Verizon DBIR: Ransomware still a major threat, despite reports

The 2019 Verizon Data Breach Investigations Report challenges the wisdom that cryptomining attacks replaced ransomware as the dominant malware threat last year.

Verizon said the reports of ransomware's decline have been greatly exaggerated.

Several cybersecurity vendors and service providers published research over the last year that showed ransomware attacks declined significantly in favor of cryptomining attacks. The 2019 Verizon Data Breach Investigations Report (DBIR), however, still ranked ransomware as one of the most prevalent threats of last year.

Among security incidents that involved specific malware functionality, the Verizon DBIR found 24% exhibited ransomware functionality, which was second only to command-and-control functionality (47%).

"Ransomware is still a major issue for organizations and is not forced to rely on data theft in order to be lucrative," the report stated.

Dave Hylender, senior risk analyst at Verizon and a contributor to the 2019 DBIR, said ransomware incidents had "gone down slightly" compared to the previous year's report, which ranked ransomware first in terms of recorded malware functionality. But Hylender said the decrease wasn't significant or prolonged enough for Verizon to consider it a trend.

"There's an impression that ransomware has sort of run its course," Hylender said. "It hasn't. I don't think ransomware is 'back' this year, because I don't think it ever left."

Ransomware vs. cryptomining

The Verizon DBIR's take is a departure from other recent cybersecurity reports that noted a steep decline in ransomware activity last year, as cybercriminals embraced other approaches, such as cryptojacking. Several of the reports were published by vendors that partnered with Verizon and provided data for the 2019 DBIR.

Editor's note: Cylance, McAfee, Zscaler and Check Point contributed data to the Verizon DBIR; IBM did not.

BlackBerry Cylance's 2019 Threat Report, for example, found ransomware incidents per enterprise customer dropped 26% last year, while "malicious coinminers" surged 47%.

Other vendors published similar research. In Check Point Software Technologies' 2019 Security Report, researchers saw ransomware attacks "fall sharply" last year, only affecting 4% of organizations, compared to a surge in cryptominers that affected 37% of organizations. The 2019 IBM X-Force Threat Intelligence Index reported ransomware incidents on X-Force-monitored systems declined 45% between the first and fourth quarters of last year, while cryptojacking attacks jumped 450% over the same period.

McAfee also saw a shift away from ransomware in 2018. Christiaan Beek, lead scientist and principal engineer at McAfee, said the vendor observed more activity around cryptomining starting in June of last year.

"The general trend for cybercriminals is to get cash as fast as possible. To make a spam ransomware campaign successful, it took a lot of efforts for the criminal," Beek said. "With the trends around cryptojacking, they saw, 'Hey, I don't have to put in a lot of effort to get a lot of bitcoins.' If they could steal a wallet or actually do cryptomining over a lot of machines, it was more lucrative and faster and less risky for them to get the money."

Deepen Desai, vice president of security research and operations at cloud security vendor Zscaler, based in San Jose, Calif., said his company saw cybercriminals shifting their focus slightly toward cryptomining attacks last year.

"One of the major trends in the beginning of 2018 was coin miner malware payloads, where existing malware authors [for code] like njRAT started incorporating coin-mining modules [and] cryptowallet stealers," Desai said. "Either they were mining or they were trying to steal the existing wallets." 

Both Desai and Beek said their companies saw a shift back to ransomware by the end of 2018, as cryptocurrency values dropped.

However, the 2019 Verizon DBIR cast doubt on the trend of cryptomining attacks replacing ransomware as "the next big thing" in the 2018 threat landscape.

"The numbers in this year's data set do not support the hype, however, as this malware functionality does not even appear in the top 10 varieties," the report stated.

Divergent ransomware results

Not all research showed a drop-off in ransomware incidents in 2018. Accenture's ninth annual Cost of Cybercrime Study found ransomware attacks on organizations increased 15% from the previous year. The study, conducted by the Ponemon Institute, analyzed 355 enterprises.

Symantec's 2019 Internet Security Threat Report, meanwhile, cited an overall decrease in ransomware infections in 2018 by 20% year over year, but a 12% increase in ransomware attacks against enterprises.

I don't think ransomware is 'back' this year, because I don't think it ever left.
Dave HylenderSenior risk analyst, Verizon

Hylender said it's challenging to determine the scope of the ransomware problem, because many organizations don't disclose attacks. The 2019 Verizon DBIR stated that, because of U.S. regulations, healthcare companies disclose ransomware attacks as though they were confirmed data breaches, while most other industries do not. The report also noted that, for the second straight year, ransomware accounted for more than 70% of malware attacks in the vertical.

"I think there's probably just as many ransomware attacks in many other industries as there are in healthcare," Hylender said.

Despite differing views on ransomware in 2018, most security vendors and researchers appear to agree it's still a major threat to enterprises this year, and threat actors are focusing their efforts.

"What we're noticing in 2019 is that ransomware attacks are becoming more targeted in nature," Desai said. "The attackers are targeting industry verticals like healthcare domain, retail sector and especially larger organizations where the chances of them paying the ransom [are] significantly higher because they cannot afford any kind of downtime."

Beek said McAfee has observed the same trend.

"The criminals groups are really going after high-value targets, and it's no longer the spam campaigns," he said, adding that cybercriminals have embraced new coding techniques and distribution methods for ransomware this year.

Justin Harvey, managing director and global incident response lead for Accenture Security, said he's seen a change in strategy, as well, where some threat actors have integrated cyberextortion into their ransomware attacks.

"My team is seeing a shift," Harvey said. "We've started to work cases this year where an adversary used conventional means to penetrate the organization. But, instead, the best cybercriminals are pivoting from asset identification and exfiltration to asset identification and encrypting in place."

Harvey said instead of risking detection through exfiltration or alerting threat intelligence analysts monitoring the dark web, savvy cybercriminals are simply encrypting valuable data in place and demanding ransom payments.

Hylender said, based on 2018 data, as well as observations from activity early this year, all enterprises should consider ransomware a serious threat to their organizations and have a plan in place to respond to it.

"We saw a great deal of ransomware across all industries from multiple sources," he said. "So, we do not believe it is going away anytime in the near future."

Dig Deeper on Threats and vulnerabilities