If you think you already know what the most common cyberattack vectors are… you’re probably right.
Still, just knowing what the vectors are isn’t the full story.
This article is the second in a series summarizing the findings of our new report:
Today, we’re starting a two-part segment on the statistics surrounding common vectors and shedding light on some important learning points.
This post will focus on two old favorites.
Easily the most common tactic used by cybercriminals is exploiting humans. Today, at least 82% of breaches include what Verizon’s Data Breach Investigations Report (DBIR) calls the human element, mostly in the form of email-based threats such as phishing, pretexting, and compromised email accounts.
For many years, more sophisticated pretexting attacks—where an attacker presents their victim with a legitimate-sounding reason to take an ill-advised action—have outperformed more basic phishing attacks in results. Seeing this, cybercriminals have naturally identified the most convincing pretext: emailing from a compromised email account belonging to an internal user, vendor, or partner. The ready availability of credentials in the cybercriminal economy makes these attacks viable for even low-level criminal groups. It can be hard for even informed employees to recognize malicious intent.
Of course, none of this is new… or is it? Interestingly, a look back at the 2012 DBIR finds that just 7% of breaches included phishing or another form of social engineering. The same year, in Ponemon’s 2012 Cost of Cyber Crime Study: United States, only 38% of U.S. organizations said they had even experienced a phishing or social engineering attack. An unbelievable statistic considering its prevalence today.
Returning to the DBIR, by 2017, social engineering tactics were used in 43% of breaches. Since then, we’ve seen a rapid rise in the use of social tactics, and this isn’t surprising. In years past, most organizations didn’t have robust controls to prevent direct technical compromises (what we might call hacking). Today, they do, making these purely technical attacks less reliable. Predictably, cybercriminals have taken the logical step of attacking the weakest link in the chain: humans.
Ransomware Continues to Wreak Havoc
The 2022 DBIR found that ransomware was present in roughly 13% of all security incidents and 25% of all data breaches. From this, we can deduce over 40% of ransomware incidents resulted in a breach.
Of course, nobody needs to be told that ransomware is a top threat. A 2022 Veeam survey of 1,000 IT leaders found that 76% had suffered a ransomware attack, and 55% had suffered two or more. The most common delivery methods are phishing (44%), infected patches and software (41%), and credential compromise (35%). And interestingly, 32% of respondents said ransomware had entered their environment via an insider threat, such as a disgruntled employee. This suggests malicious insider threats may be more common than the DBIR would have us believe.
Ransomware is increasingly targeting backups, aiming to increase the likelihood of a ransom payment. This makes a lot of sense. Backups have been heralded as the go-to solution for protecting against ransomware, so it’s natural that cybercriminals would look for a way to eliminate them. The Veeam report found 94% of ransomware attacks target backup repositories, and at least some repositories were affected in 68% of ransomware incidents.
So how do these trends compare to past years? Despite being pioneered all the way back in 1989, ransomware was practically non-existent in the DBIR dataset until 2013. Interestingly, that year’s report noted that ransomware attacks were already going after backups, presumably having noted that removing them would improve the chance of ransoms being paid.
Ransomware has really taken off in the last five years. It accounted for around 2% of breaches in 2017, 5% in 2019… and then exploded between 2020 and today.
Of course, breaches don’t tell the full story when it comes to ransomware. Ransomware trojans are present in almost two-thirds of malware incidents—many of which have huge consequences for victims even if no data is compromised. Even when victim organizations can fully recover from an attack, the cost of disruption and recovery can be huge. According to the 2022 Cost of a Data Breach Study, the average cost of a ransomware attack is $4.45 million, not including ransom payments.
Before we move on, the Veeam report referenced above highlighted another important learning point.
Over half of affected organizations paid ransom demands and managed to retrieve their data. However, 24% of affected organizations paid their ransom… but couldn’t recover their data. This highlights the gamble taken when paying ransoms—ransomware trojans are often bought and used by groups without the technical skill to develop them or even reliably alter them. As a result, a group may be unable to restore your access even if it intends to.
Remember, ransomware is a business model. If it becomes known that a particular group (or ransomware variant) doesn’t hold up its end of the bargain, that dramatically reduces the chances that future victims will be willing to pay up.
Get the Full Cybercrime Story
A cybercrime report could be anything from one page to a hundred pages long. As simple as saying, “Cybercriminals go where the money is,” or as complicated as digital forensics and malware analysis.
In our new report, we’ve striven for a happy medium that gives insight into current, past, and possible future cybercrime trends without getting bogged down in unnecessary details. We’ve also included the most important steps to protect against cybercrime over the next decade.
Download the report to learn:
- Why hacktivism and grudge attacks have dropped significantly, and what’s replaced them.
- Why statistics don’t tell the whole story regarding internal vs. external attacks—and why that matters when designing a risk-based cybersecurity program.
- Where cybercrime will definitely go over the next few years—plus longer-term predictions from industry veterans Dr. Zero Trust (Chase Cunningham) and Dan Schaupner.
