What’s new in ransomware?

Ransomware attacks, and defenses against them, are evolving fast, but enterprises still struggle to keep up.

In June, South Korean hosting company Internet Nayana, Inc., was hit by a ransomware attack that took down its 153 Linux web servers — home to more than 5,000 customer websites. “I know that negotiations with hackers should not be done,” company CEO Hwang Chilghong said in a statement. “I would not negotiate with a hacker if it was the case that it ended in the damage of my own company alone. However, the scale of the damage was too great and too many people would suffer.”

The company wound up paying nearly 400 Bitcoin to get its data back, which at the time was more than US $1 million. That was just part of the total costs the company incurred. In addition to the time and money spent on the recovery, the company had to give discounts and refunds to affected customers. Not all data could be restored, and the company promised affected customers free hosting for life.

Nayana isn’t alone. Earlier this month, shipping giant Maersk said that a ransomware attack got into the company’s systems via an automatic accounting software update. The cyber attack affected users and applications in 500 locations, the company says. While no data was lost, the recovery and loss of revenues are estimated to cost Maersk between $200 and $300 million.

And in a July earnings call, global pharmaceutical giant Merck admitted that a ransomware attack the previous month disrupted worldwide operations, including manufacturing, research and sales, and that some manufacturing operations still weren’t restored.

Altogether, more than a million computers were infected by WannaCry, Kryptos Logic CEO Salim Neino told Congress earlier this summer. According to Cybersecurity Ventures, global ransomware costs will exceed $5 billion this year, up from just $325 million in 2015.

The reason? The attackers, seeing the potential for massive payouts, have been innovating furiously. The security industry has also been working hard to improve defenses, but it’s hard for individual enterprises to stay up to date. As a result, the situation is likely to get worse before it gets better, experts say.

WannaCry, Petya and Shadow Brokers, oh my

Dominating this year’s headlines were the damage caused by the WannaCry and Petya ransomware attacks and the Shadow Brokers leak of NSA hacking tools, such as the EternalBlue exploit that these two ransomware attacks used.

“There are new variants every day,” says Brian Bartholomew, senior security researcher, Global Research and Analysis Team at Kaspersky Lab ZAO. “It’s more than a full-time job just to keep track of all the families out there.”

Ransomware attackers don’t just use new malware variants. They are also launching attacks that require no software downloads at all. Instead, the attackers take advantage of the tools and software that already exist on the victim’s machine, or that just run in memory.