Sophos Threat Report 2024: SMEs in the crosshairs

Cybercrime is a challenge for organizations of all sizes, but it hits small businesses the hardest and often under the public's radar. While cyberattacks on corporations and government agencies make up the bulk of news coverage, small businesses are generally more vulnerable and suffer proportionally more from the consequences of cyberattacks. A lack of experienced security personnel, insufficient investment in cyber security and overall lower budgets for information technology contribute to this vulnerability. SMEs are no small matter. According to the World Bank, more than 90 percent of companies worldwide are small and medium-sized organizations and they account for more than 50 percent of global employment.

Keylogger, spyware and stealer in 50 percent of attacks

Keyloggers, spyware and so-called stealers, i.e. malware for stealing data and access data, are used in almost half of all attacks on SMEs. Cyber criminals later use this stolen information for further actions such as unauthorized remote access, blackmail or the installation of ransomware.

The Sophos report also analyzes so-called IABs, or initial access brokers. These criminals specialize in breaking into computer networks. The report shows that cyber criminals use the dark web to offer their services specifically to SME networks. They also sell instant access directly to SMEs that they have already hacked.

Cybercrime has only one goal: data

Christopher Budd, Director Threat Research at Sophos X-Ops, categorizes the findings as follows: "The value of data as a currency has grown exponentially among cybercriminals and this is especially true for SMBs as they tend to use one service or application per function for the entire organization. An example: Attackers use an infostealer on a target network to steal access data. A password for the entire company's billing software falls into their hands. They could now gain access to the company's financial data and transfer funds to their own accounts. There's a reason that 90 percent of all cyberattacks Sophos investigated in 2023 involved data or identity theft - either through ransomware attacks, data extortion, unauthorized remote access or outright data theft."

Ransomware remains the biggest threat for SMEs, LockBit is number 1

Even though the number of ransomware attacks against SMEs has remained the same, they still represent the biggest cyber threat to companies with fewer than 500 employees. According to the Sophos Incident Response team, which intervenes in acute attacks, LockBit was the ransomware group with the greatest potential for chaos. Akira and BlackCat follow in second and third place. Attacks by older or less well-known ransomware, such as BitLocker or Crytox, have also occurred recently.

Remote encryption increases by 62 percent

The report also shows that criminals are maintaining their strategy of constantly changing the tactics for their ransomware attacks in order to remain successful. This currently manifests itself in the increased emergence of encryption activities via remote access and the targeting of MSPs (Managed Service Providers) as attack surface multipliers. Between 2022 and 2023, the number of ransomware attacks with remote encryption increased by 62 percent. The Sophos Managed Detection and Response (MDR) team also responded to several cases in 2023 where SMBs were attacked via vulnerabilities in their MSP's remote monitoring and management (RMM) software.

Social engineering and business communication: attackers are becoming more penetrating

Scam emails aimed specifically at companies, known as business email compromise (BEC), were among the second most common attacks after ransomware in 2023. These and other social engineering attacks involve an increasing level of sophistication: Instead of simply sending an email with a malicious attachment, criminals now engage more closely with their victim and send a whole series of email messages or even call them. In an attempt to evade traditional spam tools, attackers are now experimenting with new formats for their malicious content, such as embedding images with malware or malicious attachments in OneNote or archive formats. In one case, Sophos discovered that the fraudsters sent a PDF document with a blurred, unreadable thumbnail of an "invoice". The download button then contained a link to a malicious website.

"Our latest report shows once again that there is no shortage of threats for SMEs, and the complexity of these attacks is often comparable to those on large organizations," says Christopher Budd. "This is because while the expected ransom or extortion sums are lower than for a larger organization, the criminals easily make up for this 'shortcoming' through the sheer volume of attacks and due to the often laxer cyber security precautions. Attackers count on the fact that smaller companies are less well protected and do not use modern, sophisticated tools to protect their users and assets."

Source: www.sophos.de