Once the preserve of sophisticated nation-state actors, it appears as if financially motivated cyber-criminals are now getting in on the act, which is bad news for a range of organizations, according to the Incident Response and Intelligence Services (IRIS) report.
Analyzing incident response data from the first six months of the year, the report claimed that such attacks now cost multi-nationals on average $239m — 61-times more than the industry average of around $3.9m.
They also take a long time to respond to and remediate — on average 512 hours — with many victim organizations using multiple companies to assist them, further increasing the time taken.
Most concerning for organizations caught out by a destructive attack: on average a single blitz destroys 12,000 machines per company.
Destructive attacks have most commonly been associated with sophisticated malware such as Stuxnet, DarkSeoul and Shamoon, as nation-states go after geopolitical rivals, explained IBM X-Force in a blog post introducing the research.
“Since 2018, however, we have observed the profile of these attacks expanding beyond nation-states as cyber-criminals increasingly incorporate destructive components, such as wiper malware, into their attacks,” it added.
“This is especially true for cyber-criminals who use ransomware, including strains such as LockerGoga and MegaCortex. Financially motivated attackers may be adopting these destructive elements to add pressure to their victims to pay the ransom, or to lash out at victims if they feel wronged.”
Half of these attacks — centered around the US, the Middle East and Europe — targeted manufacturing during the reporting period, with oil and gas and education sectors also hit hard.
Hackers are often inside networks for weeks or months before launching their attacks, IBM said.
“We observe them taking care to covertly preserve access to privileged accounts or critical devices for the destructive phase of their attack, using them alongside legitimate remote command services within the targeted environment, such as PowerShell scripts, to move laterally through the victim’s network.”
Defense-in-depth is the answer, with MFA, well-tested incident response plans, network monitoring, threat intelligence and regular offline back-ups essential, IBM recommended.