{"id":2891,"date":"2025-04-24T03:58:33","date_gmt":"2025-04-24T03:58:33","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2891"},"modified":"2025-04-24T03:58:33","modified_gmt":"2025-04-24T03:58:33","slug":"ransomware-the-most-pervasive-threat-to-us-critical-infrastructure-in-2024-says-fbi","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2891","title":{"rendered":"Ransomware the most pervasive threat to US critical infrastructure in 2024, says FBI"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Despite successful operations against ransomware gangs in 2024, ransomware was still the most pervasive threat to critical infrastructure in the US last year, according to the <a href=\"https:\/\/www.ic3.gov\/AnnualReport\/Reports\/2024_IC3Report.pdf\">FBI\u2019s latest Internet Crime Report<\/a>.<\/p>\n<p>The agency received more than 4,800 cyber threat complaints from critical infrastructure firms in 2024, with the most reported incidents from those providers dealing with ransomware and data breaches. Ransomware reports to the FBI from this sector went up 9% last year compared to 2023.<\/p>\n<p>Covered in the report are all incidents, both from organizations and individuals, reported to the FBI\u2019s Internet Crime Complaint Center (IC3). For the past five years, IC3 has averaged more than 2,000 complaints every day.<\/p>\n<p>\u201cLast year saw a new record for losses reported to IC3, totaling a staggering $16.6 billion,\u201d the report said. Fraud represented the bulk of reported losses in 2024.<\/p>\n<p>The leading complaint was phishing\/spoofing (193,407 complaints), followed by extortion (just over 86,000), and personal data breach (just over 64,800). 
Business email compromise scams, for example, where a scammer pretends to be a business partner of a firm and asks that the firm change the bank account to which it sends payments to one under the scammer\u2019s control, ranked seventh, just below tech support scams.<\/p>\n<p>Ransomware ranked way below, with 3,156 complaints and an estimated $12.473 million in losses, compared to over $2 billion in business email compromise losses and $70 million in phishing\/spoofing losses.<\/p>\n<p>However, the report noted that the ransomware losses don\u2019t include estimates of lost business, lost time, lost files, or the cost of third-party remediation, and, it added, the figures may be low because some organizations don\u2019t report ransomware losses to the FBI.<\/p>\n<p>In addition, the numbers may be understated because they only include incident reports to the IC3, and not ransomware incidents reported to FBI field offices.<\/p>\n<h2 class=\"wp-block-heading\">Initial attack vectors<\/h2>\n<p>Security firm Mandiant\u2019s annual M-Trends report summarizing attacks it investigated around the world, <a href=\"https:\/\/cloud.google.com\/security\/resources\/m-trends\">also released on Wednesday<\/a>, contained additional insights into the state of ransomware.<\/p>\n<p>The most common way organizations were initially breached in 2024 was through exploiting new or unpatched vulnerabilities, the initial infection vector in one-third of investigations, it said. In fact, exploits overtook phishing as the leading initial infection entry point.<\/p>\n<p>However, when it came to ransomware incidents, the most commonly observed initial infection vector, when the vector could be identified, was a brute-force credential attack. 
These included password spraying, virtual private network (VPN) devices compromised through default credentials, and high-volume Remote Desktop Protocol (RDP) login attempts.<\/p>\n<h2 class=\"wp-block-heading\">Number of successful attacks rose<\/h2>\n<p>The FBI and international law enforcement partners scored some big wins against ransomware gangs last year, including the <a href=\"https:\/\/www.csoonline.com\/article\/1308503\/lockbit-ransomware-operations-seized-by-law-enforcement-in-operation-cronos.html\">takedown of the LockBit gang\u2019s infrastructure<\/a> and <a href=\"https:\/\/www.nationalcrimeagency.gov.uk\/news\/lockbit-leader-unmasked-and-sanctioned\">exposing its leader<\/a>. \u201cWe dealt a serious blow to LockBit, one of the world\u2019s most active <a href=\"https:\/\/www.csoonline.com\/article\/3838121\/the-dirty-dozen-12-worst-ransomware-groups-active-today.html\">ransomware groups<\/a>,\u201d the FBI report said at one point. However, <a href=\"https:\/\/intel471.com\/blog\/update-lockbit-ransomware\">there are reports the group is reviving<\/a>.<\/p>\n<p>Despite these successes, the IC3 recognized 67 new ransomware variants last year. 
The most reported of these new variants were <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/d\/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html\">FOG<\/a>, Lynx, <a href=\"https:\/\/www.truesec.com\/hub\/blog\/dissecting-the-cicada\">Cicada 3301<\/a>, <a href=\"https:\/\/www.group-ib.com\/blog\/dragonforce-ransomware\/\">DragonForce<\/a> and Frag.<\/p>\n<p>Roger Grimes, data-driven defence evangelist at KnowBe4, pointed out in an email to CSO that, despite the FBI\u2019s best substantive efforts to defeat ransomware with real tangible wins, the <a href=\"https:\/\/www.csoonline.com\/article\/3968299\/global-firms-succumb-to-ransomware-86-pay-up-despite-having-advanced-backup-tools.html\">number of successful ransomware attacks<\/a> rose, and overall reported losses increased by 33%. \u201cThis is despite very robust efforts to combat [them] and far less victims paying the ransom than ever before,\u201d he said. \u201cIs that a victory?\u201d<\/p>\n<h2 class=\"wp-block-heading\">Fighting ransomware<\/h2>\n<p>\u201cThe FBI\u2019s report has always gotten the percentage of crimes occurring\u00a0due to social engineering and phishing wrong,\u201d Grimes added. \u201cThey undercount it by a mile.\u201d He pointed out that many of the FBI\u2019s named threats are actually the result of social engineering and phishing.<\/p>\n<p>\u201cRansomware isn\u2019t how you got compromised,\u201d he added. \u201cIt\u2019s the result of you getting compromised, usually due to social engineering and phishing. 
\u2026 If the FBI added up all the threats that happened because of social engineering and phishing it would likely account for 90% of the threats they report.\u201d<\/p>\n<p>Grimes argued that social engineering is involved in at least 70% of all successful\u00a0data breaches and at least half of ransomware cases, although, he added, exploits due to unpatched software and firmware have been increasing.<\/p>\n<p>\u201cEvery other way you could be compromised, added up all together, only accounts for about 10% of ransomware cases. So, clearly the most effective things you could be doing are fighting social engineering and making sure you patch things that are being\u00a0exploited (using CISA\u2019s Known Exploited Vulnerability Catalog list),\u201d he said.<\/p>\n<p>To fight social engineering attacks, CISOs should implement defense-in-depth policies, technical defenses, and training, he said. \u201cMost people have the right policies and technical defenses, flawed as they may be,\u201d\u00a0he added. \u201cThe best thing most organizations can do to fight ransomware is to do aggressive human risk management and in particular, great security awareness training, including monthly training and simulated phishing.\u201d<\/p>\n<p>Unfortunately, he said, most companies don\u2019t spend 5% of their IT\/IT security budget on fighting social engineering and patching their software and firmware. \u201cThat is exactly why all hackers, malware, and in particular, ransomware, continue to be so successful long-term,\u201d he said.<\/p>\n<h2 class=\"wp-block-heading\">Resources available<\/h2>\n<p>There is a huge number of resources on the internet to help CISOs fight ransomware. 
A good place to start is with the\u00a0<a href=\"https:\/\/securityandtechnology.org\/virtual-library\/reports\/ransomware-task-force-doubling-down\/\" target=\"_blank\" rel=\"noopener\">reports of the Institute for Security and Technology\u2019s Ransomware Task Force<\/a>, particularly its <a href=\"https:\/\/securityandtechnology.org\/virtual-library\/reports\/blueprint-for-ransomware-defense-an-action-plan-for-ransomware-mitigation-response-and-recovery-for-small-and-medium-sized-enterprises\/\" target=\"_blank\" rel=\"noopener\">Blueprint for Ransomware Defense<\/a>.<\/p>\n<p>Joshua Corman, a member\u00a0of the institute who focuses on the impact of cyber attacks on lifeline critical infrastructure like hospitals and utilities, found the FBI report alarming. Health care providers are among the top targets of ransomware gangs, he noted.<\/p>\n<p>\u201cIt should disturb everybody that some of the most time-sensitive [providers of critical infrastructure], like water and access to emergency care, are also the least prepared to take a punishment\u201d from a cyber attack, he said.<\/p>\n<p>Corman runs a pilot project called\u00a0<a href=\"https:\/\/securityandtechnology.org\/undisruptable27\/\" target=\"_blank\" rel=\"noopener\">UnDisruptable27<\/a>, aimed at helping providers of life-affecting critical infrastructure become more resilient.<\/p>\n<p>He pointed out that many CISOs may see ransomware as a regulatory or privacy violation covered by insurance, but while insurance may cover that, as well as ransom payments for data and IT recovery, \u201cinsurance doesn\u2019t cover loss of life.\u201d Nor, he said, does insurance cover insufficient cash flow a provider may suffer after a cyber attack that leads to its closure.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Despite successful operations against ransomware gangs in 2024, ransomware was still the most pervasive threat to critical infrastructure in the US last year, 
according to the FBI\u2019s latest Internet Crime Report. The agency received more than 4,800 cyber threat complaints from critical infrastructure firms in 2024, with the most reported incidents from those providers dealing [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2892,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2891","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2891"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2891"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2891\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2892"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2891"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2891"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2891"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}