Brief: New risks rising for companies

This article wants to draw your attention on 2 relatively new risks which target companies:

• Ransomware are now designed to attack companies,
• Destroying IT systems with “wiper” malware is becoming a common practice.

Ransomware designed to attack companies

In the past, the ransomware have primarily targeted individuals. For examples, the “fake antivirus” attacks (see our article published in 2009), or the “Police themed virus” seen in 2012 (also known as “Reveton”, see this F-secure article) were aimed to extort few euros to individuals. Similarly the first large crypto ransomware attacks (eg CryptoLocker in October 2013) were designed to lure public at large. Of course some companies have also be impacted by these attack waves, but they were not the primary targets.

Since the beginning of 2015, this situation has changed:

• In early 2015, a first crypto-ransomware that attacks databases has been seen (see this article from SecurityWeek.com and this other one from EmergingThreats.info),
• In the middle of 2015, some of the Dridex attack campaigns were themed to specifically address companies (with fake invoices sent by email)
• In early 2016 a crypto-ransomware that uses GPO (the Windows “Group Policies” which are typically used in company’s IT) has been seen (see this SecureWorks.com article as well as this other one).

The fact that a malware uses GPO clearly indicates that attacker want to propagate the infection within the affected company. With GPO, the malware can infect all the workstations belonging to the company’s Windows domain. If the malware then encrypts all the documents on the infected workstations, this will result in a major incident and will block the whole IT system of the affected company.

These 3 elements show that cyber-criminals are now trying to target companies. In the past, it has been seen blackmails where cyber-criminals asked for ransom, threaten to freeze the company with a DDOS attack. It also has been seen cases where attacker threaten to disclose data they have stolen from the company. It can be expected now cases of blackmails where cyber criminals threaten company to destroy all the company’s computers (they already infected with a malware) or other forms of attacks that specifically target companies.

Destroying IT systems with “wiper” malware

The second phenomenon on which we wish to draw your attention is the rise of destructive attacks. We already mentioned this trend in our annual report for attacks seen in 2015 (see chapter 2.4) and in the headlines of the April 2015 issue of our monthly bulletin. The attacks that affected Sony Picture Entertainment in late 2014, or the French TV TV5-Monde in April 2015, both resulted in the attacker putting out of order all the computers he was able to infect within the company (thanks to a malware that overwrote the MBR of computer hard disks), which caused a major incident in these companies (lose of a large set of IT systems). The companies should therefore take into account this risk. To address this risk, we recommended in our April 2015 Bulletin to use network segregation (to limit the spread of the intrusion), and to ensure that recovery procedures were designed to also cover the case where the incident was caused by a malicious attacker.