The past year has seen a surprising acceleration in ransomware incidents, with 25% of all violations containing a ransomware component.
This is a top-line search of the 2022 Verizon Data Breach Investigations Report (DBIR), which found that ransomware events combined with violations increased 13% last year – last year’s report found that only 12% of incidents were ransomware-related. This translates into a growth rate that is higher than the five years prior to aggregate growth.
15th Annual DBIR Analyzed 23,896 security incidents, of which 5,212 violations have been confirmed. According to Verizon, four of the five were at the hands of four external cybercriminal gangs and threat groups. And according to Alex Pinto, manager of the Verizon Security research team, these nasty types are making life easier and simpler with ransomware, making other types of breaches increasingly obsolete.
“Everything in cybercrime has become so commoditized, much like a business now, and it’s very efficient for a way to monetize their activity,” he told Dark Reading, with the rise of ransomware as a service (RaaS) and early-access brokers, It takes very little skill or effort to get into the game of extortion.
“Before, you had to somehow get in, look around and find something to steal that would have a reseller at the other end,” he explained. “When we launched DBIR in 2008, data was stolen through it and large payment-cards. Now, it’s rapidly declining because they can only pay for access to someone else and install rented ransomware and it’s much easier to access. The only goal is to get money. “
One consequence of this story is that any and every organization has a goal – companies don’t have to do anything like steal highly sensitive data to fall into the cybercrime crosshair. This means that small- and midmarket firms should be wary, Pinto said, as well as very small, mother-and-pop firms.
“You don’t have to go to the big guy anymore,” Pinto said. “In fact, going for the big guys can be counterproductive because these guys usually have their ducks lined up more as a defense. If a business has a handful of computers and they take care of their data, you’re probably going to make some money out of them.”
In a different context, DBIR found that about 40% of data violations were caused by malware installations, he said (referred to as Verizon system intrusions), and that the rise of RaaS led to 55% of those specific violations. Incidents involving ransomware.
“Our concern is that there is no ceiling,” Pinto said. “I don’t think we’re sure it’s going to stop – unless someone comes up with something more efficient. I can’t imagine what it will be like, but maybe that’s why I’m not in the organized crime business.”
Solar Winds Effect
The results of the infamous Solarwinds supply-chain hack spread far and wide over the years, pushing the “software update” vector “partner breach” category to account for 62% of system-intrusion incidents (including ransomware). Events) – and this is much higher than a negligible 1% in 2020.
Pinto noted that despite the interest in headlines and SolarWinds (and other, such as Kaseya-related ransomware attacks) incidents, operational overhauls are not required for most businesses to deal with supply-chain violations.
“Protecting against a supply-chain breach if you’re one of the affected customers is no different than protecting against a variety of other malware, because your servers are beaconing where they shouldn’t be. If you’re a CISO, you The strategies you are using should be very similar to the ones you are already using because, frankly, trying to secure every software provider will drive you crazy. This is a huge lift. “
Where to start in ransomware defense
When examining entrances to breaches, Pinto noted that attacks can be reliably carried out in four different (and familiar) ways: using stolen evidence; Social engineering and phishing; Exploitation of weakness; And the use of malware.
“One of the things you need to do when you close this report is look at those four things in your environment and what control you have over them,” Pinto said.
In the case of ransomware-related violations in particular, 40% of the cases analyzed use desktop sharing software such as Remote Desktop Protocol. And 35% involved email usage (phishing, mostly).
“Locking down your external-oriented infrastructure, especially RDP and emails, can go a long way in protecting your organization from ransomware,” Pinto said.
It is noteworthy that overall, 82% of all violations analyzed by Verizon rely on human error (incorrect configuration, for example, 13% is responsible for the violation) or interaction (phishing, social engineering, or stolen credentials). Artur Kane, vice president of products for GoodAccess, says it points out some of the best practices to look out for.
First, there are technological solutions, such as network segmentation through multifactor authentication (MFA) and access facilities, with the implementation of real-time threat detection capabilities, maintaining uninterrupted access logs, and performing regular backups.
“However, security administrators must also have a strong response and recovery plan for the incident and conduct regular training and drills,” Kane said. “[And] User training can greatly contribute to improving the overall security situation of the company. Since a large portion of ransomware attacks open with a phishing temptation, training employees on how to identify them can save millions of dollars in subsequent breach recovery. “