As ransom demands surge 20% year-over-year to $600,000, there are concerning signs that 2024 will be especially volatile, according to Arctic Wolf Labs’ 2024 Threat Report.
The report states that 2024 is set to be a particularly volatile year “as ransomware groups expand their list of targets and explore new pressure tactics in response to increasingly effective international law enforcement efforts and the growing momentum of refuse-to-pay initiatives.”
Ransomware vs. Business Email Compromise
“Ransomware is 15 times more likely than business email compromise to lead to an incident response engagement,” the report states. “Ransomware attacks are feared by organizations large and small, and with good reason—the damage and disruption they cause is responsible for immense losses [beyond] the ransom itself.” Furthermore, “Attempts to recover these losses through cyber insurance often lead to formal incident response (IR) engagement, as insurers seek to understand the details of an attack.”
Despite FBI reports showing that business email compromise (BEC) incidents outnumber ransomware incidents by a factor of 10, “nearly half (48.6%) of IR engagements conducted by Arctic Wolf are in response to ransomware. In fact, combining the FBI’s figures with our own suggests that a ransomware incident is 15 times more likely than a BEC incident to lead to an IR engagement.”
Although ransomware makes more headlines, BEC incidents “are effective and much easier to execute,” according to the report. “Plus, only the most severe BEC incidents—for instance, those with account compromise or other intrusion actions—typically lead to a full IR engagement.” Nevertheless, “BEC incidents accounted for 29.7% of the total incidents investigated by Arctic Wolf Incident Response during the reporting period, underscoring how much of an everyday threat they remain for today’s organizations.”
How Attackers Succeed
“Most BEC incidents—whether involving account compromise or limited to spoofing or masquerading—can be traced to phishing, while 46.3% of non-BEC attacks are driven by credential reuse. More specifically, 39% of non-BEC incidents Arctic Wolf investigated involved an attacker using credentials to log into an external remote access application, while another 7.3% of non-BEC incidents leveraged previously compromised credentials to gain direct access to a victim’s environment via other asset types.”
Attackers also succeed, the report states, by exploiting two-year-old vulnerabilities. “In 29% of non-BEC incidents Arctic Wolf investigated, the attack exploited a vulnerability. Notably: nearly 60% of these incidents exploited a vulnerability identified in 2022 or earlier, meaning organizations had anywhere from months to years to patch the affected system or remove (or further safeguard) its external access; [and] only 11.7% of these non-BEC incidents—or 3.4% of incidents, overall—featured a zero-day exploit.”
Experts Weigh In
“Whether a ransom incident or a business email compromise, we have seen the increase in these incidents result in further downstream problems for companies in the form of third-party claims—particularly in the form of class action litigation,” say CLM members Brian Middlebrook and Joseph Salvo, partners, and Justin Holmes, Of Counsel, of the Gordon Rees Scully Mansukhani, LLP (GRSM) Cyber Litigation Team. “Unfortunately, regardless of the size of the organization, or the manner or size of the incident, companies in every sector of the economy have continued to be targeted by the plaintiffs’ class action bar.
“While undoubtedly correlated with the surge in ransomware and related demands, these claims add insult to injury given the high likelihood that an organization will be faced with related litigation. This is further complicated by the fact that, while incidents involving business email compromise may be less discussed, plaintiff’s attorneys are quick to highlight the often-enhanced negligence claims derived from such an attack.”
Managing and Mitigating Threats
The Arctic Wolf Labs report states, “A robust cybersecurity strategy is one that is not only tailored to each organization’s needs, but that also includes both proactive and reactive strategies to limit the number and severity of incidents while providing a strong recovery capability.” Arctic Wolf Labs suggests developing a solid understanding of one’s overall attack surface; ensuring one has broad visibility into one’s environment and assets; enforcing strong identity controls; employing a zero-trust security strategy; taking control of the cloud; establishing a culture of security; and lowering cyber insurance costs through stronger security.
“Our Litigation Team’s advice to victimized companies is to keep in mind, and plan for, the future associated litigation risks, even while dealing with the immediate problems such a data security event may cause,” conclude Middlebrook, Salvo, and Holmes.