IBM’s X-Force Incident Response and Intelligence Services (also known as IRIS) has issued a report detailing the growth of destructive malware infecting the corporate space. The cybersecurity arm of Big Blue has disclosed that, in an average malware attack on a typical multinational firm, 12,316 corporate Internet-connected devices were rendered offline, costing $239 million to replace and reconfigure. Full recovery from a malware infection entails not only reimaging the affected devices but also absorbing the long-term effect of the negative publicity on the company’s brand, products, and services. It is difficult to assess the damage an organization suffers when it has to restore the faith of its customers in its products and services, trust that usually takes decades of passion and quality to build. Employees who depend entirely on their devices for work will experience severe productivity loss until the equipment and computers are either repaired or replaced.
The IRIS team focused on the motivation of malware authors in launching cyber attacks, and on why they wipe data clean rather than simply steal some of it for their own purposes. Ransomware whose command-and-control (C&C) servers have already been shut down by authorities effectively becomes a strain of malware that encrypts user data with no chance of recovery. It takes a lot of effort for malware authors to keep their C&C servers up, since those servers are what hand over the decryption key needed to unlock the user’s files once the fee is paid. As law enforcement authorities continue to hunt down and shut down ransomware operations, orphaned ransomware is left floating on the Internet looking for its next victims, but this time there is no longer any facility to process ransom payments.
This creates a new variant of malware, which X-Force calls wiper viruses, that has nothing to do but destroy data in its wake (by encryption). Neither the victims nor even the malware authors themselves can decrypt the data once the C&C servers are gone. For 2019, the team saw the rise of at least three new aggressive ransomware families (possibly replacing the orphaned ransomware): OlympicDestroyer, MegaCortex, and LockerGoga. LockerGoga is designed to attack the manufacturing sector’s computers; OlympicDestroyer specifically targets Korean computers assigned to organizing the Olympics; and MegaCortex is a new strain focusing on cyber attacks against vulnerable computers in North America and Europe.
“While not all ransomware attacks incorporate destructive malware, the simultaneous increase in overall ransomware attacks and ransomware with destructive elements underscores the enhanced threat to corporations from ransomware capable of permanently wiping data,” explained the IRIS team.
Since companies with established brands that operate in multiple locations globally have efficient backup architectures, they can easily reverse the damage of ransomware encrypting user data; the destructive wiper capability is therefore handy for purposes other than extracting ransom money. “For incidents involving destructive malware to which X-Force IRIS has responded, the average number of hours needed to remediate the incident was 512, stretching to 1,200 hours or more for significant events. This number includes cases where the malware was not deployed, cases where equipment simply needs to be replaced with limited remediation options,” concluded the IRIS team.