It may not be fair, but cyber crime is cheap. How cheap? You can buy ransomware for as little as $66, or hire a threat actor for $250. And if you look hard enough, you can even get a phishing kit for free on underground forums. Although these illicit methods may not be expensive, the damage they inflict can be substantial.

The low cost of cyber crime is one of the reasons the number of incidents has increased. This should raise the concern of any business or organization with an online presence. Let’s unpack how companies can protect themselves.

They’ve All Gone Phishing

Phishing has become more popular than ever. According to the FBI’s Internet Crime Complaint Center, the number of phishing complaints more than doubled in 2020 to 241,342 cases compared to the prior year. From there, attacks doubled again as phishing reached a monthly record in Q3 2021, according to a recent report from the Anti-Phishing Working Group (APWG).

The total number of incidents, reported and unreported, must be higher. A record 2 million phishing sites were reported in 2020, the most in a decade. This comes as no surprise, as phishing kits are so cheap.

Anyone Can Get a Phishing Kit

Phishing kits are .zip files with all the scripts required to deploy an attack. These kits enable anyone with minimal programming skills to unleash massive ransomware campaigns. In 2019, the average price of a phishing kit totaled $304, with the prices ranging between $20 and $880.

Recently, Microsoft discovered a campaign that used 300,000 newly created and unique phishing subdomains in one massive run. Microsoft also identified a phishing-as-a-service organization known as BulletProofLink. It resembled any other software-as-a-service brand, with tiered service levels, email and website templates, hosting, a newsletter and even 10% off your first order.

Meanwhile, even attackers get targeted. Some phish kits have been unlocked and posted for free on dark web forums.

Average Cost of a Ransomware Attack

On the other hand, suffering attacks is expensive. According to the IBM Cost of a Data Breach report, in 2021 the average cost of a ransomware attack totaled $4.62 million (not including the ransom, if paid). Compare that to the $66 attackers can pay for a ransomware kit.

Before you quit your day job to become a threat actor, be aware that law enforcement is also ramping up investigative efforts. There’s even some evidence that the FBI can now track and recover funds paid in cryptocurrency.

Bigger, More Sophisticated Threats

While ransomware makes the headlines, other, more sophisticated attacks reveal just how far threat actors will go to steal from you. Consider the case of Evaldas Rimasauskas, who, along with his co-conspirators, set up an actual company in Lithuania to mimic Quanta Computer, a Taiwan-based business partner of Google and Facebook.

From there, the imposter company sent phishing emails with fake invoices attached. Before they got caught, they fooled Google and Facebook into paying more than $100 million to bank accounts in Latvia and Cyprus.

Ransomware Prevention

Cyber crime continues to increase in scope and depth. Inexpensive phishing attacks lead to higher attack volumes. And phishing accounts for ransomware infections 42% of the time. Another 42% of ransomware attacks occur via exposed remote desktop protocol (RDP) services. RDP service attacks use brute force, weak credentials or phishing to gain access to legitimate usernames and passwords.
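Exposed RDP is a detection opportunity as much as an exposure: a brute-force or credential-stuffing run against RDP shows up as a burst of failed logons from one source. The script below is an added example (not from the original article) that flags such bursts in Windows Security log data. It assumes the events have been exported as one JSON object per line with the field names shown; Event ID 4625 (failed logon) with LogonType 10 (RemoteInteractive) is the real Windows pairing for a failed RDP logon, while the sample records, IP addresses and usernames are constructed for illustration.

```python
"""Flag RDP brute-force activity in constructed Windows Security log data.

Added example, not part of the original article. Assumes failed-logon events
(Event ID 4625) with LogonType 10 (RemoteInteractive, i.e. RDP) have been
exported as one JSON object per line. Field names and the sample events are
constructed; only the event ID / logon type pairing is a real Windows value.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: five RDP failures from 203.0.113.7 within 90 seconds
# (four different usernames), one isolated RDP failure from 198.51.100.4
# followed by a success (4624), and one non-RDP failure (LogonType 2).
SAMPLE_LOG = """\
{"ts": "2021-11-02T08:00:01Z", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"ts": "2021-11-02T08:00:15Z", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"}
{"ts": "2021-11-02T08:00:31Z", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"}
{"ts": "2021-11-02T08:00:47Z", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "sql"}
{"ts": "2021-11-02T08:01:20Z", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"ts": "2021-11-02T08:03:00Z", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.4", "user": "jsmith"}
{"ts": "2021-11-02T08:03:05Z", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.4", "user": "jsmith"}
{"ts": "2021-11-02T08:10:00Z", "event_id": 4625, "logon_type": 2, "src_ip": "-", "user": "jsmith"}
"""

FAILED_LOGON = 4625
RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_events(text):
    """Parse one JSON record per line into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (failure_count, sorted_usernames)} for every source
    that produced at least `threshold` failed RDP logons inside any sliding
    `window`. The username list helps tell password spraying (many users)
    from a single-account brute force (one user)."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == FAILED_LOGON and ev["logon_type"] == RDP_LOGON_TYPE:
            failures[ev["src_ip"]].append(ev)

    alerts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({e["user"] for e in evs[start:end + 1]})
                alerts[src] = (count, users)
    return alerts


if __name__ == "__main__":
    for src, (n, users) in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {n} failed RDP logons in window, usernames tried: {users}")
```

With the constructed sample, only 203.0.113.7 trips the threshold; the single failure from 198.51.100.4 followed by a success is ordinary user behaviour and stays quiet. In a real deployment the threshold and window are tuned to the environment, and a hit on an internet-facing RDP host is a strong signal to close the exposure (VPN or gateway with MFA) rather than just block the one source.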

Due to the sheer volume and sophistication of attacks, piecemeal security measures are increasingly inadequate. That’s why security experts have also been hard at work to provide viable and effective solutions.

One way organizations are responding is by moving towards a zero trust approach. We can think of it this way: when someone rings your doorbell at home, you check to see who it is before you open the door. Zero trust runs on the same basic premise. Every user, device and connection must be verified, every time.

Zero Trust

As the threat landscape becomes more treacherous, better defenses are required. Zero trust incorporates some of the most advanced security methods to keep the growing tsunami of attacks at bay. Some of the methods used in zero trust strategies include:

  • Encrypt and back up your most valuable data
  • Embed artificial intelligence with analytics and deep learning for proactive protection and more accurate detection
  • Add threat response automation and analysis for a faster response
  • Collaborate with hundreds of thousands of users to detect and alert about emerging threats and vulnerabilities as early as possible
  • Identity Access Management (IAM) – Centralized workforce and consumer identity and access management in a single, cloud-native identity solution
  • Secure access service edge (SASE) – A framework that converges network and network security functions into a single cloud service model. Helps authenticate and authorize users anytime, anywhere using a least privilege model.

Fear the Future or Seize the Day?

While no business enjoys having to deal with growing security concerns, modern solutions can also enhance business function. If we take a closer look at SASE, we can see how this win-win scenario unfolds.

Since companies need anytime, anywhere access from any device for their users and third parties, organizations are moving away from virtual private networks. We all want low latency and seamless user experiences. Reliable, real-time context and secure application access to the public cloud are critical for IT and business teams today. This is made possible by SASE, which, in turn, beefs up security.

So yes, threat actors are busier than ever. They have access to cheap attack methods, or they cook up complex schemes. But solid, robust security responses exist as well. They can even be good for business in many other ways. And that’s good news.
