kras99 - stock.adobe.com

IBM: Ransomware defenders showing signs of improvement

According to IBM X-Force's Threat Intelligence Index report, a smaller percentage of threat actors executed a ransomware attack after gaining access in 2022 than in 2021.

Ransomware continues to be a major problem for organizations around the world, but defenders seem to be getting better, according to new research published by IBM's X-Force.

IBM on Wednesday released its 2023 Threat Intelligence Index, an annual report dedicated to the findings of IBM's X-Force threat intelligence team during its incident response engagements the previous year. The 58-page report covers research from across the security landscape, including industry and geopolitical trends as well as ransomware activity.

One category tracked in the report is "action on objective," referring to the specific actions a threat actor took against a victim organization's network. Establishing backdoors was the most common action at 21%, followed by ransomware at 17% and business email compromise at 6%. Ransomware's share represents a 4% drop from the previous year.

Additionally, two-thirds of the backdoor activity tracked by IBM had the markings of a potential ransomware attack. But the malware deployment was successfully thwarted by security teams and incident responders before it could progress to that stage. IBM noted that initial access brokers, which have become a common part of the ransomware ecosystem, often plant backdoors inside organizations and auction that access to other cybercriminals for $5,000 to $10,000.

IBM X-Force head of research John Dwyer told TechTarget Editorial that ransomware's drop is the first the company has seen in five years. Although other activity like backdoors can represent early-stage ransomware activity, it's a small improvement that shows defenders are improving.

"Defenders are getting good," Dwyer said. "It's just a little tip, so it's not like we've solved the problem. But it's the first data point that shows that things are getting a little bit better."

Dwyer stressed that this positive trend shouldn't be used as a reason for organizations to rest on their laurels, as "ransomware still drives a massive piece of the cyber crime ecosystem." Not all trends from the past year were positive.

The report called attention to an X-Force report from last June that noted a 94.34% drop in ransomware attack duration between initial access and deployment -- from over two months to just under four days -- between 2019 and 2021.

Dwyer called 2023 an "inflection point" for ransomware because the innovations of both threat actors and defenders made 2022 a particularly interesting year.

"We could look back on this and be able to see that 2017 to 2021 was the golden age of ransomware," he said. "We start to see organizations take it more seriously, invest in cybersecurity and [prioritize] threat detection and response. Or are we going to say, oh, [2022] was just an anomaly? That's why it's so interesting. It's like we're truly living history right now in cybersecurity."

The top initial access vectors in 2022 according to the IBM X-Force 2023 Threat Intelligence Index.
Over 40% of the top initial access vectors in 2022 involved spear phishing, according to IBM X-Force's 2023 Threat Intelligence Index.

One such innovation made by ransomware actors, according to the report, was making organizations' stolen data more accessible to downstream victims through their leak sites. For example, threat researchers found that the Alphv ransomware group, also known as BlackCat, launched a website where employees and customers of a victim organization could search a database to see if their personal or financial information was compromised in an attack.

"By making it easier for secondhand victims to identify their data among a data leak, operators seek to increase the subsequent pressure on the organization targeted by the ransomware group or affiliate in the first place," the report said. "In 2023, X-Force expects to see threat actors experimenting with enhanced or novel downstream victim notification to increase the potential legal and reputational costs of an intrusion."

A notable non-ransomware data point from the report involved manufacturing, which X-Force found was the top-attacked industry in 2022. 24.8% of attacks tracked by IBM involved the manufacturing sector, and 58% of IBM's operational technology (OT) engagements were manufacturing related. Similarly, OT security vendor Dragos published a research report last week which mentioned that 72% of all OT ransomware attacks it tracked in 2022 involved the sector.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Threat detection and response