The Evolution of Cybersecurity: The Rise of Ransomware
Pretty much everyone was stuck at home for the majority of 2020 – including hackers – so it wouldn't be surprising if you thought that data breaches were on the rise last year.
As it turns out, you would be wrong.
The Identity Theft Resource Center’s 15th annual Data Breach Report shows that the number of data breaches in the U.S. was down 19% last year, falling to 1,108 from 1,473 in 2019. The number of people affected by breaches was down 66% year over year.
It’s actually the second year in the last four to post declines in the number of breaches. And the ITRC says it expects that trend to continue, as hackers’ interest has increasingly turned toward tactics including ransomware and phishing attacks directed at organizations.
“Cybercriminals are simply shifting their tactics to find a new way to attack businesses and consumers,” said Eva Velasquez, president and CEO of the ITRC, a nonprofit that assists identity theft victims. “It is vitally important that we adapt our practices, and shift resources, to stay one step ahead of the threat actors.”
It’s worth noting that the December hack of SolarWinds by suspected Russian intelligence operatives that infiltrated 18,000 government agencies and private sector companies is not included in the ITRC’s count, since (at present) there’s no indication consumer data was compromised.
The decline in breaches is no reason for businesses – or consumers – to relax. While the number of individuals who were impacted tumbled last year, it still topped 300 million – the third highest count in the past six years.
“Now is not the time for consumers to think their risk has evaporated,” said Velasquez. “There are still hundreds of millions of records exposed each year and consumers need to understand this is a continuing risk that can have real impacts on their lives.”
Other security experts agree.
“The pandemic actually forced businesses and individuals to focus on cybersecurity to successfully work from home, and fast tracked our collective understanding of the critical need for cyber security,” said Hemu Nigam, founder of SSP Blue, an Internet security consultant business and former VP of internet enforcement at the MPAA. “We may be on our way to convincing the C-suite why cyber security budgets are as important as marketing budgets. That said, never, ever let your guard down.”
Businesses, meanwhile, need to learn new methods of protecting their data – and fast.
Cybercriminals make more money via ransomware and phishing schemes than they do on the sale of consumer personal information. Those attacks also generally require less effort and can be automated.
Ransomware is nothing new. For years, hackers have taken control of systems and tried to force companies to pay to unlock them. Most businesses, though, learned to keep backups of their information, which they would restore before moving forward – ignoring the demand. In the past few years, however, hackers have instead threatened to release that information publicly. Since affected companies don’t know precisely what information was taken, they are forced to engage with the hackers.
The average ransomware payout has grown to nearly $234,000 per event, according to cybersecurity firm Coveware. Two years ago, the average payout was just a few thousand dollars. Then the thieves realized the potential of exposure as a weapon.
“The disequilibrium within the cyber extortion industry was evident when attackers discovered that the same tactics, techniques, and procedures (TTPs) that work on a 500-person company can work on a 50,000-person company and the potential payoff is substantially higher,” the company said.
It's possible, added Coveware, that the influx of work-at-home employees dialing into a central system could have given criminals a new entry point for ransomware that didn’t exist before.
Professional services firms are targeted the most frequently – more than 25% of the time. (Health care is third at 11.3%.) And it’s an especially big problem for small businesses. Just over 40% of all companies targeted by ransomware hackers have 100 or fewer employees.
The average ransomware attack results in 19 days of downtime, according to Coveware. And the threat isn’t just to businesses.
A ransomware attack on Blackbaud last year resulted in the theft of information for 475 of the company’s business customers, including the personal information of over 11 million people.
The criminals claimed to have destroyed the data when Blackbaud paid the ransom, but there’s no way to ascertain that definitively. And that means consumers have to remain vigilant.
“Ransomware remains a major threat to consumers especially since criminals are recognizing that the threat of ransomware is in itself enough to get consumers to pay up,” said Nigam. “Consumers need to focus on continuously backing up their devices and using the latest anti-malware and anti-phishing solutions, and keeping them up to date at all times.”
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.