In recent years, the increasing sophistication of financial crimes has driven cybercriminals to seek out vulnerabilities and carry out increasingly innovative attacks. The promise of substantial financial gain pushes these criminals to develop new techniques and refine already known methods, resulting in a significant increase in cyber extortion attacks.
According to the 2024 Data Breach Investigations Report (DBIR) by Verizon, approximately one-third of all breaches (32%) involved ransomware or some other extortion technique. Pure extortion attacks increased last year and now account for 9% of all breaches. These numbers reinforce what has been observed over the past three years: the combination of ransomware and other extortion breaches was responsible for nearly two-thirds of financially motivated cyberattacks, ranging from 59% to 66% during this period.
Similarly, in the last two years, a quarter of financially motivated attacks (ranging from 24% to 25%) involved pretexting, a category of social engineering attack in which a false narrative or convincing pretext is created to persuade the victim to reveal personal or sensitive data. The majority of these were cases of Business Email Compromise (BEC), in which attackers send fraudulent email messages that appear to come from the company.
“Ransomware attacks have a devastating impact on corporations, both financially and technically, in addition to seriously damaging the company’s image. Although the consequences can be huge, these attacks often start with simple execution incidents, such as a leaked credential or a social engineering technique. These initial methods, often ignored by corporations, can open the door to cyber intrusions that result in multimillion-dollar losses and loss of customer trust,” explains Maurício Paranhos, CCO of the Brazilian company Apura Cyber Intelligence, which collaborated on the Verizon report.
Paranhos emphasizes that understanding the cyber extortion landscape is a key factor for companies like Apura to continue developing a range of solutions and measures to mitigate the actions of criminals. Therefore, it is necessary to observe the data and try to extract as much information as possible from it.
One of the easiest costs to quantify is the amount associated with the ransom payment. An analysis of this year's statistical data set from the FBI's Internet Crime Complaint Center (IC3) found that the median adjusted loss (after funds recovery by authorities) for those who paid the ransom was about $46,000. This amount represents a significant increase compared to the previous year's median of $26,000. However, it is important to consider that only 4% of extortion attempts resulted in actual loss this year, compared to 7% last year.
Another way to analyze the data is to look at ransom demands as a percentage of the victim organization's total revenue. The average initial ransom demand was equivalent to 1.34% of the organization's total revenue, with 50% of the demands ranging between 0.13% and 8.30%. This wide variation indicates that some of the most severe cases can require up to 24% of the victim's total income. These value ranges can help organizations run risk scenarios with a closer look at the potential direct costs associated with a ransomware attack.
“While many other factors must also be considered, this data provides a valuable starting point for understanding the financial dimension of ransomware attacks. The increasing incidence of these attacks and the diversity of techniques used by cybercriminals reinforce the need for constant vigilance and robust cybersecurity strategies to mitigate the risks and financial impacts associated with these crimes,” explains Paranhos.
System Intrusion continues to be the main pattern for breaches, whereas for incidents denial-of-service (DoS) attacks still prevail. Both the Social Engineering and Miscellaneous Errors patterns have increased significantly since last year. On the other hand, the Basic Web Application Attacks pattern dropped drastically from its position in the 2023 DBIR. The DBIR also presents the most relevant MITRE ATT&CK techniques and the corresponding Critical Security Controls from the Center for Internet Security (CIS) that can be adopted to mitigate each of these patterns: System Intrusion, Social Engineering, Basic Web Application Attacks, Miscellaneous Errors, DoS, Lost and Stolen Assets, and Privilege Misuse.
“With this information in hand, organizations can improve their defenses and be better prepared to face the challenges posed by cybercriminals, thus ensuring more effective protection against constantly evolving cyber threats,” says the expert.