Skip to main content

Ransomware: Prepare for hackers launching even more destructive malware attacks


The 'wiper' ransomware used in state-backed attacks like NotPetya is gaining round among cyber criminals, warns EU law enforcement annual cybercrime report.
The threat from ransomware continues to grow and it's possible that the file-encrypting malware attacks could become far more destructive as cyber criminals evolve and change their tactics.
European law enforcement agency Europol's annual cybercrime report – the Internet Organised Crime Threat Assessment (IOCTA) – lists ransomware as the most widespread and financially damaging cyber attack, despite a decline in the number of ransomware incidents.
However, cyber criminals are becoming more efficient, picking and choosing their targets with the aim of causing the highest amount of damage possible to organisations in order to demand much higher ransomware. To emphasise this – although without providing specific examples - the report details how in some cases, the ransom demanded is in excess over one million Euros.
But while ransomware in its current state is predominantly a means of making money for cyber criminals, the Europol report warns there's a risk of cyber criminals deploying ransomware attacks as a means of pure sabotage, something private companies are growing fearful of.
The NotPetya attacks of 2017 showed how much damage can be done by a destructive cyberattack of this kind: in some cases it led to large companies having to almost entirely restore their network from scratch, suffering large amounts of downtime and large financial costs as a result.
NotPetya looked like ransomware but the group behind it had no interest in receiving ransom payments, the motivation behind the attack was pure destruction. The target for this destruction was Ukraine, but the attack got out of control and spread around the world.
This kind of attack has predominantly been associated with nation-states – the Russian military has been accused of being behind NotPetya - however, the report warns that cyber criminals are increasingly incorporating wiper-style attacks as part of their campaigns.
A form of this ransomware attack emerged earlier this year. Named GermanWiper the ransomware hit organisations across Germany with attacks which didn't encrypt files, but rewrote the files to destroy them.
Ultimately, it meant that even if a user paid the ransom, they wouldn't get their files back at all – unless they had offline back-ups
Ransomware itself may have changed but the methods for distributing it have stayed the same over the last year: phishing emails and remote desktop protocols (RDPs) are the primary infection vectors of the malware.
Often, the attackers pushing ransomware are doing so with the aid of known vulnerabilities for which vendors have already issued security updates. Because of this, Europol stresses the importance of patching, especially when it comes to critical vulnerabilities.
The report notes that almost one million devices still haven't been patched against the powerful BlueKeep vulnerability, leaving networks open to attacks using the exploit.
The message from Europol is clear – ransomware and other cyber attacks won't be disappearing any time soon, especially if cyber criminals are able to take advantage of known vulnerabilities and old attacks.
"This year's IOCTA demonstrates that while we must look ahead to anticipate what challenges new technologies, legislation, and criminal innovation may bring, we must not forget to look behind us," said Catherine De Bolle, executive director of Europol.
"New threats continue to emerge from vulnerabilities in established processes and technologies. Moreover, the longevity of cyber threats is clear, as many long-standing and established modi operandi persist, despite our best efforts. Some threats of yesterday remain relevant today and will continue to challenge us tomorrow," she added.
There is one threat which appears to have almost dropped off the radar compared with its position in last year's report: cryptomining. The 2018 IOCTA warned about the rise of cryptocurrency mining malware, even suggesting that it "may overtake ransomware as a future threat".
However, while cryptomining attacks still do occur the number of attacks has declined – especially since the closure of Coinhive in March this year. Now, aside from exceptional cases, cryptomining is described as "a low-priority threat for EU law enforcement" moving forward as other current and future threats are combated.
"The global impact of huge cybersecurity events has taken the threat from cybercrime to another level. At Europol, we see that key tools must be developed to keep cybercriminals at bay. This is all the more important, considering that other crime areas are becoming increasingly cyber-facilitated," said De Bolle.

Comments

Popular posts from this blog

Ransomware's Dangerous New Trick Is Double-Encrypting Your Data

  Ransomware groups have always taken a more-is-more approach . If a victim pays a ransom and then goes back to business as usual-hit them again. Or don’t just encrypt a target’s systems; steal their data first, so you can threaten to leak it if they don’t pay up. The latest escalation? Ransomware hackers who encrypt a victim’s data twice at the same time. Double-encryption attacks have happened before, usually stemming from two separate ransomware gangs compromising the same victim at the same time. But antivirus company Emsisoft says it is aware of dozens of incidents in which the same actor or group intentionally layers two types of ransomware on top of each other. “The groups are constantly trying to work out which strategies are best , which net them the most money for the least amount of effort,” says Emsisoft threat analyst Brett Callow. “So in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not act...

Babuk ransomware is back, uses new version on corporate networks

  After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks. The criminals are currently using a new version of their file-encrypting malware and have moved the operation to a new leak site that lists a handful of victims. Gang’s still in the game The Babuk ransomware group became known at the beginning of the year but the gang says that their attacks had started in mid-October 2020, targeting companies across the world and demanding ransoms typically between $60,000 and $85,000 in bitcoin cryptocurrency. In some cases, victims were asked hundreds of thousands for data decryption. One of their most publicized victims is the Washinton DC’s Metropolitan Police Department (MPD). This attack likely pushed the threat actor into announcing its retirement from the ransomware business only to adopt another extortion model that did not include encryption....

Microsoft Teams Phishing Attack Targets Office 365 Users

  Up to 50,000 Office 365 users are being targeted by a phishing campaign that purports to notify them of a “missed chat” from Microsoft Teams. Researchers are warning of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials. Teams is Microsoft’s popular collaboration tool, which has particularly risen in popularity among remote workforces during the pandemic  — making it an attractive brand for attackers to impersonate. This particular campaign was sent to between 15,000 to 50,000 Office 365 users, according to researchers with Abnormal Security on Thursday. “Because Microsoft Teams is an instant-messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification,” said researchers in a Thursday analysis . The initial phishing email displays the name ...