Ransomware and Business Email Compromise (BEC) Account for 70% of Breaches
Ransomware and business email compromises (BEC) topped the list of the types of attacks on organizations in the past year, making up 70% of the total number, according to the 2022 Unit 42 Incident Response Report from Unit 42 by Palo Alto Networks, a cybersecurity consultancy within the company. The firm compiled its report findings based on approximately 600 incident responses between May 2021 and April 2022.
While these two attack types are the primary ways threat actors can monetize illicit access to networks, attackers have and use nearly countless other strategies for financial gain or simply to harm the organization. Cybercriminals have increasingly paired extortion with encryption (sometimes including added threats of informing customers or the press or conducting a distributed denial-of-service attack). As Ransomware-as-a-Service (RaaS) continues to emerge and even script kiddies (laymen or non-technical folks) can buy malware on the dark web to make a few dollars the number of attacks is likely to increase.
Unit 42’s Summary of Incident Response Findings
- 77% of intrusions are suspected to be caused by three initial access vectors – phishing, exploitation of known software vulnerabilities, and brute-force credential attacks focused primarily on remote desktop protocol.
- The report also found that more than 87% of positively identified vulnerabilities fell into one of six major categories – the ProxyShell and ProxyLogon flaws in Exchange Server, the Apache Log4j vulnerability, and vulnerabilities in Zoho ManageEngine ADSelfService Plus, Fortinet, and SonicWall.
- 50% of the compromised organizations lacked multifactor authentication (MFA) on key internet-facing systems such as corporate webmail, virtual private network (VPN), and other remote access solutions.
- The seven most targeted industries accounted for over 60% of the cases; they included finance, professional and legal services, manufacturing, healthcare, high-tech, wholesale, and retail.
Ransomware in particular has been a focus area for many in the cybersecurity industry because of the impact on targeted organizations and those who depend on them. Ransomware threat actors gain control over critical data and resources and then leverage this control to coerce payments from their victims. Unfortunately, these attacks have been made even easier with the rise of ransomware-as-a-service (RaaS) offerings. There is an interesting blog post that I just read about the rise of Ransomware-as-a-Service (RaaS) which explains how the threat is emerging.
Patching vulnerabilities, implementing multifactor authentication, and fixing misconfigurations may not be exciting, but these foundational steps reduce an organization’s attack surface and ensure it is not an easy target.
Unit 42 said that attackers may focus on certain industries such as finance and healthcare because they store, transmit, and process high volumes of monetizable sensitive information and because they make widespread use of certain software with known vulnerabilities.
What is Business E-mail Compromise?
Phishing attacks may aim at “business email compromise;” which is can often be a crime that targets businesses that send wire transfers, often to foreign suppliers, with the goal of fraudulently directing payments from the company whose defenses they have breached to accounts they control. BEC is the leading and still growing attack tactic, with victim losses increasing by over 100% last year.
What is a Ransomware Attack?
Ransomware attacks on the other hand typically do not aspire to the level of social engineering often involved in phishing or “spear phishing” attacks. This is when a hijacked e-mail is often used to communicate with lower-level employees in an organization (as the criminal’s spoof or directly control the e-mail of higher-level executives of a firm) to siphon funds out of the company fraudulently. Instead, ransomware attacks use control of elements of a company’s IT network to lock down the company’s vital data via sophisticated encryption methods. Victims of such attacks are given a choice between paying the attackers ransom to, hopefully, unfreeze their data or losing the ability to access it.
Either type of attack can cause severe damage, whether by draining significant sums of money or by necessitating payment of a ransom or the exertion of significant time, effort, and expense to replicate the data or replace the systems that have been infected. With the scope of remote work increasing substantially in the wake of Covid, it has become more important than ever to do everything possible to defend against malicious e-mails designed to gain control over or encrypt an organization’s system or data.
The Log4j/Log4Shell Impact on Incidents
Unit 42 researchers monitored hits on the Apache Log4j Remote Code Execution Vulnerability Threat Prevention signature, which allowed us to gain visibility into exploitation attempts. Between Dec. 10, 2021, and Feb. 2, 2022, they observed almost 126 million hits triggering the Log4j signature. While the largest number of hits occurred in days immediately following public knowledge of the vulnerability (Dec. 12-16), spikes of hits continued to take place throughout that entire period.
When they investigated what would have happened had the hits on their Threat Prevention signature been successful, they observed a wide range of attempted activities: vulnerable server identification via mass scanning, the installation of backdoors to exfiltrate sensitive information and to install additional tools, the installation of coin mining software for financial gain, and many more.
Before long, incident response cases also began to appear. Log4j accounts for 14% of cases where responders positively identified the vulnerability exploited by the threat actor—despite only being public for a few months of the time period they studied.
SecureOps wrote 3 Case Studies on the Log4j/Log4Shell vulnerability that documented how we helped our clients implement vulnerability management/patching best practices to mitigate the threat.
- The Log4j Vulnerability is Likely to be a Significant Threat for Years – https://secureops.com/blog/log4j-vulnerability/
- Assessing and Mitigating the Log4j Vulnerability – https://secureops.com/blog/log4j-vulnerability-management/
- Lessons Learned in Defending Against the Log4j Vulnerability – A Case Study – https://secureops.com/blog/log4j-a-case-study/
Insider Threats and Disengaged Employees
It’s not always about the money, according to the report. Grudges matter, too. Insider threats made up just 5.4% of the incidents Unit 42 handled, “but they can be significant because they involve a malicious actor who knows exactly where to look to find sensitive data,” the report said. What’s more, 75% of insider threat cases involved a disgruntled ex-employee who left with company data, destroyed company data, or accessed company networks after their departure.
This typically is exacerbated during a recession, as layoffs and frustrations rise. Researchers predict that declining economic conditions could push more people into cybercrime as a way to make ends meet.
“Right now, cybercrime is an easy business to get into because of its low cost and often high returns,” said Wendi Whitmore, SVP, and head of Unit 42 at Palo Alto Networks, in a statement. “As such, unskilled, novice threat actors can get started with access to tools like hacking-as-a-service becoming more popular and available on the dark web.”
Ransomware and Small Businesses
Ransomware can target sensitive organizations, such as hospitals, and can put even more pressure on organizations with threats of releasing sensitive information if the ransom is not paid. Unit 42 has been tracking at least 56 active “ransomware as a service” groups operating since 2020.
“RaaS is a business for criminals, by criminals, with agreements that set the terms for providing ransomware to affiliates often in exchange for monthly fees or a percentage of ransoms paid,” the report said. “RaaS makes carrying out attacks much easier, lowering the barrier to entry for would-be threat actors, and expanding the reach of ransomware.”
Unit 42 reported that ransomware demands have been as high as $30 million over the past year, and some clients have paid ransoms of over $8 million. Unit 42 noted that threat actors attempt to access financial information when they have unauthorized access to a victim organization and calculate ransom demands based on the perceived revenue of the organization being extorted.
Predictions and Advice from Unit 42
Unit 42 asked its incident responders to look ahead to the cyber threats on the horizon and provide some predictions. Here are some of the predictions they shared:
- The window of time to patch high-profile vulnerabilities before exploitation will continue to shrink.
- Widespread availability attack frameworks and hacking-as-a-service-based platforms will continue to increase the number of unskilled threat actors
- Reduced anonymity and increased instability with cryptocurrency could lead to a rise in business email compromise or payment card-related website compromise.
- Declining economic conditions could push more people into cybercrime as a way to make ends meet.
- Hacktivism and politically motivated attacks will increase as groups continue to hone their ability to leverage social media and other platforms to organize and target public and private sector organizations.
Ransomware attacks tend to dominate the headlines because of their overt nature, however, attackers are increasing attacks to compromise business emails through phishing and other techniques for financial gain through stealing and selling sensitive information including Social Security numbers and credit card information. The U.S. Federal Bureau of Investigation calls BEC the “$43 billion scam,” referring to statistics for incidents reported to the Internet Crime Complaint Center from 2016-2021.
Techniques for business email compromise can vary. Some threat groups gain access to targeted accounts through brute-force credential attacks. However, social engineering, including phishing, is the easiest and certainly the most cost-effective way to gain access to a system and move laterally through the environment while keeping the risk low of being discovered.
Unit 42 documented and we have seen in many cases, cybercriminals are simply asking targets to hand over their credentials through phishing e-mails or watering hole sites —and getting them.
As we have said and what seems clear in the Unit 42 findings is that employee training concerning social engineering awareness would benefit organizations considerably. No matter how much IT security spends on cybersecurity technology, it is nearly impossible to stop an attack on an unwitting employee who mistakenly downloads malware or turns over their credentials to an imposter.
To Learn More About How to Protect Yourself from Ransomware and Phishing Attacks Please Call Us – as Always We Are Happy to Help – 1 (888) 982-0678