Rapid7 Says ROI for Ransomware Remains High; Zero-Day Usage Expands
The Rapid7 mid-year review of the threat landscape is not reassuring. Ransomware remains high, basic security defenses are not being used, security maturity is low, and the return on investment for criminality is potentially enormous.
The review is compiled from the observations of Rapid7’s researchers and its managed services teams. It finds there were more than 1500 ransomware victims worldwide in H1 2023. These included 526 LockBit victims, 212 Alphv/BlackCat victims, 178 ClOp victims, and 133 BianLian victims. The figures are compiled from leak site communications, public disclosures, and Rapid7 incident response data.
These figures should be seen as conservative. They won’t include organizations that quietly and successfully pay the ransom as if nothing happened. Furthermore, downstream victims are still being calculated – for example, notes the report, “The number of incidents attributed to Cl0p in this chart is likely to be (significantly) low, since the group is still actively claiming new victims from their May 2023 zero-day attack on MOVEit Transfer.”
Ransomware is successful for two reasons: the very high profit potential for the criminals, and the inadequate security posture of many potential targets. Three factors illustrate the latter. Firstly, nearly 40% of incidents were caused by missing or lax enforcement of MFA (multi factor authentication) – despite many years of exhortations to implement this basic defense.
Secondly, the general security posture remains low for many organizations. Rapid7 consultants have performed multiple security assessments for clients, “with only a single organization so far in 2023 meeting our minimum recommendations for security maturity, as measured against CIS and NIST benchmarks.”
While security for these companies may well improve after the assessment, the figures illustrate that a substantial number of organizations fail to meet minimum standards for security.
Thirdly, and reinforcing the second factor, old vulnerabilities remain successful for the attackers. “Two notable examples from 1H 2023 are CVE-2021-20038, a Rapid7-discovered vulnerability in SonicWall SMA 100 series devices, and CVE-2017-1000367, a…
