8/5/2019
05:20 PM
Destructive Malware Attacks Up 200% in 2019

Organizations hit with destructive malware can lose more than 12,000 machines and face $200 million or more in costs, IBM X-Force reports.

Businesses around the world are experiencing a rise in destructive malware attacks, which are designed to shut down information access and obliterate system functions on victim machines.

New data from IBM X-Force Incident Response and Intelligence Services (IRIS) shows organizations hit with destructive malware can experience a total cost of $200 million and lose more than 12,000 devices in an attack. Large multinational companies incur an average cost of $239 million per incident, researchers report, citing analysis of publicly disclosed cyberattacks. The cost of remediation, equipment replacement, lost productivity, and other damage makes destructive attacks far pricier than typical data breaches, which average $3.92 million each, according to estimates from the Ponemon Institute.

"When you think about a destructive attack compared to a data breach, that attack process is very similar," says Christopher Scott, global remediation lead for IBM X-Force IRIS. "You have to get in the environment, expand access, get to what you want … and act on that objective." But unlike a traditional data breach, which typically targets intellectual property or other valuable information, a destructive malware attack aims to shut down a target's corporate environment.

Destructive malware, including ransomware that employs a "wiper" element, is on the rise: X-Force IRIS incident response teams helped organizations with 200% more destructive malware cases in the first half of 2019 compared with the second half of 2018. Ransomware packing destructive elements also spiked as new strains of LockerGoga and MegaCortex entered the landscape. Ransomware calls to X-Force IRIS' emergency response line spiked 116% in the first half of 2019.

"While not all ransomware attacks incorporate destructive malware, the simultaneous increase in overall ransomware attacks and ransomware with destructive elements underscores the enhanced threat to corporations from ransomware capable of permanently wiping data," researchers write in "Combating Destructive Malware: Lessons from the Front Lines." They predict criminals' use of destructive ransomware will increase over the next five years.

Half of destructive malware cases targeted the manufacturing industry; other popular targets were in the education or oil and gas sectors. Most attacks the X-Force IRIS team observed targeted victim organizations in the United States, Europe, and the Middle East.

Detecting and Addressing Destructive Attacks
A destructive malware attack can start with a phishing email, credential stuffing, or a watering hole attack. Once inside, attackers escalate privileges and poke around until they hold administrative access. "This gives them freedom to move across the environment as they want and plan out their attack," Scott says. Researchers found attackers are often present on a device, asset, or network for weeks or months before they launch the destructive payload. In some cases, they dwell for more than four months, using the time for internal reconnaissance.

Access points and key infrastructure are the prizes in this phase: holding critical systems lets attackers keep their foothold for as long as they need. The slow approach lets them do maximum damage, but it also gives defenders a window to find them first. While PowerShell remains popular for lateral movement, many attackers are targeting privileged accounts and services so they can move throughout the network unnoticed.

The time to remediate varies depending on the severity of an attack. X-Force IRIS incident responders spent an average of 512 hours remediating a destructive malware attack; however, that number can stretch to 1,200 hours or more for significant incidents.

Not Just for Nation-States
Destructive malware has mostly been used by nation-state actors against geopolitical opponents, destroying systems or crippling organizations in key industries. From 2010 to 2018, it was primarily intended to further state interests. Now it's growing popular among cybercriminals.

Researchers hypothesize criminals may be adopting this form of malware to put pressure on ransomware victims: if they don't pay, attackers could irreparably destroy their data. They may also impulsively launch a destructive attack to "lash out" at uncooperative victims.

"By going destructive or even partially destructive, you are even more motivated to pay a ransom," Scott explains. "That way they can recover and get back to business faster." A cybercriminal who wants payment immediately can destroy part of the target's environment as a demonstration of what the rest will look like if the ransom isn't paid.

As these attacks continue to increase, businesses are advised to ensure they're prepared by testing their response plan under pressure. X-Force IRIS recommends using a tabletop exercise to determine whether your team knows exactly what to do in critical moments of response.

Organizations should also segregate and minimize privileged accounts and ensure no single account can reach every critical system. They should baseline internal network activity and monitor for lateral movement; alert on unexpected PowerShell callouts; and have, test, and keep offline backups of their systems. If an attacker can destroy a company's backups, paying the ransom may be the victim's only route to its data, and even payment is no guarantee of recovery.
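Two of those recommendations, alerting on unexpected PowerShell callouts and watching for lateral movement against a baseline, can be reduced to simple detection rules. The following is an added illustration and not X-Force IRIS's tooling or anything from the report: it runs two rules over a handful of constructed events shaped like Sysmon Event ID 3 (network connection) and Windows Security Event ID 4624 (logon) records. The internal address ranges, the baseline of allowed destinations, the ten-minute window, and the three-host fan-out threshold are all assumed values to be tuned against your own environment.

```python
"""Detection pass over constructed Windows/Sysmon-style events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events, not real telemetry. Field names loosely mirror
# Sysmon Event ID 3 (network connection) and Security Event ID 4624 (logon),
# trimmed to the fields the two rules below need.
SAMPLE_EVENTS = [
    # PowerShell on a workstation talking SMB to an internal file server: in range, not flagged by rule 1
    {"ts": "2019-06-03T09:00:01", "host": "WS-0142", "event_id": 3,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "10.20.5.17", "dest_port": 445},
    # PowerShell reaching out to a non-baselined external address: flagged
    {"ts": "2019-06-03T09:00:04", "host": "WS-0142", "event_id": 3,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "203.0.113.44", "dest_port": 443},
    # A browser talking to the same address: not PowerShell, not flagged
    {"ts": "2019-06-03T09:00:05", "host": "WS-0142", "event_id": 3,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "203.0.113.44", "dest_port": 443},
    # One service account performing network logons (type 3) to many hosts within minutes
    {"ts": "2019-06-03T09:02:10", "host": "SRV-DC01", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\svc_backup", "src_ip": "10.20.5.42"},
    {"ts": "2019-06-03T09:02:41", "host": "SRV-FS01", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\svc_backup", "src_ip": "10.20.5.42"},
    {"ts": "2019-06-03T09:03:15", "host": "SRV-APP02", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\svc_backup", "src_ip": "10.20.5.42"},
    {"ts": "2019-06-03T09:04:02", "host": "SRV-SQL01", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\svc_backup", "src_ip": "10.20.5.42"},
    {"ts": "2019-06-03T09:05:30", "host": "WS-0203", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\svc_backup", "src_ip": "10.20.5.42"},
    # An ordinary user hitting one file server: below the fan-out threshold
    {"ts": "2019-06-03T09:03:00", "host": "SRV-FS01", "event_id": 4624, "logon_type": 3,
     "account": "CORP\\jdoe", "src_ip": "10.20.5.77"},
]

# Assumed internal ranges (RFC 1918); replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
POWERSHELL_IMAGES = ("powershell.exe", "powershell_ise.exe", "pwsh.exe")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def powershell_callouts(events, baseline_dests=frozenset()):
    """Rule 1: PowerShell initiating a connection to an address that is neither
    internal nor on the baseline of known-good destinations (e.g. an update server).
    Returns (host, dest_ip, dest_port) tuples."""
    hits = []
    for e in events:
        if e.get("event_id") != 3:
            continue
        image = e["image"].lower().rsplit("\\", 1)[-1]  # file name only
        if image not in POWERSHELL_IMAGES:
            continue
        if e["dest_ip"] in baseline_dests or is_internal(e["dest_ip"]):
            continue
        hits.append((e["host"], e["dest_ip"], e["dest_port"]))
    return hits


def lateral_movement_fanout(events, window=timedelta(minutes=10), max_hosts=3):
    """Rule 2: one account performing network logons (4624, logon type 3) to more
    than max_hosts distinct hosts inside a sliding time window. Both thresholds are
    assumed; tune them against what each account normally touches."""
    by_account = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4624 and e.get("logon_type") == 3:
            by_account[e["account"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            # hosts reached within `window` of this logon (list is time-sorted)
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


def run_detections(events):
    return {
        "powershell_callouts": powershell_callouts(events),
        "lateral_movement": lateral_movement_fanout(events),
    }


if __name__ == "__main__":
    for rule, findings in run_detections(SAMPLE_EVENTS).items():
        print(rule, findings)
```

Rule 1 deliberately ignores PowerShell traffic to internal addresses; in a real deployment that internal SMB/WinRM activity from a workstation is itself worth a second rule, and the baseline set is what keeps legitimate update and management traffic from paging anyone. Rule 2 is only as good as the per-account baseline behind its threshold: a backup service account that legitimately touches forty hosts an hour needs its own limit, which is exactly the kind of thing that segregating privileged accounts makes easier to define.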

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...