Destructive attacks have left their mark over the past few years, wiping data and rendering millions of enterprise devices inoperable at companies around the world. A new report today from IBM X-Force Incident Response and Intelligence Services (IRIS) shows that these attacks have been on the rise, posing a growing threat to a wide variety of businesses that may not consider themselves an obvious target.

In the past, destructive malware was used primarily by sophisticated nation-state actors, but new analysis of X-Force’s incident response data has found that these attacks are becoming more popular among cybercriminals, with ransomware attacks incorporating wiper elements to increase the pressure on victims to pay. As a result of this expanding profile, X-Force IRIS recorded a 200 percent increase in the number of destructive attacks our team has helped companies respond to over the past six months (comparing IBM incident response engagements in the first half of 2019 with the second half of 2018).

The evolving trend of destructive malware attacks also means that organizations of all shapes and sizes may find themselves a target in the near future — and must prepare accordingly.

Destructive Attacks — By the Numbers

An analysis of real-world incident response data from X-Force IRIS paints a picture of the devastating effects of these attacks on companies. A few of the key findings include:

  • Massive destruction, massive costs: Destructive attacks are costing multinational companies $239 million on average. As a point of comparison, this is 61 times more costly than the average cost of a data breach ($3.92 million).
  • The long road to recovery: The debilitating nature of these attacks demands substantial time and resources to respond and remediate; on average, a victim’s incident response team spent 512 hours on a single incident. It is also common for organizations to engage multiple outside firms for response and remediation, which increases the total hours further.
  • RIP laptops: A single destructive attack destroys 12,000 machines per company on average — creating quite a tab for new devices in order to get companies’ workforce back in action.

This new white paper delves deep into the evolving nature of these attacks, their implications and ways companies can protect themselves. In this blog, we will touch on just some of the takeaways from that paper.

A Tool for Nation-States and Cybercriminals Alike

X-Force IRIS defines destructive malware as malicious software with the capability to render affected systems inoperable. Often this malware has wiper capabilities, whether it’s state-affiliated or criminal malware.

From 2010 until 2018, we primarily observed nation-state actors employing destructive malware to further state interests, often to cause harm to a geopolitical opponent, keeping some plausible deniability on their side. With infamous strains such as Stuxnet, Shamoon and Dark Seoul making headlines, these attacks left a trail of destruction in their wake.

Since 2018, however, we have observed the profile of these attacks expanding beyond nation-states as cybercriminals increasingly incorporate destructive components, such as wiper malware, into their attacks. This is especially true for cybercriminals who use ransomware, including strains such as LockerGoga and MegaCortex. Financially motivated attackers may be adopting these destructive elements to add pressure to their victims to pay the ransom, or to lash out at victims if they feel wronged.

A Growing Threat to Businesses of All Types

As a result of the shift in attacker motivation, the variety of industries targeted by destructive malware has expanded over time, impacting companies in all market verticals. X-Force IRIS data suggests that destructive malware is becoming more prevalent for companies worldwide, with our incident response teams assisting with 200 percent more destructive malware cases in the first half of 2019 (compared to the second half of 2018). Half of these destructive malware cases were in the manufacturing industry, and destructive attacks also significantly targeted the oil and gas and education sectors. Most of the destructive attacks we have observed are in Europe, the U.S. and the Middle East.

X-Force IRIS Lessons Learned

In the course of remediating destructive malware attacks, X-Force IRIS has learned several important lessons about this genre of attack. Attackers wielding destructive malware tend to be cunning and careful. Often, they are present in compromised devices or networks for weeks or months before launching the destructive attack.

Destructive malware adversaries often gain initial entry through phishing emails, password guessing, third-party connections and watering hole attacks. We observe them taking care to covertly preserve access to privileged accounts or critical devices for the destructive phase of the attack, and using that access together with legitimate remote administration tooling already present in the targeted environment, such as PowerShell, to move laterally through the victim’s network.

What Can Companies Do to Reduce the Risks From Destructive Malware Attacks?

  • Test your response plan under pressure. Use of a well-tailored tabletop exercise and a cyber range can ensure that your organization is ready at both tactical and strategic levels for a destructive malware attack.
  • Use threat intelligence to understand the threat to your organization. Each threat actor has different motivations, capabilities and intentions; knowing which actors are likely to target you, and how they operate, makes an organization’s response to an incident more effective.
  • Engage in effective defense in depth. Incorporate multiple layers of security controls across the entire Cyberattack Preparation and Execution Framework.
  • Implement multifactor authentication (MFA) throughout the environment. The cost-benefit of MFA is hard to overstate: it dramatically reduces the value of stolen or guessed passwords, which are among the entry points described above.
  • Have backups, test backups and keep offline backups. Store backups apart from the primary network and allow only read access to them from production systems, not write access, so that an attacker who controls the network cannot wipe or encrypt them along with everything else. A backup that has never been restored from is untested; restore regularly to confirm the data is usable.
  • Have an action plan for restoring limited business functionality quickly, even if only temporarily. Organizations that have been able to bring back even some business operations following a destructive attack have fared better than their counterparts.
  • Create a baseline of internal network activity and monitor for changes that could indicate lateral movement, such as hosts connecting to systems or ports they have never used before.
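As an added example of the baselining approach in the last recommendation (this is not X-Force’s code or tooling; the log format, the IP addresses and the list of administrative ports are assumptions constructed for illustration), the script below learns which internal host-to-host connections are normal from a learning window of connection records, then flags connections in a monitoring window that were never seen before on ports used by remote administration tooling (SMB, RPC, WinRM for PowerShell remoting, RDP), and raises a separate alert when one source fans out to several new hosts on those ports, which is the pattern of an operator moving laterally.

```python
"""Baseline internal host-to-host connections and flag candidate lateral movement.

Added example, not code from IBM X-Force. The connection records below are
constructed for illustration; the format is 'timestamp src_ip dst_ip dst_port'.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ports used by legitimate remote-administration tooling that is also abused for
# lateral movement: RPC endpoint mapper, SMB, RDP, WinRM (PowerShell remoting).
# Assumed list for this example; tune it to the environment.
ADMIN_PORTS = {135, 445, 3389, 5985, 5986}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Parse 'ts src_ip dst_ip dst_port' records; skip comments, blanks and malformed lines."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append(Flow(parts[0], parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def build_baseline(flows):
    """Map each source host to the set of (destination, port) pairs it used during the learning window."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport))
    return baseline


def detect_lateral_movement(baseline, flows, fanout_threshold=3):
    """Return alert strings for admin-port connections that are absent from the baseline.

    Two signals: a never-before-seen connection on an admin port, and a single
    source reaching fanout_threshold or more new hosts on admin ports.
    """
    alerts = []
    new_admin_targets = defaultdict(set)
    for f in flows:
        if (f.dst, f.dport) in baseline.get(f.src, set()):
            continue  # seen during the learning window, treated as normal
        if f.dport in ADMIN_PORTS:
            alerts.append(f"{f.ts} new admin-port connection {f.src} -> {f.dst}:{f.dport}")
            new_admin_targets[f.src].add(f.dst)
    for src, dsts in new_admin_targets.items():
        if len(dsts) >= fanout_threshold:
            alerts.append(f"fan-out: {src} reached {len(dsts)} new hosts on admin ports: {sorted(dsts)}")
    return alerts


# Constructed sample: a learning window of normal traffic, then a monitoring window
# in which workstation 10.0.1.20 starts reaching its neighbours over SMB and WinRM.
BASELINE_LOG = """
# ts src dst dport
2019-06-01T08:00:00 10.0.1.20 10.0.2.5 445
2019-06-01T08:01:00 10.0.1.21 10.0.2.5 445
2019-06-01T08:02:00 10.0.9.2 10.0.2.5 5985
2019-06-01T08:03:00 10.0.9.2 10.0.2.6 5985
2019-06-01T08:04:00 10.0.1.20 10.0.2.10 443
"""

MONITOR_LOG = """
2019-06-10T02:10:00 10.0.1.20 10.0.2.5 445
2019-06-10T02:11:00 10.0.1.20 10.0.1.21 445
2019-06-10T02:11:30 10.0.1.20 10.0.1.22 5985
2019-06-10T02:12:00 10.0.1.20 10.0.1.23 5985
2019-06-10T02:12:30 10.0.1.20 10.0.2.11 443
2019-06-10T02:13:00 10.0.9.2 10.0.2.7 5985
"""


def run_example():
    """Build the baseline from the learning window and score the monitoring window."""
    baseline = build_baseline(parse_flows(BASELINE_LOG.splitlines()))
    return detect_lateral_movement(baseline, parse_flows(MONITOR_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

On the sample data the workstation’s three new SMB and WinRM connections each produce an alert and together trip the fan-out rule, while its new HTTPS connection is ignored. The admin host 10.0.9.2 reaching one new server also produces an alert; in a real deployment, known jump hosts would be allow-listed or given a higher threshold. Two caveats matter in practice: if the learning window already contains attacker activity, that activity is learned as normal, so baseline from a period you trust; and a patient adversary who moves one host at a time over weeks will stay under any fan-out threshold, which is why the per-connection alert is kept as well.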
Download the report: “Combating Destructive Malware: Lessons from the Front Line”
