‘I’m going to drop in, release, and let it go wild.’
A single destructive malware attack can destroy over 12,000 devices and cost an organisation more than £164 million. Worryingly, with such attacks on the rise, over half now target the manufacturing industry.
This is according to a new report from IBM’s X-Force IRIS incident response team, which found that so-called destructive malware attacks designed to disable access and destroy system functions are up 200 percent in 12 months.
The team defines destructive malware as software that has the capability to “render affected systems inoperable and challenge reconstitution”.
The definition includes malware types that overwrite the Master Boot Record (MBR), as well as “faux-ransomware”: file-wiping attacks that are not recoverable. Ransomware attacks have also risen sharply, IBM says, highlighting the rise of the LockerGoga and MegaCortex malware strains this year.
Destructive Malware: Attacks Costing Large Business £196 Million
In a report published today, the team said: “Destructive malware that disables access to data or destroys system functions has been expanding across geographies and industries over the past few years. Organizations previously thought safe from this form of cyber aggression increasingly find themselves affected.
“Historically, destructive malware such as Stuxnet, Shamoon, and Dark Seoul, was primarily used by nation-state actors. However, especially since late 2018, cybercriminals have been incorporating wiper elements into their attacks, such as with new strains of ransomware like LockerGoga and MegaCortex.”
“Low and Slow…”
Threat actors generally don’t just appear out of the blue in a network; often they have already compromised some part of the system so they can gain access to a targeted environment. More than once, IBM’s X-Force team has encountered hackers who have been squatting in a network for over four months.
This time allows them to undertake reconnaissance of the targeted network and gives them time to move laterally towards the desired asset or target before they decide to deploy a destructive payload.
Christopher Scott, Global Remediation Lead at IBM X-Force IRIS, commented: “There are two forms of targeted attacks in the destructive world: ‘I need to be low and slow until I gather the information I need and plan out my attack’ ... or, ‘I’m going to drop in, release, and let it go wild.’”
Attacks still typically start with a phishing campaign. The more sophisticated phishing campaigns send out documents containing malicious macros that appear legitimate because they use documents and language similar to those of the selected target. Watering hole attacks, which infect pages regularly visited by the organisation, and password brute-forcing are also rising, the report notes.
The IBM team is also warning that a lot of attackers leverage the access that third-party suppliers have into an organisation’s network. They state that: “Since we see threat actors leveraging third-party access to break into targeted networks, it is imperative to further implement isolation of critical systems from potential third-party infections.”
The company recommends well-honed tabletop exercises and a cyber range simulation to help prepare for any such attacks. “Playbooks can sometimes crack under pressure, and that is when muscle memory becomes important—your team must know what to do automatically and respond decisively in the critical moment.”
Backups are always handy, too…