Frequency of Automated attacks on infrastructure
One of my clients ran a test to see how many cyber attacks they were
preventing. They looked at the number of incoming packets rejected by their
firewalls, plus the number of API calls that failed, for one of their
internet-facing B2B systems.
The numbers came out to roughly 6 attacks per second, or 500,000 per day.
When we looked a little deeper, we could see that most of these were
automated scanning of the site, which is the first step in most external attacks.
I'm sure there were some malformed API requests mixed in too, but as far as we
could tell these were few and far between. To a first approximation, these
numbers appeared accurate.
These measurements didn't take into account any attempted business email
compromise or other attempts to inject malware into their corporate network,
such as phishing, spear-phishing, or other methods that more or less attack
their staff directly. The 6-attacks-per-second figure covered only the input
to the B2B cloud service that their customers use every day, and that service
is not a widely known or publicized cloud location.
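The measurement described above (rejected firewall packets plus failed API calls, turned into a per-second and per-day rate, then split into scanning versus genuinely malformed requests) can be reproduced from logs. The script below is an added example, not the client's or this post's own tooling: the firewall and API gateway log formats are assumed, the scan threshold (a source rejected on five or more distinct ports) is an assumption, and every sample log line is constructed.

```python
"""Added example, not the client's or the post's own tooling: compute the
blocked-request rate described in the post and break it down by cause.
Log formats are assumed; all sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log: one line per packet decision (RFC 5737 test addresses).
FIREWALL_LOG = """\
2024-03-04T10:00:00Z REJECT src=203.0.113.7 dport=21
2024-03-04T10:00:01Z REJECT src=203.0.113.7 dport=22
2024-03-04T10:00:02Z REJECT src=203.0.113.7 dport=23
2024-03-04T10:00:03Z REJECT src=203.0.113.7 dport=25
2024-03-04T10:00:04Z REJECT src=203.0.113.7 dport=80
2024-03-04T10:00:05Z REJECT src=203.0.113.7 dport=443
2024-03-04T10:00:06Z REJECT src=203.0.113.7 dport=3389
2024-03-04T10:00:07Z REJECT src=203.0.113.7 dport=8080
2024-03-04T10:00:03Z REJECT src=198.51.100.9 dport=445
2024-03-04T10:00:08Z REJECT src=198.51.100.9 dport=445
2024-03-04T10:00:09Z ACCEPT src=192.0.2.55 dport=443
"""

# Constructed API gateway log: timestamp, source, method, path, HTTP status.
API_LOG = """\
2024-03-04T10:00:02Z src=192.0.2.55 POST /api/v1/orders 400
2024-03-04T10:00:05Z src=192.0.2.55 POST /api/v1/orders 200
2024-03-04T10:00:06Z src=203.0.113.7 GET /.env 404
2024-03-04T10:00:09Z src=192.0.2.55 PUT /api/v1/orders/17 422
"""

FW_RE = re.compile(r"^(\S+) (ACCEPT|REJECT) src=(\S+) dport=(\d+)$")
API_RE = re.compile(r"^(\S+) src=(\S+) (\S+) (\S+) (\d{3})$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(log):
    """Return (timestamp, src, dport) for every REJECTed packet."""
    events = []
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m and m.group(2) == "REJECT":
            events.append((parse_ts(m.group(1)), m.group(3), int(m.group(4))))
    return events


def parse_api(log):
    """Return (timestamp, src, path, status) for every failed (>= 400) call."""
    events = []
    for line in log.splitlines():
        m = API_RE.match(line)
        if m and int(m.group(5)) >= 400:
            events.append((parse_ts(m.group(1)), m.group(2), m.group(4), int(m.group(5))))
    return events


def summarize(fw_events, api_events, scan_port_threshold=5):
    """Rate of blocked/failed requests plus a rough breakdown by cause.

    A source rejected on scan_port_threshold or more distinct ports within the
    window is treated as a scanner (assumed heuristic, matching the post's
    observation that most of the traffic was automated scanning).
    """
    all_ts = [e[0] for e in fw_events] + [e[0] for e in api_events]
    window = (max(all_ts) - min(all_ts)).total_seconds() + 1  # inclusive seconds
    total = len(fw_events) + len(api_events)

    ports_by_src = defaultdict(set)
    for _, src, dport in fw_events:
        ports_by_src[src].add(dport)
    scanners = {s for s, ports in ports_by_src.items() if len(ports) >= scan_port_threshold}

    # Everything from a scanner source, on the firewall or the API, is "scanning".
    scanning = sum(1 for _, src, _ in fw_events if src in scanners)
    scanning += sum(1 for _, src, _, _ in api_events if src in scanners)
    # 400/422 from a non-scanner: a real client sending a malformed request.
    malformed = sum(1 for _, src, _, status in api_events
                    if src not in scanners and status in (400, 422))
    return {
        "total_blocked": total,
        "window_seconds": window,
        "per_second": total / window,
        "per_day_estimate": total * 86400 / window,
        "scanner_sources": sorted(scanners),
        "scanning": scanning,
        "malformed_api": malformed,
        "other": total - scanning - malformed,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_firewall(FIREWALL_LOG), parse_api(API_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample the rate comes out to 1.3 blocked requests per second, with 9 of the 13 events attributable to the one source that probed eight different ports, 2 to a legitimate client sending bad request bodies, and 2 unclassified. The per-day figure is a straight extrapolation of the window, which is exactly how the "500,000 per day" number in the post was derived; on a real system you would measure over a full day rather than extrapolate, because scanning volume varies with the time of day.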
Ransomware attacks
Ransomware includes all sorts of different 'strategies' employed by the
attackers. Today, many of these include multiple forms of extortion.
Over the last few years, we've seen a rise in criminal 'enterprises', and
even specialization among these criminal groups. Many of these groups now
also have "support" arms, often two different ones: one for the other
criminal elements who wish to create the attacks, and another for the
companies, municipalities, etc. who need help acquiring untraceable
cryptocurrency to pay off the extortion. Many of these groups operate in
countries where this kind of 'business' is not recognized as criminal.
The attackers view this as a job, and their 'business day' is one factor
experts can use when working to identify which group is behind a given attack.
Types of Cyber-Extortion
Most attacks are built around the attacker getting access to your data, or
around bringing your systems to their knees:
- Extract your data
- Encrypt your data on your systems
- Deny your users access to your systems
The extortion component of an attack can start out with a simple "We've
encrypted your data; pay us and we'll give you the key". But if you don't
pay, they may start layering on further extortion elements. For example, at
the second level they may threaten to tell your customers that their data has
been extracted/breached. Then they may threaten to 'go public' with enough of
your data to prove to the world they have it.
Common extortion avenues include:
- Extortion over decrypting your data
- Extortion by threatening to tell your customers/users about the breach
- Extortion by threatening to announce the breach publicly
- Extortion by threatening to release your customers' or users' data on the dark web
- Extortion by threatening to publish private data about your customers/users (basically doxing)
I've seen reports of up to seven different types of extortion in use by some
attackers.
Closing thoughts
It should be noted that, given that these are mostly criminal enterprises
doing the attacking, they've realized that they need to follow through on
their promise to help you decrypt your data. If they don't, people will stop
paying. Evidence indicates that most attackers do what they've promised if you
pay the ransom.
And it's estimated that many attacks, across all attack types, including
ransomware attacks where the company does pay the ransom, are being
under-reported. The Internet Crime Center, part of the FBI, calculated that
reported ransomware and other cybercrime accounted for losses in the US of
$12.3 billion in 2023 alone.
That represents a 22% increase in losses over 2022.
Of these numbers, in 2023, business email compromise accounted for $2.9
billion, and ransomware for $59.6 million.
The rest were personal attacks (investment fraud, customer support scams
and attacks on the elderly). Ransomware, specifically, did take a small dip
in 2022, but it was back on the rise in 2023. There is speculation, but
little evidence, that this is due to companies paying the ransom and then not
reporting it.
Finally, there is some evidence that if you've been hit once by a ransomware
group, you're likely to be a target again.
The attackers know you'll be ready immediately after the first attack, but
suspect you'll let your guard down over time.
Plan on stepping up security, and then keeping it tight, permanently, after
any attack.
Better yet, simply assume you're already under attack, and keep your defenses
in a high state of readiness before you suffer a successful attack.