecurity Trends

2. The SCL 2021 report also highlighted several trends to watch, against the backdrop of an increasingly complex and dynamic cyber threat landscape:

(a) Decreased global reliance on Western technology due to increased geopolitical tensions. Russia had previously faced a major hurdle in decoupling from US technology, due to the risks that various payment services and product offerings used by Russian citizens would be suspended. With the sanctions imposed by Western technology firms, Russia’s desire to wean itself off Western technology is very likely to strengthen. Meanwhile, countries such as China have also sought to gain self-sufficiency in advanced technology areas. A world of differing cyber norms, ecosystems and standards may become a reality in the near future.

(b) Non-state actors playing a larger role in geopolitical conflicts. Cybercriminal and hacktivist groups have been observed taking sides in the Russia-Ukraine conflict, engaging in more malicious cyber activities for politically-motivated purposes, in addition to personal gain. This development increases the risk of reprisals, as any serious cyber incident by these groups may be used as a pretext for escalation by one side or the other. In a hyper-connected global cyberspace, collateral damage to organisations not linked to Russia or Ukraine has become a worrying possibility.

(c) Rise of crypto-based scams. Crypto-based crime has been increasing, largely through the use of Decentralised Finance (DeFi) – peer-to-peer financial platforms that enable direct transactions, without the need for intermediaries. The borderless accessibility of DeFi’s open and distributed platforms, alongside anonymity features, has made it difficult to track illicit activity and enforce our regulations across borders. Such challenges further embolden cybercriminals to perpetrate more of such crypto-based scams.

(d) Targeting critical Internet of Things (IoT) devices in ransomware attacks. Cybercriminals are recognising that they can inflict significant damage to organisations by infecting critical IoT devices, such as Internet-connected Uninterruptible Power Supply (UPS) units, leading to significant downtime costs. IoT devices often lack critical cybersecurity protection. Employees have also been known to connect their personal IoT devices to the organisation’s networks without the knowledge of security teams. Should organisations in critical, time-sensitive industries, such as healthcare, be infected with ransomware, there could be serious, life-threatening consequences.

CSA’s Efforts to Strengthen Collective Cybersecurity Posture

3. Improving the awareness and adoption of good cybersecurity practices by individuals and enterprises is key to enabling our digital economy and digital way of life. CSA launched the SG Cyber Safe Programme last year to help enterprises in Singapore better protect themselves in the digital domain and raise their cybersecurity posture. Under the programme, CSA introduced cybersecurity toolkits tailored to different enterprise roles. This included cybersecurity tips for employees, who are the first line of defence for their organisation’s cybersecurity – such as through setting strong passphrases and protecting their devices with updated software and anti-virus. Since the toolkits were launched in October 2021, they have been downloaded more than 6,000 times.

4. As SMEs tend to have limited IT and/or cybersecurity expertise and resources, CSA worked with the Infocomm Media Development Authority (IMDA) to offer SMEs pre-approved cybersecurity solutions under the SMEs Go Digital Programme. Since the programme’s launch in 2017, more than 6,000 SMEs have benefited from these cybersecurity solutions that provide endpoint protection, managed detection, response and unified threat management.

5. CSA also recently launched the Critical Information Infrastructure (CII) Supply Chain Programme to enhance the security and resilience of Singapore’s CII sectors. Led by CSA, it is a national effort to establish processes and best practices to help CSA, Sector Leads, CII owners (CIIOs) and their vendors manage supply chain risks holistically.

6. CSA will also re-launch its “Better Cyber Safe Than Sorry” national cybersecurity awareness campaign later this year, focusing on raising awareness and driving adoption of good cybersecurity practices. The national campaign augments concurrent efforts by CSA to target students and seniors respectively under the SG Cyber Safe Students Programme and SG Cyber Safe Seniors Programme. In collaboration with various government agencies, such as the Ministry of Education, GovTech, SPF and IMDA, these initiatives enable CSA to reach out to students and seniors with relevant cybersecurity messages through platforms – such as roadshows and webinars – to raise awareness and adoption of good cyber practices. Initiatives such as the Go Safe Online Pop-up and Go Safe Online Drama Skit under the SG Cyber Safe Students Programme have reached more than 160 schools, libraries, and community spaces, while CSA has engaged more than 45,000 seniors under the SG Cyber Safe Seniors Programme since the launch of both programmes in 2021.


“The cyber landscape in 2021 was fraught with increasingly sophisticated threats and more brazen threat actors. The government has stepped up efforts to work with our stakeholders to do more, but cybersecurity is a team sport. Only by banding together and working across borders, do we stand a fighting chance against the ever-evolving threat. Governments, businesses and individuals must continue to do their part to strengthen our collective cybersecurity posture. We must act now.”
Mr David Koh
Commissioner of Cybersecurity and Chief Executive of CSA


[1] Online scam cases are cheating cases in which victims were approached through the Internet, or which involved e-commerce.


About the Singapore Cyber Landscape 2021

The “Singapore Cyber Landscape 2021” publication reviews Singapore’s cybersecurity situation in 2021 against the backdrop of global trends and events, and highlights Singapore’s efforts in creating a safe and trustworthy cyberspace.

CSA analyses multiple data sources to shed light on the common cyber threats observed in Singapore’s cyberspace. Through case studies of incidents in Singapore, the publication aims to raise awareness of cyber threats among cyber stakeholders and the general public, and to offer practical and actionable insights to better defend ourselves against ever-evolving cyber threats. Please refer to this link for a copy of the report.

About the Cyber Security Agency of Singapore

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our National Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes. CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit www.csa.gov.sg.


For media queries, please contact:

Cheryl Lee
Senior Manager, Comms & Engagement Office
DID: 64709940
Email: Cheryl_LEE@csa.gov.sg



