Cyber-attacks: Ransomware, the No. 1 threat in France
October 2021 by Wavestone
As part of European Cybersecurity month and Les Assises conferences on Cybersecurity (October 13-16, 2021), Wavestone unveils the new edition of its Benchmark on cybersecurity incidents. The information contained herein is the result of a comprehensive review of interventions by the CERT-Wavestone team, in charge of supporting victims of cyber-attacks, carried out between September 2020 and October 2021… In other words, 60 major security incidents that led to locking or serious disruption of the Information System, in very different sectors: industry, the public sector, agri-food, information technology, finance, etc. The goal of this Benchmark is to provide keys to understanding the issues and a snapshot of current cybersecurity threats in France.
60% of attacks observed by CERT-Wavestone are ransomware attacks
30% of ransomware attacks combine both IS locking and data theft
90% of victims suffer irretrievable data loss but ransom payments are declining
56% of victims did not anticipate being potential targets of cyber attacks
Increasingly rapid attacks: a minimum of 3 days and an average of 25 days between the intrusion and the ransom demand
Ransomware accounts for the lion’s share of cyber attacks
Ransomware was responsible for 60% of cyber-attacks observed by CERT-W at clients. Increasingly numerous, these attacks are also more organized and better equipped, which makes them more efficient.
“Cybercriminal groups have succeeded in their digital transformation and their platform-based organization means they can pool efforts for faster and more efficient attacks” underlined Gérôme Billois, Cybersecurity Partner.
Apart from merely freezing an Information System, attacks are increasingly accompanied by data theft. Indeed, 30% of ransomware attacks observed combined IS locking with data theft, with the latter providing additional leverage for financial gain.
Faster and more targeted ransomware attacks
Our analysis reveals a decline in the average time between initial intrusion and the deployment of the ransomware in the system, with a minimum of 3 days for the fastest attack and an average of 25 days for managed cases. Attacks are increasingly designed to cause harm to their victims. Indeed, at present, they increasingly target backup systems to make them unusable and force payment of the ransom (21% of cases).
The Benchmark shows that in 90% of cases data is irretrievably lost. Note the significant decline in ransom payments this year (from 20% of victims last year to 5%). Numerous factors can explain this decline: a better understanding that paying the ransom has little appeal (payment does not in any way accelerate resolution of the crisis), awareness-raising actions, and pressure on payment intermediaries from various authorities.
Other types of attack are also taking place in the background…
The threat of ransomware should not distract from other attacks involving data theft, fraud and gains in attack capability which remain high (25% of cases) although frequency is decreasing.
The main entry points into Information Systems remain the use of valid accounts obtained through password theft or reuse (23%), fraudulent emails/phishing (20%), and exploitation of security vulnerabilities or configuration flaws in remote access services (18%).
How to avoid being an easy target? Some advice from CERT-W
56% of victims did not anticipate being a potential cyberattack target… They had neither an incident response contract nor cyber insurance, and 42% of victims had not considered their resilience in the event of unavailability of their Information Systems.
“Even though diplomatic and legal efforts have weakened the cyber-criminal ecosystem, this does not mean we can stop there, we must get ready now with simple action plans to implement.” underlines Nicolas Gauchard, Senior Manager at CERT-W.
The main action plans to implement are now well known:
Identify and protect the most critical systems and data without forgetting technical systems such as the Active Directory;
Improve the efficiency of attack detection with a specialized 24/7 service;
Learn how to manage a major crisis by practicing crisis management exercises;
Strengthen the safety of backups and learn to work without Information Systems and to rebuild systems urgently;
Subscribe to cyber insurance and a contract with a specialist service provider in the event of a crisis.