Ransomware Makes Up Half of All Major Incidents

Misconfigurations and lack of visibility allow attackers to compromise networks and monetize their intrusions, according to CrowdStrike's analysis of about 200 incidents.

4 Min Read

Ransomware attacks made up the majority of serious cyber intrusions this year, accounting for 51% of all incidents investigated by CrowdStrike in 2020, according to the company's yearly incident-analysis report.

Financially motivated crimes accounted for 63% of the more than 200 incidents the company investigated on behalf of new and existing clients, the firm states in its "CrowdStrike Services Cyber Front Lines" report. Of those, 81% — or 51% of all incidents — saw the deployment of ransomware or tools that typically result in a ransomware infection, the company says.

The data underscores that cybercriminals have completed their change in direction, from attacks that focus on stealing personally identifiable information (PII) to sell online, to disrupting corporate operations to score a six- or seven-digit ransom, says Shawn Henry, president of CrowdStrike Services and chief security officer for the company.

"The theft of data is bad, but what we are seeing now, the disruption of operations and destruction of data, is a whole new dynamic, and it really creates critical concerns for companies," he says. "We have seen companies shut down for weeks or months, or at least part of their network, ... so the impact on operations is significantly more critical than the theft of PII."

CrowdStrike's analysis of incidents also finds that both attackers and defenders have become more sophisticated. The number of days that attackers have been able to operate inside a victim's network without detection — known as the dwell time — declined to 79 days in 2020, down from 95 days in 2019. Defenders detected 46% of attacks within a week of compromise, up from 29% in 2019. 

Yet attackers' capabilities improved as well. Cyberattacks were able to evade antivirus defenses in 40% of the incidents, and escaped notice in another 30% of incidents, because the defender had misconfigured or failed to set up the antivirus correctly, CrowdStrike states in its report

"This data highlights ... the need to not just buy a security product, but actually invest in ensuring comprehensive coverage in your environment and proper configuration, tuning and integrating it into your security operations program to mitigate even the most sophisticated attacks," the report states.

Ransomware and its ability to disrupt operations has made ransomware the most notorious threat facing companies, especially after the WannaCry and NotPetya global cyberattacks of 2017. Now, more than three years after those attacks caused billions of dollars in damages, ransomware has become the most common way that attackers attempt to monetize a compromise. 

In 2020, ransomware groups became much more aggressive, expanding their tactics of stealing data and then publishing the information if the target did not pay. Cybercriminals published information exfiltrated by more than 500 companies in the third quarter of 2020 alone, according to CrowdStrike.

The attacks investigated by CrowdStrike also continue to shed bespoke and commercial malware in favor of using administrative tools that may already be on the system. The number of attacks using only malware declined from 49% in 2019 to 42% in 2020, while attacks that use no malware increased to 24% from 22% in 2019.

Detecting the attacks has become harder because more security analysts are also working from home, the company states. In a previous report, CrowdStrike found that 56% of security professional reported working from home more often during the pandemic. Companies have reacted by moving away from on-premises-based security to in-the-cloud security services, the company says.

The CrowdStrike report also suggests that attackers keep coming back to target the same companies, with 68% of organizations facing a second attack within 12 months of their initial incident. While the US has begun to be more proactive in disrupting attackers' activities under its Defend Forward doctrine, until cyber operators are arrested, they will continue to learn from their failed attacks, says Henry, a former special agent with the FBI.

"Information security is not unlike physical security," he says. "If you think about the physical world, and you have bank robbers, they are going to keep going until they get caught. it is similar here with these actors. Until you actually stop the actors, this will continue."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights