
Ransomware Makes Up Half of All Major Incidents

Misconfigurations and lack of visibility allow attackers to compromise networks and monetize their intrusions, according to CrowdStrike's analysis of about 200 incidents.

Ransomware attacks made up the majority of serious cyber intrusions this year, accounting for 51% of all incidents investigated by CrowdStrike in 2020, according to the company's yearly incident-analysis report.

Financially motivated crimes accounted for 63% of the more than 200 incidents the company investigated on behalf of new and existing clients, the firm states in its "CrowdStrike Services Cyber Front Lines" report. Of those, 81% — or 51% of all incidents — saw the deployment of ransomware or tools that typically result in a ransomware infection, the company says.


The data underscores that cybercriminals have completed their change in direction, from attacks that focus on stealing personally identifiable information (PII) to sell online, to disrupting corporate operations to score a six- or seven-digit ransom, says Shawn Henry, president of CrowdStrike Services and chief security officer for the company.

"The theft of data is bad, but what we are seeing now, the disruption of operations and destruction of data, is a whole new dynamic, and it really creates critical concerns for companies," he says. "We have seen companies shut down for weeks or months, or at least part of their network, ... so the impact on operations is significantly more critical than the theft of PII."

CrowdStrike's analysis of incidents also finds that both attackers and defenders have become more sophisticated. The number of days that attackers have been able to operate inside a victim's network without detection — known as the dwell time — declined to 79 days in 2020, down from 95 days in 2019. Defenders detected 46% of attacks within a week of compromise, up from 29% in 2019. 

Yet attackers' capabilities improved as well. Cyberattacks were able to evade antivirus defenses in 40% of the incidents, and escaped notice in another 30% of incidents because the defender had misconfigured the antivirus or failed to set it up correctly, CrowdStrike states in its report.

"This data highlights ... the need to not just buy a security product, but actually invest in ensuring comprehensive coverage in your environment and proper configuration, tuning and integrating it into your security operations program to mitigate even the most sophisticated attacks," the report states.

Ransomware's ability to disrupt operations has made it the most notorious threat facing companies, especially after the WannaCry and NotPetya global cyberattacks of 2017. Now, more than three years after those attacks caused billions of dollars in damages, ransomware has become the most common way that attackers attempt to monetize a compromise.

In 2020, ransomware groups became much more aggressive, expanding their tactics to stealing data and then publishing the information if the target did not pay. Cybercriminals published information exfiltrated from more than 500 companies in the third quarter of 2020 alone, according to CrowdStrike.

The attacks investigated by CrowdStrike also continue to shed bespoke and commercial malware in favor of using administrative tools that may already be on the system. The number of attacks using only malware declined from 49% in 2019 to 42% in 2020, while attacks that use no malware increased to 24% from 22% in 2019.

Detecting the attacks has become harder because more security analysts are also working from home, the company states. In a previous report, CrowdStrike found that 56% of security professionals reported working from home more often during the pandemic. Companies have reacted by moving away from on-premises security to cloud-based security services, the company says.

The CrowdStrike report also suggests that attackers keep coming back to target the same companies, with 68% of organizations facing a second attack within 12 months of their initial incident. While the US has begun to be more proactive in disrupting attackers' activities under its Defend Forward doctrine, until cyber operators are arrested, they will continue to learn from their failed attacks, says Henry, a former special agent with the FBI.

"Information security is not unlike physical security," he says. "If you think about the physical world, and you have bank robbers, they are going to keep going until they get caught. It is similar here with these actors. Until you actually stop the actors, this will continue."
