Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Ransomware Running Wild: The 2018 Verizon Data Breach Investigations Report

April 12, 2018

The 2018 Verizon Data Breach Investigations Report (DBIR) has been published and boy oh boy, does it have a lot to say about ransomware. As SC Magazine reported, ransomware was the most commonly detected malware in data breaches and related security incidents last year.

The 2018 DBIR is the 11th edition of the report, and includes data not only from forensic investigations conducted by Verizon, but also from 67 contributing organizations. In total, the report covers analysis of over 53,000 incidents and 2,216 breaches from 65 countries. The number of incidents increased by 11,000 over the previous year.

Malware was involved in a far smaller share of breaches last year, compared to the previous year – 30 percent versus 51 percent, respectively – but when malware was discovered, ransomware was determined to be the cause 39 percent of the time. The frequency of ransomware attacks doubled in 2016 and again in 2017. Worse yet, Verizon noted ransomware attacks increasingly targeted critical systems and data centers, rendering entire businesses inoperable while increasing cybercriminals' leverage and escalating their ransom demands.

"Ransomware remains a significant threat for companies of all sizes," said Bryan Sartin, executive director, security professional services at Verizon, in a press release. "It is now the most prevalent form of malware, and its use has increased significantly over recent years. What is interesting to us is that businesses are still not investing in appropriate security strategies to combat ransomware, meaning they end up with no option but to pay the ransom – the cybercriminal is the only winner here!"

Christian Vezina, CISO at VASCO Data Security, agreed that ransomware was an "important issue" in 2017, but "rogue cryptocurrency mining will probably surpass ransomware in terms of revenues for cybercriminals this year."

John is making the same prediction here at Sensei. That's one to watch . . .

Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, also believes ransomware could soon take a back seat, if only temporarily. "We are likely to see a reprieve before the next storm of ransomware attacks," said Hahad. "Some threat actors are dipping their toes into the cryptocurrency pond to see if they can make a decent return on what is perceived as a lesser crime, namely cryptocurrency mining. Other threat actors will probably get pulled into the market of hacking for political actors, be it nation states or groups with political interests. This will lead to an increase in attacks like DDoS or destructors disguised as ransomware, and the targeting [of] critical infrastructure."

We have also seen this increasing in the past year: ransomware used as a disguise for an objective far more dangerous – the destruction of data.

Outside of ransomware, other tactics used to facilitate breaches were hacking (the leading category, representing 48 percent of breaches), followed by errors (17%), social engineering attacks (17%), privilege misuse (12%) and physical actions (11%).

Verizon found users are three times more likely to be breached via social engineering tactics than through vulnerabilities – employee cybersecurity training, anyone? Incidents of pretexting – the act of obtaining information from someone by adopting a false identity or narrative – increased by a factor of five since the 2017 report, with 88 of these scams specifically targeting human resource departments in order to procure enough data to file a fraudulent tax return.

According to Verizon, in a typical organization, 78 percent of employees subjected to phishing simulations did not fail a phishing test all year, but an average of four percent of the workforce population would fall for any given test. Even worse, the more phishing e-mails an individual clicks, the more likely he or she is to be fooled again in the future. I'm not sure any employer needs that kind of employee . . .

Based on the phishing simulation data, it takes an average of 16 minutes until someone in an organization first clicks on a phishing email and an average of about 28 minutes before an employee notices and reports the scam.
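Those two measures, time to first click and time to first report, together with the per-test failure rate and the repeat clickers mentioned above, are straightforward to compute from a simulation tool's event log, and the gap between them is what an awareness program should be trying to close. The following is an added example, not code from this post, from Verizon or from any particular phishing-simulation product; the log format (campaign, user, event kind, ISO timestamp) and every name and timestamp in it are constructed for illustration.

```python
"""Phishing-simulation metrics of the kind the DBIR reports.

Added example with constructed sample data. From a campaign event log it
computes the click rate, minutes to first click, minutes to first report,
whether the first report beat the first click, and which users clicked in
more than one campaign (candidates for targeted training).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: campaign,user,kind,timestamp (kind is sent/click/report).
SAMPLE_LOG = [
    "# campaign q1: five recipients, two clickers, one reporter",
    "q1,alice,sent,2018-03-05T09:00:00",
    "q1,bob,sent,2018-03-05T09:00:00",
    "q1,carol,sent,2018-03-05T09:00:00",
    "q1,dave,sent,2018-03-05T09:00:00",
    "q1,erin,sent,2018-03-05T09:00:00",
    "q1,alice,click,2018-03-05T09:16:00",
    "q1,carol,report,2018-03-05T09:28:00",
    "q1,bob,click,2018-03-05T09:40:00",
    "# campaign q2: a report arrives before the first click",
    "q2,alice,sent,2018-06-04T10:00:00",
    "q2,bob,sent,2018-06-04T10:00:00",
    "q2,carol,sent,2018-06-04T10:00:00",
    "q2,dave,sent,2018-06-04T10:00:00",
    "q2,erin,sent,2018-06-04T10:00:00",
    "q2,dave,report,2018-06-04T10:03:00",
    "q2,alice,click,2018-06-04T10:05:00",
]


@dataclass(frozen=True)
class Event:
    campaign: str
    user: str
    kind: str  # "sent", "click" or "report"
    at: datetime


def parse_events(lines):
    """Parse 'campaign,user,kind,ISO-timestamp' lines; '#' lines are comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        campaign, user, kind, ts = (f.strip() for f in line.split(","))
        if kind not in {"sent", "click", "report"}:
            raise ValueError(f"unknown event kind {kind!r}")
        events.append(Event(campaign, user, kind, datetime.fromisoformat(ts)))
    return events


def campaign_metrics(events, campaign):
    """Summarise one campaign; the launch time is the earliest 'sent' event."""
    ev = [e for e in events if e.campaign == campaign]
    sent = {e.user: e.at for e in ev if e.kind == "sent"}
    if not sent:
        raise ValueError(f"campaign {campaign!r} has no 'sent' events")
    launch = min(sent.values())
    clicks = [e for e in ev if e.kind == "click"]
    reports = [e for e in ev if e.kind == "report"]
    first_click = min((e.at for e in clicks), default=None)
    first_report = min((e.at for e in reports), default=None)

    def minutes_since_launch(t):
        return None if t is None else (t - launch) / timedelta(minutes=1)

    return {
        "recipients": len(sent),
        # Distinct users who clicked, so one user clicking twice counts once.
        "click_rate": len({e.user for e in clicks}) / len(sent),
        "minutes_to_first_click": minutes_since_launch(first_click),
        "minutes_to_first_report": minutes_since_launch(first_report),
        # True when the SOC heard about the campaign before anyone fell for it.
        "report_before_click": first_report is not None
        and (first_click is None or first_report < first_click),
    }


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns."""
    clicked = defaultdict(set)
    for e in events:
        if e.kind == "click":
            clicked[e.user].add(e.campaign)
    return sorted(u for u, c in clicked.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for c in ("q1", "q2"):
        print(c, campaign_metrics(evs, c))
    print("repeat clickers:", repeat_clickers(evs))
```

Run against real simulation exports, the repeat-clicker list is the actionable output: the report's observation that past clickers are more likely to click again argues for following those users up individually rather than re-running the same company-wide module.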

According to Verizon, 87 percent of examined breaches took just minutes or less to happen, but only three percent were detected just as quickly. 68% of the breaches took months or longer to be discovered.

Strikingly, Verizon reported more than 43,000 breaches – over 13,000 in the U.S. – that were performed automatically by botnets targeting organizations' customers, infecting their devices with malware that captures log-in credentials. This attack method is so frequent that it is counted separately so as not to skew the report's numbers.

Other report statistics:

76% of breaches were financially motivated; espionage was the next most common motive.

Organized criminal groups were responsible for half of all breaches; 12 percent were the work of nation-states or their proxies.

24 percent of breaches affected health care organizations – more than any other industry, followed by hospitality and the public sector.

Most (72%) of the security breaches covered in the report were perpetrated by outsiders – including 50% representing organized criminal groups and 12% nation-state or state-affiliated threat actors. About 27% of the breaches originated from the inside, however – including 17% that were simply employee errors – as well as 2% that were from third-party partners.

And for the first time in the history of the Verizon DBIR report, one vertical industry suffered more breaches at the hands of insiders than outsiders: insiders were responsible for 56% of the breaches in healthcare.

In healthcare, 35% of the incidents were due to insider error, and 24% to insider "misuse." The misuse was primarily privilege abuse, and the motivation for 13 percent of the cases was "fun or curiosity": for example, checking records without authorization to determine why a celebrity or ex-girlfriend might be checked into the hospital.

Other ransomware resources from the U.S. Computer Emergency Readiness Team: https://www.us-cert.gov/ncas/current-activity/2018/04/09/Ongoing-Threat-Ransomware and https://www.us-cert.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf. Happy hand-wringing while you read!

Hat tip to Dave Ries, my friend – and always a reliable source of wonderful information.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson