Computer-killing malware is making a comeback, and businesses should wake up to this reality.
Destructive attacks are back in the headlines following the Sony hack in November 2014 and subsequent US government alerts to businesses. Details and the provenance of the malware are still hotly debated, with Washington pointing the finger at North Korea and others theorising an insider was involved.
The malware that was targeted at Sony Pictures – sometimes called wiper malware – is not new and gained notoriety during the Saudi Aramco attack of 2012.
Wiper malware overwrites the master boot record, making it impossible for the affected machine to boot and rendering the hardware unusable. The use of wiper malware is relatively uncommon, with attackers generally preferring to remain on the network and spy on traffic rather than destroying data and hardware.
This kind of malware is somewhat different to ransomware, such as Cryptolocker and Cryptowall, where the attacker holds data for ransom, forcing the victim to pay up or lose the data.
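As an added illustration that is not part of the original article or the ISF's material: a baseline integrity check of the 512-byte master boot record that wiper malware overwrites, run against a constructed sample sector. Reading the live sector from the disk device (which needs administrative rights) is assumed to happen elsewhere; the functions below take the raw bytes.

```python
import hashlib
import struct

# Constructed example: baseline integrity check of a 512-byte master boot
# record (MBR), the structure that wiper malware overwrites to stop a machine booting.
SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Check the boot signature and decode the four 16-byte partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:          # partition type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions}


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector, recorded once as the known-good baseline."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline: str) -> str:
    """Compare the current sector with the baseline and classify the result."""
    if mbr_fingerprint(sector) == baseline:
        return "ok"
    info = parse_mbr(sector)
    if not info["signature_ok"] or not info["partitions"]:
        return "destroyed"   # no boot signature or no partitions: the machine will not boot
    return "modified"        # still bootable, but boot code or partition table changed


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: dummy boot code plus one bootable NTFS partition."""
    boot_code = b"\xfa\x33\xc0".ljust(446, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    print(check_mbr(good, baseline))                   # ok
    print(check_mbr(b"\xff" * SECTOR_SIZE, baseline))  # destroyed
```

A "modified" verdict also fires on legitimate changes such as a bootloader update or partition resize, so it should be reviewed rather than treated as an incident on its own.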
Recovering from destructive attacks is expensive, both in terms of reputation as well as time and investment in replacing or re-imaging affected hard drives. The best offence is a good defence. Some starting points include the following:
- Implement baseline security controls, such as those covered in the Information Security Forum Standard of Good Practice for Information Security, the Cyber Essentials scheme, the SANS Institute top 20, the Australian Defence Signals Directorate top 35 and the UK government's 10 steps to cyber security;
- Create and regularly test robust business continuity plans;
- Ensure network shares are secured and, where possible, open shares are prohibited;
- Implement rigorous identity and access management based on data rather than applications;
- Restrict admin rights access on the network;
- Prevent write access to executable files in the system file folder;
- Conduct penetration tests to find and remedy vulnerabilities;
- Monitor the network for abnormal activity.
The impact of these attacks can be catastrophic for an organisation, especially one which does not have Sony’s level of resources, and accurately predicting an attack is impossible. Organisations can, however, reinforce their defences and prepare for the potential fallout of destructive attacks.
Victoria Melvin is a senior research analyst with the Information Security Forum.