Ransomware was the dominant cyber security threat of 2017, with names like Petya and WannaCry commanding headlines. It never went away, but over the course of 2018 cyber criminals showed an increasing preference for crypto-mining attacks, which offered greater profit potential at lower risk and with a lower profile.
While it’s too early to say that ransomware attacks are back on top, they are certainly experiencing a major revival in early 2019. A number of new attacks have targeted high-profile businesses and demanded ransoms that are larger than usual. Norsk Hydro, Verint, The Weather Channel and Arizona Beverages are among the biggest names that have fallen victim to this new wave of ransomware attacks in recent weeks.
While all of these attacks were serious, aluminum manufacturing giant Norsk Hydro suffered the greatest financial damage. The company lost at least $40 million USD in revenue and recovery costs as the attack shut down most of its production for a week.
Norsk Hydro
The Norwegian aluminum producer was hit in late March by LockerGoga, a strain that first appeared in January of this year. LockerGoga changes the passwords of local user accounts, logs users off and drops the system's network connections before encrypting the files on the target system, then demands payment in Bitcoin. It is a particularly dangerous strain because it has been shown to evade analysis in virtual machines and sandboxes. It is also unusual in that it seems to specifically target industrial operations: it has also struck French industrial consulting firm Altran and two chemical manufacturers (Momentive and Hexion) in the United States. It does not yet have the ability to self-propagate between businesses, but security researchers have noted that whoever is responsible for it appears to be actively adding new capabilities.
The ransomware crippled Norsk Hydro's automated production, forcing the company to switch to manual operations for several days. The size of the ransom demanded was irrelevant in this case, because the company chose not to pay it.
LockerGoga is an unusual example of ransomware in that it is so thorough in removing access to the system that victims sometimes cannot even reach the ransom note. After the user accounts are locked out, Windows boot files are encrypted so that the system can no longer start. This may have been the case at Norsk Hydro, which opted to restore its systems from backups rather than pay the ransom. Nevertheless, the company took a substantial hit from lost production and from being unable to access customer orders for days.
The Weather Channel
The ransomware attack on The Weather Channel took the TV network off the air for about an hour and a half on April 18 during a live broadcast. The attack came during the Thursday morning hours in the United States, while the network was providing live coverage of a major snowstorm in the northeastern states. The company was unable to continue with the live morning show during the attack, and aired a rerun of the show "Heavy Rescue" instead.
Very few details about this incident have been released to the public, and the strain of ransomware used has not been identified. The Weather Channel's response appears to be a model for other businesses, however: the fact that it was able to restore its systems and return to live programming within hours indicates that it had working backups and a solid disaster recovery plan at the ready.
Verint Systems
Cybersecurity and analytics firm Verint Systems experienced an attack on its Israeli offices on April 17. The attack was timed to coincide with a meeting of company executives in Italy, but the in-house cybersecurity team detected it early and appears to have been very successful in containing it.
As with The Weather Channel attack, very few details have been released to the public, but the company appears to have rebounded quickly. Verint confirmed that it suffered relatively little damage, the response one would expect from a security firm with its own incident response capability.
Arizona Beverages
The company behind Arizona Iced Tea did not fare as well. It suffered a ransomware attack in late March that locked up some 200 computers and servers and prevented the sales division from operating for days. It took the company's security teams two weeks to make a full recovery.
The success of this attack can be attributed to outdated systems and weak security policy. The company was apparently running a number of badly outdated Windows systems that were not being kept up to date with patches. Its on-site backups also failed, and it took five days for the company to discover this and call in an external incident response team to regain access. The company estimated that it ended up spending hundreds of thousands of dollars on recovery and on building out an entirely new network.
The world's largest purveyor of canned iced tea beverages was hit by iEncrypt on March 21; the ransomware is believed to have been delivered by a malware infection that had compromised the company about two months earlier. iEncrypt began appearing in ransomware attacks in late 2018. In addition to encrypting files, it deletes Windows Volume Shadow Copies and System Restore points, so that victims cannot roll the system back to an earlier state.
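As an added example (not code from the article or from any of the vendors it mentions), the following Python script runs two detection rules over constructed Windows-style log lines: one for the LockerGoga behaviour described above (one account resetting many passwords within seconds, followed by logoffs) and one for the iEncrypt behaviour of deleting shadow copies and restore points. The event IDs are the standard Windows Security log IDs; the JSON field names, host and account names, thresholds, and the list of shadow-copy command lines are this example's own assumptions.

```python
"""Rule-based detection for two pre-encryption behaviours described above:
a LockerGoga-style burst of account password resets and forced logoffs, and
an iEncrypt-style destruction of Volume Shadow Copies and restore points.
Added example; the log lines are constructed, not real telemetry."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in JSON-lines form.  event_id follows the
# Windows Security log (4724 = password reset attempt, 4647 = user-initiated
# logoff, 4688 = process creation); the field names are this example's own.
SAMPLE_LOG = r"""
{"ts": "2019-03-19T01:02:10", "host": "FS01", "event_id": 4688, "subject": "svc_backup", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}
{"ts": "2019-03-19T01:02:11", "host": "FS01", "event_id": 4724, "subject": "tmp_admin", "target": "alice"}
{"ts": "2019-03-19T01:02:12", "host": "FS01", "event_id": 4724, "subject": "tmp_admin", "target": "bob"}
{"ts": "2019-03-19T01:02:12", "host": "FS01", "event_id": 4724, "subject": "tmp_admin", "target": "carol"}
{"ts": "2019-03-19T01:02:13", "host": "FS01", "event_id": 4724, "subject": "tmp_admin", "target": "dave"}
{"ts": "2019-03-19T01:02:14", "host": "FS01", "event_id": 4724, "subject": "tmp_admin", "target": "Administrator"}
{"ts": "2019-03-19T01:02:15", "host": "FS01", "event_id": 4647, "subject": "alice"}
{"ts": "2019-03-19T01:02:15", "host": "FS01", "event_id": 4647, "subject": "bob"}
{"ts": "2019-03-19T09:30:00", "host": "WS07", "event_id": 4724, "subject": "helpdesk", "target": "erin"}
{"ts": "2019-03-21T03:15:40", "host": "SQL02", "event_id": 4688, "subject": "SYSTEM", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"}
{"ts": "2019-03-21T03:15:41", "host": "SQL02", "event_id": 4688, "subject": "SYSTEM", "cmdline": "wmic.exe shadowcopy delete"}
{"ts": "2019-03-21T03:15:42", "host": "SQL02", "event_id": 4688, "subject": "SYSTEM", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"}
{"ts": "2019-03-21T03:16:00", "host": "SQL02", "event_id": 4688, "subject": "SYSTEM", "cmdline": "vssadmin.exe list shadows"}
"""


def parse(lines):
    """Parse JSON-lines telemetry into dicts ordered by timestamp."""
    events = []
    for line in lines:
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def password_reset_bursts(events, window=timedelta(seconds=60), threshold=4):
    """Alert when one account resets the passwords of >= threshold distinct
    accounts on a host within `window`.  A helpdesk resetting one password is
    routine; resetting every local account within seconds, followed by
    logoffs, is what the article describes LockerGoga doing before it encrypts."""
    alerts = []
    resets = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4724:
            resets[(ev["host"], ev["subject"])].append(ev)
    logoffs = [ev for ev in events if ev["event_id"] == 4647]
    for (host, actor), evs in resets.items():
        best, first, start = set(), None, 0
        for end, ev in enumerate(evs):          # sliding window over this actor's resets
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["target"] for e in evs[start:end + 1]}
            if len(targets) > len(best):
                best, first = targets, evs[start]["ts"]
        if len(best) >= threshold:
            kicked = [e["subject"] for e in logoffs
                      if e["host"] == host and first <= e["ts"] <= first + window]
            alerts.append({"rule": "password_reset_burst", "host": host, "actor": actor,
                           "targets": sorted(best), "first_seen": first.isoformat(),
                           "logoffs_in_window": sorted(kicked)})
    return alerts


# Command lines ransomware commonly uses to destroy recovery points.  This is a
# general list assembled for the example; the article only states that iEncrypt
# deletes shadow volumes and restore points, not which commands it runs.
SHADOW_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"win32_shadowcopy\b.*\.delete\(", re.I),
]


def shadow_copy_tampering(events):
    """Alert on any process-creation event whose command line matches a
    recovery-point destruction pattern.  Merely listing shadows is not an alert."""
    return [{"rule": "shadow_copy_tampering", "host": ev["host"], "actor": ev["subject"],
             "cmdline": ev["cmdline"], "ts": ev["ts"].isoformat()}
            for ev in events
            if ev["event_id"] in (1, 4688)          # 1 = Sysmon process create
            and any(p.search(ev.get("cmdline", "")) for p in SHADOW_TAMPER_PATTERNS)]


def detect(log_text):
    """Run both rules over raw JSON-lines text and return the alerts."""
    events = parse(log_text.splitlines())
    return password_reset_bursts(events) + shadow_copy_tampering(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Both rules fire well before any file is encrypted, which is the window in which isolating the host still limits the damage; the helpdesk reset on WS07 and the read-only `vssadmin list shadows` on SQL02 are left alone so that the rules do not page on routine administration.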
Ransomware Attacks are Becoming More Costly
The ransom amounts demanded in all of these cases are unknown, as all of the companies opted to restore from backups rather than negotiate. However, information security researchers have determined that the current trend is to go after high-value targets such as these and make bigger ransom demands than were typical in the past, in the hope that companies will decide to pay to make the problem go away.
A recent report from the security experts at Coveware found that the average ransom paid in Q1 of this year was $12,762, nearly double the figure for Q4 2018, with individual payments peaking at $35,000 USD. The report also noted that iEncrypt attacks are among those with the highest demands, and that the average cost of downtime was $64,645 across all victims. iEncrypt is not among the most common ransomware families at present, however; Dharma, GandCrab and Ryuk are seen far more often. Ryuk is associated with very large, targeted ransom demands and sophisticated operators, while Dharma is generally deployed by criminals with less ransomware experience.
One smaller but noteworthy ransomware family to appear recently is RobbinHood. It encrypts entire networks rapidly and usually opens with a very large ransom demand, which the note states will increase automatically by $10,000 every day starting on the fourth day after the ransom note is received.
Recovering from ransomware
Although decryption succeeds for most files when ransomware operators actually deliver a working decryptor, there is no guarantee that they will do so once paid. Whether or not victims pay the ransom, they can expect the total cost of a ransomware incident to run to tens of thousands of dollars at an absolute minimum.
As The Weather Channel's rapid recovery illustrates, the best protection against ransomware is a reliable routine of regular online and offline backups that are tested for restorability, together with a well-developed disaster recovery plan. And as the Arizona Beverages attack demonstrated, it is vital for businesses of any size to keep their operating systems up to date with the latest security patches to avoid falling victim to cyber attacks of all kinds.
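The Arizona Beverages case turned on backups that had failed without anyone noticing for days. As an added example, not code from the article or from any company it mentions, the following Python routine records a SHA-256 manifest at the moment a backup is taken and then proves that the archive restores and matches that manifest; the directory layout, file names and the two failure scenarios are constructed for the demonstration.

```python
"""Restore test for backups, the control that failed silently at Arizona
Beverages.  Added example, not from the article: it makes a backup, records a
manifest of SHA-256 hashes at backup time, then proves the archive can be
restored and matches that manifest.  The sample files are constructed."""
from __future__ import annotations
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write a gzip'd tar of src and return the manifest taken at backup time.
    Keep the manifest somewhere the backup job (and an intruder with the job's
    credentials) cannot overwrite, otherwise the check proves nothing."""
    manifest = snapshot_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def verify_backup(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore into a scratch directory and compare against the manifest.
    Returns a list of problems; an empty list means the backup is restorable."""
    with tempfile.TemporaryDirectory() as tmp:
        restore = Path(tmp)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(restore, filter="data")  # refuses path traversal
                except TypeError:  # Python builds without the 'filter' argument
                    tar.extractall(restore)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = snapshot_manifest(restore)
    problems = [f"missing: {rel}" for rel in manifest if rel not in restored]
    problems += [f"hash mismatch: {rel}" for rel, digest in manifest.items()
                 if rel in restored and restored[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in restored if rel not in manifest]
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a good backup, a truncated one, and one taken
    after the ransomware had already started overwriting files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "orders"
        (src / "2019").mkdir(parents=True)
        (src / "2019" / "march.csv").write_text("order,qty\n1001,40\n")
        (src / "customers.db").write_bytes(os.urandom(4096))
        archive = root / "orders.tar.gz"
        manifest = make_backup(src, archive)
        good = verify_backup(archive, manifest)

        # Failure mode 1: the job died mid-write (disk full, killed) and left a
        # truncated archive that a "backup succeeded" log line would not reveal.
        blob = archive.read_bytes()
        archive.write_bytes(blob[: len(blob) // 2])
        truncated = verify_backup(archive, manifest)

        # Failure mode 2: the nightly job ran after encryption began, so the
        # newest archive silently contains garbage instead of customer data.
        (src / "customers.db").write_bytes(b"\x00" * 4096)
        make_backup(src, archive)
        tainted = verify_backup(archive, manifest)  # checked against the pre-incident manifest
    return {"good": good, "truncated": truncated, "tainted": tainted}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

Run the verification on a schedule from a host that only has read access to the backup store, and treat any non-empty result as an incident rather than a warning; the five days Arizona Beverages lost were the gap between "the job reported success" and "someone tried to restore".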