Historically, cybercriminals have been happy to stick with proven tactics for as long as possible. After all, it's a business to them—if it ain't broke, why fix it?
However, this is not to suggest they don't innovate. As organizations have collectively raised their cybersecurity profile over time, cybercriminals have responded by improving and streamlining their tactics and even developing entirely new threats.
In this post, we'll take a look at three of the most significant cyber threats from the last couple of years and explain how they have evolved to remain profitable.
BEC and Other Pretexting Attacks
Pretexting is the use of a fabricated story to convince a victim to take an undesirable action, such as sharing privileged information, installing malware, or sending money to an attacker. Targeted social engineering attacks have relied on pretexting tactics for decades, often supplementing convincing stories with other "proof points" such as spoofed email addresses and impersonated individuals.
To pull off a business email compromise (BEC) scam, a criminal group uses social engineering to trick an employee into sending money directly to them.
The precise details of these scams vary, but common tactics include:
- Posing as the target organization's CFO or CEO
- Requesting "urgent" payments (and providing fictional justification)
- Requesting changes to the account details of an established vendor
- Impersonating company attorneys
- Sending emails from compromised legitimate accounts (email account compromise)
In recent years, it has become common for cybercriminals to attempt to intercept payments intended for legitimate vendors. To do this, cybercriminals pose as a known vendor and send a payment reminder to settle the "owed amount" along with a pay-now option.
These scams are speculative, as attackers usually won’t know if a payment is due or how much is owed. Still, this has proven an effective way to trick payment staff into sending large payments to the wrong recipient—and the mistake generally isn’t noticed until the real vendor chases their invoice.
BEC and other pretexting scams are ever-popular with cybercriminals because they are the most direct way to profit from cybercrime and require little (if any) technical ability. These scams are the simplest of all cybercrimes—so simple, in fact, they barely constitute "cyber" at all.
The Perks of Non-Technical Attacks
One reason why cybercriminals favor "non-technical" vectors like pretexting is the difficulty organizations have in detecting them.
99% of email-based threats that successfully land in employee inboxes are impersonation scams—many of which are BEC. These attacks are hard to block because they don't contain malware or links that can easily be identified as malicious. Cybercriminals are also good at cycling their infrastructure frequently, making it tough to block them based on sender reputation.
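Because these messages carry no malware or malicious links, blocking them falls back on the weaker signals left behind by the tactics listed above. The script below is an added illustration (not code from the original post) that applies a few such checks to constructed sample messages: an executive's display name arriving from an external domain, a Reply-To that diverges from the From domain, a sender domain one or two edits away from an established vendor, and payment-urgency language. The executive list, vendor list, and the three messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data for a hypothetical organization.
EXECUTIVES = {"jane doe": "example.com"}   # display name -> legitimate domain
KNOWN_VENDORS = {"acme-supplies.com"}      # domains of established vendors
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|today|asap|wire|pay now|updated (bank|account) details)\b",
    re.I,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (e.g. a dropped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: str) -> list[str]:
    """Return a list of BEC indicators found in one RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    # Executive impersonation: a known executive's display name from the wrong domain.
    legit = EXECUTIVES.get(name.strip().lower())
    if legit and domain != legit:
        findings.append(f"executive display name '{name}' sent from external domain {domain}")

    # Reply-To redirection: replies go somewhere other than the apparent sender.
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")

    # Vendor lookalike: sender domain is a near miss of an established vendor.
    for vendor in KNOWN_VENDORS:
        if domain != vendor and 0 < edit_distance(domain, vendor) <= 2:
            findings.append(f"lookalike of known vendor domain {vendor}: {domain}")

    # Pressure language typical of payment-diversion pretexts.
    if URGENCY_RE.search(msg.get("Subject", "") + "\n" + body):
        findings.append("payment/urgency language")
    return findings


# Constructed sample messages.
SAMPLE_CEO = """From: Jane Doe <jane.doe@gmail-mail.example>
Reply-To: jane.doe.ceo@outlook-mail.example
To: payments@example.com
Subject: Urgent wire needed today

Are you at your desk? I need a wire sent immediately, I'll send details.
"""

SAMPLE_VENDOR = """From: Accounts <ar@acme-suplies.com>
To: ap@example.com
Subject: Invoice 4471 overdue - pay now with updated bank details

Please settle the owed amount today using our updated account details below.
"""

SAMPLE_BENIGN = """From: Bob Smith <bob@example.com>
To: jane.doe@example.com
Subject: Lunch on Thursday?

Are we still on for lunch?
"""

if __name__ == "__main__":
    for label, sample in [("ceo", SAMPLE_CEO), ("vendor", SAMPLE_VENDOR), ("benign", SAMPLE_BENIGN)]:
        print(label, score_message(sample) or "no indicators")
```

None of these signals is conclusive on its own; in practice they feed a score alongside sender reputation and authentication results, and the lookalike check must be tuned to the organization's own vendor list to keep false positives manageable.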
So, as cybercrime grows more “professional,” we’d expect to see these attacks growing in frequency. And… that’s exactly what’s happened. According to DBIR figures, pretexting incidents have doubled in the last year and grown by around 800% since 2016—and BEC scams make up a hefty proportion.
According to the Internet Crime Complaint Center’s Internet Crime Report, BEC scams skyrocketed by 81% in 2022, costing US victims a total of USD 2.7 billion. This is significantly higher than the total cost of ransomware, despite what you might guess from media headlines.
Meanwhile, the FBI describes BEC as "one of the most financially damaging online crimes" and even produced a Congressional report on BEC, which estimated the worldwide cost of BEC scams between 2016 and 2021 at over $43 billion.
Ransomware
There have been some interesting and significant developments in ransomware over the last year that are worth discussing.
DBIR figures show ransomware is still a big deal, accounting for roughly a quarter of all breaches, a similar figure to last year. And, just like last year, ransomware is disproportionately damaging, accounting for 15.5% of incidents but over 24% of breaches.
Other sources tell a similar story—the Sophos State of Ransomware 2023 report found the proportion of organizations hit with ransomware remained identical to the previous year at 66%.
However, this is not to say the threat of ransomware has remained static. The 2023 CoDB found that the average cost of a ransomware breach rose by a remarkable 13% in 2023, coming in at $5.13 million. Notably, whether or not affected organizations chose to pay the ransom had little bearing on the overall cost of recovery.
Organizations that paid the ransom achieved only a small difference in total recovery cost, at $5.06 million compared to $5.17 million, a cost reduction of just 2.2%. And that’s not the full story, because those figures don’t include the cost of the ransom itself. The Sophos report mentioned above identified the median value of ransom payments during 2023 was $400,000, and 40% of reported ransom payments exceeded $1 million. All told, that means organizations choosing to pay ransoms typically ended up spending considerably more overall to recover.
Paying a ransom is often seen as a quick fix for recovery, but it rarely works out that way. These figures likely reflect that most organizations are capable of restoring encrypted files from backups but choose to pay in the hope of recovering faster. This is often a misguided approach.
The primary costs of a ransomware attack stem from disruption, response, and recovery—not just the ransom. While paying the ransom might seem like a logical way to expedite the recovery process, Sophos found that those who paid the ransom actually took longer to recover.
Granted, organizations choosing to make ransom payments may do so because they have nonfunctional or inefficient recovery processes. However, the takeaway here is clear: if you’re hit with ransomware, it is both cheaper and faster to recover from backups if the option is available.
Even so, 24% of organizations recovering from backups took between one and six months to fully recover.
How to Minimize Damage from Ransomware Attacks
What’s the most important action to minimize the cost and disruption of a ransomware attack? The 2023 CoDB has the answer: involve law enforcement.
Organizations that involve law enforcement in their ransomware recovery process reduce costs by 9.6% on average (or about half a million dollars). Law enforcement involvement also shortens the time to identify and contain ransomware breaches: the mean time to contain is 63 days with law enforcement involvement compared to 80 days without, a 17-day reduction.
Notably, in their Ransomware Prevention and Response for CISOs guide, the FBI advises against paying ransoms in most cases, citing cases where:
- Victims have paid ransoms but never received a decryption key (or the key didn’t work).
- Victims who paid were identified as “soft targets” for further ransomware attacks.
- After paying a ransom, victims were asked for further payments.
Combined, these factors explain why organizations are increasingly opting not to pay ransoms.
Supply Chain Attacks
Supply chain attacks are an extreme case of cybercriminals seeking the path of least resistance.
What do you do if a desired target has a sufficiently strong security profile to make a direct compromise challenging? Simple: find a partner organization that already has privileged access to the target's infrastructure and go through them.
IBM’s 2023 CoDB report divides supply chain attacks into two categories:
- Business partner supply chain attacks - these originate with an attack on a partner organization. In 2023, 15% of breaches began with a business partner compromise.
- Software supply chain attacks - where an attacker infiltrates a software vendor’s network and compromises the software before the vendor sends it to its customers. In 2023, 12% of breaches began with a software supply chain compromise.
Combined, these two vectors account for more than a quarter (27%) of breaches in the latest CoDB report. To make matters worse, both vectors typically lead to breaches that take longer to detect and contain and cost more overall to recover from:
- Business partner supply chain breaches are 11.8% more costly for affected organizations and take 12.8% longer to detect and contain than other breaches.
- Software supply chain breaches are 8.3% more costly and take 8.9% longer to detect and contain.
These are significant increases. The average breach already takes 270 days to detect and contain and costs around $4.23 million—and these figures rise to 307 days and $4.76 million for business partner supply chain breaches.
But… Why does all this matter?
As recently as the 2021 CoDB report, supply chain attacks were so uncommon they didn’t even warrant a mention. They didn’t play a meaningful role in the DBIR dataset until 2022. And yet, today, they account for over a quarter of all data breaches—and, according to an Identity Theft Resource Center Report, may even account for more data compromises than malware.
This is a classic example of cybercriminals identifying a tactic that achieves their primary objectives and doubling down on it.
We can expect to see a lot more supply chain attacks in the coming years. Juniper Research placed the global cost of supply chain attacks at $46 billion in 2023 and predicts a rise to $80.6 billion by 2026. Snyk's estimates go further, predicting annual global costs of $138 billion by 2031.
Get the Full Cybercrime Story
In our latest report, we provide a detailed analysis of the year's top evolving cyber threats, without unnecessary fluff. The findings underscore the critical need for robust cybersecurity measures and show how cybersecurity professionals can combat the ever-evolving threats.
Download the report to learn:
- How AI threatens to raise the threat of cybercrime even further than it already is.
- Cybercrime group priorities and how they are reflected in their tactics.
- The four basic ways cybercriminals make money.
- Insights and predictions from industry veterans.
- And more!
April 11, 2024