Freely subscribe to our NEWSLETTER

– 0% of attacks observed by CERT-Wavestone are ransomware attacks
– 30% of ransomware attacks combine both IS locking and data theft
– 90% of victims suffer irretrievable data loss but ransom payments are declining
– 56% of victims did not anticipate being potential targets of cyber attacks
– Increasingly rapid attacks: a minimum of 3 days and an average of 25 days between the intrusion and the ransom demand

Ransomware accounts for the lion’s share of cyber attacks

Ransomware was responsible for 60% of cyber-attacks observed by CERT-W at clients. Increasingly numerous, these attacks are also more organized and better equipped, leading to greater efficiency in such attacks. 

“Cybercriminal groups have succeeded in their digital transformation and their platform-based organization means they can pool efforts for faster and more efficient attacks” underlined Gérôme Billois, Cybersecurity Partner.

Apart from merely freezing an Information System, attacks are increasingly accompanied by data theft. Indeed, 30% of ransomware attacks observed combined IS locking with data theft, with the latter providing additional leverage for financial gain.

Faster and more targeted ransomware attacks

Our analysis reveals a decline in the average time between initial intrusion and the deployment of the ransomware in the system, with a minimum of 3 days for the fastest attack and an average of 25 days for managed cases. Attacks are increasingly designed to cause harm to their victims. Indeed, at present, they increasingly target backup systems to make them unusable and force payment of the ransom (21% of cases).

The Benchmark shows that in 90% of cases data is irretrievably lost. Note the significant decline in ransom payments this year (from 20% of victims last year to 5%). Numerous factors can explain this decline: better understanding of the lack of appeal of paying the ransom (payment of the ransom does not in any way, accelerate the time of resolution of the crisis) and awareness raising actions as well as pressure on payment intermediaries from various authorities.

Other types of attack are also taking place in the background…

The threat of ransomware should not distract from other attacks involving data theft, fraud and gains in attack capability which remain high (25% of cases) although frequency is decreasing.

Regarding access gateways to break into Information Systems, the main access channels remain using valid accounts to enterthe IS via password theft/reuse (23%), fraudulent emails/phishing to gain access (20%) and remote access services exploiting security vulnerabilities or configuration flaws (18%).

How to avoid being an easy target? Some advice from CERT-W

56% of victims did not anticipate being a potential cyberattack target… They did not have an incidence response contract nor cyber insurance and 42% of victims had not considered their resilience in the case of unavailability of their Information Systems.

“Even though diplomatic and legal efforts have weakened the cyber-criminal ecosystem, this does not mean we can stop there, we must get ready now with simple action plans to implement.” underlines Nicolas Gauchard, Senior Manager at CERT-W.

The main action plans to implement are now well known:

– Identify and protect the most critical systems and data without forgetting technical systems such as the Active Directory;

– Improve the efficiency of attack detection with a specialized 24h/7 service;

– Learn how to manage a major crisis by practicing crisis management exercises;

– Strengthen the safety of backups and learn to work without Information Systems and to rebuild systems urgently;

– Subscribe to cyber insurance and a contract with a specialist service provider in the event of a crisis.