Ransomware has become so efficient, and the underground economy so professional, that traditional monetization of stolen data may be on its way out.


The past year has seen a staggering acceleration in ransomware incidents, with 25% of all breaches containing a ransomware component.

That's the top-line finding in the 2022 Verizon Data Breach Investigations Report (DBIR), which found that the share of breaches involving ransomware jumped by 13 percentage points in the past year: last year's report put the figure at just 12%. That single-year increase is greater than the growth of the previous five years combined.

The 15th annual DBIR analyzed 23,896 security incidents, of which 5,212 were confirmed breaches. About four in five of those were the handiwork of external cybercriminal gangs and threat groups, according to Verizon. And according to Alex Pinto, manager of the Verizon Security Research team, these nefarious types are finding it easier and easier to earn an ill-gotten living with ransomware, making other types of breaches increasingly obsolete.

"Everything in cybercrime has become so commoditized, so much like a business now, and it's just too darn efficient of a methodology for monetizing their activity," he tells Dark Reading, noting that with the emergence of ransomware as-a-service (RaaS) and initial-access brokers, it takes very little skill or effort to get into the extortion game.

"Before, you had to get in somehow, look around, and find something worth stealing that would have a reseller on the other end," he explains. "In 2008 when we started the DBIR, it was by and large payment-card data that was stolen. Now, that has fallen precipitously because they can just pay for access someone else established and install rented ransomware, and it's so much simpler to reach the same goal of getting money."

A corollary to this story is that any and every organization is a target: companies no longer need to hold highly sensitive data worth stealing to land in the cybercrime crosshairs. That means that small and midmarket organizations should beware, Pinto says, as well as very small, mom-and-pop shops.

"You don't have to go for the big guys anymore," Pinto says. "In fact, going for the big guys might be counterproductive because those folks usually have their ducks more in a row as far as defenses. If a business has a handful of computers and they care about their data, you're potentially going to make a few bucks out of them."

Put into a different context, the DBIR found that around 40% of data breaches fall into what Verizon calls the system-intrusion pattern (breaches driven by the installation of malware), he says, and the rise in RaaS means that 55% of those system-intrusion breaches involved ransomware.

"Our concern is that really, there's no ceiling here," Pinto says. "I think we're not convinced anymore that it's going to stop — unless someone comes up with something that's even more efficient. I cannot imagine what that would be, but maybe this is why I'm not in the organized crime business."

The SolarWinds Effect

The fallout from the infamous SolarWinds supply-chain hack spread far and wide over the course of the year: the "software updates" vector pushed the "partner" category up to 62% of system-intrusion incidents (ransomware incidents included), from a negligible 1% in 2020.

Pinto noted that despite the headlines and the interest in incidents like SolarWinds (and others, such as the Kaseya-related ransomware attacks), dealing with supply-chain breaches doesn't require an operational overhaul for most businesses.

"Protecting against the fallout of a supply-chain breach if you were one of the affected customers is not so different from protecting from several other types of malware, because your servers are beaconing out to somewhere they shouldn't be. If you're a CISO, the techniques you use should be fairly similar to the ones you already use because, quite frankly, trying to go after every single software supplier you have to try to make them secure will make you insane. It's a very big lift."

Where to Start on Ransomware Defense

In examining the entry paths for breaches, Pinto noted that attacks can reliably be boiled down to four different (and familiar) avenues: the use of stolen credentials; social engineering and phishing; vulnerability exploits; and the use of malware.

"The one thing when you close this report to do is, go look at those four things in your environment and what controls you have for them," Pinto says.

When it comes to ransomware-related breaches in particular, 40% of the incidents analyzed involved desktop-sharing software such as Remote Desktop Protocol (RDP), and 35% involved email (mostly phishing).

"Locking down your external-facing infrastructure, especially RDP and emails, can go a long way toward protecting your organization against ransomware," Pinto says.
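The RDP figure above translates into a concrete check: if RDP has to stay reachable at all, watch who is logging in over it. The following is an added example, not code from the article or from Verizon. It reviews Windows Security log events (EventID 4624 for a successful logon, 4625 for a failure, LogonType 10 for RemoteInteractive, which is what an RDP session records) and flags password-guessing bursts and any successful RDP logon from outside an assumed private/VPN address range. The event dicts, the trusted-range list, the thresholds and the sample log are all constructed assumptions, not the page's own data.

```python
"""Added example (not from the article or from Verizon's DBIR): flag RDP
abuse in Windows Security log events.

Assumptions, all hypothetical: events are dicts shaped like exported
Security events (EventID 4624 = logon success, 4625 = logon failure,
LogonType 10 = RemoteInteractive/RDP, TargetUserName, IpAddress,
TimeCreated as ISO 8601); RDP from RFC 1918 or loopback space is expected
(a VPN pool would live there) and anything else is "external"; five or
more failures from one source within 60 seconds counts as guessing.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RDP_LOGON_TYPE = 10                  # LogonType 10 = RemoteInteractive (RDP)
FAIL_THRESHOLD = 5                   # failures inside FAIL_WINDOW = guessing
FAIL_WINDOW = timedelta(seconds=60)

# Assumed trusted RDP sources: private ranges plus loopback.
TRUSTED_SOURCES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
    ip_network("::1/128"),
]


def is_external(raw_ip):
    """True when the source address is outside every trusted range.

    Windows writes "-" when no network source is known; that is not
    evidence of an external peer, so it is treated as not external.
    """
    try:
        addr = ip_address(raw_ip)
    except ValueError:
        return False
    return not any(addr in net for net in TRUSTED_SOURCES)


def find_bruteforce(failures_by_ip):
    """Sliding-window count of RDP failures per source address."""
    alerts = []
    for ip, times in failures_by_ip.items():
        times = sorted(times)
        start, best = 0, 0
        for end, t in enumerate(times):
            # Drop failures that fell out of the window ending at t.
            while t - times[start] > FAIL_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= FAIL_THRESHOLD:
            alerts.append({"ip": ip, "max_failures_in_window": best,
                           "first": times[0], "last": times[-1]})
    return alerts


def detect_rdp_abuse(events):
    """Return brute-force bursts and external RDP logons found in events.

    A successful external logon from an address that was also guessing
    passwords is rated critical; any other external RDP logon is high.
    """
    failures = defaultdict(list)
    external_logons = []
    for ev in events:
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue                     # only RDP sessions matter here
        ip = ev.get("IpAddress", "-")
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 4625:
            failures[ip].append(when)
        elif ev["EventID"] == 4624 and is_external(ip):
            external_logons.append({"time": when, "ip": ip,
                                    "user": ev.get("TargetUserName")})
    bruteforce = find_bruteforce(failures)
    guessing_ips = {a["ip"] for a in bruteforce}
    for logon in external_logons:
        logon["severity"] = "critical" if logon["ip"] in guessing_ips else "high"
    return {"bruteforce": bruteforce, "external_logons": external_logons}


def _ev(event_id, when, user, ip, logon_type=RDP_LOGON_TYPE):
    return {"EventID": event_id, "TimeCreated": when, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


# Constructed sample log, not real telemetry. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for internet sources.
SAMPLE_EVENTS = [
    _ev(4625, "2022-05-24T03:12:01", "administrator", "203.0.113.45"),
    _ev(4625, "2022-05-24T03:12:08", "admin", "203.0.113.45"),
    _ev(4625, "2022-05-24T03:12:15", "backup", "203.0.113.45"),
    _ev(4625, "2022-05-24T03:12:22", "jsmith", "203.0.113.45"),
    _ev(4625, "2022-05-24T03:12:30", "jsmith", "203.0.113.45"),
    _ev(4625, "2022-05-24T03:12:37", "jsmith", "203.0.113.45"),
    _ev(4624, "2022-05-24T03:12:44", "jsmith", "203.0.113.45"),  # guessed it
    _ev(4624, "2022-05-24T08:01:10", "jsmith", "192.168.1.20"),  # internal, fine
    _ev(4625, "2022-05-24T09:00:00", "svc_sql", "198.51.100.7", logon_type=3),  # not RDP
    _ev(4625, "2022-05-24T09:10:00", "svc_sql", "198.51.100.7"),
    _ev(4625, "2022-05-24T09:20:00", "svc_sql", "198.51.100.7"),  # too slow to count
]

if __name__ == "__main__":
    result = detect_rdp_abuse(SAMPLE_EVENTS)
    for a in result["bruteforce"]:
        print(f"[brute-force] {a['ip']}: {a['max_failures_in_window']} RDP "
              f"failures within {FAIL_WINDOW.seconds}s ({a['first']} .. {a['last']})")
    for l in result["external_logons"]:
        print(f"[{l['severity']}] external RDP logon as {l['user']} "
              f"from {l['ip']} at {l['time']}")
```

On the sample log the script reports one guessing burst from 203.0.113.45 and one critical external logon (the same address succeeded as jsmith right after the burst); the internal session, the non-RDP network logon and the two slow failures from 198.51.100.7 are left alone. The "high" rating for any other external RDP success is deliberate: if the control is that RDP is only reachable over the VPN, a success from a public address is itself the finding, whatever the account did afterwards.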

It's worth noting that overall, 82% of the breaches Verizon analyzed involved a human element: either error (misconfigurations, for example, accounted for 13% of breaches) or interaction, such as falling for phishing or social engineering or having credentials stolen and reused. Artur Kane, vice president of product at GoodAccess, says this points to a few best practices worth revisiting.

First, there are the technical controls: requiring multifactor authentication (MFA), segmenting the network by access privilege, implementing real-time threat detection, keeping continuous access logs, and running regular backups.

"However, security administrators also need to have solid response and recovery plans in place for these occurrences, and should conduct regular trainings and drills," Kane says. "[And] user training can greatly contribute to improving the overall company security posture. As a large part of ransomware attacks opens with a phishing lure, training employees in how to spot them can save millions of dollars in later breach recovery."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
