Corvus Insurance, a specialist in Cyber Risk insurance, has observed a shift in tactics employed by threat actors aiming to compromise their victims with ransomware.

The analysis of claims data for 2023 indicated a notable increase in attacks that exploited vulnerabilities, marking a departure from the previous trend of relying on phishing emails. This shift in approach reflects evolving tactics among threat actors, as revealed through the insurer's examination of current threat landscape dynamics.

In terms of the frequency of claims, traditionally the firm state that the emphasis has previously been placed on social engineering, but that organisations shouldn’t overlook the significance of ransomware and other extortion attacks. These forms of cyber threats incur substantially higher costs, averaging 20 times more than the typical social engineering claim, and inflict greater impact on organisations.

According to data from Corvus, in 2022, spearphishing – the act of targeting specific individuals with tailored messages, often through email attachments containing malware - was the predominant method for ransomware used by threat actors to gain initial entry.

However, a notable shift occurred last year. If the observed trend persists, exploits targeting external vulnerabilities will likely emerge as the primary method of initial entry for ransomware attacks this year. In practical terms, this signifies attackers gaining access through vulnerabilities, including zero-day vulnerabilities - security flaws unknown to the software's vendors until exploited.

Zero-day vulnerabilities, marked by their urgency, constituted a significant portion of extortion attacks last year, comprising nearly a third of cases where data on the method of initial entry is available. This is a notable increase from the near-zero occurrences in the second half of 2022.

Noteworthy examples of exploited vulnerabilities in 2023 include the one discovered in MOVEit file transfer software in June and another found by Fortra in its GoAnywhere file transfer solution.

Key Indicators of Initial Access Methods:

• Ransomware attacks, while much rarer than Social Engineering, cost 15x more on average
• Spearphishing efforts were for a long period the most common method threat actors gained access to systems to deploy ransomware
• Recently, exploits of external software vulnerabilities have spiked, now being the method of initial entry for 1 in 3 ransomware attacks (among those for which we were able to determine the method)

Given the success threat actors have experienced with zero-day vulnerabilities, particularly in file transfer software, ongoing vigilance should be maintained to anticipate and mitigate their continued techniques and tactics in finding and exploiting vulnerabilities in the future.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).