The threat from ransomware continues to grow and it's possible that the file-encrypting malware attacks could become far more destructive as cyber criminals evolve and change their tactics.
European law enforcement agency Europol's annual cybercrime report – the Internet Organised Crime Threat Assessment (IOCTA) – lists ransomware as the most widespread and financially damaging cyberattack, despite a decline in the number of ransomware incidents.
However, cyber criminals are becoming more efficient, picking and choosing their targets with the aim of causing the highest amount of damage possible to organisations in order to demand much higher ransoms. To emphasise this – although without providing specific examples – the report details how, in some cases, the ransom demanded is in excess of one million euros.
But while ransomware in its current state is predominantly a means of making money for cyber criminals, the Europol report warns there's a risk of cyber criminals deploying ransomware attacks as a means of pure sabotage, something private companies are growing fearful of.
The NotPetya attacks of 2017 showed how much damage can be done by a destructive cyberattack of this kind: in some cases it led to large companies having to almost entirely restore their networks from scratch, suffering large amounts of downtime and large financial costs as a result.
NotPetya looked like ransomware, but the group behind it had no interest in receiving ransom payments; the motivation behind the attack was pure destruction. The target for this destruction was Ukraine, but the attack got out of control and spread around the world.
This kind of attack has predominantly been associated with nation states – the Russian military has been accused of being behind NotPetya – however, the report warns that cyber criminals are increasingly incorporating wiper-style attacks as part of their campaigns.
A form of this ransomware attack emerged earlier this year. Named GermanWiper, the ransomware hit organisations across Germany with attacks that didn't encrypt files, but rewrote the files to destroy them.
Ultimately, it meant that even if a user paid the ransom, they wouldn't get their files back at all – unless they had offline back-ups.
Ransomware itself may have changed, but the methods for distributing it have stayed the same over the last year: phishing emails and Remote Desktop Protocol (RDP) are the primary infection vectors of the malware.
Often, the attackers pushing ransomware are doing so with the aid of known vulnerabilities for which vendors have already issued security updates. Because of this, Europol stresses the importance of patching, especially when it comes to critical vulnerabilities.
The report notes that almost one million devices still haven't been patched against the powerful BlueKeep vulnerability, leaving networks open to attacks using the exploit.
The message from Europol is clear – ransomware and other cyberattacks won't be disappearing any time soon, especially if cyber criminals are able to take advantage of known vulnerabilities and old attacks.
"This year's IOCTA demonstrates that while we must look ahead to anticipate what challenges new technologies, legislation, and criminal innovation may bring, we must not forget to look behind us," said Catherine De Bolle, executive director of Europol.
"New threats continue to emerge from vulnerabilities in established processes and technologies. Moreover, the longevity of cyber threats is clear, as many long-standing and established modi operandi persist, despite our best efforts. Some threats of yesterday remain relevant today and will continue to challenge us tomorrow," she added.
There is one threat that appears to have almost dropped off the radar compared with its position in last year's report: cryptomining. The 2018 IOCTA warned about the rise of cryptocurrency mining malware, even suggesting that it "may overtake ransomware as a future threat".
However, while cryptomining attacks still do occur, the number of attacks has declined – especially since the closure of Coinhive in March this year. Now, aside from exceptional cases, cryptomining is described as "a low-priority threat for EU law enforcement" moving forward as other current and future threats are combated.
"The global impact of huge cybersecurity events has taken the threat from cybercrime to another level. At Europol, we see that key tools must be developed to keep cybercriminals at bay. This is all the more important, considering that other crime areas are becoming increasingly cyber-facilitated," said De Bolle.