Ransomware Prevention Saw ‘Massive’ Improvement In 2022: IBM X-Force
A significantly higher percentage of attacks were halted before they could progress to full-blown ransomware deployment last year, IBM X-Force said in a new report.
Findings from a new IBM Security report show a significant improvement on the prevention of ransomware attacks in 2022, a positive sign for cyber defense and its threat detection and response efforts.
The X-Force Threat Intelligence Index 2023 report, released Wednesday, comes from IBM Security’s X-Force unit and leverages the group’s incident response data as well as data from endpoints, network devices and vulnerability databases.
The report reveals a dramatic increase in the percentage of attacks that were stopped before they could progress to ransomware deployment, according to John Dwyer, head of research at IBM Security X-Force.
[Related: 10 Hot XDR Security Companies You Should Watch In 2023]
“It is a win” for cyber defense, Dwyer told CRN. “This is the first time ever where we feel like they’re detecting [attacks] a lot earlier.”
A key stat demonstrating this shift is that 21 percent of attacks were halted at the point of backdoor deployment, one of the initial stages of a typical ransomware attack. A backdoor can allow an attacker to bypass security measures when re-entering a corporate network.
The reason this backdoor stat is so significant, Dwyer said, is that in prior years, X-Force was not even tracking the metric because it was considered an outlier. Previously, the percentage of attacks that were shut down at the backdoor stage was “almost non-existent,” he said.
In other words, detection and response efforts produced a “massive” improvement in catching attacks at the initial backdoor stage in just one year, Dwyer said. The percentage of incidents that actually resulted in ransomware, meanwhile, dropped to 17 percent in 2022 from 21 percent in 2021, according to the report.
“The number and the rate at which ransomware attacks are attempted hasn’t changed,” Dwyer said. “But what we’re seeing is, there are more attacks that are less successful.”
This is “the first time ever we’ve seen defenders make a difference” in this way, he said. For organizations that were able to detect attacks at the backdoor stage — and then bring in X-Force to contain and remove the threat actor from the system — it “prevented that incident from becoming a crisis,” Dwyer said.
Without a doubt, “the technology is getting better and better at finding ransomware attackers as they’re going through their goals and objectives,” he said.
The increased success for detection and response helps to illuminate some of the findings of other cybersecurity firms about ransomware in 2022. Mandiant told the Wall Street Journal that it responded to 15 percent fewer ransomware incidents last year, while CrowdStrike told the media outlet that the average ransom demand dropped 28 percent last year, to $4.1 million.
‘Inflection Point’
Anecdotally, Dwyer said he’d already noticed the improvement on ransomware prevention even before the data was pulled together for the IBM X-Force report. More frequently than in the past, he said, X-Force would receive calls reporting that they’d seen an alert about an attacker in their system.
That’s in contrast to previous years, when the calls would more frequently be along the lines of, “’Oh my god, my entire company has been burned to the ground.’ That’s when they’d call,” Dwyer said. “More often [last year], that phone call was happening much earlier.”
Looking ahead, though, Dwyer said he hopes that the success doesn’t lead to complacency.
“This is an inflection point. As an industry, we could build on this momentum and continue to get better at detection and response, and start making ransomware so expensive for attackers that it doesn’t become worthwhile anymore,” he said. “Or we can rest on our laurels and say, ‘The technology is doing such a good job at catching the backdoor, that we’re good.’”
Initial Access
The IBM X-Force report also provides a look into the favored methods of attackers for gaining initial access into a victim’s systems.
In 2022, phishing remained at the top, with 41 percent of incidents involving phishing, according to the X-Force report. That percentage was on par with 2021, and up from 33 percent in 2020.
Coming in second was exploitation of public-facing applications, accounting for 26 percent of incidents last year, according to the report. That was down from 34 percent in 2021.
Abuse of valid accounts was used to gain initial access in 16 percent of incidents last year.
Partner Impact
For security services providers, especially smaller managed service providers, the fact that prevention tools are working is good news at a time when security obligations continue to rise and talent is in short supply.
“The overall trend is that our responsibilities just keep climbing,” said Michael Kamen, founder and CEO at Edge Solutions Group, a Santa Monica, Calif.-based MSP. “The level of vigilance that we have to have in place, and the constant need to educate the clients, is just increasing.”
In part because of this dynamic, the MSP has found it valuable to deploy security tools that excel at attack prevention on behalf of clients, he said. For Edge Solutions Group, those include ThreatLocker, which offers “application allowlisting” functionality that ensures that malware cannot run in customer IT systems.
All in all, in response to the ever-intensifying threat environment, “we do a lot in the way of preventing something from happening in the first place,” Kamen said.