Ransomware was the most commonly detected malware in data breaches and related security incidents last year, climbing from fourth overall in 2016 and all the way from the 22nd spot five years ago, according to Verizon’s just released 2018 Data Breach Investigations Report.

Based on its research data, Verizon recorded 53,308 security incidents in 65 countries during the period of Nov. 1, 2016 to Oct. 31, 2017 – over 11,000 more events than the previous annual period. Verizon also registered 2,216 data breaches over the past year’s worth of data collection, compared to 1,935 the previous year.

Malware was involved in a far smaller share of breaches this time around, compared to the previous year – 30 percent versus 51 percent, respectively – but when malware was found, ransomware was determined to be the culprit a leading 39 percent of the time. What’s worse, Verizon noted ransomware attacks increasingly targeted critical systems and data centers, rendering entire businesses inoperable while strengthening cybercriminals’ leverage and ballooning their ransom demands.

“Ransomware remains a significant threat for companies of all sizes,” said Bryan Sartin, executive director, security professional services at Verizon, in a press release. “It is now the most prevalent form of malware, and its use has increased significantly over recent years. What is interesting to us is that businesses are still not investing in appropriate security strategies to combat ransomware, meaning they end up with no option but to pay the ransom – the cybercriminal is the only winner here!”

Itsik Mantin, head of data security research at Imperva, said in comments the proliferation of ransomware is “anything but surprising,” considering that the ransomware economy is “going through industrialization, allowing attackers to [launch] campaigns from building blocks they purchase or obtain in dark net forums…”

Christian Vezina, CISO at VASCO Data Security, agreed that ransomware was an “important issue” in 2017, but “rogue cryptocurrency mining will probably surpass ransomware in terms of revenues for cybercriminals this year.”

Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, also believes ransomware could soon take a back seat, if only temporarily. “We are likely to see a see a reprieve before the next storm of ransomware attacks,” said Hahad. “Some threat actors are dipping their toes into the cryptocurrency pond to see if they can make a decent return on what is perceived as a lesser crime, namely cryptocurrency mining. Other threat actors will probably get pulled into the market of hacking for political actors, be it nation states or groups with political interests. This will lead to an increase in attacks like DDoS or destructors disguised as ransomware, and the targeting [of] critical infrastructure.”

Outside of ransomware, other tactics used to facilitate breaches were hacking ( the leading category, representing 48 percent of breaches), followed by errors (17%), social engineering attacks (17%), privilege misuse (12%) and physical actions (11%).

Verizon found users are three times more likely to be breached via social engineering tactics than through vulnerabilities – a data point that underscores the need for employee security hygiene training. Indeed, incidents of pretexting – the act of obtaining information from someone by adopting a false identity or narrative – increased by a factor of five since the 2017 report, with 88 of these scams specifically targeting human resource departments in order to acquire enough data to file a fraudulent tax return.

“Employees should be a business’s first line of defense, rather than the weakest link in the security chain,” continued Sartin in the release. “Ongoing training and education programs are essential. It only takes one person to click on a phishing email to expose an entire organization.”

According to Verizon, in a typical organization, 78 percent of employees subjected to phishing simulations did not fail a phishing test all year, but an average of four percent of the workforce population would fall for any given test. And what’s worse, the more phishing emails an individual clicks, the more likely he or she is to be fooled again in the future.

Based on the phishing simulation data, it takes only an average 16 minutes until someone in an organization first clicks on a phishing email, while it takes an average of about 28 minutes before an sharp-eyed employee reports the scam.

And that’s not the only scenario in which the clock favors the cybercriminal. According to Verizon, 87 percent of examined breaches took just minutes or less to happen, but only three percent were detected just as quickly. Conversely, 68 of the breaches took months or longer to be discovered.

Verizon also reported more than 43,000 breaches – over 13,000 in the U.S. alone – that were performed automatically by botnets that target organizations’ customers by infecting their devices with malware that captures log-in credentials – an attack method that is so high in frequency that it’s counted separately so as not to skew the report’s numbers.

Other notable statistics from the report:

  • 76 percent of breaches were financially motivated; espionage was the next most common motive.
  • Organized criminal groups were responsible for half of all breaches; 12 percent were the work of nation-states or their proxies.
  • 24 percent of breaches affected health care organizations – more than any other industry, followed by hospitality and the public sector.