How destructive ransomware attacks could represent the future of cyberwarfare

Nation-state hacking campaigns could masquerade as common criminals conducting ransomware attacks - but their goal would be pure destruction rather than extorting bitcoin, warns a new report.
Written by Danny Palmer, Senior Writer

The increasingly destructive capabilities of ransomware attacks could provide nation-state hacking operations with a means of attacking infrastructure – and the ability to plausibly deny any sort of involvement in campaigns.

For cyber criminals, ransomware is all about making money and, in order to achieve that goal, they aim to gain access to as many PCs and servers as possible before deploying their ransomware. They then demand a ransom payment in exchange for the decryption key. Unfortunately, these campaigns of extortion are proving successful because cyber criminals can make hundreds of thousands of dollars in one go if the target organisation decides to pay.

Some variants of ransomware, such as LockerGoga and Ryuk, have such powerful encryption that the network can be effectively rendered useless if an organisation falls victim to an attack.

It's therefore possible that nation-state-backed hacking campaigns with the goal of pure destruction could turn to ransomware as an attacking tool in the realm of cyberwarfare, according to a new report by researchers at cybersecurity provider Dragos.

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic) 

The advantage for state-backed hacking operations is that they can masquerade as cyber criminals claiming to demand a ransom with a variant of known ransomware, while never actually having the intention to make money off the scheme, but rather use it for pure destruction.

And because the attacks could use modified variants of ransomware commonly used by cyber criminals, it creates the possibility that the real culprit for the attack and the motives behind it will remain forever hidden.

"The combination of a modification of existing ransomware, increased disruption impacts from such malware, and targeting and timing specification, provide a blueprint for how a state-directed adversary could utilize criminal tooling to execute deniable, but effective, disruptive operations," said Joe Slowik, principal adversary hunter at Dragos and author of the LockerGoga Revisited report, which examines the ransomware attack against Norwegian aluminimum producer Norsk Hydro in March last year.

LockerGoga played havoc with Norsk Hydro's systems, with the encryption throughout the network forcing many automated operations to become manual and stopping or slowing down almost all of the Norwegian firm's output until the network was restored from backups.

No payment was made to the hackers behind the ransomware attack – and the company received much praise because of how open and transparent it was about the incident and its aftermath.

However, even if the organisation had gone against advice from law enforcement and decided to pay the ransom, it might not have even been possible because researchers suggest the way the ransom note was deployed at the end of the attack process meant even looking at it required forensically imaging the affected machines.

"While viewing the ransom information is certainly possible, such items seem curious and counter-productive for efficient monetization," said Slowik.

There's already been a number of hacking campaigns conducted with the aim of destruction over the past few years – including the likes of the Stuxnet and Shamoon campaigns – but by deploying modified forms of ransomware commonly used by cyber criminals, be it LockerGoga, Ryuk, Revil or something else, it could easily be used to hide any potential attribution when disrupting systems.

Similarly the NotPetya ransomware attack of 2016 – was effectively wiper malware disguised as ransomware.

"NotPetya may have served as an initial example of such activity, but a combination of poorly implemented encryption functionality and over-zealous propagation made this event relatively easy to attribute to its state-based roots," said Slowik.

SEE: FBI: BEC scams accounted for half of the cybercrime losses in 2019

It's therefore highly likely that nation-state-backed hacking operations are examining how they can use destructive ransomware attacks to their own advantage when it comes to disrupting infrastructure in rival countries.

"Malicious state-directed entities now have a new and valuable option for future disruptive operations," Slowik explained. "The combination of efficacy, deniability, and specificity enables selective and controlled targeting of entities for disruption and effective IT-based destruction".

One way organisations can attempt to protect themselves from ransomware attacks is by ensuring that all operating systems and software on the network have been patched with the latest security updates, therefore preventing cyber criminals from exploiting known vulnerabilities to gain access to the network and drop ransomware.

Organisations should also regularly backup the network – and store those backups offline – so that if the worst happens, the business can restore the network without giving into the demands of malicious hackers.


Editorial standards