IBM finds defenders are becoming more successful in detecting and preventing ransomware

SECURITY

International Business Machines Corp.’s annual X-Force Threat Intelligence Index report released today finds that although ransomware’s share of incidents has declined slightly, defenders were more successful in detecting and preventing ransomware.

The report details various aspects of cyberattacks, including how the deployment of backdoors that allow remote access to systems emerged as the top action undertaken by attackers last year. About two-thirds of those backdoor cases were related to ransomware attempts, where defenders could detect the backdoor before the ransomware was deployed.

According to the report, the uptick in backdoor deployments can be partially attributed to their high market value. X-Force observed threat actors selling existing backdoor access for as much as $10,000, compared with stolen credit card data, which can sell for less than $10 today.

“The shift toward detection and response has allowed defenders to disrupt adversaries earlier in the attack chain – tempering ransomware’s progression in the short term,” explained Charles Henderson, head of IBM Security X-Force. “But it’s only a matter of time before today’s backdoor problem becomes tomorrow’s ransomware crisis. Attackers always find new ways to evade detection.”

The IBM Security X-Force Threat Intelligence Index report tracks new and existing trends and attack patterns, pulling from billions of data points from network and endpoint devices, incident response engagements and other sources.

Key findings in the report include that the most common impact from cyberattacks in 2022 was extortion, primarily achieved through ransomware or business email compromise attacks. Europe was the most targeted region for this method, representing 44% of extortion cases observed, as threat actors sought to exploit geopolitical tensions.

Cybercriminals were found to be weaponizing email conversations, with thread hijacking seeing a significant rise in 2022. Attackers were observed using compromised email accounts to reply within ongoing conversations posing as the original participant, with the rate of monthly attempts increasing by 100% compared with 2021 data.

Not surprisingly, legacy exploits continued to be a thing last year, but the numbers are improving somewhat. The report found that the proportion of known exploits relative to vulnerabilities declined 10 percentage points from 2018 to 2022 thanks to the number of vulnerabilities hitting another record high in 2022.

The report also details how cybercriminals often target the most vulnerable industries, businesses and regions with extortion schemes, applying psychological pressure to force victims to pay. Manufacturing was the most extorted industry in 2022, the most attacked industry for the second year running, since they’re an attractive target for extortion, given their extremely low tolerance for downtime.

As for ransomware, the report notes how more prevalent making stolen data more accessible to downstream victims has become. Operators increased pressure on the breached organization by bringing customers and business partners into the mix.

Image: IBM Security