The business world is changing fast. The shift to hybrid or remote models and the rapid adoption of cloud services are allowing employees to work from anywhere, while giving the companies they work for the chance to increase innovation and stay ahead of their competition.
The cybersecurity industry has changed as well, with those same innovations creating new challenges for IT and security teams. There was no way to accurately predict the changes that took place over the last few years, just as there’s no way to accurately predict what the business world—and the cybersecurity industry—will look like a decade from now.
But we can make one prediction with complete confidence: Cybercriminals will still be doing all they can to steal your data and your dollars.
Here are the three attack types cybercriminals favor most in 2023, along with strategies you can use to improve and enhance your ability to fight back against today’s biggest cybersecurity threats.
The Biggest Cybersecurity Threats
1. Ransomware
The threat of ransomware and targeted attacks is top of mind for nearly every business. In 2021 alone there were an estimated 700 million attacks using ransom or extortion. No wonder, then, that in Arctic Wolf’s The State of Cybersecurity: 2022 Trends report over 70% of IT professionals surveyed identified it as their top concern in 2022.
What is Ransomware?
Ransomware is a type of malicious software (malware) that prevents the end user from accessing a system or data. The most common form is crypto ransomware, which makes data or files unreadable through encryption, and requires a decryption key to restore access. Another form, locker ransomware, locks access rather than encrypting files. In order to decrypt files or restore access, attackers typically request a ransom payment, often in the form of cryptocurrency like Bitcoin, which is loved by cybercriminals for the anonymity it offers and the difficulty it presents in tracing payments back to hackers.
A Brief History of Ransomware
Ransomware got its start in 1986 when two brothers, Basit and Amjad Farooq Alvi, created a special “ransom” message tied to software that instructed users to call them if they saw the warning. The goal at the time was to prevent piracy. However, hackers transformed the tactic into a devastating form of malware.
The first known case of malicious ransomware was disseminated in 1989 via floppy disks labeled “AIDS Information Introductory Diskette.” The ransomware, called PC Cyborg/AIDS, would encrypt the C drive after you inserted the disk into the floppy drive. The victim was then prompted to send $189 to a post office box in Panama. Upon receipt of payment, the attackers would send an email instructing the person how to decrypt the files.
While the basic bones of ransomware remain the same—lock or encrypt data until payment is made—the methods have become much more sophisticated in the intervening decades.
Ransomware can be embedded in malware (malicious software that spreads via an email attachment or a link to a malicious website) or in malicious advertising (“malvertising”), masquerade as browser updates, or exploit vulnerable remote desktop protocols. Some strains use macros, which automate certain functions in productivity software like Microsoft Word or Excel. An unsuspecting user may download a seemingly harmless document, run the macro, and then fall victim to an attack.
Why Ransomware Is a Prolific Threat
The conniving way ransomware is disseminated—via click-bait links and download schemes that infect machines—is by itself problematic, but what makes it worse is that there are few remedies once an infection has occurred.
Victims have three options:
- Pay the ransom
- Restore from a backup
- Forfeit their data forever
With these being the only options once a ransomware attack has been executed, you can see why studies show that more than half of all organizations victimized by ransomware opt to pay the ransom. Restoring from a backup requires that said backup is updated often to ensure minimal loss of data upon restoration, and it also needs to be air-gapped from your network, meaning it can’t have any physical or virtual connection to a network or a network-connected device. This means proper backup procedures, while crucial, can be costly and time-consuming.
And no organization wants to accept the last option. Permanent loss of data can catastrophically damage your business and your reputation, especially if the cybercriminals opt to steal and sell your data once you refuse to pay the ransom.
For many people, especially in a bring-your-own-device (BYOD) environment, forfeiture of data can also mean the permanent loss of personal documents or family photo albums. That means ransomware can have emotional and mental impacts on employees as well as on an organization’s systems.
Not to mention, there’s little honor among thieves. Paying a ransom won’t necessarily ensure the safety of your files. Once cybercriminals know you’re willing to pay, they may come back and ask for a second, higher ransom. Or they may decide to steal and sell your data on the dark web to the highest bidder.
In fact, the newest ransomware variants are designed to do just that. Research shows that data exfiltration takes place in as many as half of all ransomware attacks. This new capability has led to a new tactic aiming to increase the pressure and compel victims to pay up—double extortion. Essentially, this means that not only will bad actors lock your data, but they will also threaten to release it to the outside world if the ransom isn’t paid.
Ransomware schemes continue to evolve and grow each year. Verizon’s 2022 Data Breach Investigations Report found a 13% increase in ransomware attacks over the previous year—an increase greater than the past five years combined. And it’s not just the rate of ransomware that’s climbing, it’s the payouts, too. 2021 saw some of the highest ransom demands on record, with one financial institution paying $40 million to decrypt its data. And while that sky-high number may be an outlier, any ransomware attack will have significant costs. According to IBM, the average cost of a ransomware attack in 2021 was over $4.6 million.
Even organizations able to avoid payments experience major disruption. Last year, ransomware crippled hospital operations (reducing healthcare workers to paper and pens), halted classroom instruction for schools, and was such a huge threat to both the public and private sectors that the Cybersecurity and Infrastructure Security Agency (CISA) launched an education campaign in early 2021 to help organizations reduce their risk.
Best Practices to Defend Against Ransomware
While ransomware is undoubtedly one of the top cybersecurity challenges organizations face—so dangerous it could actually destroy your business—with the right security solutions in place to detect ransomware early and respond to it immediately, you stand an excellent chance of defending your organization against this cyber threat. Here’s how:
- Perform regular vulnerability scans to minimize your attack surface. This is especially important for your internet-facing devices and systems.
- Conduct due diligence to ensure devices have the proper configurations.
- Proactively close unnecessary open ports, disable weak protocols, and use other security features that minimize the number of entry points.
- Patch and update all your software and devices regularly, which will prevent attackers from exploiting security weaknesses.
- Consider an intrusion detection system or other security tools that detect command-and-control activities.
- If you don’t have the staff or budget to build and maintain an in-house security operations center (SOC), consider outsourcing to a security operations solutions provider, who can provide 24×7 monitoring of your networks, endpoints, and cloud.
- Educate your users about phishing, social engineering, and other security practices that help defend against ransomware and other threats. Verizon found that 82% of breaches involve the human element. But these aren’t malicious insiders scheming against you. These are hard-working employees who make mistakes because they don’t have the knowledge and training to avoid them.
Ransomware’s rise to infamy would have been all but impossible without the help of a vastly different kind of cyber threat: phishing.
2. Phishing
What is Phishing?
Social engineering is any tactic that strives to manipulate individuals into divulging authentication credentials, sensitive information, funds, and other valuable items. Phishing is a form of social engineering that occurs online, typically via email, with the intent of stealing login credentials or getting a user to download malware or share sensitive information.
Phishing campaigns often take advantage of current events to lure potential victims. The COVID-19 pandemic presented many such opportunities for cybercriminals. In one campaign, for example, bad actors sent phishing emails with fake offers of masks and other personal protective equipment.
In many cases, phishing is only the first stage of an attack. Lapsus$, a new gang of cybercriminals that emerged in late 2021, use phishing attacks to gain access to networks. Once inside, they exfiltrate an organization’s data for potential dark web sale, steal source code, or simply delete files, spreading chaos without securing much profit for their efforts.
Phishing is the most prolific type of targeted attack (in 2022 there were over 300,000 reports of phishing victims), and the costs are growing more severe. According to Ponemon Institute, the average annual costs associated with phishing attacks have more than tripled in the past seven years, from $3.8 million in 2015 to $14.8 million in 2021.
How Phishing Has Evolved
While phishing has been around for a long time, the cybercriminals who use it continue to find new ways to innovate. Phishing schemes have advanced to an extraordinary level of sophistication that blindsides even the most vigilant, tech-savvy individuals.
Types of Phishing Attacks
Business Email Compromise (BEC)
These attacks—also known as spear phishing—specifically target executives or VPs in organizations in an attempt to gain access to more sensitive data or larger sums of money. The latest BEC attacks take advantage of Microsoft Outlook’s “out of office” autoresponders or read-receipts to subvert email filtering tools.
Messaging apps are also a favorite for cybercriminals. Smishing uses text messages to trick people into following links and/or downloading apps, which can be especially dangerous.
Macro-based malware hides within macros inside Word documents or Excel spreadsheets sent as email attachments. Once the user enables the macro to run, the machine is infected with any of a variety of malware strains. This scam is especially problematic for financial institutions.
Getting ensnared by a phishing attack isn’t necessarily the result of carelessness or unsavory internet behavior. Typically, the employees getting their corporations sucked into these schemes are intelligent, often high-level employees who are just trying to do their jobs. That’s why organizations must take proactive steps to fight these threats.
How to Defend Against Phishing Attacks
To counteract phishing attempts, organizations must have a system in place to detect phishing scams early. For example, can you tell if an unusual program is trying to execute on a network computer? Can you trace the IP address of an email message that appears to be sent from a higher-up but may actually have been sent from halfway around the world? Do you have a way to see where your users are logging in from, and whether they’re logged into multiple machines at once?
Being able to spot these and other signs of phishing requires strong threat detection in your company’s network. It might not keep you from falling prey to phishing scams altogether, but it will substantially curtail the potential for loss once one occurs.
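As an added illustration of the last two questions above (where users log in from, and whether one account is active on several machines at once), the following Python script is example code written for this page, not Arctic Wolf’s own tooling. It parses a constructed, simplified login/logout log format, treats a hypothetical 10.0.0.0/8 range as the expected corporate network, and raises an alert when an account holds open sessions on more than one host or logs in from outside that range.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): one login/logout event per line.
SAMPLE_LOG = """\
2023-03-01T09:00:12Z user=alice host=WS-101 src=10.0.0.21 event=login
2023-03-01T09:03:40Z user=bob host=WS-117 src=10.0.0.44 event=login
2023-03-01T09:05:02Z user=alice host=FS-01 src=10.0.0.21 event=login
2023-03-01T09:06:30Z user=alice host=WS-101 src=10.0.0.21 event=logout
2023-03-01T09:12:55Z user=alice host=VPN-GW src=203.0.113.9 event=login
2023-03-01T09:30:00Z user=bob host=WS-117 src=10.0.0.44 event=logout
"""

# Hypothetical corporate address space (an assumption for this example);
# any login whose source address falls outside it is treated as unexpected.
EXPECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>login|logout)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def is_expected_source(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in EXPECTED_NETWORKS)


def find_login_anomalies(log_text):
    """Replay the log in timestamp order and return a list of alert tuples.

    Alert kinds:
      ("external-source", user, host, src)        login from outside EXPECTED_NETWORKS
      ("concurrent-hosts", user, hosts, src)      account now has open sessions on >1 host
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # logs often arrive out of order
    active = defaultdict(set)  # user -> hosts with an open session
    alerts = []
    for ev in events:
        user, host = ev["user"], ev["host"]
        if ev["event"] == "login":
            if not is_expected_source(ev["src"]):
                alerts.append(("external-source", user, host, ev["src"]))
            active[user].add(host)
            if len(active[user]) > 1:
                alerts.append(("concurrent-hosts", user, tuple(sorted(active[user])), ev["src"]))
        else:
            active[user].discard(host)
    return alerts


if __name__ == "__main__":
    for alert in find_login_anomalies(SAMPLE_LOG):
        print(alert)
```

Run as-is, the script flags alice twice for concurrent sessions and once for the VPN login from 203.0.113.9. In practice the source field would come from your identity provider or VPN logs, and the expected-network list would be replaced by whatever your environment considers normal, but the logic (track open sessions per account, compare the source against a baseline) is the same.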
Adopting multi-factor authentication (MFA) and other identity and access management tools will limit the attackers’ access in the event of compromised credentials. And technology that filters email, blocks access to known malicious sites, and detects viruses and malware, can also help you thwart a phishing attack. But these are all reactive moves.
An even better, proactive place to start is teaching users how to spot potential threats before they fall prey to them. An ongoing managed security awareness program should not only educate employees about recognizing and avoiding phishing, but also promote other secure behaviors. Such programs also include mock phishing campaigns, using real-world phishing examples as simulation exercises to gauge employee engagement and awareness.
3. Data Breaches
Data breaches are somewhat unique in that the damage they cause to an organization isn’t as immediate. Organizations may not detect a data breach for weeks, months, or—in some cases—years. And by the time they do, it’s already too late. Data breaches typically result in the stolen data being posted on the dark web by cybercriminals either looking to turn a profit or cause some chaos.
The Growing Cost of Data Breaches
Consider the massive unemployment fraud scheme conducted by a Nigerian crime ring. The fraudsters used stolen identities—probably found on the dark web from past data breaches—to file unemployment claims estimated to total $36 billion across the United States.
One of the earliest victims, Washington state, paid out $600 million in 122,000 known fraudulent claims (eventually recovering $351 million). Later, the state itself became the victim of a data breach after the state auditor’s office investigated the unemployment fraud scheme. That breach of a vendor Washington state used to transfer files in the investigation exposed the personally identifiable information (PII) of an estimated 1.6 million actual state residents who filed for unemployment claims last year.
Now, the state will also have to pay for credit monitoring for those residents, not to mention other mitigation costs.
Washington’s double-whammy case may be a bit unusual, but it shows that while ransomware and phishing scams are the most prolific and expensive, data breaches are the most silent and unpredictable. As the Nigerian unemployment scam proved, the long-term damage of a data breach goes far beyond immediate data loss and is not even limited to the organization that was originally breached.
Why Data Breaches Are So Costly
In early January 2021, hackers breached the defenses of SocialArks—a Chinese data-management startup with shockingly lax security policies—and exposed the personal information of around 214 million social media users, many of whom had no idea the company even existed. SocialArks initially scraped the contact information from leading social sites such as Facebook, LinkedIn, and Instagram, and did little to protect it. Time will, unfortunately, tell us the full extent of the damage wrought by this massive data breach.
That’s the chief reason data breaches can cause so much long-term damage. Once a person’s identity is compromised, guarding against fraud becomes very difficult. For instance, if an organization has its human resources department breached, resulting in thousands of compromised Social Security numbers, names, addresses, and contact information, these individuals could be at risk of having to deal with their information floating around the dark web for many years to come.
The Difficulty of Detecting Breaches
Many high-profile breaches in the past few years were not one-and-done deals. It’s not quite as simple as movies would have you believe—with hackers punching in some code, saying “we’re in,” punching in more code, and then having everything they need in a matter of minutes.
More often than not, cybercriminals live in the network that they compromise for quite some time, siphoning information when they think no one is looking, or conducting other activities to gain deeper access.
The unprecedented SolarWinds supply chain attack, which impacted numerous companies, including U.S. government agencies and large security vendors, is a case in point. Though technically no data was leaked, this breach had wide-reaching implications. The hackers prowled inside SolarWinds’ Microsoft Outlook email system for at least nine months, compromising at least one account by December 2019. But preparations began even earlier—the registration of a domain associated with the attack dates back to August 2019.
Even in cases of overt data theft where information is stolen over time, an organization will rarely catch the event the moment it happens. In fact, the average number of days to identify and contain a breach in 2021 was 287, according to IBM. Sometimes, the breached organization won’t catch the incident, but will be told by the FBI or another law enforcement agency that it occurred. In other cases, banks will notify a business that an unusually high number of credit card fraud victims can be traced back to the company.
The reason that data breaches are so difficult to detect is fairly simple. Unlike ransomware, the goal of a data breach is to get in and out quietly, and to leave no traces behind that might lead back to the perpetrators. The methods for achieving this vary wildly, and may include the use of phishing scams, malware, and other malicious tactics.
If there’s a silver lining, it’s that nothing that occurs on a network is invisible. All activity is traceable, and all of it is logged. At the end of the day, everything you need to beat a data breach is accessible to you. It’s really just a matter of knowing how to interpret it and being able to filter out the information that doesn’t matter, so you can detect signs of malicious network activity before it can harm your business.
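The paragraph above, and the earlier recommendation to deploy tooling that detects command-and-control activity, both come down to the same job: filter a large, mostly benign log down to the few records that matter. The following Python script is an added example for this page, not Arctic Wolf’s code. It parses a constructed, simplified outbound-connection log and applies two filters a SOC analyst would recognise: a beaconing check (a host contacting one external address at nearly constant intervals, the typical shape of malware checking in with its controller) and an outbound-volume check (a host sending far more data than its peers, one sign of data being siphoned out). The log format, the 10.0.0.0/8 internal hosts, and the thresholds are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection records (not real traffic). Each line is one
# connection from an internal host to an external address with bytes sent.
SAMPLE_FLOWS = """\
2023-03-01T10:00:00Z src=10.0.0.21 dst=198.51.100.7 bytes_out=512
2023-03-01T10:05:01Z src=10.0.0.21 dst=198.51.100.7 bytes_out=498
2023-03-01T10:10:00Z src=10.0.0.21 dst=198.51.100.7 bytes_out=530
2023-03-01T10:15:02Z src=10.0.0.21 dst=198.51.100.7 bytes_out=505
2023-03-01T10:20:00Z src=10.0.0.21 dst=198.51.100.7 bytes_out=511
2023-03-01T10:02:13Z src=10.0.0.44 dst=192.0.2.10 bytes_out=2048
2023-03-01T10:07:45Z src=10.0.0.44 dst=192.0.2.10 bytes_out=1900
2023-03-01T10:31:20Z src=10.0.0.44 dst=192.0.2.10 bytes_out=4096
2023-03-01T10:11:00Z src=10.0.0.60 dst=192.0.2.10 bytes_out=3000
2023-03-01T10:12:00Z src=10.0.0.60 dst=192.0.2.10 bytes_out=2800
2023-03-01T10:40:00Z src=10.0.0.60 dst=192.0.2.10 bytes_out=3100
2023-03-01T10:50:00Z src=10.0.0.44 dst=192.0.2.10 bytes_out=900000000
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Turn the constructed log text into a list of flow dicts; skip unparseable lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "src": m["src"],
                "dst": m["dst"],
                "bytes": int(m["bytes"]),
            })
    return flows


def find_beacons(flows, min_conns=4, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is low for
    scheduled check-ins and high for human-driven browsing. Thresholds are
    assumptions; tune them against your own baseline.
    """
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["ts"])
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:  # too few samples to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if cv <= max_cv:
            beacons.append((src, dst, mean_gap))
    return beacons


def find_volume_outliers(flows, factor=10):
    """Flag hosts whose total bytes sent exceed `factor` times the median host."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    baseline = statistics.median(totals.values())
    return sorted((src, total) for src, total in totals.items()
                  if total > factor * baseline)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("beacons:", find_beacons(flows))
    print("volume outliers:", find_volume_outliers(flows))
```

With the sample data, 10.0.0.21 is reported as beaconing to 198.51.100.7 every 300 seconds (its gaps vary by only a second or two), while 10.0.0.44 is reported as a volume outlier because of its 900 MB transfer; the three irregular, modestly sized connections from 10.0.0.60 pass both filters. Real flow data needs a longer observation window and per-host baselines, but the two functions show the kind of reduction the paragraph describes: everything is logged, and a couple of well-chosen statistics separate the handful of suspicious records from the rest.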
Getting Ahead of Top Cyber Threats
These three may top the list of cybersecurity threats, but they are far from the only ones modern organizations face. As businesses continue to innovate and evolve, so will cybercriminals and the methods they use to attack. The stakes have never been higher, and hackers aren’t taking their foot off the gas anytime soon. The problem of protecting your data is only going to get more challenging.
Defending against ransomware, phishing, and data breaches is a matter of having the right people, processes, and tools in place. But many organizations struggle with at least one, if not all, of those components. That’s why more organizations are turning to managed security operations solutions.
Arctic Wolf can help you stay safe from cyberthreats with 24×7, eyes-on-glass security delivered from our Concierge Security® Team. Leveraging the Arctic Wolf® Platform, which processes more than 2 trillion events each week, our Concierge Security Team works with you on an ongoing basis to make your security operations more efficient and improve your security posture.
Learn more about how to protect your organization from cybersecurity threats.