Industry Best Practices: The DBIR and how to protect against ransomware attacks


 

Introduction


Protecting effectively against ransomware is a challenge not only for the world's largest organizations but for businesses of all sizes. No industry is immune, though some are targeted more often than others. According to Forbes, “Rather than continue trying to gain access to major enterprises, ransomware gangs have changed tactics by focusing on small- and medium-sized businesses (SMBs). Once considered too small to justify a ransomware attack, these mid-sized targets now allow hackers to stay under the radar and extract smaller payments without drawing government or media attention.” Ransomware can cause significant financial and reputational damage, and the threat landscape changes faster than any single organization can track on its own.

Data Breach Investigations Report (DBIR)


That is why Verizon's Data Breach Investigations Report (DBIR) draws on data contributed by 87 organizations. This year's edition, the report's 15th, reviewed 23,896 security incidents, analyzed 5,212 confirmed breaches and spotlighted 12 industry sectors and four regions. The DBIR takes a deep look at how ransomware attacks and ransomware detection techniques have evolved since the report's inception.

2022 Data Breach Investigations Report

Gain vital insights into security strategies and how to minimize vulnerability to cyber attacks. Read our in-depth analysis of 23,896 incidents from organizations around the world.

 

Arguably, the first documented ransomware dates back to the era of the floppy disk. In 1989 the AIDS Trojan, also known as the PC Cyborg virus, was distributed on physical media: approximately 20,000 infected disks labeled “AIDS Information - Introductory Diskettes” were sent to attendees of the World Health Organization's AIDS conference. Recipients loaded the disks into their computers without considering the risk, and after a set number of reboots the trojan hid directories and scrambled the file names on their C: drives. To regain access, victims were instructed to mail $189 for a year's “lease” or $378 for a lifetime “lease” to a PO box in Panama.

Ransomware has grown enormously in maturity and complexity since 1989. A recent example is WannaCry, the 2017 global attack that spread from computer to computer by exploiting a flaw in the SMB file-sharing service of unpatched Microsoft Windows systems, and demanded Bitcoin for the safe return of data (no stamps required). Another is the 2021 Colonial Pipeline attack, which was treated as a national security threat: the pipeline supplies close to half of the fuel used on the U.S. East Coast, and its multi-day shutdown caused panic buying, fuel shortages and disruption to airline operations.

“From very well publicized critical infrastructure attacks to massive supply chain breaches, the financially motivated criminals and nefarious nation-state actors have rarely, if ever, come out swinging the way they did over the last 12 months,” according to the authors of the Data Breach Investigations Report (DBIR).

Financial Impact


Ransomware was involved in 25% of breaches this year, an increase of almost 13% year over year, a rise as large as the increases of the previous five years combined. Almost four out of five breaches were attributable to organized crime, whose primary motive was financial gain, followed by espionage. And it is important to note that attacks are not limited to particular industries.

And according to the FBI's Internet Crime Complaint Center (IC3):

And those figures cover only the U.S. The true scale of attacks worldwide and their financial impact is nearly impossible to quantify, especially because, until recently and depending on the type of data compromised, many organizations were not required to report incidents. With industry, organizations and governments working together, that is starting to change.

Notably, the total cost of a breach is approximately seven times the extortion demand itself. Using data provided by the FBI, the 2021 DBIR found the median loss from ransomware was $11,150, though some losses ran into the millions of dollars. The average cost of remediation is calculated at $1.4 million per attack.

Interestingly, 90% of the confirmed cases in that FBI data reported no direct financial loss. But the costs of an attack are not limited to the ransom itself; they can hurt an organization in many ways, for example:

  • Business operation interruption 
  • IT overtime to remediate the incident
  • Hiring of third-party forensics and investigations experts
  • Legal costs
  • Loss of C-level talent and employees
  • Damage to brand and reputation
  • Temporary business closure leading to lost sales/productivity decline
  • Fines

The cost of these attacks come in many forms, sometimes even in the form of human tragedy. A ransomware attack on a U.S. hospital may have resulted in the fatality of an infant after computer systems were taken offline for several days. And with the rise of organized crime, it’s no surprise that the U.S. Government has urged hospitals and health systems to take immediate steps to harden their networks’ cyber defenses.

According to U.S. government data, ransomware has hit 14 of the 16 U.S. critical infrastructure sectors. The U.K.'s National Cyber Security Centre (NCSC) judges ransomware to be the number one cyber threat for both SMBs and enterprises. Attacks on major brands grab the headlines, but according to one estimate 82% of attacks hit organizations with fewer than 1,000 employees. Harden your security posture whatever your size or industry: the cost of preventing ransomware is far lower than the cost of recovering from it.

 

Understanding ransomware

Defending an organization against the growing threat of ransomware means knowing how ransomware spreads in the first place, and which controls, from technology and business process refinement to employee training, are needed.

Here is the typical progression of an attack:

1. Compromise: The attacker gains initial access via phishing, compromised Remote Desktop Access (RDA), or exploitation of a vulnerability in an internet-facing system.

2. Control: The attacker uses the established connection to deploy tools that maintain persistence and stay hidden.

3. Delivery: The attacker stages the ransomware payload across the environment.

4. Theft: The attacker exfiltrates sensitive data.

5. Encryption: The attacker triggers the ransomware to encrypt the victim's data.

6. Extortion: The victim is sent a ransom demand.

7. Threat: The attacker may threaten to leak data or apply other forms of pressure:

  • a. Double extortion: encryption combined with data theft and the threat to publish the stolen data.
  • b. Triple extortion: additional distributed denial-of-service (DDoS) attacks to force payment.
  • c. Quadruple extortion: direct contact with the victim's customers, partners and journalists to increase the pressure to pay.

 


Paying the ransom does not guarantee you get your data back, and any payment (typically in cryptocurrency) is likely to be laundered and to fund further attacks. All of this comes on top of the operational disruption and reputational damage.

Whatever the attacker's motivation, it is paramount to prepare your organization with the right strategy, built around adequate preparedness and rapid detection, response and recovery, so that you can avoid compromise altogether or at least minimize the impact of an attack.

According to the 2022 DBIR, about two-thirds or 66% of breaches involved phishing, stolen credentials and/or ransomware. Here are the top ways ransomware actors typically gain initial access to their victims:


Phishing emails

These use tried-and-tested social engineering techniques to trick an employee into clicking on a malicious link or opening a booby-trapped attachment. The resulting malware installation is usually covert, enabling attackers to access the corporate network and reach key assets within.


Remote Desktop Access (RDA) compromise

RDA lets employees connect to their corporate desktops and applications remotely, typically over Microsoft's Remote Desktop Protocol (RDP). Its use surged during the pandemic, and exposed RDP endpoints with poor cyber hygiene gave threat actors the perfect opportunity. In most RDA compromises, attackers log in with previously breached or stolen credentials, or brute-force weak passwords with automated tools. Either way, the result is an authenticated foothold on the network.
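To make the RDA brute-force pattern concrete, here is an added example (not code from the DBIR or Verizon) that runs simple detection logic over constructed Windows Security logon events. Event IDs 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive) are the real Windows values; the single-line log format, IP addresses, user names and thresholds are assumptions made for the illustration.

```python
"""Spot RDP credential brute force and password spraying in logon events.

Added example for this article, not Verizon/DBIR code. The log lines are
constructed to resemble Windows Security events 4625 (failed logon) and
4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 hammers one account and then gets in,
# 198.51.100.7 sprays one password across many users, 192.0.2.9 is a
# user who mistyped a password once (ordinary noise).
SAMPLE_EVENTS = """\
2022-05-01T10:00:01Z EventID=4625 TargetUser=admin SourceIP=203.0.113.5 LogonType=10
2022-05-01T10:00:02Z EventID=4625 TargetUser=admin SourceIP=203.0.113.5 LogonType=10
2022-05-01T10:00:03Z EventID=4625 TargetUser=admin SourceIP=203.0.113.5 LogonType=10
2022-05-01T10:00:04Z EventID=4625 TargetUser=admin SourceIP=203.0.113.5 LogonType=10
2022-05-01T10:00:05Z EventID=4625 TargetUser=admin SourceIP=203.0.113.5 LogonType=10
2022-05-01T10:00:09Z EventID=4624 TargetUser=admin SourceIP=203.0.113.5 LogonType=10
2022-05-01T10:05:00Z EventID=4625 TargetUser=alice SourceIP=198.51.100.7 LogonType=10
2022-05-01T10:05:01Z EventID=4625 TargetUser=bob SourceIP=198.51.100.7 LogonType=10
2022-05-01T10:05:02Z EventID=4625 TargetUser=carol SourceIP=198.51.100.7 LogonType=10
2022-05-01T10:05:03Z EventID=4625 TargetUser=dave SourceIP=198.51.100.7 LogonType=10
2022-05-01T10:05:04Z EventID=4625 TargetUser=erin SourceIP=198.51.100.7 LogonType=10
2022-05-01T11:00:00Z EventID=4625 TargetUser=frank SourceIP=192.0.2.9 LogonType=10
2022-05-01T11:00:30Z EventID=4624 TargetUser=frank SourceIP=192.0.2.9 LogonType=10
"""

WINDOW = timedelta(minutes=5)   # sliding window per source address (assumed)
FAIL_THRESHOLD = 5              # failed logons per source within WINDOW
SPRAY_USER_THRESHOLD = 4        # distinct target users per source within WINDOW


def parse_event(line):
    """'<ts> key=value ...' -> dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_rdp_abuse(log_text):
    """Return (kind, source_ip, detail) alerts in log order.

    kinds: 'brute_force'            >= FAIL_THRESHOLD failures in WINDOW
           'spray'                  failures against >= SPRAY_USER_THRESHOLD users
           'success_after_failures' an RDP success from a source that already
                                    tripped one of the thresholds
    """
    alerts = []
    recent = defaultdict(deque)   # source_ip -> deque of (ts, user) failures
    flagged = set()               # (kind, source_ip) already alerted on
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("LogonType") != "10":
            continue              # only RemoteInteractive (RDP) logons
        ip, user, ts = ev["SourceIP"], ev["TargetUser"], ev["ts"]
        window = recent[ip]
        while window and ts - window[0][0] > WINDOW:
            window.popleft()      # expire failures older than WINDOW
        if ev["EventID"] == "4625":
            window.append((ts, user))
            users = {u for _, u in window}
            if len(window) >= FAIL_THRESHOLD and ("brute_force", ip) not in flagged:
                flagged.add(("brute_force", ip))
                alerts.append(("brute_force", ip, f"{len(window)} failures"))
            if len(users) >= SPRAY_USER_THRESHOLD and ("spray", ip) not in flagged:
                flagged.add(("spray", ip))
                alerts.append(("spray", ip, f"{len(users)} users"))
        elif ev["EventID"] == "4624":
            if any(src == ip for _, src in flagged):
                alerts.append(("success_after_failures", ip, user))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect_rdp_abuse(SAMPLE_EVENTS):
        print(f"{kind:24} {ip:15} {detail}")
```

Caveat for production use: when Network Level Authentication is enabled, a failed RDP pre-authentication is logged with LogonType 3 rather than 10 and the source address field may be empty, so a real rule matches both logon types and correlates with RDP gateway or firewall logs instead of relying on event 4625 alone. The `success_after_failures` alert is the one to page on: it is the moment the foothold described above is established.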


Vulnerability exploitation

2021 set another record for published common vulnerabilities and exposures (CVEs). Attackers take advantage of the fact that organizations lag in patching all of these bugs, and they particularly target applications designed to be reached from outside the corporate network, such as RDA gateways and VPNs. Sometimes those applications are operated by third-party supply-chain partners with privileged access to corporate networks, as in the 2021 attack involving the IT management vendor Kaseya, whose VSA product was abused to push ransomware to the customers of its managed service provider clients.


Organizations should have two initial goals in mind:

1. Better security and incident preparedness to help prevent an attack.

2. Confidence in their incident response plan and their ability to recover.



How to protect against ransomware


Preventing ransomware attacks may be difficult, but there are still ways to protect systems and reduce the risk. To help organizations combat ransomware, the DBIR links its findings to a series of security controls from the Center for Internet Security that can be enacted by an organization and are considered industry-standard for building an effective security program.

No organization can be 100% breach-proof, especially against increasingly determined threat actors. Keep anti-malware and other defenses updated automatically so they recognize the latest threats, and invest in ransomware detection so that suspicious activity is spotted early and the impact of a compromise is minimized. The main detection layers are:


  • Signature-based detection via anti-malware identifies known malware samples.
  • Intrusion detection systems (IDS) and behavioral detection look for the tell-tale signs of ransomware activity, such as mass file renames and encryption.
  • Network detection and response (NDR) tools detect suspicious traffic, such as command-and-control connections and the large outbound transfers that precede extortion.

 

In addition to anti-malware, IDS, NDR and other detection tooling, organizations can gain visibility into intruder activity by deploying honeypots and other deception tools: a decoy host, share or file that no legitimate user touches produces a high-fidelity alert the moment an attacker enumerates or encrypts it. Micro-segmentation helps block unusual lateral movement, containing the blast radius of an attack and making it much harder for threat actors to reach your most valuable assets.
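An added example (not from the DBIR or Verizon) of the behavioral and deception-based detection just described: it scores each process on constructed file-activity events for mass renames to a new extension, high-entropy writes, ransom-note drops and access to a honeypot ("canary") file. The process names, paths, `.locked` extension and note-name pattern are assumptions, and the events imitate what an EDR or file-audit sensor would emit.

```python
"""Behavioral ransomware detection over file-system activity.

Added example for this article, not Verizon/DBIR code. Each event is
(process, operation, path, bytes_written); for a rename the path is
'old -> new'. All names and paths are constructed for the illustration.
"""
import math
import random
import re
from collections import Counter, defaultdict

# Honeyfile that no legitimate user or process should open or rename (assumed).
CANARY_PATHS = {r"\\fileserver\finance\~zz_do_not_open.xlsx"}
# Loose ransom-note naming pattern; an assumption, not a vendor signature.
NOTE_RE = re.compile(
    r"(readme|how[_ -]?to|restore|recover|decrypt)[^\\/]*\.(txt|html|hta)$", re.I)


def shannon_entropy(data):
    """Bits per byte: ~8.0 for ciphertext, roughly 4-5 for text and office files."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_process(proc_events, entropy_threshold=7.0, rename_threshold=10):
    """Return (score, reasons) for one process; score is the number of signals."""
    reasons = []
    new_exts = Counter()            # extension the process renames files to
    high_entropy_writes = 0
    for op, path, data in proc_events:
        target = path.split(" -> ")[0]
        if target in CANARY_PATHS:
            reasons.append("touched canary file")
        if op == "rename":
            new_name = path.split(" -> ")[-1]
            new_exts[new_name.rsplit(".", 1)[-1].lower()] += 1
        elif op == "write" and shannon_entropy(data) >= entropy_threshold:
            high_entropy_writes += 1
        if op in ("create", "write") and NOTE_RE.search(path):
            reasons.append(f"ransom-note-like file {path}")
    if new_exts:
        ext, count = new_exts.most_common(1)[0]
        if count >= rename_threshold:
            reasons.append(f"{count} files renamed to .{ext}")
    if high_entropy_writes >= 5:
        reasons.append(f"{high_entropy_writes} high-entropy writes")
    reasons = list(dict.fromkeys(reasons))   # dedupe, keep order
    return len(reasons), reasons


def detect(events):
    """Group events by process and score each one."""
    by_proc = defaultdict(list)
    for proc, op, path, data in events:
        by_proc[proc].append((op, path, data))
    return {proc: score_process(evs) for proc, evs in by_proc.items()}


# Constructed sample data. The RNG is seeded so the 'ciphertext' is deterministic.
_rng = random.Random(2022)
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
DOCTEXT = b"Q3 revenue summary. " * 200

SAMPLE_EVENTS = [
    ("WINWORD.EXE", "write", r"\\fileserver\finance\q3.docx", DOCTEXT),
    ("WINWORD.EXE", "write", r"\\fileserver\finance\q3-notes.docx", DOCTEXT),
]
for _i in range(12):   # encryptor overwrites and renames twelve spreadsheets
    _src = rf"\\fileserver\finance\report{_i}.xlsx"
    SAMPLE_EVENTS.append(("svchosts.exe", "write", _src, CIPHERTEXT))
    SAMPLE_EVENTS.append(("svchosts.exe", "rename", f"{_src} -> {_src}.locked", b""))
SAMPLE_EVENTS.append(("svchosts.exe", "rename",
                      r"\\fileserver\finance\~zz_do_not_open.xlsx -> "
                      r"\\fileserver\finance\~zz_do_not_open.xlsx.locked", b""))
SAMPLE_EVENTS.append(("svchosts.exe", "create",
                      r"\\fileserver\finance\HOW_TO_RESTORE_FILES.txt", b""))

if __name__ == "__main__":
    for proc, (score, reasons) in detect(SAMPLE_EVENTS).items():
        print(f"{proc}: score={score} {reasons}")
```

The canary signal is the cheapest and most reliable of the four, which is why deception files belong on every share that matters: one rename of a file nobody should touch is enough to isolate the host, whereas entropy and rename counts need thresholds tuned to avoid flagging backup and compression jobs.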

Cyber insurance


Investing in cyber insurance can help organizations prepare for the threat of ransomware. In the past, insurers came under pressure from critics who argued that easy coverage discouraged organizations from spending on security and encouraged threat actors to carry out more attacks, knowing that ransoms would be paid by insurers.

That is now changing, with insurers reducing coverage and increasing premiums, especially for organizations in high-risk sectors and those without baseline security controls in place.

Gallagher reported that cyber premiums increased across the board, regardless of the industry sector or size of the organization, and claimed that customers lacking specific data security controls have seen rates spike by 100-300%. If you have put proactive security measures in place but want to hedge the risk of a ransomware breach, insurance is still a useful option.


Ransomware prevention best practices


One small mis-step could undermine an organization’s security posture, and per the 2022 DBIR, this year 82% of breaches involved the human element. Whether that was by use of stolen credentials, phishing, misuse, or simply human error, people continue to play a very large role in incidents and breaches alike.

There are several best practices that can help organizations mitigate the risk of compromise. According to the 2022 DBIR, “40% of Ransomware incidents involve the use of desktop sharing software and 35% involve the use of email. There are a variety of different tools the threat actor can use once they are inside your network, but locking down your external-facing infrastructure, especially RDP and Emails, can go a long way toward protecting your organization against ransomware.”

Recommended practices include:

  • Risk-based patch management programs designed to fix any vulnerabilities affecting critical systems. These should cover all IT and operational technology systems including Internet of Things (IoT) endpoints and remote worker laptops
  • Advanced email security featuring artificial intelligence (AI) capabilities to spot and quarantine suspicious emails
  • Endpoint management software designed to apply patches and security controls across corporate and remote worker devices and machines
  • Multi-factor authentication (MFA) for RDA endpoints, to mitigate the risk of password compromise
  • Disabling unused RDA ports and monitoring RDA logs for suspicious activity
  • Tightening access controls according to least privilege/zero trust principles
  • Improving password hygiene by requiring all password-protected accounts to have strong, unique credentials stored in a password manager
  • Security training for employees
  • Continuously reviewing the security posture of third-party vendors to prevent supply chain attacks

 

Work with a dedicated team of experts to create a proactive incident response plan customized to your cyber-risk profile. Here are the steps your organization can take to help employees be prepared for a possible attack and know how to help prevent ransomware attacks. Strengthen your security and manage compliance using industry standards and best practices.

Training

Cyber security awareness-raising programs will help teach staff how to spot phishing attempts.

  • Tabletop exercises test how well the organization is prepared for an attack.
  • Ransomware simulations, which offer a more immersive experience than tabletop exercises, test specific aspects of company security and assess readiness to face ransomware threats.
  • Red team operations help identify weaknesses in technical infrastructure and in staff awareness and training. These assessments use simulated attacks to gauge the effectiveness of the organization's threat detection, response and containment capabilities.


Simulations

Exercises and simulations should include all key stakeholders identified from across the business and feature different scenarios. These may include the three typical initial access vectors outlined above and the possibility that all of your organization's systems are encrypted and highly sensitive and regulated data is stolen. The best response plans are powered by threat intelligence tailored to an organization's specific risk profile.


Ransomware recovery


If you catch an attack early in the cyber kill chain, your organization may escape with no data stolen and no systems encrypted. Even organizations that did suffer encryption got at least some of their data back in 99% of cases. How early an attack is caught strongly affects how expensive recovery is; the average cost of remediation is calculated at $1.4 million per attack.

Consider these tips to improve your chances of successful recovery:



1. Don't pay the ransom. Just 4% of those that paid got all their data back, there is no guarantee the threat actors will not still try to monetize the stolen data, and paying can have legal implications where the group is sanctioned.

2. Report the attack immediately to law enforcement. Agencies sometimes hold decryption keys for particular ransomware families, which can accelerate recovery significantly, and the report will support any insurance claim.

3. Engage a third-party forensics expert if necessary to establish the extent of the attack, in particular the initial access vector and whether data was exfiltrated.

4. Remove all traces of the attack. Rebuilding affected systems from known-good images is more reliable than cleaning them in place, and the initial access vector must be closed or the attackers will simply return.

5. Restore data from backups only once all signs of the attack have been expunged, and only from backups verified to be intact and to predate the intrusion. Keep at least one backup copy offline or immutable so that the attackers cannot encrypt or delete it along with production data.
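As an added illustration of step 5 (not the DBIR's or Verizon's code), the script below verifies a restored backup against a hash manifest taken at backup time, reporting files that are missing, altered, unexpected or carrying an extension the encryptor added. The manifest format, directory layout, file contents and ransomware extensions are constructed for the example; in practice the manifest is kept offline or signed so the attacker cannot rewrite it along with the backups.

```python
"""Verify a restored backup against a pre-incident hash manifest.

Added example for this article, not Verizon/DBIR code. The manifest is a
{relative path: sha256 hex} mapping assumed to be produced when the backup
is taken and stored offline; the restore set is built in a temporary
directory so the script runs stand-alone.
"""
import hashlib
import os
import tempfile

# Extensions the encryptor appended in this (constructed) incident.
RANSOM_EXTENSIONS = {".locked", ".encrypted", ".crypt"}


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_restore(restore_root, manifest):
    """Compare every file under restore_root with the manifest.

    Returns a dict of lists: ok, modified, missing, unexpected, suspicious.
    A file can be both 'unexpected' and 'suspicious' (e.g. report.xlsx.locked).
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "suspicious": []}
    seen = set()
    for dirpath, _, files in os.walk(restore_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, restore_root).replace(os.sep, "/")
            seen.add(rel)
            if os.path.splitext(name)[1].lower() in RANSOM_EXTENSIONS:
                report["suspicious"].append(rel)
            if rel not in manifest:
                report["unexpected"].append(rel)
            elif sha256_file(full) == manifest[rel]:
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def build_sample():
    """Constructed restore set: two intact files, one altered, one encrypted, one missing."""
    root = tempfile.mkdtemp(prefix="restore-")
    originals = {
        "docs/policy.txt": b"acceptable use policy v3\n",
        "docs/budget.csv": b"item,cost\nlaptops,12000\n",
        "hr/roster.csv": b"name,team\nalice,soc\n",
        "hr/payroll.csv": b"name,salary\n",
    }
    manifest = {p: hashlib.sha256(c).hexdigest() for p, c in originals.items()}
    on_disk = dict(originals)
    on_disk["hr/roster.csv"] = b"name,team\nalice,soc\nmallory,soc\n"  # changed after manifest
    del on_disk["hr/payroll.csv"]                                      # absent from the restore
    on_disk["docs/budget.csv.locked"] = b"\x00\xff\x13\x37"            # encryptor output
    for rel, content in on_disk.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample()
    for category, paths in verify_restore(root, manifest).items():
        print(f"{category:10} {paths}")
```

A restore that reports anything under `modified`, `missing` or `suspicious` should not be signed off: it means either the backup was taken after the intrusion began or the restore target was not fully rebuilt, and the postmortem below will want that timeline.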


Carrying out a postmortem

Once the dust has settled, it's a good idea to understand what lessons can be learned from an incident to enhance resilience ahead of the next attack. Stakeholders from across the business should be involved, including legal, human resources, security, IT ops, and relevant board representatives.

Postmortems typically contain an executive summary and key highlights for business leaders but also drill down into the technical detail for IT stakeholders.

Questions to be answered via this process include:

  • What happened? Create a timeline plotting all key events.
  • What worked?
  • What didn't?
  • What could have been improved and how?
  • Who contributed to the ransomware response effort?

Consider including all events from initial access (and, if relevant, threat actor reconnaissance) to remediation. Lessons learned should span people, processes and technology. The right security assessment can help determine how effectively your security program is performing against expectations. After completing the post mortem, it’s time to put those findings into action. An Incident Response report can help train operations teams to learn to identify and mitigate risks in a proactive manner.

Cyber extortion is growing in volume and sophistication, through business models such as ransomware-as-a-service (RaaS), and is taking adjacent forms such as distributed denial-of-service (DDoS) attacks for ransom.

Other Concerns


Ransomware-as-a-service (RaaS)

Much of the recent increase in ransomware attacks comes down to a new business model that has allowed a new wave of ransomware: Ransomware-as-a-Service (RaaS). Just as Software-as-a-Service (SaaS) popularized the delivery of software from the cloud, RaaS has streamlined the management and deployment of ransomware attacks.

Bad actors, typically referred to as affiliates, pay RaaS operators (the developers) for the use of the malware, either as a subscription fee or as a share of each ransom. Affiliates receive an off-the-shelf starter kit including the ransomware payload and the attack infrastructure. It is down to the affiliate to gain initial access to the victim and move laterally inside the network; that access is often bought from initial access brokers (IABs), which, combined with the RaaS model, has opened the door to a large number of less technically proficient cyber criminals. In revenue-sharing schemes the affiliate typically keeps the larger share, commonly 70-80% of the payout, with the operator taking the remainder.


Distributed Denial of Service (DDoS) for ransom

The merging of DDoS attacks with ransom demands should not come as a surprise. Ransom DDoS attacks are technically not breaches, since no data is compromised, but they can shut down entire operations. Likely inspired by the success of ransomware, cyber criminals have started demanding payment to stop (or not to launch) a DDoS attack. Given that denial-of-service attacks account for almost half of all incidents recorded in the DBIR, ransom DDoS adds a further complication to modern cyber security. Many of the same best practices that protect against ransomware, in particular a rehearsed incident response plan, upstream DDoS mitigation and a policy of not paying, apply here too.

Conclusion


As long as organizations keep paying and hostile nations continue to shelter cyber crime actors, ransomware will remain a threat. The most successful groups are highly organized and spend millions annually on salaries, tools and services; with that kind of money, it is predicted they may purchase zero-day exploits to compromise "big game" targets.

There's also a geopolitical dimension. The U.S. authorities have warned repeatedly of possible attacks on Western organizations from international cyber crime groups as the world enters a new era of geopolitical instability. As these threats evolve, organizations will also need to adapt in order to find new ways to understand how to mitigate ransomware effectively.

The security team that brought you the Verizon 2022 Data Breach Investigations Report can also help with security assessments and other tools to help strengthen your organization against potential attacks.

Learn how Verizon can help protect your data, assets and reputation.

This content was authored by the Verizon Security Team in partnership with a paid contributor.
