
Endpoint

8/5/2019
05:20 PM

Destructive Malware Attacks Up 200% in 2019

Organizations hit with destructive malware can lose more than 12,000 machines and face $200 million or more in costs, IBM X-Force reports.

Businesses around the world are experiencing a rise in destructive malware attacks, which are designed to shut down information access and obliterate system functions on victim machines.

New data from IBM X-Force Incident Response and Intelligence Services (IRIS) shows organizations hit with destructive malware can experience a total cost of $200 million and lose more than 12,000 devices in an attack. Large multinational companies incur an average cost of $239 million per incident, researchers report, citing analysis of publicly disclosed cyberattacks. The cost of remediation, equipment replacement, lost productivity, and other damage makes destructive attacks far pricier than typical data breaches, which average $3.92 million each, according to estimates from the Ponemon Institute.

"When you think about a destructive attack compared to a data breach, that attack process is very similar," says Christopher Scott, global remediation lead for IBM X-Force IRIS. "You have to get in the environment, expand access, get to what you want … and act on that objective." But unlike a traditional data breach, which typically targets intellectual property or other valuable information, a destructive malware attack aims to shut down a target's corporate environment.

Destructive malware, including ransomware that employs a "wiper" element, is on the rise: X-Force IRIS incident response teams helped organizations with 200% more destructive malware cases in the first half of 2019 compared with the second half of 2018. Ransomware packing destructive elements also spiked as new strains of LockerGoga and MegaCortex entered the landscape. Ransomware calls to X-Force IRIS' emergency response line spiked 116% in the first half of 2019.

"While not all ransomware attacks incorporate destructive malware, the simultaneous increase in overall ransomware attacks and ransomware with destructive elements underscores the enhanced threat to corporations from ransomware capable of permanently wiping data," researchers write in "Combating Destructive Malware: Lessons from the Front Lines." They predict criminals' use of destructive ransomware will increase over the next five years.

Half of destructive malware cases targeted the manufacturing industry; other popular targets were in the education or oil and gas sectors. Most attacks the X-Force IRIS team observed targeted victim organizations in the United States, Europe, and the Middle East.

Detecting and Addressing Destructive Attacks
A destructive malware attack can start with a phishing email, credential stuffing, or watering hole attack. Once inside, attackers can elevate credentials and poke around until they have administrative access. "This gives them freedom to move across the environment as they want and plan out their attack," Scott says. Researchers found attackers are often present on a device, asset, or network for weeks or months before they launch a destructive malware attack. In some cases, they dwell for more than four months, taking time for internal reconnaissance.

Access points and key infrastructure are valuable in this phase. With access to critical systems, attackers can retain their foothold for as long as possible. The slow approach lets them do maximum damage, but it also gives businesses an opportunity to locate them beforehand. While PowerShell remains popular for lateral movement, many attackers are targeting privileged accounts and services so they can move throughout the network unnoticed.

The time to remediate varies depending on the severity of an attack. X-Force IRIS incident responders spent an average of 512 hours remediating a destructive malware attack; however, that number can stretch to 1,200 hours or more for significant incidents.

Not Just for Nation-States
Destructive malware has mostly been used by nation-state actors to harm geopolitical opponents by destroying systems or harming key industry organizations. From 2010 to 2018, it was primarily intended to further state interests. Now it's growing popular among cybercriminals.

Researchers hypothesize criminals may be adopting this form of malware to put pressure on ransomware victims: if they don't pay, attackers could irreparably destroy their data. They may also impulsively launch a destructive attack to "lash out" at uncooperative victims.

"By going destructive or even partially destructive, you are even more motivated to pay a ransom," Scott explains. "That way they can recover and get back to business faster." A cybercriminal who wants payment immediately can destroy part of the target's environment to show the victim what the damage could be if the requested payment is not sent.

As these attacks continue to increase, businesses are advised to ensure they're prepared by testing their response plan under pressure. X-Force IRIS recommends using a tabletop exercise to determine whether your team knows exactly what to do in critical moments of response.

Organizations should also consider segregating and minimizing privileged accounts and ensuring the same account cannot be used to access every critical system. They should also baseline internal network activity and monitor for lateral movement; alert on unexpected PowerShell callouts; and have, test, and keep offline backups of their systems. If an attacker can destroy a company's backups, paying the ransom is the only way a victim can get its information back.
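One way to put the "baseline internal network activity and alert on unexpected PowerShell callouts" advice into practice, as an added example that is not part of the article or of IBM X-Force's report: the telemetry records, hostnames, users and addresses below are constructed, and each dict stands in for an already-parsed process-to-network event (the kind a Sysmon network-connection event or EDR sensor would produce).

```python
"""Baseline PowerShell network callouts per host, then alert on new ones."""
from collections import defaultdict

# Constructed baseline telemetry: known-good PowerShell callouts from a quiet week.
BASELINE_EVENTS = [
    {"host": "ws-0012", "image": "powershell.exe", "dst": "10.0.5.20", "port": 5985, "user": "svc-patch"},
    {"host": "ws-0012", "image": "powershell.exe", "dst": "10.0.5.20", "port": 5985, "user": "svc-patch"},
    {"host": "srv-01", "image": "powershell.exe", "dst": "10.0.5.21", "port": 443, "user": "svc-backup"},
    {"host": "ws-0034", "image": "chrome.exe", "dst": "198.51.100.7", "port": 443, "user": "alice"},
]

# Constructed observation window: two callouts that never appeared in the baseline.
NEW_EVENTS = [
    {"host": "ws-0012", "image": "powershell.exe", "dst": "10.0.5.20", "port": 5985, "user": "svc-patch"},
    {"host": "ws-0012", "image": "powershell.exe", "dst": "10.0.7.9", "port": 445, "user": "alice"},
    {"host": "ws-0034", "image": "powershell.exe", "dst": "203.0.113.8", "port": 443, "user": "alice"},
    {"host": "srv-01", "image": "powershell.exe", "dst": "10.0.5.21", "port": 443, "user": "svc-backup"},
]


def is_powershell(event):
    """True for both Windows PowerShell and PowerShell Core images."""
    return event["image"].lower() in {"powershell.exe", "pwsh.exe"}


def build_baseline(events):
    """Map each host to the set of (dst, port, user) PowerShell callouts seen."""
    baseline = defaultdict(set)
    for e in events:
        if is_powershell(e):
            baseline[e["host"]].add((e["dst"], e["port"], e["user"]))
    return baseline


def detect_unexpected_callouts(baseline, events, internal_prefix="10."):
    """Return (host, dst, port, user, reason) for PowerShell callouts not in the baseline.

    Internal destinations are labelled separately from external ones so an
    analyst can triage possible lateral movement before possible C2 or exfil.
    """
    alerts = []
    for e in events:
        if not is_powershell(e):
            continue
        if (e["dst"], e["port"], e["user"]) in baseline.get(e["host"], set()):
            continue  # seen before from this host: part of normal activity
        reason = "internal-new" if e["dst"].startswith(internal_prefix) else "external-new"
        alerts.append((e["host"], e["dst"], e["port"], e["user"], reason))
    return alerts


if __name__ == "__main__":
    for alert in detect_unexpected_callouts(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print("ALERT", alert)
```

The baseline key deliberately includes the user, so a familiar destination reached by an unfamiliar account (a common sign of a stolen privileged credential) still raises an alert.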


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
