Ransomware, cloud attacks more than doubled in 2019

New research by Trustwave shows 2019 saw huge increases in ransomware and cloud services attacks, as well as a big shift from spam toward business email compromise.

Enterprises saw big increases in ransomware and cloud services attacks in 2019, according to new research by Trustwave.

The managed security services provider on Wednesday released a report, titled "2020 Trustwave Global Security Report," which determined that cloud attacks more than doubled, jumping from 7% of all incidents the vendor analyzed in 2018 to 20% last year. Ransomware attacks quadrupled and accounted for the biggest share of incidents Trustwave tracked in 2019.

The vendor analyzed data from approximately a trillion logged security and compromise events, as well as network vulnerability scans, penetration tests and hundreds of breach investigations that the company conducted in 2019 across 16 countries.

According to Trustwave senior threat intelligence manager Karl Sigler, an uptick in ransomware was expected.

"It disappeared for a little while, but last year it came back full force," Sigler said. "It's something that's immediately financially monetized for criminals. With pretty much any other cyberattack, maybe you're stealing personally identifiable information, you have to sell it in order to make money. With ransomware, you're just holding their most valuable data ransom and they'll pay, or they won't pay. Plus, with the slight stabilization of cryptocurrency and their ability to get paid in cryptocurrency most of the time, it's a criminal match made in heaven."

In addition to ransomware making a comeback, Trustwave said 2019 was the first year in its 12 years of publishing the annual report that ransomware outpaced stolen financial data in the category of "Compromises by data type targeted."

"The primary reason [for the increase] is that the criminals can control a wide net and they are instantly getting paid. There's no reselling. Typically, there's not much money laundering. They cut out the middleman and go straight for the cash," Sigler said.

While ransomware saw a huge jump, the report determined that cloud services saw the biggest increase as a threat vector. As with the spike in ransomware, Trustwave noted the jump in cloud attacks last year was unsurprising as more organizations have embraced Amazon Web Services, Microsoft Azure and Google Cloud Platform, as well as SaaS offerings.

"The trend in cloud service attacks closely correlates to increased cloud adoption by businesses. Criminals and attackers will always follow where the data goes, because that is where the money is," Sigler said. "More organizations across all industries are adopting cloud services so that is becoming a bigger target for criminals."

Spam down, BEC attacks up

Amid all the observed increases, there was one threat that saw a decrease: spam, which went from 45.3% of inbound email analyzed by Trustwave in 2018 to 28.3% in 2019.

According to the report, "This decrease although positive, supports findings cybercriminals are shifting tactics opting for more targeted and personal attacks known as business email compromise (BEC). Trustwave saw the average volume of BEC messages captured at the gateway rise to an average of 60 messages per day, up from 20 messages the previous year."

Executing a BEC attack takes a slightly more sophisticated attacker, Sigler said.

"Mass spam relies on casting a wide net to reach as many potential targets as possible. Because of that very nature the messages need to be very general and generic, which makes them easier to spot with security controls," Sigler said. "BEC, on the other hand, takes more effort and requires some reconnaissance and research in order to pull off the attack. Often the payoff is worth the additional work."

For example, in 2019 more cyberinsurance payouts happened because of BEC than ransomware, and half of cybercrime losses were BEC alone, according to the FBI.

Email security vendor Proofpoint has also seen a rise in BEC attacks and an evolution of tactics from threat actors.

"Over the last couple of years, cybercriminals have diversified their tactics and now there is a universe of tactics that are all about impersonation, pretending to be you, and another set that are all about just becoming you by taking over cloud accounts," said Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint. "They [BEC and EAC] have become effectively the most expensive problem in all of cybercrime."

Another trend observed in the report is an increase in data breaches hitting the retail industry.

"That's where the money is," Sigler said. "We've seen shifts in attack vectors, it used to be a lot of point of sale malware, but that's pretty much disappeared, almost 100% due to the introduction in the United States of chip readers. But whenever you have security protections to protect against one attack, the criminals just move their techniques to a different area, so we've always seen a focus on retail, but now we see it more focused on e-commerce. Basically, it's nothing more than criminals going to where the money is and adapting to security protections we put in place."

The shift to BEC, as well as an increase in cloud attacks and other major trends observed in the report, has continued into the first part of 2020.

"Obviously the biggest story in 2020 is COVID-19, and sure enough we've seen techniques that have been used successfully in the past, like BEC, updated to take advantage of the pandemic," Sigler said.
