Destruction of service: How ransomware attacks have changed

The latest wave of ransomware attacks, including WannaCry, Petya and NotPetya, shows not only an increase in the sophistication of these types of attack, but also a change in motivation. Although NotPetya is ostensibly a ransomware variant, the threat actors appeared to have no interest in making money, and were more concerned about damaging companies by disrupting operations.

Now dubbed destruction of service, this latest trend is something I’ve been concerned about for a while, having tested many companies’ internal networks and witnessed firsthand how vulnerable they are.

A different kind of ransomware

Getting malicious software inside a company’s network is quite easy — an email phishing attack usually works.

However, NotPetya also appears to have spread by compromising M.E.Doc, a Ukrainian financial services software maker, and then altering an automatic update to include NotPetya, delivering it to every client. The vast majority of antivirus and antimalware software was unable to detect the malicious content. NotPetya then restarted the victims’ machines, encrypted the data, and then overwrote the master boot record with its own custom loader. Once this process was completed, the data on the machines was unrecoverable unless it could be restored from backup.

For a hacker who is concerned with destroying data and causing as much damage as possible, the next step is to give the ransomware variants the ability to spread.

Author: Rob Shapland