i Table of contents 210

NCC Group plc Annual Report 2022

Unlevel playing field The ransomware victim is in the firm grip of its attacker – not just because of the operational seizure but because the attacker knows more about the victim than the victim knows about the attacker, even down to how much might be paid if all goes well. Still, the playing field is not as uneven as it may initially appear. Criminals are after money and a victim which pays less than the amount originally requested is still better for the criminal than a victim which does not pay at all. The latter would be a waste of the time, effort and resources the attacker had to invest to launch the ransomware attack in the first place. So it is in the criminals’ interest to negotiate with their victims. Moreover, the attackers are people and people can be influenced and make mistakes. More than 50% “discount” Negotiations should yield maximum profit for the attacker, while the victim is after paying as little as possible. The researchers saw that after negotiating, victims managed to get between 10% and 90% “discount” – the term used by the attackers. In two-thirds of the cases examined, this discount was more than 50%. Moreover, once payment had been received, the ransomware groups under investigation adhered to the negotiated agreement, even if, in one of every two cases, their decryptors did not work well enough. Our researchers also found that the same attackers did not come back to the same victim to “try again”. The importance of time In addition to money, time is also of the essence to both the victim and the attacker. Pressure is applied to the victim to pay as soon as possible – with threats of leaking documents or doubling the ransom. However, in many of the cases investigated, the attacker remained willing to extend the deadline – giving more time to the victim to respond. Double extortion The research findings also apply to negotiations in case of other forms of extortion – the “double extortion” – where there is not only encryption of data, but also the threat of publication or selling of stolen data. In that case, the attacker has a stronger trump card than with ransomware alone.

Strategic Threat Intelligence

Our Strategic Threat Intelligence practice develops software solutions for a broader, more insightful look at current threat landscapes and the way they impact organisations around the world. Developing a web scraper, they gather data on ransomware data leaks on the dark web in real time to provide regular insights into who are the most recent ransomware victims. By recording this data and classifying the victims by sector, we can derive additional insights highlighting the sectors that have been targeted, and how current ransomware threats compare to previous months. Find out more about how to subscribe to our monthly threat intel pulse reports here: campaign.cybersecurity.nccgroup. com/threat-pulse. Facts • Ransomware attacks almost doubled in 2021, rising by 92.7% in 2021. • The most targeted regions were North America (53% of attacks) and Europe (30% of attacks). • Throughout the year, attacks were most commonly targeted at the public (19.35%) and industrial sectors (19.35%), followed by consumer cyclicals (16.13%). Read our 2021 Annual Threat Report here: campaign.cybersecurity.nccgroup.com/annual-threat-monitor Many of the dangers which we first identified at the start of the pandemic snowballed in 2021, revealing a developing threat landscape with ransomware attacks on the rise. ” Matt Hull Global Lead for Strategic Threat Intelligence, NCC Group

NCC Group plc — Annual report and accounts for the year ended 31 May 2022

21

Made with FlippingBook Online newsletter maker