The Verizon Data Breach Investigations Report found that out of 5,258 breaches analyzed in the past year, 10% involved ransomware -- twice that of last year.
The Data Breach Investigations Report (DBIR) took data from public and private sector organizations around the world in order to find trends relating to data breaches and other security incidents. This year's report, published Thursday, featured analysis of 29,207 security incidents and 5,258 data breaches in 2020 from organizations in 88 countries.
The 119-page report focused on everything from threat actor motivations to how said threat actors gain access, but a primary point of interest was ransomware. For example, the representation of ransomware in overall breaches doubled over last year's report.
The Verizon DBIR attributed this directly to name-and-shame tactics, where ransomware operators both encrypt data and threaten to publish it if the victim doesn't pay.
"As mentioned in last year's report, we saw ransomware groups begin pivoting to take a copy of the data for use as leverage against their victims prior to triggering the encryption," the report read. "This began with the Maze Group, and as they enjoyed success, other groups jumped onto the bandwagon. Now it has become commonplace, with many of the Ransomware groups having developed infrastructure specifically to host these data dumps."
As for attack vectors, the report pointed to the use of stolen credentials or brute forcing into systems as those leading the charge. In addition, 60% of ransomware incidents involved either direct installation of the ransomware or installation through desktop sharing applications.
Outside of these primary vectors, the rest that Verizon analyzed "were split between email, network propagation and downloaded by other malware, which isn't surprising as we found in our web proxy detections dataset that 7.8% of organizations attempted to download at least one piece of known ransomware last year," the report read.
Verizon also discussed how threat actors target organizations with ransomware, saying attackers are likely to target data that will impact operations more than solely targeting customer payment data. "This will increase the likelihood that the organization will pay up in a ransomware incident," Verizon wrote.
The section dedicated to social engineering included some of the more notable non-ransomware findings. Social engineering attacks, like last year's Twitter breach, typically involve a threat actor deceiving someone within an organization to gain access; examples include phishing, business email compromise and tech support scams, where a threat actor claims to be someone from "tech support" and asks either for remote access or something like a VPN login.
A majority of social engineering incidents analyzed by Verizon for the 2021 DBIR were discovered externally -- like law enforcement and the attacker disclosing themselves -- and that majority gets even larger when security partners are factored in. Only a small number of social engineering attacks are discovered from an employee within the company after the fact.
Overall, 85% of breaches analyzed involved some kind of human element.
The Verizon DBIR isn't the only research of late to show a marked increase in ransomware activity. The severity of attacks continues to rise, according to a recent report from Coveware. However, the response to ransomware has also gotten more aggressive, with the recent formation of ransomware task forces led by both public sectors and private sectors, as well as President Joe Biden's recent executive order modernizing cyber defenses.
Alexander Culafi is a writer, journalist and podcaster based in Boston.