On the first day of Cybersecurity Awareness Month in the U.S., research has revealed that the number of significant global cyber attacks in 2024 will be double that of 2020.
A new report from insurer QBE, Connected Business: digital dependency fuelling risk, predicts that organisations will be hit by 211 disruptive and destructive cyber attacks this year.
Disruptive incidents are reversible and only impact data availability, integrity, or access — such as distributed denial-of-service attacks. Conversely, destructive attacks are irreversible and aim to have a physical impact on people, like the Triton malware, which disabled safety systems at petrochemical plants.
The number of disruptive and destructive cyber attacks in 2020 was 103, indicating a potential 105% increase in just four years.
The data for the report was collected by the consultancy Control Risks. They indexed a selection of “strategically important” open-source and incident response cases rather than data loss or simple device compromise type incidents.
Examples of these significant attacks from the last four years include the:
- 2021 Colonial Pipeline incident.
- 2022 attack on European oil port terminals.
- 2023 MOVEit data leaks.
- 2023 LockBit ransomware attack.
- 2024 ransomware attacks against a supplier to the U.K. NHS.
SEE: Ransomware Cheat Sheet: Everything You Need To Know In 2024
However, QBE told TechRepublic that the true figures for disruptive and destructive attacks are likely far higher than what is reported.
“As technology interdependencies grow, we expect more cyber incidents to disrupt many companies in a single attack, meaning businesses are more likely to experience a disruptive cyber event,” the authors wrote.
“Malicious actors can also target specific companies to cause greater damage, whether they’re extorting ransoms or destabilising geopolitical rivals.”
Ransomware attackers target operational tech and large companies for bigger paydays
The report finds that operational technology operators and large organisations are prime targets for ransomware attackers.
As well as having strict uptime requirements, OT organisations managing critical infrastructure are known for relying on legacy devices, as replacing technology while maintaining normal operations is both challenging and costly.
Evidence from NCC Group submitted for a U.K. government report on the threat of ransomware to national security found that “OT systems are much more likely to include components that are 20 to 30 years old and/or use older software that is less secure and no longer supported.”
This makes OT companies both accessible and likely to pay a ransom, as downtime will have severe consequences. Indeed, the QBE report claimed that ransomware attacks against industrial sector organisations surged by 50% from 2022 to 2023.
SEE: U.K., U.S. and Canadian Cyber Authorities Warn of Pro-Russia Hacktivist Attacks on Operational Technology Systems
Another group likely to concede to an attacker’s demands are the executives of large companies, as they view operational disruption as more costly. According to QBE, an average of 61% of organisations with annual revenues of $5 billion payout ransoms after an attack, compared with 25% of those with annual revenues under $10 million.
These tactics have proven lucrative. The average ransomware payout of 2023 was $2 million, a five-fold increase over 2022. The report’s authors say that successful law enforcement operations — for example, the LockBit, BlackCat, and Hive takedowns — have led attackers to hone in on wealthier targets so they can maximise ransom payments before they stopped.
Furthermore, now that takedowns are becoming more frequent, experts say that ransomware groups may view government retaliation as “inevitable,” and therefore have no reservations about targeting large or critical organisations.
Researchers behind the QBE report predict that the number of ransomware victims will rise by 11% from 2023 to 2025, with manufacturing, healthcare, IT, education, and government sectors most at risk.
Another ransomware technique the report highlights that attackers use for maximum impact is targeting IT supply chains. One reason is due to the number of companies reliant on their services making uptime more critical, as with CNI. But the other is because they create the opportunity to hit many organisations across sectors through a single attack.
Over three-quarters of third-party incidents in 2023 are attributable to just three supply chain vulnerabilities, the report finds.
Artificial intelligence as a source of both fear and hope for U.K. enterprise security
As well as the new report, QBE also surveyed 311 IT decision makers in the U.K. in September about their security concerns, with AI, of course, being the hottest topics.
It revealed that a small, but significant, 15% portion thought AI would elevate the risk of cyber attack. This is important, as 69% of medium-to-large U.K. businesses said they had already faced disruption from cyber events in the past year.
In June, HP intercepted an email campaign spreading malware with a script that “was highly likely to have been written with the help of GenAI.” AI can lower the barrier to entry for cyber crimes, as less-skilled criminals can use it to generate deepfakes, to scan networks for entry points, for reconnaissance, and more.
At the start of the year, a finance worker in Hong Kong paid out $25 million to hackers that used AI to impersonate the chief financial officer. They mimicked the executives voice during phone calls to authorise the transfer.
SEE: Report Reveals the Impact of AI on Cyber Security Landscape
On the other hand, 32% of U.K. businesses told QBE that they feel AI will improve their cyber protection, and the Control Risks researchers said it will boost the efficiency of security and defensive activities.
David Warr, the QBE Insurance Portfolio Manager for Cyber, said: “AI is both a hindrance and a help to the cyber landscape. As AI becomes more widely accessible, cybercriminals and cyber activists can launch larger-scale attacks at a faster pace. This increased capability in scale and speed brought on by AI could threaten the cyber domain. However, controlled and managed use of AI can also help detect cyber vulnerabilities.
“Companies in the U.K. and around the world both big and small should be building up their resilience to both mitigate against cyber threats and be prepared to act in the event of a cyber-attack.”