World events and local events bring with them opportunists who want to take advantage of evolving or impactful situations.
The ongoing pandemic is no different, with cybercriminals focusing on phishing, ransomware, Android malware and business email compromise as ways of generating ill-gotten gains.
According to our most recent report, the 2021 Webroot BrightCloud Threat Report, every threat type saw significant fluctuations, and often growth, in 2020 as people shifted to doing traditional in-person activites, like shopping and working, online.
Some threats are down, but the trends are generally going up
The report findings are generated from BrightCloud Threat Intelligence that continuously and automatically captures data from over 285 million real-world endpoints and sensors. It presents a unique, firsthand look at the threats and attack trends we saw globally in 2020.
The year brought a notable update to a trend we’ve observed over the past five years: the number of new malware and Windows infections has decreased. This of course is a good thing in and of itself but this decrease also points to a few positive factors influencing change. First, it shows continued evolution and improvement of our threat intelligence, allowing us to prevent infections before they even reach the endpoint. Another positive factor was the significant security updates to Windows 10 in 2020. But as always, we saw changes in tactics by threat actors influence the infection rate, namely that they are now using living off the land binaries (LOLbins) to carry out attacks.
Of PCs that get infected with malware, we found about half will get infected more than once, and 17 per cent more than five times. Part of this can be attributed to Windows 7 but we also see infection rates vary based off region and end user habits and awareness.
On average, 18.8 per cent of consumer PCs were infected Africa, Asia, the Middle East, and South America. That compares to 8.2 per cent for Australasia, Europe, Japan, and North America. The rate for business PCs was lower, with those in the first group outlined having an infection rate of 11.2 per cent, and the latter group around three per cent.
Another interesting trend detailed in the report was the shifting infection rates by industry and vertical, as some were surprised to see where decreasing amount of infections occurred. Health Care and Social Assistance, down 41.4 per cent from the YoY average, led in terms of industries with the lowest infection rates, while the highest industry infection rates were seen by Wholesale Trade, Mining/Oil/Gas and Manufacturing. The latter is increasingly of interest considering the significant, recent ransomware attacks on JBS and Colonial Pipeline.
Ransomware threats and models are evolving
It’s no longer enough for criminals to infect business networks with ransomware, encrypt their data and wait for the payoff. Now, those same criminals are engaging in extortion by not only holding the data for ransom, but also threatening to release it publicly if the ransom isn’t paid.
Worse, the amount of money being demanded, often in bitcoin, has skyrocketed over the last few years. In 2018 the average ransom payment was around $6,700 USD, and $84,000 in 2019. In 2020, the peak average ransom was $233,000 while the end of the year average fell to $154,000. However, 2021 has again seen rising levels with the average payment being $220,000.
What’s worth bearing in mind is that ransomware isn’t the beginning of a compromise. It’s actually the end state where criminals cash in. By the time ransomware is discovered on a company network, the criminals have often been there for a long time, watching and waiting. They’ve had the time and resources to plan advanced stages of an attack and have even checked out a company’s financials to know how much ransom to demand.
BEC and the importance of user training
Business email compromise (BEC) also continues to plague organisations of all sizes and geographies. These are emails that look like they come from someone in authority within a company and ask a user to transfer funds to an account. Or they ask for login credentials or other identifying information that can be used in related attacks or to reach more potential victims.
While technological solutions are one part of the answer to these socially engineered threats, the most important piece of the puzzle is security awareness training (SAT) for staff so they can help defend the business. One component of proper SAT is conducting phishing simulations that reflect the topics and timeliness of real-world phishing lures like those related to COVID-19, return to work initiatives, etc. By educating staff through a phishing simulation campaign and varied exposure to realistic phishing emails, the click-through rate in which users will click an actual, harmful phishing link can drop by as much as three quarters, or 72 per cent. It’s important to conduct training on an ongoing basis, to alert people to new threats and keep existing threats at the top of mind.
The last year certainly tested the adaptability and strength of defenses for businesses of all sizes, but with challenges come opportunities for progress and improvement. Moving forward, businesses need to ensure they are protected from the multitude of threats facing them. This includes investing in threat intelligence technologies, endpoint and network-level security, and proper, consistent employee education. Businesses should also have a good back up strategy, data recovery and roll back plans in place as part of an encompassing cyber resilient strategy.