IBM Security Finds Remote Backdoors Replace Ransomware as Top Attack Vector

IBM’s X-Force Threat Intelligence Index 2023 also finds rise in email thread attacks.

Jeffrey Schwartz

February 22, 2023


Remote access backdoors replaced ransomware as the top attack vector in 2022, according to new data from IBM Security. IBM’s annual X-Force Threat Intelligence Index 2023, released on Wednesday, points to a slight decline in ransomware incidents.

According to the new survey, ransomware attacks occurred in 17% of incidents, down from 21% last year. Remote access backdoors topped ransomware, thanks to improved detection, according to John Hendley, head of strategy for IBM’s X-Force threat intelligence and incident response business. While Hendley noted that the improved detection may have headed off more ransomware incidents, attackers were still gaining access.



“For the first time since at least 2020, ransomware was not the No. 1 attack or action,” Hendley told Channel Futures. “The nearly 70% of backdoors that we saw were actually failed ransomware attacks, which proves in my mind that the cyber community shift towards detection response is paying off.”

Despite the decline in ransomware incidents, defenders have little to celebrate. Successful ransomware attacks now take less time to complete. Threat actors can complete the average ransomware attack in less than four days. That’s far less than the two-month average attackers needed a year earlier.

Also, Hendley warned that the decline in ransomware attacks could be temporary.

“Once adversaries innovate and adjust their tactics, techniques and procedures to evade detection, today’s backdoor failures will become tomorrow’s ransomware crisis,” he said.

Hendley said ransomware incidents take less time to complete because attackers are 94% faster than they were in the past.

“In the time that it used to take them to deploy one attack, they could now deploy 15,” he said. “This speaks to the operationalization of ransomware groups and the improvement of their business processes. The way they work with their affiliates, the way that they work with those initial access brokers, they’re getting much more efficient in those processes.”

Moreover, Hendley said remote access backdoors could be lucrative to attackers. IBM’s telemetry from its X-Force offering shows that cybercriminals are selling backdoor access for as high as $10,000. That’s exponentially more profitable to them than stolen credit card data, now worth less than $10.

Email Thread Hijacking Rises

Meanwhile, credit card numbers are less appealing to attackers because of the short amount of time they are useful. “Cybercriminals are playing the long game,” Hendley said. “They’re ditching that credit card data that previously was so valuable to them to target personal information instead. So, email addresses, phone numbers, and even home addresses, which can offer bigger payouts in the future, have a longer shelf life than credit cards.”

Hendley emphasized that email thread hijacking is also on the rise. Attackers are finding ways to infiltrate email accounts and then work their way into existing email threads. The technique can be successful because victims are unaware they are engaging with an attacker. Hendley said thread hijacking attacks increased 100% last year.

Some highlights of IBM’s report appear in the slideshow above.



About the Author(s)

Jeffrey Schwartz

Jeffrey Schwartz has covered the IT industry for nearly three decades, most recently as editor-in-chief of Redmond magazine and executive editor of Redmond Channel Partner. Prior to that, he held various editing and writing roles at CommunicationsWeek, InternetWeek and VARBusiness (now CRN) magazines, among other publications.
