Ransomware Makes Up Half of All Major Incidents

Misconfigurations and lack of visibility allow attackers to compromise networks and monetize their intrusions, according to CrowdStrike's analysis of about 200 incidents.

Ransomware attacks made up the majority of serious cyber intrusions this year, accounting for 51% of all incidents investigated by CrowdStrike in 2020, according to the company's yearly incident-analysis report.

Financially motivated crimes accounted for 63% of the more than 200 incidents the company investigated on behalf of new and existing clients, the firm states in its "CrowdStrike Services Cyber Front Lines" report. Of those, 81% — or 51% of all incidents — saw the deployment of ransomware or tools that typically result in a ransomware infection, the company says.

The data underscores that cybercriminals have completed their change in direction, from attacks that focus on stealing personally identifiable information (PII) to sell online, to disrupting corporate operations to score a six- or seven-digit ransom, says Shawn Henry, president of CrowdStrike Services and chief security officer for the company.

"The theft of data is bad, but what we are seeing now, the disruption of operations and destruction of data, is a whole new dynamic, and it really creates critical concerns for companies," he says. "We have seen companies shut down for weeks or months, or at least part of their network, ... so the impact on operations is significantly more critical than the theft of PII."

CrowdStrike's analysis of incidents also finds that both attackers and defenders have become more sophisticated. The number of days that attackers have been able to operate inside a victim's network without detection — known as the dwell time — declined to 79 days in 2020, down from 95 days in 2019. Defenders detected 46% of attacks within a week of compromise, up from 29% in 2019. 

Yet attackers' capabilities improved as well. In 40% of the incidents, the attack evaded antivirus defenses outright, and in another 30% it escaped notice because the defender had misconfigured or failed to set up the antivirus correctly, CrowdStrike states in its report.

"This data highlights ... the need to not just buy a security product, but actually invest in ensuring comprehensive coverage in your environment and proper configuration, tuning and integrating it into your security operations program to mitigate even the most sophisticated attacks," the report states.

Its ability to disrupt operations has made ransomware the most notorious threat facing companies, especially after the WannaCry and NotPetya global cyberattacks of 2017. Now, more than three years after those attacks caused billions of dollars in damages, ransomware has become the most common way that attackers attempt to monetize a compromise.

In 2020, ransomware groups became much more aggressive, expanding their tactics to stealing data and then publishing the information if the target did not pay. Cybercriminals published information exfiltrated from more than 500 companies in the third quarter of 2020 alone, according to CrowdStrike.

The attacks investigated by CrowdStrike also continue to shed bespoke and commercial malware in favor of using administrative tools that may already be on the system. The number of attacks using only malware declined from 49% in 2019 to 42% in 2020, while attacks that use no malware increased to 24% from 22% in 2019.

Detecting the attacks has become harder because more security analysts are also working from home, the company states. In a previous report, CrowdStrike found that 56% of security professionals reported working from home more often during the pandemic. Companies have reacted by moving away from on-premises security to in-the-cloud security services, the company says.

The CrowdStrike report also suggests that attackers keep coming back to target the same companies, with 68% of organizations facing a second attack within 12 months of their initial incident. While the US has begun to be more proactive in disrupting attackers' activities under its Defend Forward doctrine, until cyber operators are arrested, they will continue to learn from their failed attacks, says Henry, a former special agent with the FBI.

"Information security is not unlike physical security," he says. "If you think about the physical world, and you have bank robbers, they are going to keep going until they get caught. It is similar here with these actors. Until you actually stop the actors, this will continue."
