By Luke Wilson, vice president of intelligence, 4iQ.
In the wake of COVID-19, my firm, 4iQ, observed an increase in a host of cyber-attacks. This uptick did not come as a surprise, given cybercriminals typically exploit uncertain situations, but it was a wake-up call for organizations that were in the midst of transitioning to full-time remote work.
As the country begins to reopen, we cannot let our guards down – from preventing the spread of this pandemic, or from persistent cybercriminals.
Phishing campaigns were well-documented over these past few months. Scammers spoofed credible institutions, such as the World Health Organization (WHO) and Centers for Disease Control and Prevention (CDC) to lure victims into downloading malware or to capture personal or financial information.
These incidents were so widespread that government agencies, including the CDC, Federal Communications Commission (FCC), and Federal Trade Commission (FTC) published resources on these COVID-19-related scams to alert the public and offer tips on how to spot suspicious activity. Individuals were also at risk of having their identities spoofed, not just organizations.
Cybercriminals leveraged the accounts of executives with public-facing email accounts, usually via keyloggers or phishing attacks, to conduct fraudulent wire transfer payments.
As COVID-19 continued to spread, so did the number of registered suspicious coronavirus-themed domains. We analyzed over 2,400 domain names with COVID-19 themes and found that the most common terms were “virus,” “coronavirus,” and “corona.”
We also saw particular interest in protection gear, test kits, vaccines, and domains that tracked reported coronavirus cases as well as the status of the infected and cured. While some of these sites might have been legitimate, many were scams to distribute malware, inflict financial fraud, or trick victims into purchasing fraudulent COVID-19-related products, such as “vaccines,” which haven’t been evaluated by regulators for safety and effectiveness.
The threat of ransomware being used as a highly effective form of cyber terrorism has been receiving a lot of media attention lately. The story line stems from a recent Lloyds of London report that boldly states a large-scale ransomware attack could cost the global economy $193 billion and impact more than 600,000 businesses worldwide.
The report further speculates that if coordinated and executed properly, a global attack like WannaCry could cause even more severe damage and cost companies significantly more when you factor in all the business disruption and recovery related costs that would follow in the wake of a wide-scale attack.
With doomsday projections like these, it’s easy for people to become numb to the associated cyber security risks. Yet security professionals must always remain objective when assessing the scope of a threat versus the cost of implementing security measures to arrive at a risk-based recommendation.
What is ransomware terrorism?
Terrorism is broadly defined as the use or threat of violence that aims to spread fear in a population, and to advance a political, ideological or religious cause. Ransomware can be used in this context to disrupt the life of individuals and organizations, which depend on the smooth functioning of information technology to maintain operations.
While historically, the main goal of ransomware has been to extract, or extort, money or other valuable consideration from the affected party. NotPetya made us aware that there is a lot more damage an attacker could do with access to an army of computers spread across the globe than just turning them into bricks.
To prevent or avoid the consequences of an attack of terrorism, the defenders must effectively repel every single attempt to perpetrate the crime. Ultimately, the attackers only need to overcome the defenses once in any given situation to prevail.
Exploring the potential impacts of ransomware terrorism
In the proposed scenarios created by the Cyber Risk Management (CyRiM) project and Cambridge Centre for Risk Studies (CCRS), put forth in the report called, “Bashe Attack: Global infection by contagious malware,” a ransomware terrorist attack could be launched through an infected email, which once opened would be forwarded to all stored contacts.
Then within 24 hours, the malware could encrypt all data on 30 million devices worldwide. In the worst case scenario of the event, even the backups would be erased—meaning companies of all sizes would be forced to pay a ransom to decrypt their data or replace their infected devices.
It is easy to conceive that a ransomware attack on this scale would cause substantial economic damage to a wide range of business sectors through reduced productivity and consumption, inaccessible data files, IT clean-up costs, ransom payments and supply chain disruption.
The moral of the story according to Lloyds is that all businesses should pay close attention to systemic risk across all lines of business, not just within the silo of cyber and businesses should buy insurance to help protect against such catastrophic scenarios.