60%


the attacks observed by the CERT-Wavestone are ransomwares

90%


victims have irretrievably lost their data but ransom payments are decreasing

Increasingly quicker attacks: a minimum of 3 days and an average of 25 days between intrusion and blocking

On the launch of the European Cybersecurity Month and for the Assises de la Sécurité (from 13 to 16 October 2021), Wavestone unveils the new edition of its benchmark of cybersecurity incidents.  To this end, we reviewed the interventions of the CERT-Wavestone crisis management team between September 2020 and October 2021.

This represents 60 major security incidents that led to business interruption or advanced IS compromise in a diverse sector:  industry, public sector, agri-food, information technology, finance, etc. The objective of this benchmark is to shed light on and show the evolution of the state of the cyber threats, whilst also providing the keys for better anticipation and reaction.

A strong preponderance of ransomware in the panorama of cyberattacks

Ransomware accounts for 60% of the cyberattacks encountered by CERT-W for our customers. Furthermore, attackers are becoming increasingly more organized and skilled at carrying out more effective attacks

Gérôme Billois

Gérôme Billois

Partner Cybersécurité

Cybercriminal groups have succeeded in their digital transformation and their organization into a platform has made it possible to majorly make their attacks more efficient and faster

Beyond the simple blocking of the IS, the combination with data theft is becoming more and more present. Indeed, 30%of the ransomware attacks observed  include combine the blocking of the IS and the theft of data,  the latter being an additional lever to obtain financial gains.

Faster and more targeted ransomware attacks

We see a reduction in the average time between initial access and deployment of ransomware in the system with a minimum of 3 days for the fastest attack and an average of 25 days on managed cases. Attackers are becoming more and more determined to harm their victims.  Indeed, they now go so far as to target and destroy the backup mechanisms  in order to force the payment of the ransom  (21% of  cases).

We also find that in 90% of cases data has been irretrievably lost. It should be noted that  we are seeing a significant decrease in ransom payments this year (from 20% the previous year to 5% of cases). Multiple factors can  explain  this decrease, between the better understanding of the low interest to be paid  (the payment of the ransom does not accelerate the time of resolution of the crisis), the actions of awareness  and pressure on the payment intermediaries by the different authorities.

Other types of attacks are still raging in the background

The ransomware threat should not make us forget the attacks of data theft, fraud and the gain in attack capacity that remain well present (25%) even if they are less frequent.

When it comes to accessing channels to break into systems, the main gateways are still the use of valid accounts (23%), fraudulent emails,  phishing  to obtain information (20%) and remote access services using security vulnerabilities or configuration defects  (18%).

How not to be an easy target? Some tips from CERT-W

56% of victims did not anticipate being the potential target  of a  cyberattack. They  did not have an incident response contract or a cyber insurance and 42% of  victims had not thought about  their resilience in the event of an attack

Nicolas Gauchard

Nicolas Gauchard

head of CERT-W

Even if diplomatic and judicial actions have weakened the cybercriminal ecosystem, it is not a question of stopping efforts, we must prepare now thanks to simple actions to put in place

The most important actions are known:

  1. Identify and protect the most critical systems and data, including mention technical systems such as Active  Directory
  2. Improve the efficiency of attack detection with a specialized 24/7 service
  3. Know how to manage a major crisis by training through crisis management exercises
  4. Strengthen backup security and practice rebuilding immediately
  5. Subscribe to a cyber insurance and a contract with a specialized service in case of crisis