Verizon's Data Breach Investigations Report (DBIR) shows that ransomware is now the third most common action seen in breaches. “It is startling,” the author of the report, Phil Langlois, said during a webinar.

Verizon analyzed almost 80k incidents, of which 5.3k were confirmed breaches, with samples from 88 countries worldwide. The researchers highlight that there is a difference between an incident and a breach. An incident is a security event that compromises an information asset’s integrity, confidentiality, or availability. Meanwhile, a breach is an incident that results in the confirmed disclosure of data to an unauthorized party.

Researchers bucket the incidents and breaches they observe into eight core patterns representing the vast majority of events. When we talk about breaches, social engineering, basic web application attacks, and system intrusion are the most popular patterns. Phil Langlois briefly covered these three patterns.

Three most common types of breaches

Social engineering. Researchers found that about 85% of breaches that they analyzed involved the human element. “Someone clicking a link, misconfiguring a firewall, or something along those lines,” Langlois illustrated. Researchers also saw a relatively significant increase in phishing. Previously, it accounted for ¼ of data breaches, and now it lingers around 36%. 

Basic web application attacks are those with a small number of steps or additional actions after the initial web application compromise. They are very focused on direct objectives, ranging from getting access to email and web application data to repurposing the web app for malware distribution, defacement, or future DDoS attacks.

“We are talking about single step attacks in which adversaries are leveraging often compromised credentials, weak passwords, and sometimes vulnerabilities,” Langlois said. 

He called it internet noise – researchers continuously see credentials being used and brute-force attempts.

System intrusion involves an advanced attacker. This pattern represents a dedicated actor using a combination of hacking and malware techniques to achieve their objective. The three main components of system intrusion are ransomware, general advanced threats (some nation-states fall under this category), and Magecart attacks, in which threat actors inject malicious JavaScript into an application to steal credit card information.

For example, Sansec, the e-commerce security provider, reported that the Lazarus Group had been attacking U.S. and E.U. e-tailers using Magecart payment card skimming.

Ransomware, Langlois emphasized, grew and now accounts for 10% of their analyzed breaches. “It is a pretty dramatic rise,” he said.

He elaborated that because cybercriminals changed their tactics and approaches, we hear about ransomware more often.

“Previously, they would encrypt the data, hold the data ransom, and the organization may pay the ransom, or may not, and no one will know about it. Nowadays, a lot of these actors have public websites where they go and post that their victims have been compromised,” he explained.

When he started working on the DBIR, he initially thought that there might be misinformation in the media about the rising ransomware numbers. The fact that we hear about it more often doesn’t mean that it is rising. But when Langlois started looking at the data, he saw a relatively significant increase.

“Ransomware now is the third most popular action between the breaches. It is a startling thing. (…) It has become very financially beneficial, and it’s a good way of making money,” the researcher explained.

How much does it cost to break into a network?

Initial access brokers certainly are giving rise to ransomware. These are criminals looking for data to buy and also selling data and access on the dark web. The top targeted industries are retail, financial services, industrial goods, healthcare, and the technology sector.

Researchers are examining various illicit marketplaces. Since 2020, they have seen 500 different listings of network access for sale. It means that if you have an unsecured network, there may be a chance that it is out there for sale, too.

According to the digital risk protection company Digital Shadows, on average, it costs $7,200 for cybercriminals to get into a network.

Remote desktop protocol (RDP) access is the most common type of access listed, with an average price of $9,874. 

Virtual private network (VPN) access costs around $2,871 on the dark market, and domain admin access around $8,187.

