Destructive attacks have left their mark over the past few years, wiping data and rendering millions of enterprise devices inoperable at companies around the world. A new report today from IBM X-Force Incident Response and Intelligence Services (IRIS) shows that these attacks have been on the rise, posing a growing threat to a wide variety of businesses that may not consider themselves an obvious target.

In the past, destructive malware was primarily used by sophisticated nation-state actors, but new analysis from X-Force’s incident response data has found that these attacks are now becoming more popular among cybercriminal attackers, with ransomware attacks including wiper elements to increase the pressure on victims to pay the ransom. As a result of this expanding profile, X-Force IRIS noted a whopping 200 percent increase in the amount of destructive attacks that our team has helped companies respond to over the past six months (comparing IBM incident response activities in the first half of 2019 versus the second half of 2018).

The evolving trend of destructive malware attacks also means that organizations of all shapes and sizes may find themselves a target in the near future — and must prepare accordingly.

Destructive Attacks — By the Numbers

An analysis of real-world incident response data from X-Force IRIS paints a picture of the devastating effects of these attacks on companies. A few of the key findings include:

• Massive destruction, massive costs: Destructive attacks are costing multinational companies $239 million on average. As a point of comparison, this is 61 times more costly than the average cost of a data breach ($3.92 million).
• The long road to recovery: The debilitating nature of these attacks requires a lot of resources and time to respond and remediate, with companies on average requiring 512 hours from their incident response team. It’s also common for organizations to use multiple companies to handle the response and remediation, which would increase hours even further.
• RIP laptops: A single destructive attack destroys 12,000 machines per company on average — creating quite a tab for new devices in order to get companies’ workforce back in action.

This new white paper delves deep into the evolving nature of these attacks, their implications and ways companies can protect themselves. In this blog, we will touch on just some of the takeaways from that paper.

A Tool for Nation-States and Cybercriminals Alike

X-Force IRIS defines destructive malware as malicious software with the capability to render affected systems inoperable. Often this malware has wiper capabilities, whether it’s state-affiliated or criminal malware.

From 2010 until 2018, we primarily observed nation-state actors employing destructive malware to further state interests, often to cause harm to a geopolitical opponent, keeping some plausible deniability on their side. With infamous strains such as Stuxnet, Shamoon and Dark Seoul making headlines, these attacks left a trail of destruction in their wake.

Since 2018, however, we have observed the profile of these attacks expanding beyond nation-states as cybercriminals increasingly incorporate destructive components, such as wiper malware, into their attacks. This is especially true for cybercriminals who use ransomware, including strains such as LockerGoga and MegaCortex. Financially motivated attackers may be adopting these destructive elements to add pressure to their victims to pay the ransom, or to lash out at victims if they feel wronged.

A Growing Threat to Businesses of All Types

As a result of the shift in attacker motivation, the variety of industries targeted by destructive malware has expanded over time, impacting companies in all market verticals. X-Force IRIS data suggests that destructive malware is becoming more prevalent for companies worldwide, with our incident response teams assisting with 200 percent more destructive malware cases in the first half of 2019 (compared to the second half of 2018). Half of these destructive malware cases were in the manufacturing industry, and destructive attacks also significantly targeted the oil and gas and education sectors. Most of the destructive attacks we have observed are in Europe, the U.S. and the Middle East.

X-Force IRIS Lessons Learned

In the course of remediating destructive malware attacks, X-Force IRIS has learned several important lessons about this genre of attack. Attackers wielding destructive malware tend to be cunning and careful. Often, they are present in compromised devices or networks for weeks or months before launching the destructive attack.

Destructive malware adversaries often gain initial entry into systems through phishing emails, password guessing, third-party connections and watering hole attacks. We observe them taking care to covertly preserve access to privileged accounts or critical devices for the destructive phase of their attack, using them alongside legitimate remote command services within the targeted environment, such as PowerShell scripts, to move laterally through the victim’s network.

What Can Companies Do to Reduce the Risks From Destructive Malware Attacks?

• Test your response plan under pressure. Use of a well-tailored tabletop exercise and a cyber range can ensure that your organization is ready at both tactical and strategic levels for a destructive malware attack.
• Use threat intelligence to understand the threat to your organization. Each threat actor has different motivations, capabilities and intentions, and threat intelligence can use this information to increase the efficacy of an organization’s response to an incident.
• Engage in effective defense in depth. Incorporate multiple layers of security controls across the entire Cyberattack Preparation and Execution Framework.
• Implement multifactor authentication (MFA) throughout the environment. The cost-benefit of MFA is tough to overstate, providing significant cybersecurity benefit in reducing the value of stolen or guessed passwords dramatically.
• Have backups, test backups and offline backups. Organizations should store backups apart from their primary network and only allow read, not write, access to the backups.
• Consider an action plan for a quick, temporary business functionality. Organizations that have been able to restore even some business operations following a destructive attack have fared better than their counterparts.
• Create a baseline for internal network activity and monitor for changes that could indicate lateral movement (more details on this approach in a podcast here.)