Ransomware attacks have caused business interruption and other lingering damage to Australian small- and medium-sized business, enough damage that 22 percent have been forced to close after an attack. Ransomware attacks have paralysed business operations so much so that new research has reported that 31 percent of organisations have yet to determine how they were infected.
A Telstra survey of IT professionals from more than 300 Australian companies found 48 percent of those surveyed had experienced a cyber attack in the past 12 months. This is up from 33 percent in 2018. Of those who suffered an attack, 81 percent experienced a ransom incident, and 51 per cent of them paid it.
A yearly study, Malwarebytes Labs State of Malware 2019, has confirmed that potential damage from ransomware attacks extends far beyond the original ransom. Ransomware isn’t the same wide-ranging threat as it was in 2017, however it’s still a sizable problem. Overall trends have shown a drop in volume for the year (Jan – Nov 2018), but an increase in focused, sophisticated attacks aimed at businesses.
Overall ransomware attacks have dropped when measured against attacks in 2017. In 2017 the study recorded 8,016,936 attacks across businesses and consumers globally. Compare that to 2018, where there were 5,948,417 detections recorded—a decline of 26 percent.
Given that businesses house so much more valuable data and critical systems, they are proving to be a more profitable ransomware target for criminals. Not only do they have the potential funds to pay a ransom, they’re also likely to have multiple pressing reasons for wanting to get back to work. Ransomware delays can be incredibly costly, especially when an affected organisation has no backup plan in place and multiple endpoints to remediate. Incident response and digital forensics all add to the cost, which is often a lot more than simply paying the ransom.
You might be wondering which industries are popular targets for ransomware? Which verticals took the hardest hit? Malwarebytes’ data shows that consulting is the top contender, and education is second place. Here are industries listed in order of most targeted to least targeted:
Although there were major stories throughout 2018 regarding healthcare and government ransomware attacks, other industries actually felt the brunt of the ransomware menace.
SamSam caused chaos across medical networks in the US, exploiting and brute-forcing its way into systems to make over $1 million US dollars ($A1445300) for holding systems to ransom. One of its many older variants revamped to be more appealing to criminals, charging victims a more moderate price than alternative recovery methods, making significantly more money as a result. From January to March, SamSam took down everything from hospitals to city services, including departments of transportation and city-facing applications in Atlanta, Georgia. Additional major attacks took place in September, with both the ports of San Diego and Barcelona suffering outbreaks.
Although law enforcement agencies believe they know who is behind these infections, the alleged duo are still at large, and we still continue to see spikes in attacks globally. SamSam will continue to be a strong source of malware infections well into 2019.
GandCrab was also a major player in 2018, making use of various exploit kits shortly after its first appearance in January. Numbers steadied and remained constant for most of 2018, with a huge spike of activity in February, thanks to multiple spam campaigns in Q1. Moving to the Magnitude exploit kit for distribution, GandCrab continued to cause trouble for network admins and home users. This is partly thanks to Magnitude’s unconventional malware-loading methods. Everything from fileless techniques to binary padding (where extra data is added to files to bypass scanning) were used in the race to make it the biggest source of GandCrab.
GandCrab, the top ransomware variant of Q2 2018, is also notable for being the first ransomware to ask its victims for a cryptocurrency payment other than Bitcoin. At a time when business ransomware detections were up by 28 percent, but the overall volume remained low, it became one of the leading sources of malicious ransomware campaigns in 2018.
Although ransomware has lost ground to other malware players, such as cryptominers and Trojans, it still causes quite a bit of damage, and 2018 has been a year of quiet experimentation and reassessment. The public at large are much more aware of such attacks now, and the same old tricks won’t work forever. Expect to see more innovative reworkings of older files and strengthened ties to cutting-edge exploit kits to push ransomware further still in 2019. The Australian Government tracks malware attacks on the Australian Cyber Security Centre for the public to stay updated.
I have known Tim for many years and have worked with him on many projects. Tim is a consummate professional whom I would happily and confidently recommend to anyone in need of his services.