Ransomware attacks have become more commonplace than payment card theft incidents for the first time, as cyber criminals alter how they go about their malicious operations in an effort to gain the biggest financial reward for the least amount of effort.
Analysis of more than a trillion security events over the past year and hundreds of breach investigations by researchers at cybersecurity company Trustwave found that ransomware attacks have become the most common security incident.
Almost one in five – 18% – of incidents throughout 2019 involved ransomware attacks, where organisations found part or all of their environment compromised by network encrypting malware – and then faced a financial demand from hackers to regain access to the data.
The number of ransomware incidents quadrupled when compared with the previous year and it now means that ransomware attacks are more common that payment card and financial data breaches for the first time. Incidents involving stolen bank account details and credit card information accounted for 17% of incidents during 2019.
One of the reasons why ransomware attacks have risen so much is because cyber criminals are increasingly viewing it as the simplest and quickest means of making money from compromised networks.
With ransomware, attackers can lockdown an organisation's entire network and demand a bitcoin payment in exchange for the decryption key.
Ransomware attacks are often successful because organisations opt to pay the ransom demand, viewing it as the quickest and easiest way to restore functionality to the network, despite authorities warning never to give into the demand of extortionists.
"The 'beauty' of the ransomware model is you only need to write the ransomware once and its potential to infect is only limited by its reach, which with the internet is unlimited," Ed Williams, EMEA director of SpiderLabs, the research division at Trustwave, told ZDNet.
Stealing financial data is also a potentially lucrative path for cyber criminals, but it arguably involves more work than installing ransomware and demanding a ransom.
The attackers need to make their way into a network, maintain persistence on the network without being uncovered – potentially for a sustained period of time – and then exfiltrate the information without being detected.
All of this takes time, then the criminals need to take additional time and effort to make money from the stolen data. That could either be by using the stolen bank details to commit fraud themselves, or it could be selling the stolen information on to other users on underground forums.
However, such is the proliferation of stolen credit card information on the dark web, it can be difficult to make large sums of money from selling stolen details, so a lot of work could go into what might not be a major reward.
So when ransomware can net attackers hundreds of thousands of dollars in one go, it's easy to see why it has become such an appealing prospect for cyber criminals.
Another factor: many malware attacks rely on the user clicking on a phishing link or downloading a malicious file. However, ransomware is able to exploit the likes of internet-facing ports and Remote Desktop Protocol to infiltrate and spread around the network without the involvement of the user.
WannaCry ransomware is probably the most notorious example of this and, in the years since, cyber criminals have exploited vulnerabilities to crawl around the network and infect everything necessary before pulling the trigger on the ransomware demand – all without the victim needing to be involved.
However, despite the potential damage that can be done by ransomware, it's very much possible to defend against it. Organisations should ensure that networks are patched and up to date, so that ransomware and other malware can't take advantage of known vulnerabilities to take hold.
"The basics are always key; patching, passwords and policy. Making sure all software is running the latest secure version," said Williams.
Organisations should also make sure that any ports that don't have to be facing the outside world aren't doing so as that'll help prevent attackers breaching the network in the first place. Multi-factor authentication should also be applied across the network, so if attacks do attempt to brute force logins to get around the network, there's an additional barrier to stop them.
Finally, organisations should regularly backup the entire network – and store the backup offline – so that if the worst happens, and a ransomware attack is successful, the network can be restored without having to consider the idea of giving into extortion.
MORE ON CYBERSECURITY
- Ransomware: Why cities have become such a big target for cyberattacks - and why it'll get worse
- How ransomware attackers are doubling their extortion tactics TechRepublic
- 30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world
- Ransomware froze more cities in 2019 as hackers got smarter CNET
- Ransomware and DDoS attacks: Cybercrooks are stepping up their activities in the midst of coronavirus