In recent years, the increasing sophistication of financial crimes has motivated cybercriminals to seek loopholes and carry out increasingly innovative attacks. The promise of substantial financial gains drives these cybercriminals to develop new techniques and improve known methods, resulting in a significant increase in extortion cyberattacks.
According to Verizon's 2024 Data Breach Investigations Report, approximately one-third of all breaches (32%) involved ransomware attacks or some other extortion technique. Pure extortion attacks increased last year and now account for 9% of all breaches. These figures reinforce what has been observed in the past three years: the combination of ransomware and other extortion breaches accounted for nearly two-thirds of financially motivated cyberattacks, ranging from 59% to 66% in that period.
Similarly, in the past two years, a quarter of financially motivated attacks (ranging from 24% to 25%) have involved pretexting, a category of social engineering attack in which a false narrative or a compelling pretext is created to persuade the victim to reveal personal or sensitive data. Most of these have been Business Email Compromise (BEC) cases, which involve sending false e-mail messages on behalf of the company.
“Ransomware attacks have a devastating impact on corporations, both financially and technically, as well as severely damaging the image of companies. Although the consequences are grandiose, these attacks often begin with simple execution incidents, such as a leaked credential or a social engineering technique. These initial methods, often ignored by corporations, can open the door to cyber intrusions that result in multi-million dollar losses and loss of trust from clients,” explains Mauricio Paranhos, CCO of Brazilian Apura Cyber Intelligence, which collaborated with the Verizon report.
Paranhos points out that understanding the cyber extortion scenario is a fundamental key for companies like Apura to continue developing a series of solutions and measures to mitigate the action of criminals. Therefore, it is necessary to observe the data and try to extract from them as much information as possible.
One of the easiest costs to quantify is the amount associated with paying the ransom. Analyzing the statistical dataset of the Internet Crime Complaint Center (IC3) of the FBI this year, it was found that the adjusted median loss (after the recovery of funds by the inspection) for those who paid ransom was about US$ 46,000. This figure represents a significant increase from the median of the previous year, which was US$ 26,000. However, it is important to consider that only 4% of extortion attempts resulted in real loss this year, compared to %.
Another way to analyze the data is to look at ransom demands as a percentage of the total revenue of the victim organizations. The average value of the initial ransom request was equivalent to 1.34% of the total revenue of the organization, with 50% of the demands ranging between 0.13% and 8.30%. The variation is wide: some of the most serious cases demand up to 24% of the total revenue of the victim. These ranges can help organizations run risk scenarios with a closer look at the potential direct costs associated with a ransomware attack.
“Although many other factors must also be considered, this data provides a valuable starting point for understanding the financial dimension of ransomware attacks. The increasing incidence of these attacks and the diversity of techniques used by cybercriminals reinforce the need for constant surveillance and robust cybersecurity strategies to mitigate the risks and financial impacts associated with these crimes,” Paranhos explains.
System intrusion remains the main pattern of breaches, as opposed to incidents, where denial of service (DoS) attacks still reign. Both the Social Engineering and Miscellaneous Errors patterns have increased significantly since last year. On the other hand, the Basic Web Application Attacks pattern has fallen dramatically from its position in the 2023 DBIR. The DBIR report also presents the most relevant MITRE ATT&CK techniques and the respective Center for Internet Security (CIS) Critical Security Controls that can be adopted to mitigate several of these patterns: system intrusion, social engineering, basic attacks on applications, abuse of assets, abuse of web applications, or assets.
“With this information in hand, organizations can enhance their defenses and be better prepared to meet the challenges posed by cybercriminals, thus ensuring more effective protection against the ever-evolving cyber threats,” says the expert.

