The increasing sophistication of ransomware attacks
Ransomware attacks have become a worrying threat in our increasingly digital world. As cybercriminals use sophisticated techniques to exploit vulnerabilities, the consequences are felt by individuals, companies, and even entire countries. In this blog post, we delve into the dark side of today’s ransomware attacks, exploring the troubling trends and consequences that accompany these malicious activities.
Over time, ransomware attacks have evolved into more complex and sophisticated operations. Cybercriminals are now using sophisticated tactics to increase their reach. Phishing, where attackers carefully craft personalized emails to trick victims into revealing sensitive information or downloading malware, has become a common method. Additionally, zero-day exploits that target software vulnerabilities unknown to the vendor give attackers an advantage.
The encryption algorithms used by ransomware are also becoming increasingly sophisticated, making it extremely difficult for victims to recover their data without paying a hefty ransom. The complexity and persistent nature of these attacks make them a formidable threat.
Devastating impact on individuals and companies
The consequences of ransomware attacks are devastating for individuals and businesses alike. Personal files, sensitive data, and intellectual property can be permanently encrypted or stolen, causing significant financial loss and emotional distress to individuals.
Businesses, on the other hand, face even more serious consequences. Outages caused by ransomware attacks can bring critical processes to a halt, resulting in significant financial losses. In addition, reputational damage from an attack can have long-lasting effects, causing a loss of customer confidence and potential bankruptcy.
Here are some notable examples of destructive ransomware strains seen in recent years:
- CryptoLocker (2013): CryptoLocker emerged in September 2013 and wreaked havoc until it was neutralized by an international cyber security task force in May 2014. Its spread was facilitated by the sprawling Gameover ZeuS botnet.
- Petya (2016) and NotPetya (2017): The Petya ransomware family first appeared in 2016, but it was the destructive strain NotPetya that gained widespread attention in 2017. NotPetya caused more than $10 billion in damages in Europe and the United States.
- WannaCry (2017): In May 2017, the WannaCry ransomware launched a powerful attack, infecting more than 230,000 computers in 150 countries in a single day. Damages and cleanup costs are estimated at $4 billion.
- DarkSide (2020): In 2020 and 2021, DarkSide gained notoriety for its RaaS model, which led to significant ransomware attacks and ransom demands. Although the group claimed to avoid attacks on government and medical facilities, it was responsible for the 2021 attack on Colonial Pipeline that disrupted fuel supplies on the US East Coast.
- Nvidia (2022): In 2022, Nvidia, the semiconductor giant, was hit by a ransomware attack. Credentials and employee data were leaked online. The hacker group Lapsus$ claimed responsibility, demanding a $1 million ransom and a percentage of the royalties.
These significant ransomware cases make it clear that this form of cyber threat has evolved over time, becoming more sophisticated and more consequential.
Focus on critical infrastructure
Complexity of critical infrastructure
Critical infrastructure, such as power generation and distribution, is becoming increasingly complex and dependent on networks of connected devices. A few decades ago, power grids and other critical infrastructure operated in isolation. They are now much more interconnected both geographically and across sectors.
As the US power grid scenario highlights, the failure of one critical infrastructure can lead to a devastating chain reaction, Edry says.
Not surprisingly, the vulnerability of critical infrastructure to cyber attacks and technical failures has become a major concern, and recent events have confirmed those fears.
In December 2015, the world witnessed the first known blackout caused by a malicious cyber attack. Three utility companies in Ukraine were affected by the BlackEnergy malware, which left hundreds of thousands of homes without power for six hours.
According to cybersecurity firm Trend Micro, the malware targeted utility companies’ SCADA (supervisory control and data acquisition) systems and likely began as a phishing attack.
Two months after the blackout, news emerged that Israel’s National Electricity Authority had suffered a major cyber attack, although the damage was mitigated after the Israel Electricity Corporation shut down systems to prevent the spread of the virus.
Industry sectors vulnerable to cyber attacks
The energy sector is one of the main targets of cyberattacks on critical infrastructure, but not the only one. Transport, public sector services, telecommunications and critical manufacturing sectors are also vulnerable.
In 2013, Iranian hackers breached the Bowman Avenue causeway in New York City and took control of the locks. Oil rigs, ships, satellites, airliners, airport and port systems are believed to be vulnerable, and the media has reported breaches.
Cyberattacks on critical infrastructure and key manufacturing industries have increased, according to U.S. cybersecurity officials at the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a U.S. government agency that helps companies investigate attacks on ICS and corporate networks.
In 2015, the number of cyber investigations increased by 20%, and the number of attacks on critical US industries doubled.
Over the years, a wide range of sectors have become more reliant on industrial control systems such as SCADA, programmable logic controllers (PLCs) and distributed control systems to monitor processes and control physical devices such as pumps, valves, motors, sensors, etc.
The most high-profile example of a cyberattack on critical infrastructure is the Stuxnet computer virus. A worm targeting PLCs disrupted Iran’s nuclear program by damaging centrifuges used to separate nuclear material.
The incident raised concerns because Stuxnet could be adapted to attack SCADA systems used by many critical infrastructure businesses and manufacturing industries in Europe and the US.
In one of the few public examples of a SCADA attack, a German steel plant suffered significant damage after a cyberattack caused a furnace shutdown, Germany’s Federal Information Security Agency reported in 2014. The attackers used social engineering techniques to gain control of the plant’s domain management systems.
Infrastructure cyberattacks target control systems, not data
According to the Organization of American States and Trend Micro, cyberattacks on critical infrastructure and manufacturing are more likely to target industrial control systems than to steal data.
Their research found that 54% of 500 US critical infrastructure vendors surveyed reported attempts to control systems, while 40% experienced attempts to shut down systems. More than half said they had seen an increase in attacks, while three-quarters believed these attacks were becoming more sophisticated.
According to Edri, hackers are increasingly interested in operational technologies, the physical connected devices that support industrial processes. “Vulnerability and lack of knowledge about operational technology is the most dangerous thing today,” he says.
As an example, he cites a cyberattack on an office building in New York, in which a hacker gained access, through a connected vending machine, to building management systems that monitor power, communications, security systems and the environment. The building’s closure resulted in a $350 million loss in lost business, he said.
The dark side of ransomware attacks extends beyond individual targets to critical infrastructure. In recent years, cybercriminals have shown increased interest in hospitals, energy networks, transportation systems, and government institutions. The motivation behind these attacks is not only to compromise sensitive data, but also to endanger lives and disrupt essential services. The consequences of successful attacks on critical infrastructure can be dire, underscoring the urgent need for robust cybersecurity measures to protect these vital systems.
Critical infrastructure sites are high-value targets for state cyber espionage and asymmetric warfare, as well as for active ransomware criminal groups. Thanks to rapid digitalization, 2020 was characterized by a significant increase in the activity of cybercriminals, in particular ransomware attacks. But could ransomware groups disrupt electricity supplies and other critical services in their growing quest for bigger rewards?
Consider what we know:
- Back in 2015, a highly sophisticated group showed the world that cybercriminals can cause real-life disruptions in the power supply of citizens, companies and infrastructure, effectively disabling parts of the Ukrainian power grid.
- A year later, a related group launched and tested malware specifically designed to hijack industrial control systems in even more critical components of the power grid, which could have shut down power to entire regions of Ukraine had the group chosen to do so.
- Several ransomware groups claim to have access to critical infrastructure, including a nuclear power plant.
- In 2021, ransomware groups attacked numerous industrial facilities, including wastewater treatment plants, factories, and even a strategic pipeline operator in the US. The attack on the pipeline led to fuel shortages across a wide region for gas stations, airports, the military and even home heating.
The capacity for serious and large-scale destruction is quite obvious. Indeed, all of our core services are increasingly at risk, as a successful cyber attack on critical infrastructure can:
- disrupt the operation and supply of electricity, oil, gas, water, waste management and transport
- further threaten worker and public safety as dependent services, including emergency services and medical facilities, are cut off or compromised as collateral damage
- impact revenue, damage reputation, and result in litigation or regulatory consequences for service failure
- bring the economy to a standstill in a severe and prolonged scenario, due to the domino effect described earlier and the possibility of civil unrest and disorder
- be used to weaken a country’s government and essential services in preparation for a conventional military attack by another nation state.
The ransomware landscape
The large-scale consequences of the ransomware attack on a pipeline operator in the US in May 2021 were not a first. A year earlier, Taiwan’s largest domestic electricity supplier suffered a ransomware incident that disrupted many of the country’s gas stations, part of a series of targeted attacks on critical infrastructure.
Ransomware groups have now firmly established themselves as a threat to global critical infrastructure and launched so-called “big game hunting” campaigns, which account for the 500% increase in attacks against industrial organizations from 2018 to 2020. Meanwhile, we are also seeing a rise in ransomware that includes features specifically targeting industrial control systems.
Why are ransomware attacks so successful?
By denying access to core systems, ransomware can cause an organization to run its operations in a severely compromised state. In addition to the increasing sophistication of ransomware groups, changing expectations have increased the risk to critical infrastructure. To meet stakeholder demands for simplicity, efficiency and value while meeting budget constraints, organizations are increasingly embracing digitalization, including the convergence of IT with operational technologies (OT) and the use of cloud and Industrial Internet of Things (IIoT) technologies.
In addition, the pandemic has forced many organizations to quickly enable remote access for their OT staff. These changes are making OT environments more vulnerable to increasingly powerful cyber threats.
Ransomware as a Service (RaaS)
The emergence of ransomware as a service has further exacerbated the threat landscape. Cybercriminals now offer ready-to-use ransomware packages for novice attackers, allowing them to carry out sophisticated attacks without advanced technical skills.
Such commoditization of ransomware has greatly contributed to its widespread distribution and to the growth in the number of potential attackers. The availability of RaaS lowers the entry barrier for cybercriminals and creates a challenge for law enforcement and cybersecurity professionals.
Development of payment methods and cryptocurrencies
To facilitate ransom payments while maintaining anonymity, cybercriminals have turned to cryptocurrencies such as Bitcoin. These decentralized digital currencies allow transactions to be carried out without being easily traced. The use of cryptocurrencies makes it difficult for law enforcement because traditional financial institutions have limited access to these transactions. The relative anonymity offered by cryptocurrencies allows cybercriminals to operate with less risk of detection and apprehension, exacerbating the challenges that authorities face in combating ransomware attacks.
Collateral damage and hidden costs
Beyond the direct impact of ransomware attacks, there are hidden costs and collateral damage that organizations face. The financial burden associated with incident response, recovery, and potential lawsuits can be significant. In addition, the loss of customer trust and reputation in the market can have long-term consequences for the business, compounding the damage caused by these attacks. Restoring trust and business after an attack can be a long and expensive process.
Urgent need for cooperation on cyber security and preventive measures
Today’s sophisticated ransomware attacks pose a serious and growing threat to individuals, businesses and critical infrastructure. The dark side of these attacks includes the increasing sophistication of techniques, the devastating impact on victims, the targeting of critical infrastructure, the availability of ransomware as a service, the use of cryptocurrencies, and the hidden costs incurred.
To mitigate this threat, it is imperative to prioritize cybersecurity measures, stay abreast of emerging threats, and foster collaboration to combat this growing cyber threat landscape. Preventive measures such as regular software updates, training employees on cybersecurity best practices, and robust incident response plans are essential for organizations to defend against these ever-evolving ransomware attacks.