Following ransomware trends to create the appropriate response plan

Author: MacLean Guthrie

A 2021 ransomware attack on a major US gasoline pipeline company may have come as a shock to drivers faced with a few days of short supplies and long lines, but those observing cybercrime and ransomware trends saw it coming. 

“We may not have known who the next victim would be, but we knew that ransomware was becoming far more common in the energy sector,” says Alex Pinto, a senior security analyst in Verizon Business Group’s Threat Research Advisory Center and lead author of Verizon’s Data Breach Investigations Report (DBIR). “Manufacturers and companies in mining, oil and gas extraction, as well as utilities, came under significant ransomware attacks in 2020. And we don’t see it slowing down anytime soon.” 

More troubling: ransomware is increasingly leading to actual data breaches instead of just locking a company out of its data. Attackers are now demanding a ransom payment to release encrypted data and threatening to leak the very same private or sensitive data to the public. “A company can easily find itself in a hostage and blackmail situation at the same time,” says Pinto. “That’s not where you want to find yourself at 3 AM.”

Ransomware trends

The Verizon DBIR analyzes data from research partners and law enforcement agencies in more than 80 countries. The report sheds light on ransomware trends, emphasizing the need for all organizations to have a ransomware response plan. Furthermore, the report shows that ransomware attacks have been trending upwards since 2016, and notes the following:

  • An estimated 10 percent of data breaches where data is actually stolen now involve ransomware.
  • While no industry is immune to ransomware attacks, Manufacturing has seen a particularly sharp increase in the number of ransomware-related malware incidents.
  • Data provided by the FBI Internet Criminal Complaint Center (IC3) shows that money lost by a victim from a ransomware attack ranges between $70 and $1.2 million per incident.

A layered ransomware defense can make the difference

Defending an organization against the growing threat of ransomware attacks means knowing how the ransomware gets in to begin with, and which controls (from technology and business process refinement to employee training) are needed.

How the ransomware gets on a system varies. Often it is the result of a direct install of ransomware, or of installation through desktop sharing apps, with threat actors using stolen credentials or ‘brute force’ tactics. Ransomware may also get on a system through email, network propagation and being ‘downloaded by other malware’, where servers are targeted.

Preventing all ransomware attacks may be close to impossible, but there are ways to reduce the risk. For example, an effective ransomware response plan includes security controls from the Center for Internet Security, which are considered industry-standard for building a comprehensive security program.

Incident planning and a ransomware response plan can lessen the impact

If ransomware does strike, experts suggest that your organization should already have a plan in place to manage the crisis.

“A ransomware attack forces organizations to make some very tough decisions,” says Jim Meehan, Senior Investigations Manager in Verizon’s cybersecurity practice.

Meehan, a former member of the U.S. Secret Service who fought crime and cybercrimes for more than two decades, explains: “Should we pay? How much is too much? Who approves the payment, and where do we get the money? And what if the hacker takes the payment but leaks our data anyway? You have to have a specific ransomware contingency plan and policy in place, well before such an attack, because you don’t want to be making those decisions in real time. The longer an incident goes on, the more damage it will do to the company.” 

Meehan advises business leaders and security teams to collaborate regularly to ensure their ransomware response plans are up to date. Third-party security assessments and regular testing can also help measure company readiness.

Additionally, organizations can take advantage of certain cyber security technologies and services to help proactively detect and respond to ransomware attacks before they become major disruptions. These include endpoint detection and response (EDR), security information and event management (SIEM), user and entity behavior analytics (UEBA), and advanced deception.

When it comes to ransomware trends, those who produce the DBIR expect the trend of taking data hostage and stealing it to remain popular among attackers. 
