New research from NCC Group and Abnormal Security shows clouds and a bit of silver to line them: Ransomware attacks declined last year, but business email compromises increased — massively for smaller businesses — and a third of toxic emails got through their human gateways.
Ransomware attacks were down last year
According to risk management firm NCC Group, there was a 5% drop in ransomware attacks last year — from 2,667 attacks in 2021 to 2,531 attacks in 2022 — although between February and April there was an uptick due to LockBit activity during the Russia-Ukraine war.
In its just-released 2022 Annual H1 Threat Monitor, which follows incidents identified by its managed detection and response service and global cyber incident response team, the NCC Group reported:
- The Industrials sector was the most targeted by criminal gangs for a second year running.
- North America (44% of attacks) and Europe (35%) were the most targeted regions.
- There were 230,519 DDoS events across 2022 with 45% targeted at the U.S., 27% of which occurred in January.
- LockBit was responsible for 33% of the ransomware attacks (846) monitored by NCC.
The consultancy said an early 2022 surge in DDoS attacks and botnet-led breaches is due in part to greater turbulence within the wider cyberthreat landscape, thanks largely to the Russia-Ukraine war.
“DDoS continues to be weaponized by both criminal and hacktivist groups as part of the conflict, alongside disinformation campaigns and destructive malware, to cripple critical national infrastructure in Ukraine and beyond,” the report said.
LockBit leads the rogues gallery
Thanks partly to the war in Ukraine, LockBit and other players were more active than usual:
- LockBit was responsible for 33% of the ransomware attacks (846) monitored by NCC, a 94% increase compared to its 2021 activity, peaking in April with 103 attacks. The firm noted that this spike was ahead of the introduction of LockBit 3.0.
- BlackCat accounted for 8% of the total attacks last year, averaging 18 attacks each month with a peak of 30 incidents in December.
- Conti, a threat actor affiliated with Russia, was the busiest attacker in 2021, responsible for 21% of all attacks. It reduced its attack levels to 7% of all recorded attacks last year.
Industrials a consistent target
According to NCC Group, the most targeted sectors in 2022 were: industrials, with 804 organizations hit, constituting 32% of attacks; consumer cyclicals, attacked 487 times for 20% of attacks; and the technology sector, targeted 263 times for 10% of all attacks.
Notably, hotels and entertainment enterprises, specialty retailers, homebuilding and construction supply retailers, and financial services dominated cyclicals targets. Meanwhile, software and IT services were the most targeted sector within technology.
In the report, Matt Hull, NCC Group’s global head of threat intelligence, said significant numbers of DDoS and malware attacks deployed by criminals, hacktivists and other nations were consequent to the conflict between Russia and Ukraine.
“Though perhaps not the ‘cybergeddon’ that some expected from the next big global conflict, we are seeing state-sponsored attacks ramp up with cyber warfare proving to be critical in this hybrid cyber-physical battlefield,” he said.
BEC attacks succeed by tricking a third of employees
Last year, social engineering attacks were big news after Cisco was compromised by phishing exploits and Microsoft, Samsung, NVIDIA and Uber were breached by Lapsu$. Already this year, Mailchimp and Riot Games have also been victims.
Business email compromises are making their way through human barriers: Nearly a third of employees are opening compromised emails, according to AI-based security platform Abnormal Security, whose new H1 2023 Email Threat Report looks at email threat landscape with a special interest in risks posed by employees.
The study, which looked at social engineering statistics and based on data aggregated between July and December last year, also found that those employees replied to 15% of BECs, on average. Some 36% of replies were initiated by employees who had previously engaged with an earlier attack.
Only 2.1% of known attacks were reported to security teams by employees. Crane Hassold, director of threat intelligence at Abnormal Security said several factors explain this phenomenon.
“One reason is the Bystander Effect, when employees assume that they aren’t the only target of an attack and therefore don’t need to report the email because surely a coworker already has” he said. “Some employees may believe that as long as they don’t engage with the attacker, they’ve done their duty, even though it eliminates the opportunity for the security team to warn other employees about the attack.”
Additional findings from the report include:
- 84% of employee reports to phishing mailboxes are either safe emails or graymail.
- Employees in entry-level sales roles with titles like Sales Associate and Sales Specialist read and reply to text-based BEC attacks 78% of the time.
- Nearly two-thirds of large enterprises experienced a supply chain compromise attack in the second half of 2022.
- From the first to the second half of 2022, BEC attacks targeting SMB organizations grew by 147%.
Hassold said the “graymail” phenomenon constitutes what is essentially a side effect of security awareness training, which has caused a significant amount of questionable or unwanted mail to get reported to an organization’s SOC team.
“While we’ve tried to condition employees to report malicious messages to a security team, the unintended consequence is the teams that are triaging these reports are now frequently overloaded reviewing non-malicious emails,” he said.
He added that the vast increase in SMB attacks reflects an overall rise.
“We’re looking at the ratio of BEC attacks per 1,000 mailboxes,” Hassold said, “Even though SMBs do make up a vast majority of businesses, the reasoning for this datapoint likely has to do with the overall increase in BEC attacks in the second half of the year and SMBs being more susceptible to these attacks, since they aren’t able to invest as much into defenses that would stop them.”
Looking ahead to 2023
NCC’s Hull said bad actors will focus their attention on compromising supply chains in 2023, bypassing multi-factor authentication and taking advantage of misconfigured APIs.
“The threat will persist,” he said. “Organizations must remain vigilant, understand how they could be exposed and take steps to mitigate any risk.”