3rd Generation Ransomware – Worst Cyber Threat Yet
Eagle Consulting Partners has been writing about the threats of ransomware for several years. We estimate that at least 25% of our customer base has had at least 1 ransomware incident during this time. Because of this high percentage, and the potential for serious impact, the possibility a ransomware attack has consistently been one of the top risks that we have identified in our security risk assessments and our risk management work. Over the last several months, we have seen continued evolution to what we are calling third-generation ransomware, which makes the risks even more severe. DD Board decision makers need to understand the cyber threat and the potential financial and non-financial impacts, the costs of protection, in order to set budgets for protective measures.
Primitive ransomware has existed for 30 years, but the frequency and impact were minor. Starting in 2012 through 2015, a more sophisticated and damaging generation was spread worldwide, generating millions of dollars for the criminal gangs. The gangs used a “shotgun” approach, using many distribution methods, but most commonly sending millions of “spam” emails with malicious links or attachments. These include the so called “CryptoLocker,” “CryptoWall,” “TeslaCrypt,” and other programs which generally infected a single PC. Most often, they encrypted only the files on that PC, but when a “shared folder” on a server was accessible to that PC, these ransomware programs could encrypt the files on the shared folder. So this first-generation ransomware could and did cause serious disruption for organizations in all sectors worldwide. But the “crown jewel” data for most organizations, typically stored in modern database management systems (DBMS), was rarely affected.
Beginning in Late 2017, we see what we call the second generation of ransomware. These programs are characterized by their ability to spread from computer to computer within a network, which is described by malware experts as a “worm”. The most famous in this category were “WannaCry” and “NotPetya”. The most devastating was NotPetya, which caused an estimated $10B in damages worldwide. Major international companies, including pharmaceutical company Merck, shipping Companies FedEx and Maersk, and food company Mondelez (makers of brands including Nabisco, Oreo and Ritz) fell victim to these cyber attacks. These attacks were often devastating, rapidly encrypting tens of thousands of computers and rendering them unusable.
During 2019, new tactics emerged, the so-called “targeted attack.” Hackers choose a target who has significant financial resources able to pay a ransom from $50,000 to several million dollars. These are very different in that a skilled hacker first gains access to a network, then invests weeks, or even months, navigating through the network to identify all servers, databases, and even backups, planting ransomware on multiple computers. Once ransomware programs are installed throughout the network, the attacker simultaneously initiates them (usually in the middle of the night or on a weekend). Government organizations have paid ransoms in excess of $500,000, often with support from their cyber-insurance companies.