IBM Security’s X-Force Incident Response and Intelligence Services (IRIS) team reported this week that it witnessed a 200 percent increase in destructive malware attacks over the first half of 2019, compared to the second half of 2018.

These malware attacks typically incorporated a disk wiper component. Wipers are historically associated with nation-state-sponsored attacks against politically strategic targets. However, the activity that the IRIS team encountered largely consisted of financially motivated attacks that combined ransomware’s malicious encryption capabilities with disk wiper functionality, in order to create even more dire consequences for victims who fail to pay the ransom demand. Malware strains exhibiting these dual functionalities include LockerGoga and MegaCortex.

“Now you have to not only recover the data that you lost, but you have to recover the entire operating system along with that and that’s a larger effort for a company to work with,” said Christopher Scott, global remediation lead at X-Force IRIS, in a video interview with SC Media at Black Hat in Las Vegas. And that places more pressure on impacted organizations to acquiesce to the attackers’ demands.
https://youtu.be/Xr0d4CSHRyI
According to a newly released IBM Security white paper and corresponding blog post, an analysis of the X-Force IRIS team’s incident response data found that destructive attacks cost multinational companies an average of $239 million and necessitate an average of 512 hours of incident response and remediation. Moreover, a single attack destroys an average of roughly 12,000 machines.

IBM researchers also noted that the attackers demonstrated a particular affinity for attacking chemical and manufacturing companies. This observation jibes with widely circulated reports this year of ransomware attacks affecting such chemical and manufacturing companies as Norsk Hydro, Hexion, Momentive and Aebi Schmidt. Attacks on such businesses can threaten not only IT infrastructure but also OT systems, which can lead to dangerous consequences. “There’s a lot of security aspects to those systems and there’s a lot of safety aspects,” said Scott.

One of the cases that Scott and the X-Force IRIS team responded to involved an energy and manufacturing company with about 20,000 users. In this instance, the attackers had established administrative access to the company’s network in less than a week, but then waited a full 120 days before enabling the malware’s destructive capabilities. This gave them time to conduct reconnaissance, map out the systems and develop a strategy for how to pull off a successful attack.

“As we worked through the remediation of that system, we focused on some pretty key concepts to prevent the attack. One of the major ones there was multifactor authentication for online services to make sure attackers weren’t able to come through the system. The other was really layered controls and that defense in depth that still works very well, especially within administrative ranks,” said Scott.
As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.