10 Scary Cyber Security Facts [Cybersecurity Awareness Month]

October is the time for all things scary, and it’s also Cybersecurity Awareness Month. In the spirit of Halloween goosebumps, here are ten of the most frightening cybersecurity facts (on earth), in our humble opinion.

Let’s dig in!

1: 4 minutes and 9 seconds is the average time it takes for LockBit to encrypt a system after execution. – Splunk

Yes, in order of disturbing facts, this one takes the biscuit.

Cybersecurity researchers over at Splunk measured the encryption time for various malware groups to test just how speedily real-life attacks can occur, and the results were very telling. Out of 10 samples analyzed for each malware group from Avaddon, Babuk, BlackMatter, Conti, DarkSide, LockBit, Maze, Mespinoza (PYSA), REvil and Ryuk, LockBit (a gang with strong ties to Russia) took the crown.

Cyber attacks are steadily becoming more difficult to detect until they’re not.

In general, large-scale cyber attacks can be planned months in advance, with the collection of data on targets, credentials, and entry points, and even recruiting help on the dark web. Your best bet is to interrupt a hacker’s data supply by using a Dark Web Monitoring or Account Takeover Prevention tool so your SOC team can identify threats early (and prevent horror stories!).

CISA data reviews the Rise of the Russian ransomware gang, LockBit. Read more about their analysis.

2: The average cost of a ransomware attack service is only $66. – Atlas VPN

Ghouls and ransomware groups have a lot in common it seems.

In 2024, the average ransom payment increased to $2 million, up from $400,000 in 2023 – a 500% increase according to our data.

Ransomware as a Service has helped to increase cyber attacks globally. This “going retail” has allowed anyone to finance cyberattacks with monthly payments, upfront payment, or even a “no money down” option in return for a cut of the proceeds. This has helped increase the size and scope of ransomware attacks. 

3: 66% of supply chain attacks focused on the suppliers’ code in order to further compromise targeted customers. – ENISA

Nation-state actors and cyber criminal groups are turning the global supply chain struggle into a horror movie.

The MOVEit Transfer data breach of 2023 is a prime example of a widespread ransomware attack affecting multiple organizations through a single vulnerability. The Cl0p ransomware group exploited a zero-day vulnerability in the MOVEit file transfer software, impacting hundreds of organizations globally, at a reputed cost of $10 billion.

Our CISO Todd Carroll reviewed this incident in our 2024 State of the External Attack Surface Report, which has plenty of scary facts for you and your SOC team.

4: The average time to identify and contain a data breach in 2024 was 283 days. – 2024 IBM Cost of a Data Breach Report

Data breaches are slow-moving disasters, a black hole if you will. Typically networks and data will be exposed for well over 9 months before someone notices (a truly scary story!). By then, data has been extracted, repurposed, or resold on the dark web.

CybelAngel’s 24/7 scanners tirelessly search for threats and exposures, significantly reducing the Mean Time to Detect (MTTD) and Mean Time to Remediate (MTTR) to days or even hours, unlike the months typically taken by in-house solutions. A solid Dark Web Monitoring tool can help find stolen company data by identifying it before a breach is recorded. 

5: Microsoft observed the password “admin” used in IoT devices over 20 million times. – Microsoft Digital Defense Report

A fun fact about default credentials is that many devices come with simple default passwords like “admin” or “password.” Credential attacks can feel like Mount Everest to CISOs, especially when default credentials are used for connected devices like light bulbs, Wi-Fi routers, thermostats, hazard scanners, home nests, and more…

Here is another scary fact: an Avast survey found that 83% of Americans are using weak passwords. Simply horrifying! Many of these devices never have their original credentials changed, leaving them easy prey for exploitation.

6: A cyber attack occurs every 39 seconds, or 2,244 times per day. – Clark School at the University of Maryland

Whatever way you look at the above data, some of the more creepy facts on this list surround the frequency of attacks.

97 people became a data breach victim every hour of 2023.

One in five US companies has faced a ransomware attack, and nearly all have experienced some form of phishing or business email crime. Hackers have become more and more enterprising, automating AI to locate and automatically enter unsecured servers. 

7: Human error is the primary cause of cybersecurity breaches, accounting for 68% of all data breaches. – Verizon Data Breach Investigations Report

“Human error” within cybersecurity breaches is a consistent horrifying fact. So what does this look like? Opening a phishing email, entering credentials into a spoofed domain, or forgetting the last privacy setting all fall under human error.

8: The IT industry is the #2 most impacted industry due to ransomware. – CybelAngel 2024 State of the External Attack Surface Report

As you can gather from these horrifying facts, ransomware attacks are increasing in frequency.

In 2023, CybelAngel identified and tracked 62 active ransomware groups involved in over 5,000 known and reported attacks across 132 countries. Can you name a company, an organization, or a government that does not rely on IT services? These are the second most ransomed organizations responsible for handling our data, storing our secrets, and maintaining our machines.

Yes, this is quite a stark piece of trivia for Halloween.

9: The average cost of downtime is 24 times higher than the average ransom amount. – Retarus

If you’ve worked for any business, you know pricing can be a considerable part of your success. The same applies to ransomware. While prices for ‘enterprise’ customers and small to medium businesses vary, the average ransomware payment is about $571,000, with demands averaging $5.3 million.

Industry-specific costs vary significantly but here is an idea from Uptime Robot of what it can run up to:

Retail: Around $10,000 per minute
Finance and Banking: Approximately $12,000 per minute, with some estimates as high as $9.3 million per hour
IT industry: About $5,600 per minute, or $145,000 to $450,000 per hour

10: You can purchase someone’s account credentials for $1 on the dark market. – RSA

Cybercrime exists in a strange paradoxical state. It costs companies and people billions of dollars per year, but getting someone to commit cybercrime is very cheap. Anyone can purchase a person’s online identity for only a few dollars. An X/Twitter account can cost you $2. The cost of a Facebook account is $9. Items like bank accounts or credit cards might run you anywhere from $25 to $250.

That is it for this list of very spooky and creepy fun facts for Halloween.

Scary facts aside, we’re here for you all year round

If spooky cyber threats are haunting you this Halloween, remember that the CybelAngel team is here to help all year round. After all, growing external threats are more than neat trivia titbits.
