When it comes to predictions in any industry, it is easy for futurists to say that the core aspects and processes will stay the same as today, but that in the coming years everything will be faster, bigger, more interconnected and, as a result, more complex. This is exactly what is happening in the IT world. We see multiple digital transformations and trends such as increased investment in cloud, big data, high-performance computing and automation, the integration of IoT/OT/IT systems, and projects run with a DevOps approach.
With these rapid changes in IT, companies also need to adjust their security rapidly across all of these layers. Why? Because they must ensure business resilience and business continuity, and enable the organization to react rapidly to the disruption that is coming.
Below, we outline what we see changing in cyberattacks and how it may evolve in light of the current global geopolitical crisis. As a contributor to the Verizon Data Breach Investigations Report (DBIR), Atos encourages readers to review that report in detail for more facts and figures.
Ransomware attacks (and the costs of ransom) will keep growing
Ransomware attacks increased by 25% last year. In 2022 we have already observed many ransomware attacks, with a peak in Q4, and we believe the growth will continue. The first driver is the global economic crisis together with the turmoil in the cryptocurrency market, which pushes many criminal groups to look for additional sources of income. The second driver is the war in Ukraine, which will most likely trigger more ransomware attacks against organizations and countries in Europe, Asia and the Americas that oppose Russia's invasion of Ukraine.
From the Sophos report The State of Ransomware in Retail 2022 (fig. 1), we can conclude that paying the ransom is not the cheapest option. Based on feedback from nearly 1,000 respondents, the global average ransom payment was approximately $800,000, while in the manufacturing, energy and utilities industries the average ransom was around $2,000,000. Paying the ransom also does not guarantee getting your data back: Forbes reported that, even after paying, victims recovered only 65% of their data on average. As we expect more ransomware in 2023, the rising cost of ransoms combined with the risk of permanent data loss means that companies urgently need to build their anti-ransomware defenses, starting with tested, offline or immutable backups so that recovery never depends on the attacker's decryptor.
The cost of downtime is getting worse
Beyond the ransom itself, we also have to count company downtime and production line disruption, which according to Statista averaged around 22 days in 2021 (fig. 2). Those 22 days of business interruption should be multiplied by the cost of downtime, and here we strongly recommend reviewing the 2022 Data Protection Trends Report prepared by Veeam, which is based on over 3,000 respondents. According to that survey, the average cost of downtime is $88,000 per hour. Extrapolating that hourly rate over 22 days (528 hours) of downtime gives a significant sum of roughly $46,000,000. This is only an average: many critical infrastructure organizations report that even a few minutes of downtime can cost their businesses millions of dollars, which shows the magnitude of the risk.
Combining the facts above, we predict that in the coming year threat actors will target production systems such as Operational Technology (OT) and the Internet of Things (IoT) more intensely. We therefore strongly recommend checking the end-to-end cyber resilience of production systems across all five functions of the NIST Cybersecurity Framework: identify, protect, detect, respond and recover.
Supply chain attacks will stick around
Cyberattacks through the supply chain will not grow significantly, but they will keep appearing regularly. According to Verizon's DBIR, the supply chain was involved in 62% of system intrusion incidents in 2021. Most readers are familiar with past incidents such as SolarWinds and Kaseya. In the Kaseya hack, which was used to launch a broad ransomware attack, an estimated 1,000 or more organizations were impacted. In the SolarWinds hack of 2020, an estimated 18,000 customers installed the trojanized software update that carried the backdoor. Threat actors will keep looking for such opportunities for lateral movement across bigger ecosystems, not limiting themselves to one organization but seeking high-impact opportunities that reach many victims at once.
Considering that cyber espionage targeting both the private and public sectors is also on the rise, companies should check and test their readiness for zero-day attacks and improve their cyber resilience, including additional audits of third parties and of the software and update channels those third parties deliver.
Post-attack remediation and time to recover
To simplify this analysis, we can divide organizations into two general groups:
Group A: those who have already invested in cyber resilience and have many cybersecurity services running
Group B: those who will invest in cyber resilience, probably only after a crisis such as a ransomware attack
Based on our experience from dozens of crisis emergencies managed by Atos CERT, we have observed that Group A organizations are mature from a security perspective and can react, remediate and recover fairly quickly. These companies have already implemented solutions such as MFA (multi-factor authentication), PAM (Privileged Access Management), EDR (Endpoint Detection and Response) and MDR (Managed Detection and Response). As next steps, they develop incident response plans with a CSIRT and enrich them with Threat Intelligence, Threat Hunting, External Attack Surface Management (EASM) and Red Teaming as a Service (RTaaS). This focus on continual improvement sustains cyber resilience for these organizations, which results in shorter detection times, shorter recovery times and, in the end, shorter downtime.
In Group B, a significant number of organizations have not yet considered many of the security improvements above. At the same time, threat actors become more sophisticated each year, so complex, targeted attacks will be harder to detect. We can therefore expect organizations with lower security maturity to have poor detection and remediation times, and as a result the average cost of recovering from a cyberattack will be higher. In fact, the Sophos report referenced earlier found that the estimated average cost of post-attack recovery from ransomware in 2021 was $1,400,000, compared with $750,000 in 2019.
Fast technology development gives attackers a wider spectrum of new tactics, techniques and procedures (TTPs), meaning that blue teams must continually adjust their use cases, playbooks, correlation rules and processes to react quickly to security events and incidents. Additionally, cyberattacks will become more sophisticated and more impactful, so stronger partnerships and alliances will be required to make use of cyber threat intelligence and broader telemetry during emergency security incidents.
To assure cyber resilience, let’s be #StrongerTogether.
About the author
Global Head of Atos CERT
Cyber Security Manager, Architect, Transformer and Enabler with over 15 years of experience in various global IT and security roles covering operations, transitions, design, strategy and continual improvement. With DevOps principles at heart, constantly focused on creating value for clients: supporting them reactively in difficult times during cyberattacks, and proactively in calm times during security transformations and while building cyber resilience.
In the current role, accountable for the CERT domain, covering the Digital Forensics, Incident Response, Threat Intelligence, Vulnerability Management and Red Teaming services.