
Cybercrime, Sophos reveals the threats faced by SMEs

by admin

In the 2024 edition of its Threat Report, Sophos analyzes the cyber threats faced by SMEs last year, highlighting malware as the leading cause of data and credential theft. Titled “Cybercrime on Main Street”, the report notes that 50% of the malware detected in 2023 in the SME perimeter involved keyloggers, spyware and stealers. These are varieties of malware used to steal data and credentials, which attackers subsequently exploit to gain unauthorized access, practice extortion, install ransomware and more.

Cybercrime – the modus operandi of the IAB

The report also analyzes the so-called Initial Access Brokers (IABs), i.e. criminals who specialize in gaining access to computer networks. IABs advertise their capabilities and services on the dark web, offering to break into networks belonging to SMEs or even reselling turnkey access to SMEs that have already been breached.

Cybercrime – the value of data underlies everything

Christopher Budd, director of Sophos X-Ops research at Sophos
The value of data as a currency has grown exponentially among cybercriminals. And this is especially true for SMEs, which for a certain function tend to use a specific service or a specific software application in all their operations. Let’s take the example of a cybercriminal who introduces an infostealer into a victim’s network to steal their credentials and obtain the password to the company’s accounting software.

The attacker could then access the company’s financial functions and divert funds into an account controlled by them. There’s a reason why more than 90% of all cyberattacks reported to Sophos in 2023 involved the theft of data or credentials, whether through ransomware attacks, extortion, unauthorized remote access, or outright theft.

Ransomware is still in pole position


Although the number of ransomware attacks against SMBs has stabilized, ransomware continues to represent the main threat to small and medium-sized businesses. Of all the SMB ransomware cases managed by Sophos Incident Response (IR), LockBit was the gang that hit the hardest. Akira and BlackCat are in second and third position respectively. The SMEs analyzed also had to face attacks from older, lesser-known but still persistent ransomware such as BitLocker and Crytox.

Cyber threats faced by SMEs

The report also highlights how ransomware gangs continue to modify their tactics, for example by using remote encryption and targeting Managed Service Providers (MSPs). Remote encryption is when the attacker uses an unmanaged device on the victim’s network to encrypt files residing on other systems on the same network. Between 2022 and 2023, the number of ransomware attacks that exploited remote encryption increased by 62%. Additionally, last year, the Sophos Managed Detection and Response (MDR) team responded to 5 cases involving small businesses attacked via a vulnerability in the RMM software adopted by their respective MSPs.

Criminals are also experimenting with new formats

According to the report, Business Email Compromise (BEC) attacks were the most numerous after ransomware among those managed by Sophos IR in 2023. BEC attacks and other social engineering campaigns show an increasing level of sophistication. Rather than simply sending an email message with a malicious attachment, attackers increasingly establish a dialogue with victims by sending a series of emails to start a conversation, or even call them on the phone.


Cyber threats faced by SMEs in 2023 in the Sophos report

In an attempt to bypass traditional antispam tools, cybercriminals are experimenting with new formats for their content, for example using images with the dangerous code embedded in them, or attaching it in OneNote or archive formats. In one case handled by Sophos, attackers sent a PDF document with a blurry and illegible preview of a supposed “invoice.” The button that should have allowed it to be downloaded instead contained a link to a dangerous website.
