U.S. Markets open in 2 hrs 29 mins

Ransomware attacks targeting local infrastructure, new research shows

Ben Munster


Ransomware attacks fleecing victims of thousands of dollars’ worth of fiat and cryptocurrency grew “more focused and sophisticated” in the second and third quarters of 2019, research from cybersecurity firm Emsisoft has shown. 

Ransomware infects and freezes computers, forcing users to pay a fee to free them up. Whereas attackers used to primarily target small-time “retail” users, they are increasingly targeting large businesses and government infrastructure, according to an Emseisoft report published Tuesday. 

“The ransomware threat is extremely high,” Emsecurity CTO Fabian Wosar, who analyzed reports from over 230,000 victims, told Decrypt. While Wosar doubts there will be another attack on the scale of WannaCry, the ransomware assault that ground global IT infrastructure to a halt in 2016, he notes that “bad actors are relying less on the spray-and-pray tactics of the past and instead launching high-impact attacks on governments and companies.”

Among the most deadly exploits discovered were “STOP,” “Ryuk” and “Sodinokibi.” STOP, which affected some 76,000 users and accounts for 56 percent of the total attacks, hides in file-torrenting software, which lets people download paid content for free. It then encrypts files and “instructs the victims to pay a ransom of $490 worth of Bitcoin in exchange for decryptor software and a private decryption key,” according to Emsisoft. “After 72 hours, the ransom demand doubles to $980.”

Sodinokibi, meanwhile, accounts for only 4.5 percent of attacks, but was involved in several high profile attacks, “including a coordinated mass attack on multiple Texas local governments,” according to Emsisoft. The exploit, which propagates itself through “affiliates” and is able to evade complex security measures, reportedly affected twenty-two government entities, crippling payment processors and government printing devices. 

Similarly damaging against local infrastructure was Ryuk, operated by the hacker collective “Grim Spider,” which spreads itself using spam email campaigns. A Ryuk attack on the city of Riviera Beach, Florida, forced the local government to cough up $600,000 to decrypt the frozen files. 

Ransomware up, crypto-jacking down

As ransomware attacks intensify, other forms of exploit are on the wane, said Wosar. (Recent research somewhat corroborates this.) For instance, crypto-jacking—whereby hackers hijack victims’ computational power to mine cryptocurrency, often resulting in meltdown—isn’t profitable at the moment, because its effectiveness relies on rising crypto prices. “Unless the mining is more profitable than the ransom, these attacks happen less frequently,” said Wosar. “And that’s the case at this point in time.”

But ransomware attacks remain a threat, he said. “For businesses and public entities, it’s very much a case of prepare now or pay later.”