Q3 Cyber Threat Report: The Ransomware Ecosystem is Increasingly Distributed
Ransomware attacks remained high in Q3 2024, with groups targeting sectors like Construction and Healthcare, often exploiting weak VPN credentials.
By compiling data from several different companies, Corvus determined the likelihood of a security incident based on whether or not a company was using a VPN solution, and if so, if they were utilizing a high-risk or low-risk VPN.
As the U.S. went into lockdown in the wake of the COVID-19 pandemic, enterprises found themselves with a new security challenge: a geographically diffuse workforce. Whereas 5% to 7% of Americans worked from home pre-pandemic (according to Businesswire), 35% to 40% of these roles were predicted to become at least partially remote by 2021.
Enter Virtual Private Network (VPN) technologies.
With the sudden locational shift of the workforce came a higher demand for VPNs in order to meet the new security requirements for remote workers. Despite this preparation, threat actors have nevertheless found ways to exploit those very technologies in order to attack the networks they were made to protect. According to a Tetra Defense report, compromised VPNs made up 12.73% of attacks with identifiable cause during Q1 2022.
In 2021, solving this security issue became a priority for the Corvus Insurance Data Science team, and they began collecting data on VPNs. In 2022, we now have enough data to break down VPN risk.
The purpose of VPNs for businesses is twofold: to provide remote employees access to internal resources, and to ensure they can do it securely over an encrypted channel.
However, while a VPN is an important step for a secure connection, they are not immune to being hacked themselves. VPNs act as a bridge between the Internet and a company’s internal network, making them a tempting target for threat actors. Also, just like with any other software, a VPN’s code can contain vulnerabilities.
It is important, therefore, to understand how a VPN might affect risk and policy. Not all VPNs provide the same level of security, and in a worst case scenario, vulnerabilities in VPN technology can provide attackers a point of entry for an ongoing attack.
Recognizing the critical role that VPNs play in our clients’ cyber infrastructure, Corvus set out to include them in our updated ransomware score.
The score scans for critical attack vectors, critical software vulnerabilities, and non-critical vulnerabilities in both software and remote access tools like VPNs. Scores range from 1 to 100, with final values ultimately corresponding with risk level. Any score less than 80 is considered a non-bindable policy.
By using ransomware incident data, the Data Science team have modeled the impact that various VPNs have on the probability of a successful ransomware attack by categories that include high, medium, and low. This new score takes into account an organization's VPN technology and helps Corvus determine which ones to underwrite. By monitoring the composition of VPNs in our risk capital partner portfolio, we can ensure that they are protected against high-risk software as well as diversified against catastrophic losses.
New data sources and augmented ETL (Extract, Transform, Load) and BI (Business Intelligence) capabilities can now be utilized to allow our Risk + Response team to quickly and accurately identify clients with specific VPN technologies. The Data Science team is also working towards detecting a wider range of VPNs currently available in the scan.
Thesis: A new ransomware score delivers data and security-driven insights on VPNs, helping our underwriters identify and reduce VPN technologies that create an insecure cyber infrastructure while prioritizing lower risk VPNs.
Which risk category a VPN is initially placed in is determined by the number of vulnerabilities it has, and its history with exploitation by threat actors. Corvus also periodically revisits these VPN risk classifications to ensure that they remain accurate over time.
Using the scans from numerous companies, we discovered that organizations using a high-risk VPN solution are three times more likely to have a security incident than those without a VPN, and five times more likely than those with a low-risk provider.
Our recommendation to policyholders to improve their scores and strengthen their security has been to implement a Zero Trust Network Access (ZTNA). This emerging technology minimizes their external footprint by removing digital assets from public visibility and securely tying authentication to their users. Implementing a ZTNA solution significantly reduces the surface area for attack and validates users and devices, which enables secure remote access to organizational resources.
With VPNs more in-demand than ever, it is important for us to scan for risks within these solutions. By differentiating between high- and low-risk VPNs, we can provide more accurate ransomware scores to policyholders along with recommendations that can help improve their cybersecurity, no matter where in the world the workforce goes next.
This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.