Ransomware attacks are increasingly targeting organizations. Over time, however, organizations have become able to detect such attacks faster and more easily: the overall median dwell time, that is, the time between the start of a cyberattack and its detection, was 56 days. This average is 28% lower than the 78-day average observed in 2019, according to FireEye.
Experts attribute this trend to organizations working to improve their detection programs, together with changes in intruder behavior. For example, there is an increasing number of catastrophic attacks, such as ransomware and cryptocurrency miners, which often have shorter dwell times than other types of attacks.
Internal and external detection times have also been reduced. The average dwell time for organizations that learned of an attack from an external party is estimated at 141 days, down 23% from the previous M-Trends report, where it was 184 days. At the same time, the average dwell time for organizations that detected the attack themselves is estimated at 30 days, down 40% year over year from 50.5 days. While internal dwell time showed the greatest improvement, 12% of investigations still have a dwell time of more than 700 days.
Although the dwell time for attacks detected internally by organizations has been reduced, the overall share of security incidents detected internally, as opposed to reported by external sources, has also decreased. Specifically, there was a 12 percentage point decrease in the share of internally detected intrusions year over year. This comes after a steady increase in internal detections since 2011. 2019 is the first time in four years that external alerts, where an external entity informs an organization that it has been compromised, outnumbered internal detections. This may be due to a number of reasons, such as increases in law enforcement and cybersecurity alerts, changes in public disclosure standards, and changes in the form of attacks. The ability of organizations to detect intrusions is unlikely to have deteriorated, as measurements show continuous improvements in organizational detection and response.
In 2019, hundreds of new malware families were observed, of which 41% had never appeared before. In addition, 70% belonged to one of the five most frequently observed families, which are based on open source tools with active development. The new malware families show, among other things, that cybercriminals are looking for ways to make money faster. Also, the majority of new malware families affected Windows and other platforms. Although some new malware families exclusively affected Linux or Mac, this activity remains in the minority.
Of the attacks detected, 29% were motivated by direct financial gain. This includes extortion, ransom, card theft and illicit transfers. 22% of the attacks were related to data theft, most likely in support of intellectual property or espionage end goals. Successful monetization of ransomware attacks and the availability of ransomware as a service have contributed to an increase in overall ransomware incidents. Well-established cybercrime groups that target personal information and credit card information are increasingly turning to ransomware as a secondary means of monetization. Given the ease with which ransomware attacks can be carried out and the continued financial success for attackers, it is expected that ransomware will continue to be used as a secondary means of monetizing victims.