Getty Images/iStockphoto

Verizon 2023 DBIR: Ransomware remains steady but complicated

Chris Novak, managing director of cybersecurity consulting at Verizon Business, said 2023 was a "retooling year" for ransomware threat actors adapted to improved defenses.

Ransomware attacks plateaued last year, according to the 2023 Verizon Data Breach Investigations Report, though the telecom giant said the reality of the situation is a bit more complicated.

Verizon published Tuesday its 2023 DBIR, a report covering insights gained by Verizon's security team from the 16,312 incidents and 5,199 confirmed data breaches it analyzed between Nov. 1, 2021, and Oct. 31, 2022. Key themes covered in the 2023 report included ransomware, social engineering attacks and Log4j exploitation.

The telecom giant said that while ransomware continues to be exceedingly popular among threat actors, the share of breaches involving ransomware held steady year-over-year at 24%. While a number of vendors and researchers have observed either a stagnation or even slight decline in various aspects of the ransomware ecosystem, the reality of the situation appears more complicated.

Chris Novak, managing director of cybersecurity consulting at Verizon Business and manager of the DBIR, characterized the story of ransomware this past year as one where threat actors retooled their tactics to adjust to the improving security postures of victims thanks to security technology getting better and organizations more effectively responding to and containing breaches.

"I think what we're starting to find is, threat actor groups are recognizing that [defenders improving] impacts their ability to make money, so they're retooling their technology," he said. "They're finding other ways to get their ransomware further into the environment and into more sensitive parts of the business in order to be able to better extract larger sums of ransom payments."

Security vendors and government agencies alike have observed ransomware gangs shifting tactics to exclusively data theft and extortion to avoid detection. Meanwhile, threat actors are attacking sensitive institutions like hospitals in large numbers over the past year despite contradicting promises made by threat actors early on in the COVID pandemic. Novaksaid there was a possible connection between the two trends, noting a rise in breaches against healthcare organizations in this DBIR.

"I think part of it is that the ransomware threat actors are feeling the squeeze," he said. "For the target industries that normally threat actors would go after, they're finding that what they're going after is getting smaller and smaller as those organizations are implementing better defenses. And now as a result, I think [the organizations] that were once off limits are now the softest parts to hit. They're the easier targets to go after. And I hate to say it this way, but there's leverage there that is hard to bargain with."

The 2023 DBIR noted that the healthcare industry continues to be a popular target for ransomware gangs, though threat actor tactics have shifted somewhat. "While the number of ransomware incidents peaked in this industry in 2021, the last three years have seen a jump in data breaches (where the data is confirmed to have been stolen as well as the encryption triggered) caused by ransomware," the report said.

Social engineering threats

Ninety-five percent of breaches in the year tracked by the DBIR were financially motivated. However, Novak said increasing geopolitical tensions, such as Russia's invasion of Ukraine last year, have led to attacks where inflicting pain, distress or chaos in an environment is the goal.

A significant portion of the 2023 DBIR involved the "human element," which Verizon defines as breaches caused by social engineering attacks, stolen credentials, error or misuse such as insider threats. Last year 74% of breaches involved the human element, down from 82% in 2021. While Novak considered it good news somewhat, he said it is still a large contributing factor to the breach landscape thanks to issues like poor password hygiene and password reuse.

Social engineering attacks accounted for 17% of breaches and 10% of incidents overall. This is an increase over the previous year, which Verizon said was largely due to pretexting attacks -- in which one party lies to another to gain access, such as impersonating an organization's IT department or chief executive -- doubling year over year.

Novak said social engineering is having a moment now in particular because organizations attempt to solve security issues by upgrading their products and services. But people remain "the squishy, soft spots of the organization." Although solutions like user education and awareness training might help, he said, they can only do so much to correct bad habits like re-using passwords or creating weak, easy-to-remember ones for convenience.

"A lot of organizations, I would say, rely almost a little bit too heavily on the fact that they do web-based training once a year to tell people about security and what not to do," Novak said. "Most organizations assume that once they do the training, people get it, and it sticks. But they don't realize that when people go out into the outside world, they're kind of being untrained every day. I think a lot of these interactions that we have day to day have untrained us faster than businesses can train us."

The 2023 Verizon DBIR showed ransomware has rapidly increased in recent years to become the top threat action in confirmed data breaches.
Verizon's 2023 DBIR showed ransomware activity in breaches plateaued at 24%.

Log4Shell effects

The report also touched on Log4j exploitation that occurred in the wake of the catastrophic Log4Shell flaw disclosed in December of 2021,which is within the 2023 DBIR's reporting window. More than 32% of all Log4j scanning activity occurred within 30 days of the flaw's release, with the largest spike occurring within 17 days.

"Log4j was so top-of-mind in our data contributors' incident response that 90% of incidents [featuring vulnerability exploitation] had 'Log4j,' or 'CVE-2021- 44228' in the comments section," the report read. "However, only 20.6% of the incidents had comments."

The DBIR found the Log4 vulnerability was cited in 0.4% of security incidents, or just under 100 cases worldwide. However, the report also noted that in 26% of those cases, the vulnerability was exploited as part of ransomware attacks.

While the number of Log4Shell attacks was small, Novak said the hype also played a role in mitigating some of the potential damage.

"I do think it'll be a gift that keeps on giving. I think it'll be something that will continue and be persistent for a while," he said. "I think in terms of it being the asteroid coming for Earth, I think that didn't materialize. And I think part of that was because there was so much hype behind it, a lot of organizations that might not have been tracking it otherwise paid attention to it."

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Threats and vulnerabilities