Ransomware is the most common type of malware organizations are likely to face today, according to the latest annual analysis of global incidents and data breaches by Verizon Communications.
The company’s 2018 Data Breach Investigations Report, released this morning, notes that ransomware was found in 39 per cent of malware-related data breaches – double that found in last year’s report. Ransomware is also moving from PCs into business critical systems by encrypting file servers or databases. That inflicts more damage on organizations and commands bigger ransom requests.
The 11th annual report uses data collected from 67 security organizations across the world on 53,000 incidents and 2,216 breaches in 65 countries.
Usually the report shows many similar patterns. “But this year it really feels like things really do change,” said Gabe Bassett, Verizon’s senior information security data scientist and a co-author of the report. “We’re seeing almost Darwinistic, Origin Of the Species-type specialization for the industries, where attackers are attacking where it makes sense, where it’s not just an easy attack but a high return on investment.
“Not only are we seeing ransomware increase – it doubled last year [covering 2016] and it doubled again this year – but we’re seeing things like the targeting of databases, which increased about three-fold. About 12 per cent of ransomware targeted databases. We’re also seeing an increase in ransomware targeting backup systems.”
Criminals are turning to ransomware because it gets money more easily than stealing credit cards. It’s not hard for a criminal to buy or even rent ransomware as a cloud service, Bassett pointed out, and it doesn’t have to be targeted. “The hardest part of ransomware is the cryptography, and that’s been commoditized.”
And there’s a lot of incentive to pay, he added, if the demand is for $30,000 to get decryption keys compared to paying millions in damages.
UPDATE: Barracuda Networks today published a blog on a new attempt to distribute ransomware and password stealers through the Quant Trojan, which spreads when users click on a malicious email.
Security experts say the best defence against ransomware is having a tested backup and restore strategy. Isn’t that message getting through? “I doubt it,” Bassett replied. “I used to work at a very large Fortune 500 company. The amount of time it would take to put in a backup solution, even of a sub-set of that company’s significant assets, would take a lot of time. It’s not an easy or cheap thing to do. A small company has small resources (to do it.) It’s not a fun decision to make. So I don’t think anyone is ignoring the warnings, but when it comes time to rack and stack what to do, backup is a large and hard thing to do.”
And many in the C-suite just assume their organization backs up all data, he added. “It’s not uncommon for an organization to think its data is backed up, when it isn’t.”
Still, Verizon insists that the best way to stop ransomware is at the network edge, because malware enters the company either through email or a Web site attack. Almost 80 per cent of employees don’t click phishing email, the report points out; the phishing problem is with the four per cent who will regularly fall for it. They should be targeted for training, Bassett said, or given a specialized defensive solution, for example a sandboxed PC or a tablet.
As usual, the report is filled with overall and industry-specific statistics that could help CISOs with their strategies:
–outsiders are behind 73 per cent of breaches;
–internal actors are behind 28 per cent of breaches. This is roughly consistent with findings in previous years;
–two per cent of breaches involved partners;
–50 per cent of breaches investigated involved criminal groups;
–12 per cent involved nation states or were state-affiliated;
–17 per cent were caused by human error;
–17 per cent were “social attacks”;
–12 per cent involved privilege misuse;
–58 per cent of victims were small businesses.
There are other insights sprinkled throughout the report. “Even given all the vulnerabilities out there, credential attacks are still the number one means the attackers attempt to get all up in your servers,” it notes. “It’s time to get your asset inventory in order. Dust off that segmentation project proposal, because no matter how well you do in your external vulnerability scans, if you mix clients and servers, you’re going to give the attackers the shot they’re looking for.”
Sixty-eight per cent of breaches took months or longer to discover, even though 87 per cent of the breaches studied had data compromised within minutes or less of the attack taking place. Verizon’s advice on what to do:
1. Stay vigilant – log files and change management systems can give you early warning of a breach.
2. Make people your first line of defense – train staff to spot the warning signs.
3. Keep data on a “need to know” basis – only employees that need access to systems to do their jobs should have it.
4. Patch promptly – this could guard against many attacks.
5. Encrypt sensitive data – make your data next to useless if it is stolen.
6. Use two-factor authentication – this can limit the damage that can be done with lost or stolen credentials.
7. Don’t forget physical security – not all data theft happens online.
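Point 1 is the one that maps most directly to the ransomware trend the report describes: when a file server or share is encrypted, its audit log shows a burst of renames to a new extension from a single account, often followed by a ransom note being written. The Python below is an added example and not code from the report or from Verizon. It runs that check over constructed audit lines; the log line format, the 60-second window, the threshold of 10 events and the ransom-note name markers are all assumptions to be tuned against the real file server’s logging, and the lines are assumed to arrive in time order.

```python
"""Early warning for file-server ransomware from audit log lines.

Added example, not code from the Verizon report. The log line format,
the window, the threshold and the ransom-note markers are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os
import re

WINDOW = timedelta(seconds=60)   # assumed: how far back to count per user
THRESHOLD = 10                   # assumed: suspicious events inside WINDOW that raise an alert
NOTE_MARKERS = ("DECRYPT", "RANSOM", "HOW_TO_RECOVER")   # assumed ransom-note filename patterns

# Assumed audit format: "<ISO8601 UTC> user=<name> op=<WRITE|RENAME|...> path=<p> [new=<p>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)


def parse_line(line):
    """Return a dict for a well-formed audit line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_suspicious(ev):
    """A rename that changes the file extension, or a write of a ransom-note-like filename."""
    if ev["op"] == "RENAME" and ev["new"]:
        return os.path.splitext(ev["path"])[1].lower() != os.path.splitext(ev["new"])[1].lower()
    if ev["op"] == "WRITE":
        name = os.path.basename(ev["path"]).upper()
        return any(marker in name for marker in NOTE_MARKERS)
    return False


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of suspicious events per user; at most one alert per user."""
    recent = defaultdict(deque)   # user -> timestamps of suspicious events still inside the window
    new_exts = defaultdict(set)   # user -> extensions their renames produced
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_suspicious(ev):
            continue
        user = ev["user"]
        q = recent[user]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop events that have fallen out of the window
            q.popleft()
        if ev["new"]:
            new_exts[user].add(os.path.splitext(ev["new"])[1].lower())
        if len(q) >= threshold and user not in alerts:
            alerts[user] = {
                "user": user,
                "first_seen": q[0],
                "count": len(q),
                "extensions": sorted(new_exts[user]),
            }
    return list(alerts.values())


def _burst(user, start, n):
    """Constructed burst: one extension-changing rename per second from one account."""
    return [
        f"{(start + timedelta(seconds=i)).strftime('%Y-%m-%dT%H:%M:%SZ')} user={user} "
        f"op=RENAME path=/srv/share/hr/doc{i}.docx new=/srv/share/hr/doc{i}.docx.locked"
        for i in range(n)
    ]


# Constructed sample log: ordinary activity from asmith, then jdoe's account encrypting a share
SAMPLE_LINES = [
    "2018-04-10T09:12:01Z user=asmith op=WRITE path=/srv/share/finance/q1.xlsx",
    "2018-04-10T09:12:40Z user=asmith op=RENAME path=/srv/share/finance/q1.xlsx new=/srv/share/finance/q1-final.xlsx",
    "2018-04-10T09:13:05Z user=asmith op=RENAME path=/srv/share/finance/notes.doc new=/srv/share/finance/notes.docx",
    "this line is not in the expected format and is skipped",
] + _burst("jdoe", datetime(2018, 4, 10, 9, 15, 0), 12) + [
    "2018-04-10T09:15:13Z user=jdoe op=WRITE path=/srv/share/hr/README_DECRYPT.txt",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

On the constructed sample the single legitimate extension change from asmith (.doc to .docx) never reaches the threshold, while jdoe’s account is flagged at the tenth rename, before the ransom note is even written. In a real deployment the alert would feed the change-management or SIEM workflow and the flagged account’s share access would be cut.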
The importance of patching isn’t new. Asked why the message isn’t getting through, Bassett said the data shows patches are applied unevenly across asset types: user devices are patched faster than servers, servers faster than network devices, and embedded devices not at all. There is also evidence that once an unpatched device misses an organization’s patch cycle, which might run every three months, it won’t get that patch at all, and organizations aren’t looking at why. It’s an asset management problem, he suggested. “No one looks back and asks, ‘What didn’t get covered and why.’”
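The question Bassett says no one asks can be answered mechanically once the asset inventory and the patch records are both machine-readable. The Python below is an added example, not from the report or from Verizon. It reconciles a constructed inventory against a constructed list of hosts the vulnerability scanner actually saw, assuming a 90-day cycle and a fixed report date, and returns per-class coverage together with every asset that missed, and why; the asset classes mirror the gradient Bassett describes, and the host names and dates are made up.

```python
"""Patch-coverage reconciliation: what didn't get covered, and why.

Added example, not code from the Verizon report. Inventory, scanner output,
the 90-day cycle and the report date are all constructed assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

PATCH_CYCLE = timedelta(days=90)     # assumed quarterly cycle, as the article suggests
REPORT_DATE = date(2018, 4, 10)      # assumed "today" for the report

# Constructed inventory: what the CMDB says the organization owns, with last patch date
INVENTORY = [
    {"id": "wks-001",   "cls": "user device",    "last_patched": date(2018, 3, 28)},
    {"id": "wks-002",   "cls": "user device",    "last_patched": date(2018, 4, 2)},
    {"id": "srv-db01",  "cls": "server",         "last_patched": date(2018, 1, 5)},
    {"id": "srv-web01", "cls": "server",         "last_patched": date(2018, 3, 1)},
    {"id": "sw-core1",  "cls": "network device", "last_patched": date(2017, 6, 1)},
    {"id": "hvac-ctl",  "cls": "embedded",       "last_patched": None},
]

# Constructed scanner output: hosts seen on the network, including one the CMDB does not know
SCANNER_SEEN = ["wks-001", "wks-002", "srv-db01", "srv-web01", "sw-core1", "hvac-ctl", "srv-old02"]


def classify(asset, today, cycle=PATCH_CYCLE):
    """Return 'current', 'never patched', or a 'missed cycle' reason with the patch age."""
    if asset["last_patched"] is None:
        return "never patched"
    age = today - asset["last_patched"]
    if age > cycle:
        return f"missed cycle ({age.days} days since last patch)"
    return "current"


def coverage_report(inventory, seen, today, cycle=PATCH_CYCLE):
    """Per-class coverage percentage plus a list of (asset, class, reason) gaps."""
    by_class = defaultdict(lambda: {"total": 0, "current": 0})
    gaps = []
    for asset in inventory:
        status = classify(asset, today, cycle)
        by_class[asset["cls"]]["total"] += 1
        if status == "current":
            by_class[asset["cls"]]["current"] += 1
        else:
            gaps.append((asset["id"], asset["cls"], status))
    # Hosts the scanner saw but the inventory does not list are gaps of a different kind:
    # nobody owns them, so no patch cycle will ever reach them.
    known = {asset["id"] for asset in inventory}
    for host in seen:
        if host not in known:
            gaps.append((host, "unknown", "seen by scanner but not in inventory"))
    coverage_pct = {
        cls: round(100 * counts["current"] / counts["total"]) for cls, counts in by_class.items()
    }
    return {"coverage_pct": coverage_pct, "gaps": gaps}


if __name__ == "__main__":
    report = coverage_report(INVENTORY, SCANNER_SEEN, REPORT_DATE)
    for cls, pct in report["coverage_pct"].items():
        print(f"{cls:15s} {pct:3d}% current")
    for asset_id, cls, reason in report["gaps"]:
        print(f"GAP {asset_id:10s} [{cls}] {reason}")
```

The output on the constructed data reproduces the pattern in the article (user devices fully covered, servers half, network and embedded devices not at all) and names the one host that appears on the network but in no inventory, which is the asset-management failure that a vulnerability scan alone will not explain.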