Businesses around the world are experiencing a rise in destructive malware attacks, which are designed to shut down information access and obliterate system functions on victim machines.
New data from IBM X-Force Incident Response and Intelligence Services (IRIS) shows organizations hit with destructive malware can experience a total cost of $200 million and lose more than 12,000 devices in an attack. Large multinational companies incur an average cost of $239 million per incident, researchers report, citing analysis of publicly disclosed cyberattacks. The cost of remediation, equipment replacement, lost productivity, and other damage makes destructive attacks far pricier than typical data breaches, which average $3.92 million each, according to estimates from the Ponemon Institute.
"When you think about a destructive attack compared to a data breach, that attack process is very similar," says Christopher Scott, global remediation lead for IBM X-Force IRIS. "You have to get in the environment, expand access, get to what you want … and act on that objective." But unlike a traditional data breach, which typically targets intellectual property or other valuable information, a destructive malware attack aims to shut down a target's corporate environment.
Destructive malware, including ransomware that employs a "wiper" element, is on the rise: X-Force IRIS incident response teams helped organizations with 200% more destructive malware cases in the first half of 2019 compared with the second half of 2018. Ransomware packing destructive elements also spiked as new strains of LockerGoga and MegaCortex entered the landscape. Ransomware calls to X-Force IRIS' emergency response line spiked 116% in the first half of 2019.
"While not all ransomware attacks incorporate destructive malware, the simultaneous increase in overall ransomware attacks and ransomware with destructive elements underscores the enhanced threat to corporations from ransomware capable of permanently wiping data," researchers write in "Combating Destructive Malware: Lessons from the Front Lines." They predict criminals' use of destructive ransomware will increase over the next five years.
Half of destructive malware cases targeted the manufacturing industry; other popular targets were in the education or oil and gas sectors. Most attacks the X-Force IRIS team observed targeted victim organizations in the United States, Europe, and the Middle East.
Detecting and Addressing Destructive Attacks
A destructive malware attack can start with a phishing email, credential stuffing, or watering hole attack. Once inside, attackers can elevate credentials and poke around until they have administrative access. "This gives them freedom to move across the environment as they want and plan out their attack," Scott says. Researchers found attackers are often present on a device, asset, or network for weeks or months before they launch a destructive malware attack. In some cases, they dwell for more than four months, taking time for internal reconnaissance.
Access points and key infrastructure are valuable in this phase. With access to critical systems, attackers can keep control of their location for as long as possible. The slow approach lets them do maximum damage, but it also gives businesses an opportunity to locate them beforehand. While PowerShell remains popular for lateral movement, many attackers are targeting privileged accounts and services so they can move throughout the network unnoticed.
The time to remediate varies depending on the severity of an attack. X-Force IRIS incident responders spent an average of 512 hours remediating a destructive malware attack; however, that number can stretch to 1,200 hours or more for significant incidents.
Not Just for Nation-States
Destructive malware has mostly been used by nation-state actors to harm geopolitical opponents by destroying systems or harming key industry organizations. From 2010 to 2018, it was primarily intended to further state interests. Now it's growing popular among cybercriminals.
Researchers hypothesize criminals may be adopting this form of malware to put pressure on ransomware victims: if they don't pay, attackers could irreparably destroy their data. They may also impulsively launch a destructive attack to "lash out" at uncooperative victims.
"By going destructive or even partially destructive, you are even more motivated to pay a ransom," Scott explains. "That way they can recover and get back to business faster." If a cybercriminal wants payment immediately, they can destroy part of the target's environment to show what the damage could be if the victim doesn't send the requested payment.
As these attacks continue to increase, businesses are advised to ensure they're prepared by testing their response plan under pressure. X-Force IRIS recommends using a tabletop exercise to determine whether your team knows exactly what to do in critical moments of response.
Organizations should also consider segregating and minimizing privileged accounts and ensuring the same account cannot be used to access every critical system. They should also baseline internal network activity and monitor for lateral movement; alert on unexpected PowerShell callouts; and have, test, and keep offline backups of their systems. If an attacker can destroy a company's backups, paying the ransom is the only way a victim can get its information back.
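As an added illustration (not from the IBM report or the article), the Python sketch below applies two of these recommendations to authentication records: it baselines which source-to-destination logon paths each account normally uses and flags new ones, and it lists accounts that have reached every critical system. The record layout, account names, and host names are constructed sample data and assumptions, not a real log format.

```python
from collections import defaultdict

# Constructed sample records: (day, account, source_host, dest_host).
# All account and host names are hypothetical.
BASELINE_LOGONS = [
    (1, "svc-backup", "bkp01", "fs01"),
    (1, "adm-alice", "ws-alice", "dc01"),
    (2, "svc-backup", "bkp01", "fs01"),
    (2, "adm-alice", "ws-alice", "dc01"),
    (3, "adm-bob", "ws-bob", "erp01"),
]
NEW_LOGONS = [
    (4, "svc-backup", "bkp01", "fs01"),     # path already in the baseline
    (4, "adm-alice", "ws-alice", "erp01"),  # new destination for this account
    (4, "adm-alice", "erp01", "bkp01"),     # server-to-server hop, never seen before
    (4, "adm-alice", "ws-alice", "fs01"),   # another new destination
]
CRITICAL_SYSTEMS = {"dc01", "fs01", "erp01", "bkp01"}

def build_baseline(logons):
    """Map each account to the (source, destination) pairs seen in the baseline window."""
    baseline = defaultdict(set)
    for _day, account, src, dst in logons:
        baseline[account].add((src, dst))
    return baseline

def new_paths(baseline, logons):
    """Return logons whose (source, destination) pair is new for that account."""
    return [
        (day, account, src, dst)
        for day, account, src, dst in logons
        if (src, dst) not in baseline.get(account, set())
    ]

def accounts_reaching_all(logons, critical):
    """Return accounts that have authenticated to every critical system."""
    reached = defaultdict(set)
    for _day, account, _src, dst in logons:
        if dst in critical:
            reached[account].add(dst)
    return sorted(a for a, hosts in reached.items() if hosts >= critical)

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGONS)
    for alert in new_paths(baseline, NEW_LOGONS):
        print("new logon path:", alert)
    everywhere = accounts_reaching_all(BASELINE_LOGONS + NEW_LOGONS, CRITICAL_SYSTEMS)
    print("accounts with access to every critical system:", everywhere)
```

In practice the baseline window would cover weeks of authentication data, and an account that appears in the second list is a candidate for splitting into narrower, per-system credentials.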