- 60% of attacks observed by CERT-Wavestone are ransomware attacks
- 30% of ransomware attacks combine both IS locking and data theft
- 90% of victims suffer irretrievable data loss but ransom payments are declining
- 56% of victims did not anticipate being potential targets of cyber attacks
- Increasingly rapid attacks: a minimum of 3 days and an average of 25 days between the intrusion and the ransom demand
As part of European Cybersecurity month and Les Assises conferences on Cybersecurity (October 13-16, 2021), Wavestone unveils the new edition of its Benchmark on cybersecurity incidents. The information contained herein is the result of a comprehensive review of interventions by the CERT-Wavestone team, in charge of supporting victims of cyber-attacks, carried out between September 2020 and October 2021… In other words, 60 major security incidents that led to locking or serious disruption of the Information System, in very different sectors: industry, the public sector, agri food, information technology, finance, etc. The goal of this Benchmark is to provide keys to understanding the issues and a snapshot of current cybersecurity threats in France.
Ransomware accounts for the lion’s share of cyber attacks
Ransomware was responsible for 60% of cyber-attacks observed by CERT-W at clients. Increasingly numerous, these attacks are also more organized and better equipped, leading to greater efficiency in such attacks.
“Cybercriminal groups have succeeded in their digital transformation and their platform-based organization means they can pool efforts for faster and more efficient attacks” underlined Gérôme Billois, Cybersecurity Partner.
Apart from merely freezing an Information System, attacks are increasingly accompanied by data theft. Indeed, 30% of ransomware attacks observed combined IS locking with data theft, with the latter providing additional leverage for financial gain.
Faster and more targeted ransomware attacks
Our analysis reveals a decline in the average time between initial intrusion and the deployment of the ransomware in the system, with a minimum of 3 days for the fastest attack and an average of 25 days for managed cases. Attacks are increasingly designed to cause harm to their victims. Indeed, at present, they increasingly target backup systems to make them unusable and force payment of the ransom (21% of cases).
The Benchmark shows that in 90% of cases data is irretrievably lost. Note the significant decline in ransom payments this year (from 20% of victims last year to 5%). Numerous factors can explain this decline: better understanding of the lack of appeal of paying the ransom (payment of the ransom does not in any way, accelerate the time of resolution of the crisis) and awareness raising actions as well as pressure on payment intermediaries from various authorities.
Other types of attack are also taking place in the background…
The threat of ransomware should not distract from other attacks involving data theft, fraud and gains in attack capability which remain high (25% of cases) although frequency is decreasing.
Regarding access gateways to break into Information Systems, the main access channels remain using valid accounts to enterthe IS via password theft/reuse (23%), fraudulent emails/phishing to gain access (20%) and remote access services exploiting security vulnerabilities or configuration flaws (18%).
How to avoid being an easy target? Some advice from CERT-W
56% of victims did not anticipate being a potential cyberattack target… They did not have an incidence response contract nor cyber insurance and 42% of victims had not considered their resilience in the case of unavailability of their Information Systems.
“Even though diplomatic and legal efforts have weakened the cyber-criminal ecosystem, this does not mean we can stop there, we must get ready now with simple action plans to implement.” underlines Nicolas Gauchard, Senior Manager at CERT-W.
The main action plans to implement are now well known:
- Identify and protect the most critical systems and data without forgetting technical systems such as the Active Directory;
- Improve the efficiency of attack detection with a specialized 24h/7 service;
- Learn how to manage a major crisis by practicing crisis management exercises;
- Strengthen the safety of backups and learn to work without Information Systems and to rebuild systems urgently;
- Subscribe to cyber insurance and a contract with a specialist service provider in the event of a crisis.
This Benchmark is the result of consolidation of data covering 60 incident responses carried out by CERT-Wavestone between September 2020 and October 2021 with 50 organizations belonging to the Top 200 French companies, from 10 different sectors of activity: Banking, Insurance, Retailing, Industry, Public sector, Health, Services, Sport, Telecoms, Transport. The data used in the Benchmark have been anonymized: data collection is solely for statistical purposes.
In a world where knowing how to change is the key to success, Wavestone’s mission is to enlighten and guide large companies and organizations through their most critical transformations with the aim of creating a positive outcome for all stakeholders. We call it “The Positive Way.”
Wavestone has over 3,400 employees in eight countries. It is one of the leading independent consulting firms in Europe and is the top independent consulting firm in France.
Wavestone is listed on the Euronext in Paris and is certified as a Great Place To Work®.
For further information, consult www.wavestone.com // @wavestoneFR
Contact CERT-W: firstname.lastname@example.org