Deepfake, extortion add sting to ransomware attacks

Close to two-thirds (65%) of defenders say that cyberattacks have increased since Russia invaded Ukraine in February 2022, according to the eighth edition of VMware's annual Global Incident Response Threat Report.

The report also identified emerging threats such as deepfakes, attacks on APIs, and cybercriminals targeting incident responders themselves. 

VMware conducted an online survey about trends in the incident response landscape in June 2022, and 125 cybersecurity and incident response professionals from around the world participated.

“Cybercriminals are now incorporating deepfakes into their attack methods to evade security controls,” said Rick McElroy, principal cybersecurity strategist at VMware. 

“Two out of three respondents in our report saw malicious deepfakes used as part of an attack, a 13% increase from last year, with email as the top delivery method,” said McElroy. 

He said cybercriminals have evolved beyond using synthetic video and audio simply for influence operations or disinformation campaigns. Their new goal is to use deepfake technology to compromise organisations and gain access to their environment.

Additional key findings show that burnout among cybersecurity professionals remains a critical issue, with 47% of incident responders saying they experienced burnout or extreme stress in the past 12 months, down slightly from 51% last year. 

Of this group, 69% (versus 65% in 2021) of respondents have considered leaving their job as a result. Organisations are working to combat this, however, with more than two-thirds of respondents stating their workplaces have implemented wellness programs to address burnout.

Ransomware actors are also incorporating cyber extortion strategies, often supported by collaboration between e-crime groups on the dark web. More than half (57%) of respondents encountered such attacks in the past 12 months.

Two-thirds (66%) of respondents have encountered affiliate programs and/or partnerships between ransomware groups as prominent cyber cartels continue to extort organisations through double extortion techniques, data auctions, and blackmail.

APIs are the new endpoint and the next frontier for attackers: as workloads and applications proliferate, 23% of attacks now involve a compromise of API security. 

The top types of API attacks include data exposure (encountered by 42% of respondents in the past year), SQL and API injection attacks (37% and 34%, respectively), and distributed denial-of-service (DDoS) attacks (33%).
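The SQL injection and data exposure categories above are easiest to see side by side in code. What follows is an added example, not code from the VMware report or from the article: a hypothetical API user-lookup handler built on Python's standard sqlite3 module, with constructed sample rows, a string-built query placed beside its parameterised and column-restricted form, and the classic `' OR '1'='1` payload run against both. The table, column names and handler names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data (not from the report): three accounts with a
# secret column that an API must never hand back wholesale.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hash-a1"),
    ("bob", "bob@example.com", "hash-b2"),
    ("carol", "carol@example.com", "hash-c3"),
]

# Payload that closes the string literal and appends an always-true clause.
INJECTION = "' OR '1'='1"


def make_db():
    """Build an in-memory database with the hypothetical users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def lookup_user_vulnerable(db, username):
    """Hypothetical vulnerable handler: the caller's input is spliced into
    the SQL text, and SELECT * returns every column, including pw_hash.
    Two of the report's categories at once: injection and data exposure."""
    sql = f"SELECT * FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def lookup_user_safe(db, username):
    """Hardened handler: the input travels as a bound parameter, so quotes
    in it are data rather than syntax, and only public columns are projected."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def demo():
    """Run both handlers with a normal name and with the injection payload."""
    db = make_db()
    return {
        "vuln_normal": lookup_user_vulnerable(db, "alice"),
        "vuln_injected": lookup_user_vulnerable(db, INJECTION),
        "safe_normal": lookup_user_safe(db, "alice"),
        "safe_injected": lookup_user_safe(db, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload, the vulnerable handler's query becomes `SELECT * FROM users WHERE username = '' OR '1'='1'` and returns all three rows with their password hashes; the hardened handler looks for a user whose literal name is `' OR '1'='1`, finds nothing, and even on a legitimate hit returns only username and email.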

Further, lateral movement is the new battleground, seen in 25% of all attacks, with cybercriminals leveraging everything from script hosts (49%) and file storage (46%) to PowerShell (45%), business communications platforms (41%), and .NET (39%) to rummage around inside networks. 

Despite the turbulent threat landscape and rising threats detailed in the report, incident responders are fighting back, with 87% saying that they are able to disrupt a cybercriminal's activities sometimes (50%) or very often (37%). 

They’re also using new techniques to do so. Three-quarters of respondents (75%) say they are now deploying virtual patching as an emergency mechanism. In every case, the more visibility defenders have across today’s widening attack surface, the better equipped they’ll be to weather the storm.