Ransomware Attacks Doubled in 2017, Verizon Reports

Verizon's 2018 Data Breach Investigations Report finds that 68 percent of breaches took months for organizations to discover.

Verizon 2018 DBIR

Ransomware attacks grew significantly in 2017, doubling in volume from the year earlier, according to Verizon's 2018 Data Breach Investigations Report, which was released on April 10.

Verizon's 2018 DBIR reveals insights on the state of data breaches, derived from analysis of over 53,000 security incidents and 2,216 breaches.

The doubling of ransomware attacks from the volume reported in last year's DBIR wasn't the only high-level finding in this year’s report. Verizon also noted a spike in financial pretexting attacks, where hackers aim to gain personal information about individual's tax returns. In terms of where breaches are coming from, Verizon reported that 72 percent of attacks were perpetrated by outsiders.

"This year we saw a second year of surging ransomware that was incredible, but not altogether unexpected," Gabe Bassett, senior information security data scientist at Verizon Enterprise Solutions, told eWEEK. "Ransomware doubled in 2016, and it doubled again in 2017."

Ransomware was found in 39 percent of malware-related security incidents examined by Verizon for the 2018 DBIR. Bassett said Verizon somewhat expected ransomware to grow, since it offers a good value proposition for attackers.

"Ransomware is easy to exploit; you just have to get someone to run an attachment," he said. "We know from our phishing data that in any campaign an average of 4 percent of people will click an attachment."

Bassett added the ransomware is relatively easy for hackers to monetize with cryptocurrency and the attack vector has become commoditized with multiple ransomware-as-a-service offerings.

Financial Pretexting

Social engineering attacks are not a new category for Verizon's DBIR, though in 2017, Bassett said there was a rise in an emerging form of attack known as financial pretexting. In a financial pretexting attack, a hacker calls a company claiming to be a corporate executive and asks for a financial transfer. Verizon found that in 2017 there was an increase in financial pretexting going after W2 tax information.

"In the tax information attacks, it's a more subtle attack. You're not asking someone to make a $40,000 transfer; you're just asking for some documents," Bassett said. "But those documents have substantial value for use in tax fraud."

Breach Discovery

A key metric tracked by Verizon is the time to detection for a data breach. Verizon reported that 87 percent of breaches took "minutes or less" for attackers to gain access. In contrast, 68 percent of breaches were undiscovered by organizations for one or more months.

Since 2014, Verizon has identified nine basic attack patterns into which nearly all attacks can be categorized: point-of-sale (POS) intrusions, web application attacks, insider misuse, theft and loss, miscellaneous errors, crimeware, payment-card skimmers, denial-of-service attacks and cyber-espionage. For the 2018 report, the top category for breaches was web applications, followed by miscellaneous errors.


While the data collected by Verizon for its annual DBIR is noteworthy, as it shows trends in the breach landscape, so too is the process and technology used for analysis.

The technology behind Verizon's DBIR is known as the Vocabulary for Event Recording and Incident Sharing, or VERIS, which is a framework for understanding and recording security breaches. In 2014, Verizon first made VERIS publicly available on the GitHub social coding site. Bassett said VERIS has been enhanced significantly in recent years to help automate data collection and analysis.

"We've really evolved from a manual process that several years ago was Excel spreadsheets," Bassett said. "We now have a workflow using Apache Airflow which takes in all the raw data every night, generates the data frame and generates all of our analyses."

Verizon is continuing to make improvements to VERIS that will enable the company to include new types of analysis when the 2019 DBIR is released next year.

"We have started to collect path data, so instead of thinking of data breaches as a single point in time, we're collecting information on the path a breach has taken," Bassett said. "We have a basic capability to do that now, and we're working to improve the underlying data structure to better support that."

Looking Forward

Bassett doesn't expect that the volume of attacks and data breaches will decline in 2018, though he is optimistic that positive changes can occur.

"There are a lot of targets and any attacker can breach someone, and some attackers can reach everyone," he said. "But what's important to remember is that not every attacker has to be able to breach you and your company."

Organizations that implement security best practices and controls can limit their risks and avoid becoming a statistic in the DBIR, Bassett said. That said, he noted that for every organization that does better, there is likely another organization that hasn't done the work and will become a new target for an attacker.

"We'll probably have just as many breaches next year because the attackers are saturated, but your organization doesn't have to be the one being breached; it can be someone else," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.