Verizon: When Ransomware Attacks Cost, They're Costing MoreRansom Payment Amounts Drop as Cleanup Costs Rise, Finds Annual Data Breach Report
Criminals are continuing to wield stolen credentials, ransomware and social engineering attacks to earn an illicit payday, Verizon found in its latest annual analysis of data breaches and how they happened.
See Also: 2022 Unit 42 Incident Response Report
Verizon's 2023 Data Breach Investigations Report is based on 5,199 confirmed data breaches out of 16,312 reported security incidents that happened from November 2021 through the end of October 2022. More than 60 organizations contributed data.
Major trends highlighted in this year's report include:
- Top tactics: The most prevalent attacker tactics or tools involved in data breaches, when known, were stolen credentials, followed by ransomware, social engineering and vulnerability exploits.
- Social engineering: Business email compromise attacks nearly doubled, now comprising about half of all social engineering attacks.
- Ransomware: One-quarter of all breaches analyzed for the report involved ransomware.
- Human element: Seventy-four percent of all breaches trace to some human element, be it human error, misused credentials or falling victim to social engineering.
- External risk: Eighty-three percent of incidents involve external attackers, and 97% of all breaches appear to have a financial motive, as opposed to drivers such as espionage.
Last year's report highlighted a concerning surge in ransomware attacks causing data breaches.
In this year's report, Verizon found that ransomware was tied to 16% of all incidents - about double compared to its previous report - and that ransomware continued to be a factor in 24% of all data breaches, which was unchanged from last year. In a video interview with Information Security Media Group, however, Alex Pinto, senior manager at the Verizon Threat Research Advisory Center and lead report author, said ransomware attacks may not be growing as quickly but added, "I wouldn't count them out yet."
For 93% of security incidents involving ransomware, victims reported no financial losses, based on information submitted to the FBI's Internet Crime Complaint Center, or IC3, which shared the data with Verizon.
The remaining 7% of victims reported to IC3 a median loss of $26,000, or double what victims reported two years prior. Despite the increase in costs, ransomware watchers have said that since 2021, when victims opt to pay a ransom, on average, they're paying less than before.
"What this suggests is that the overall costs of recovering from a ransomware incident are increasing even as the ransom amounts are lower," the report states. "This is a result we have been expecting to see due to the increase of automation and efficiency of ransomware operators."
This is conjecture, Verizon emphasizes, since IC3 didn't share company size or complete ransom payment information with its victim data.
Another notable change concerns pretexting, a form of social engineering that involves attackers fabricating stories or pretexts that are directly relevant to a victim, as opposed to less complex, generalized phishing attacks.
"They use this invented scenario to play on your emotions and create a sense of urgency," Verizon says in its report. Fraudsters often practice pretexting by pretending to be a family member or - in the case of BEC attacks or CEO fraud - a boss in urgent need of a cash transfer.
Verizon reports that while phishing remains more prevalent than pretexting as a cause of data breaches, for security incidents involving social engineering, pretexting is now more common than phishing.
One ancillary risk flagged by some security experts is that attackers may increasingly use artificial intelligence to create even more compelling types of pretexting, including audio or video that pretends to be someone a victim knows. In recent weeks, for example, police in China have warned of a surge in attacks that appear to involve AI, in some cases to appear on a video chat to be someone the victim knows, The Wall Street Journal recently reported.
Breach Report Caveats
Every look at data breaches carries big caveats, owing to victims not always discovering security incidents, at least in a timely manner, or being able to determine if data was stolen. When an organization falls victim to a hack attack, they might not tell anyone. Legally speaking, organizations don't always have to report a breach to authorities. Even when they do, governments doesn't always release the information publicly.
Data breach notification rules don't guarantee transparency. In recent years, U.S. organizations that issued public data breach notifications have been, on average, less likely to include details such as how they got hacked or what type of data was exposed.
Detailed post-breach reports such as the Verizon DBIR help organizations learn how to better avoid becoming tomorrow's victim. "This report aims to take a look at the times when things did not work as intended - not to point fingers but to help us all learn and improve," the report's introduction says. "In a time where almost everyone, corporations and individuals alike, is looking at ways to do more with less, we believe a close analysis of when our defenses failed can be very beneficial."
Data contributors to the report include cyber insurer Coalition, ransomware incident response firm Coveware and cybersecurity giant CrowdStrike; computer emergency response teams from the EU; Malaysia's cybersecurity agency; and the U.S. Secret Service, Cybersecurity and Infrastructure Security Agency, and IC3.
The report includes a call to arms from CISA Director Jen Easterly, who wrote that driving down the prevalence of breaches demands that organizations deploy multifactor authentication more widely, given its ability to block stolen credentials from being used to breach organizations. "In particular, it's critical that 'high-value targets' like system administrators and software-as-a-service (SaaS) staff use phishing-resistant MFA," Easterly wrote.
Verizon's report authors offer their own takeaways too, including that preparation pays, not least when ransomware - aka "your next unscheduled encryption event" - is involved. "It's fair to say that an ounce of prevention is worth a pound of cure, so we cannot emphasize enough the need of having a plan and/or incident response resources at the ready," the report says.