Ransomware - a type of malware that infiltrates and infects a user or company’s system and encrypts their data, holding the organisation to ransom until a large sum of money is paid in return for a decryption key to unlock it - is more pervasive than ever. However, the emergence of a new type of ransomware strain late in 2017 showed a sinister new face to the already destructive malware. Rather than having their data recovered when they paid their ransom, the victims of the attack found their data completely and irretrievably wiped, even after paying large sums of money to recover their information.
Whereas ransomware, in the traditional sense, seeks to make its perpetrators wealthy, the new strain seeks to destroy. It mimics ransomware and operates in a very similar fashion, accessing victim’s computers through an infected link or attachment, encrypting the data on the machine and any other servers it can spread to. However, the new strain is also able to elevate user access, meaning it can obtain user credentials and move laterally – undetected - between systems. The effects of such a wave can be catastrophic, with devastating financial and reputational consequences.
This new type of data wiping ransomware begs the question: who are the new cybercriminals intent on malicious sabotage of information, what do they stand to gain, and has ransomware evolved to be called “destructionware”, given its tendency to destroy rather than hold to ransom? We take a look at the possible motives behind “destructionware” purveyors, and how South African businesses can protect themselves from falling victim.
Cybercrime as a business
In cybercrime circles, what has been a simple get-rich-quick scheme for individual hackers and hacker syndicates, has evolved into a lucrative business. Ransomware-as-a-service (Raas) is increasingly being offered by industrious syndicates, who make a cut from their customers’ use of the code that they provide. However, as evidenced by the “destructionware” outbreak, money is no longer the primary objective of the cybercriminal world, and more sinister motives appear to be at play.
One potential motive is sheer bragging rights. Cybercriminals, or hackers, inhabit the Darkweb, an underground Internet used for nefarious purposes, and many develop reputations among their peers based on their expertise. It’s safe to say that a malware such as “destructionware” would launch the hacker or syndicate, responsible into the limelight, giving them a level of fame in cybercriminal circles.
The bragging rights that “destructionware” gives its makers effectively allows them to name their price for services such as RaaS, going forward. They also obtain that which every hacker seeks: the respect of their peers for bringing a large portion of global business to its knees with a few simple tweaks of an already prevalent malware.
Of course, there are those who would seek the services of such hackers or syndicates, for their own malevolent reasons. Former employees who bear a grudge against previous employers; activists who protest an organisation or government’s business practices; terrorist groups who want to add cyberterrorism to their arsenal; victims of lost investments; or even merely jealous individuals who wants to destroy that which they cannot, or do not, have.
RaaS has made ransomware – and now “destructionware” - accessible to anyone who wants to create and capitalise on the havoc it generates. One thing is certain: with ransomware and “destructionware” being so readily available, the likelihood of further and more evolved attacks occurring is high, and business owners need to take the necessary steps to protect themselves as best as possible.
Protecting yourself and your business
If organisations do not already have a comprehensive 360-degree security strategy, then the time is right to do implement one. A comprehensive strategy incorporates preventative security controls in the form of the necessary Operating System (OS) patches, effective anti-malware solutions, complete system protection, end point security, data centre security, perimeter and access control, and more.
New developments in cyber security are using data analytics and AI to scour patterns an identify anomalies which could pre-empt or signify attack, with the goal of shutting shown systems connected to the infected device to prevent the malware from spreading. As cybercrime evolves, so does cyber security, however evolving cyber security also creates new challenges that hackers are only too eager to crack. As such, a cycle of ongoing cybercrime versus cybersecurity measures is born.
A truly effective security strategy needs to be underscored by education. Users within an organisation must be educated on cybercrime and safe browsing habits. When employees understand what to look out for and how to safely navigate all Internet enabled services, they automatically reduce the risk of infection and attack. Ransomware and “destructionware” cannot succeed without willing participation of the victim in that he or she needs to physically click on the infected link or attachment in order to download the malware.
In an environment that is increasingly reliant on Internet connected devices and where Bring-Your-Own-Device (BYOD) is a fairly common practice, even with a comprehensive security strategy there can be vulnerabilities. Users who understand the risks of clicking on unknown attachments or links are less likely to do so without carefully researching and understanding the source of the link or attachment.
Education also encourages users to practice safer browsing habits outside of their office, leading to less likelihood of an infected device entering the organisation’s environment.
Security needs to be tackled from multiple angles, and not simply opted for as a necessary evil. When profits and reputations are at risk, businesses simply cannot afford not to invest in security, and the value of having a comprehensive system in place to prevent malware attacks must not be underestimated – just ask any one of the 65 or more large companies who were hardest hit by “destructionware” and may never recover their losses.
Paul Jolliffe, Lead DSM: Security, T-Systems South Africa