Verizon 2021 DBIR: Ransomware Attacks Doubled
If there is one lesson we can take away from 2020 is that we all need to be prepared for the worst. Resilience has emerged as the top skill that people and businesses need to possess not only to survive but also to thrive in a changing and challenging world.
Rapid changes require businesses to make rapid but well-informed decisions on how to respond and adapt. Informed decision making should be based on intelligence and feedback from past experiences to be able to foresee what is probable to happen in the future and prepare accordingly. This is the key takeaway of the Verizon 2021 Data Breach Investigations Report (DBIR).
What else can we learn from the DBIR 2021?
Key report findings
- Phishing was present in 36% of breaches, up from 25% last year. Business Email Compromises (BECs) were the second-most common form of Social Engineering.
- 70% of all misuse varieties in breaches were privilege misuse.
- 61% of breaches involved credential data.
- Ransomware was the preferred attack vector in 10% of examined data breaches – more than double since 2019.
- User credentials, personal and medical data are the most sought-after data in breaches.
- Compromised cloud assets were more common than on-premises assets in both incidents and breaches.
- Breaches happened mostly due to external, financially motivated actors.
Ransomware attacks on the rise
Although phishing attacks continue to be one of the top attack methods in data breaches, what was different during 2020 was that ransomware attacks doubled since 2019. This increase is not related to the remote working environments, rather with the shift in tactics of the ransomware gangs. Unfortunately, this trend seems to continue well into 2021, as the recent attack against Colonial Pipeline demonstrated.
These actors will first exfiltrate the data they encrypt so that they can threaten to reveal it publicly if the victim does not pay the ransom. This modus operandi targets two sensitive attributes: brand reputation and data availability. Even if the PR departments do their best to downgrade the impact of a ransomware attack, criminals issue their own “press releases” on the Dark Web where they make sure to name their victims – the reputation damage is certain.
Focusing on data availability, this can be analyzed into obscuration and loss. Obscuration is the result of data encryption because of the ransomware installation, while loss occurs because businesses no longer have access to the obscured data. Either way, the violation of data availability results in serious operations disruption, affecting the victim for many days or weeks after the initial infection.
The positive outcome of the DBIR 2021 report regarding ransomware attacks is that 90% of victims did not experience any financial loss. This should be attributed to the fact that many businesses have now implemented simple security controls – such as data backups – to help them respond to these kinds of attacks. However, and this should become a strong motivation for everyone, the remaining 10% of the victims experienced losses ranging from $70 up to $1.2 million. Although the Department of Justice managed to claw back the ransom paid by Colonial Pipeline, that will not always be the case.
Of course, direct losses are not the sole cost one encounters due to a breach. Apart from the damage done by the attacker, there remains the expense of Digital Forensics and Incident Response (DFIR) and legal counsel. When forensics costs were present, 95% fell into the range of $2,400 to $336,500, while the legal costs fell between $800 and $54,000. Furthermore, breaches can impact the stock price of the affected businesses. According to an analysis, downward trends in stock price may be witnessed even two years after the incident.
Mitigating the threat posed by ransomware attacks is of crucial importance for all organizations, no matter their sector. With criminals targeting across sectors, from schools and hospitals to critical infrastructures, it is essential to deploy solutions that can help organizations detect and prevent these attacks. So, the question is which solution to select? There are so many security vendors that provide EDR solutions and promise to block all ransomware variants that it’s hard to choose.
And, EDR alone may not provide organizations with the visibility needed to identify the root cause of the malware infection so that it doesn’t happen again, nor can the EDR tool provide the full impact of the incident. To get full visibility into ransomware incidents, organizations need to gather data from multiple sources often across multiple environments including Cloud, not just from an EDR tool alone. Ransomware investigations will involve data from the SIEM, Firewalls, VPNs, cloud environments, SaaS applications and others in order to identify the point of intrusion and whether data was compromised.
ReliaQuest’s GreyMatter Open XDR-as-a-Service platform provides this visibility as well as automated response capabilities to quickly remediate the threat, while also providing a full picture of the attack across the kill chain. An analyst may see ransomware blocked in the environment without digging further into the details of how the malware got into the environment in the first place, which is a recipe for a repeat occurrence. With the ReliaQuests GreyMatter platform, organizations can identify the root cause to prevent it from happening again as well as communicate to the business the impact. Learning how the ransomware attack unfolded and blocking are both essential to the business as well as a post-mortem to improve mitigation and detection capabilities for the next attack.
Businesses need to be aware that for ransomware gangs there is a low risk of getting caught but with a high reward of getting paid. Ransomware is a proving to be a highly profitable “business,” so things will only get worse. Organizations need to take the ransomware threat seriously and deploy appropriate preventative and response controls to properly mitigate the threat that goes beyond the perimeter.
ReliaQuest has provided our customers with a threat advisory report regarding ransomware which included an outline of key behaviors to monitor for ransomware. As ransomware is increasingly customized for specific organizations, and the infrastructure constantly changes, relying on Indicators of Compromise (IoCs) alone can be a challenge, so multiple, layered preventative and response controls should be deployed.
ReliaQuest’s Threat Management Team continues to monitor the threat posed by ransomware families and continuously updates our Intel and Detect capabilities within the GreyMatter platform, ensuring our customers have the most up-to-date coverage.