IBM X Force Dissect The Destructive Power Of Malware

Destructive malware that disables access to data or destroys system functions has been expanding across geographies and industries over the past few years. Organisations previously thought safe from this form of cyber aggression increasingly finds themselves affected, either directly or indirectly. 

IBM has produced a Report called Combating Destructive Malware, which explains the significant effects and the lessons learnt.

The cost of a destructive malware infection can be significant for an organisation. In fact, IBM X-Force Incident Response and Intelligence Services (IRIS) estimates that victimised organisations on average experience a total cost of over $200 million and have more than 12,000 devices destroyed in an attack. Recovery from destructive malware can also require hundreds of hours to remediate and rebuild environments that have been destroyed. 

The NotPetya malware that hit organisations across the globe is a stark example of the costly damage that destructive malware can leave in its wake. According to a White House assessment, NotPetya caused serious business disruption across geographies and resulted in more than $10 billion in total damages. 

IBM X-Force IRIS’ team of veteran intelligence and response specialists have amassed data and real-world experience from responding to and analyzing a variety of destructive malware incidents. 

What is Destructive Malware? 
Destructive malware is malicious software with the capability to render affected systems inoperable and challenge reconstitution. Most destructive malware variants cause destruction through the deletion or wiping of les that are critical to the operating system’s ability to run. 

In a few cases, such as the Stuxnet worm, destructive malware used by nation-state actors and was designed to destroy industrial equipment by sending tailored messages to turbines that caused them to malfunction and become inoperable. 
Historically, destructive malware such as Stuxnet, Shamoon, and Dark Seoul, was primarily used by nation-state actors. However, especially since late 2018, cybercriminals have been incorporating wiper elements into their attacks, such as with new strains of ransomware like LockerGoga and MegaCortex. 

Who uses Destructive Malware, and why? 
Between the years 2010 and 2018, destructive malware was primarily used by nation-state actors to further state interests. A classic intent of destructive malware is to cause harm to a geopolitical opponent. Some examples include the destruction of nuclear centrifuges in Iran, or debilitating operations of key industry organisations worldwide. 

Cybercriminals may be adopting these destructive elements to add pressure to their demands that victims pay the ransom, adding irreparable data destruction to encryption as a potential repercussion. Alternatively, criminals may be using wiper malware to lash out at victims if they feel wronged, using destructive attacks more impulsively rather than strategically. 

The impact and cost of Destructive Malware 
The amount of damage companies experience in a destructive malware attack can be difficult to quantify, but X-Force IRIS has assembled some informed estimations based on IBM’s analysis of several publicly disclosed attacks. 

On average, large multinational companies appear to incur costs around $239 million, per incident, according to our analysis of several publicly disclosed attacks. 

This number is 61 times greater than the cost of a typical data breach, which the Ponemon Institute places at $3.92 million on average for companies worldwide, underscoring the significant cost destructive malware attacks can incur. Yet it is apparent that the actors behind the activity are still human, and not robots.

IBM have tracked changes in behavior by destructive malware attackers when they find incident responders are conducting detection and containment work on networks they have compromised. They lose composure, unwittingly reveal their actions, and react in ways that can prevent them from accomplishing their objectives. 

Where is destructive malware going next? 
Based on data from our incident response teams, managed security services, and open source information, IBM X-Force IRIS assesses that destructive malware attacks are continuing to grow in popularity and effectiveness. As we move into the second half of 2019, additional cyber-criminal groups, particularly those intent on conducting ransomware attacks, are recognising the utility of having a wiping mechanism built into their tools. 

This type of mechanism can provide adversaries with additional options to pressure victims, while simultaneously increasing the risk of an attack that will require disaster recovery. 

This trend leads us to believe that more financially-motivated cybercriminal groups are likely to explore destructive malware as an option to incorporate into current attacks, a task made easier when dark web markets provide these tools at relatively humble costs. 

These tactics suggest that, at least at present, destructive malware tends to lay in the hands of the most advanced cybercriminal groups or nation-state actors. However, if the popularity of these tools continues to grow, destructive malware capabilities may become a reality for groups we tend to associate with lower levels of sophistication, such as some hacktivist groups or even terrorists. 

In terms of geographical focus, IBM anticipate that the effects of destructive malware attacks are likely to grow. 
For example, targets located in the United States and Europe are increasingly falling victim to destructive malware attacks using destructive ransomware such as LockerGoga and MegaCortex. 

Destructive malware attacks in the Middle East and Asia are likely to continue, and have the potential to spread to other geographies as well. It is wise to prepare for the scenario of a destructive attack in all parts of the globe. 

IBM-X-Force

You Might Also Read:

Malware Attacks Drop As Encrypted Attacks Increase

Alarming Trends In Data Theft:

 

« Five New Security Trends Relevant To Your Business
FBI Turns To Social Media To Track Shooters »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Rubicon Workflow Solutions

Rubicon Workflow Solutions

Rubicon is a leading provider of managed IT support and strategic services, specialising in creative and mixed platform environments.

Netsparker

Netsparker

Netsparker provide a web application security scanner to automatically find security flaws in your websites, web applications and web services.

CyberDefcon

CyberDefcon

CyberDefcon is an independent organization dedicated to the pursuit of making the internet a safer place.

Intertek Group

Intertek Group

Intertek Group provides Assurance, Testing, Inspection and Certification services. Activities include cybersecurity testing and certification.

Science Applications International Corporation (SAIC)

Science Applications International Corporation (SAIC)

SAIC is a premier technology integrator in the technical, engineering, intelligence, and enterprise information technology markets. Services and solutions include Cybersecurity.

GOVCERT.lu

GOVCERT.lu

GOVCERT.lu is responsible for the treatment of all computer related incidents jeopardising the information systems of the government and defined critical infrastructure operators in Luxembourg.

RCMP National Cybercrime Coordination Unit (NC3)

RCMP National Cybercrime Coordination Unit (NC3)

As set out in the Government of Canada's National Cyber Security Strategy, the RCMP has established the National Cybercrime Coordination Unit (NC3).

Sadoff E-Recycling & Data Destruction

Sadoff E-Recycling & Data Destruction

Sadoff E-Recycling and Data Destruction protect the environment and your data with proven and trusted electronics recycling and data destruction services.

Armenia Startup Academy

Armenia Startup Academy

Armenia Startup Academy is a pre-acceleration program for selected Armenian tech companies and startups in areas including cybersecurity.

CyberAcuView

CyberAcuView

CyberAcuView is a company dedicated to enhancing cyber risk mitigation efforts across the insurance industry.

Delinea

Delinea

Delinea is a leading provider of cloud-ready privileged access management (PAM) solutions that empower cybersecurity for the modern, hybrid enterprise.

Fletch

Fletch

Fletch’s AI tracks the evolving cybersecurity threat landscape by reading and interpreting every threat article every day and matching those threats to a company’s exposure.

Port-IT

Port-IT

Port-IT is a leading partner in cybersecurity solutions tailored for the maritime industry.

MIS Solutions

MIS Solutions

MIS Solutions is a managed cloud and IT security partner making technology work for you.

Thoropass

Thoropass

Thoropass (formerly Laika) helps you get and stay compliant with smart software and expert services.

SafeAeon

SafeAeon

SafeAeon is a leading Cybersecurity-as-a-Service provider, offering 24x7 premium Managed Security Services with AI-powered and Human-driven 24x7 SOC.