7 Threat Trends from the 2022 RSA Conference

It’s a pretty common sequence of events. Someone posts a zero-day or proof of concept exploit on the dark web, and initial access brokers immediately start using it on vulnerable targets. Now they have an inventory of breached networks to sell to ransomware groups and other cybercriminals, and naturally they sell the most valuable ones first. 

“That high-value inventory is going to be the larger organizations that can pay large ransoms,” notes Shier, of Sophos. “Those sell right away.”

SMBs, by contrast, are both worth less to an attacker and less likely to discover a breach, so brokers often end up waiting longer before selling them too.

We’re talking a lot longer. According to Sophos, “dwell time”—the span between when an intrusion occurs and when it’s detected—averaged 19 days in organizations with over 5,000 employees last year and about 51 days in victims with up to 250 employees.

Interestingly, there’s often so little data worth encrypting or stealing in SMB environments that attackers use them surreptitiously for cryptomining bitcoin and other digital currencies instead.

“It’s the easiest sort of low hanging fruit,” notes Hammond, of Huntress. “They’re not only making money, but breaking into someone else’s machine to do it.” Better yet, he adds, their victim is covering the electrical bill. “It’s a win-win.”

But not a big win, notes Wuest. “There is money to be made, but not that much,” he says of cryptojacking. A typical laptop used for cryptomining purposes might mint one or two cents worth of cryptocurrency per day, which at an SMB with a few dozen laptops adds up to a buck or two.

“That’s not really going to get you your Hollywood-style beach vacation,” Wuest notes.