Cash-strapped Over Coronavirus, Crime Organizations Unload Cyberattacks

Cyberattacks in Israel are up 20 percent alone this year and some say digital ransom attacks are up 715 percent worldwide. With workers exposed at home, hackers are forming cartels and upping the stakes

Amitai Ziv
Send in e-mailSend in e-mail
FILE PHOTO: A hacker tries to access and alter data from an electronic poll book during a hacker convention in Las Vegas, Nevada, July 29, 2017.
FILE PHOTO: A hacker tries to access and alter data from an electronic poll book during a hacker convention in Las VegasCredit: Steve Marcus/ REUTERS
Amitai Ziv

Earlier this month, the Israeli chip maker Tower Semiconductor reported an unusual cyberattack. Not only were the company’s IT systems damaged, but it was forced to shut down some of its real-world production systems. The latter, also called OT, is considered a hacker’s holy grail.

Tower is a publicly traded company that reported second-quarter revenues of $310 million. Thus a gross estimate of the cost of losing a single day of work due to such an attack would be around $3.4 million.

The attack on Tower was a ransomware attack, in which the hackers encrypt files on the victim’s computer and demand ransom for the key needed to decrypt them and resume normal operations. This isn’t a new type of attack; it has been around for at least five years. But over the last year, there has been a steep rise in the number of such attacks, and the attackers’ capabilities have improved. Tower responded to the attack by paying the ransom, which wasn’t cheap. 

“Its insurance company encouraged paying the ransom, which is estimated at several million dollars,” Einat Meyron, who advises companies on cybersecurity and is well acquainted with this attack, wrote on the Telegram group Cyber Resilience. “It definitely wasn’t $250,000, as has been reported in several places.”

Tower Semiconductor was hit with a cyber attack, 'its insurance company encouraged paying the ransom, which is estimated at several million dollars'
Tower Semiconductor was hit with a cyber attack, 'its insurance company encouraged paying the ransom, which is estimated at several million dollars'Credit: Eyal Toueg

The attack on Tower is an extreme case that made it into the media. But such incidents happen in Israel on a daily basis.

In early September, for instance, a ransomware gang known as NetWalker reported a hack of the Israeli software company Panorama on its Twitter account. The hackers even published a screenshot ostensibly showing the encrypted documents, which contain information about the company’s employees and customers. 

NetWalker’s Twitter account also reported how many employees Panorama has (170) and its annual revenues ($31 million). The company didn’t respond.

According to the Israel National Cyber Directorate, “There were 120 ransomware incidents in the first half of 2020, compared to 200 for all of 2019.” Assuming that trend continues, that would mean a total of 240 attacks this year – an increase of 20 percent.

Breakdown of cyberattacks: Ransom, wire fraud, email theft, other
Breakdown of cyberattacksCredit:

And those are only the attacks reported to the directorate. For various reasons, attacked companies often choose not to inform the authorities about the breach.

Shay Simkin, the global head of cyber insurance for the Howden insurance company, said that “2019 was a very difficult year for ransomware attacks. The insurance industry as a whole paid out a lot of money. But 2020 has already exceeded it, by a lot.”

In Israel, only large companies buy cyber insurance. Yet Simkin said there are dozens of insurance claims per year in Israel alone. Given the rise in the number of attacks and the fact that the size of the ransoms has also climbed, he expects premiums on cyber insurance to rise by up to 25 percent.

The information security firm Bitdefender said there has been a 715 percent rise in ransomware attacks worldwide this year. The insurance firm Coalition said that claims related to ransomware attacks rose by 260 percent in the first half of this year compared to the same period last year. It also said that ransomware attacks account for the plurality of all claims submitted to it (41 percent).

Cybercrime pays
Does cybercrime pay? Credit:

‘Criminals are also switching to digital’

“One hypothesis is that in recent months, a great many people have been working from home, but a lot of organizations haven’t protected the end stations of people working from home,” said Eddy Bobritsky, CEO of Minerva Labs, a cybersecurity start-up that specializes in protecting end stations, or individual computers. “After all, the employer isn’t interested in what I do with my computer after work hours. So organizations protect the connection to the organization’s network, which will be encrypted, but the personal computer remains exposed.”

Bobritsky theorized that hackers have taken advantage of the last several months of working from home to, for instance, steal passwords, and are now trying to use them to penetrate organizational networks. “These are evasive viruses, because the hacker knows that the more of the network he encrypts, the higher the chances of getting more money,” he said.

In other words, he argues that the “battlefield” has grown. Working from home has given hackers more opportunities for attack. 

Incidentally, remote access programs have also proven to be a weak link. Some attacks have exploited weaknesses in VPN (virtual private network) programs and other tools used in remote work.

“The fact that organizations have become more digital makes ransomware that much more effective, so the attackers can ask for more,” said Ofer Maor, chief technology officer at Mitiga, a start-up that manages cyber incidents after a breach has already occurred. 

“There are different levels of ransom, but we know that the powerful attackers study the business of the organization they attack and know how much it can realistically pay. If the ransom demand of a medium-sized organization used to be tens of thousands of dollars, today it is already hundreds of thousands of dollars. 

“But even though the battlefield has grown, there’s also an increase in attacks because the attackers have stepped up their efforts,” Maor added. “Just as the whole industry is growing and switching to digital, the criminals are also switching to digital. They see that it’s easy and it pays, and they embrace cyber.”

The criminals Maor is talking about are traditional organized crime rings, whose “traditional” earnings have also suffered a blow during the coronavirus era. For instance, drug cartels have seen their supply and distribution chains seriously damaged. 

Thus some of these groups are thought to have moved their efforts online. And thanks to waves of layoffs by tech companies, the organizations have been successful in recruiting engineers.

“The first development the ransomware business underwent in 2019 was the transition from attacking companies that work with consumers (B2C) to attacking companies that market to businesses (B2B), which have traditionally been bigger,” said Alon Arvatz, chief product officer of Intsights, a start-up that specializes in cyber threat intelligence. “That makes it possible to demand millions of dollars per attack, as in the destructive attack suffered last year by the fitness watch company Garmin, which was forced to pay a ransom estimated at $10 million.”

Like Maor, Arvatz said that organized crime rings in Latin America have gone digital and are now working with experienced hackers both to carry out attacks and to launder money.

“In 2019, hackers also started to organize in groupsgenuine organized crime,” he added. “The most well-known of them is Maze.” Maze created a hacker cartel in which the hackers share knowledge and help each other to extort money.

Another change that began then was an increase in the amount of pressure attackers put on the organization. Instead of merely encrypting files, they also started stealing them.

“They threaten that if someone doesn’t pay the ransom, they’ll publish his information online,” Arvatz said. “Think about a public company, and they’re threatening to publish all its information on the web. The attackers frequently start releasing samples of the information in their possession to the web, and that enables them to collect a lot of money.”

The fourth business development that Arvatz noted is known as RaaS, or ransomware as a service.

“We’ve run into such systems, which effectively enable you to connect to them, open a user account and start a campaign of attacks,” he said. “The company attacks for you in exchange for a percentage of the ransom.”

There’s even a price list for the service provider’s cut, which ranges from 16 to 20 percent of the ransom. Such services have naturally lowered the barriers to perpetrating a ransomware attack, essentially making such attacks possible for anyone.

“Once could say that ransomware has matured into a business, including orderly chats with the victims, a system of negotiations, commitment to a level of service and so forth,” Arvatz said. For instance, members of the Maze cartel promise (each other) that they’ll always restore the files of someone who pays.

'Destroy or neutralize'

“You have to understand how they penetrated your system,” said Boaz Dolev, CEO of the cyber threat intelligence firm ClearSky. “Otherwise, they’ll penetrate you again within a month. We’ve been to an organization in North America that has already been encrypted six times.”

Dolev, incidentally, isn’t convinced that paying the ransom is the right solution. 

“Even if the criminals are scrupulous about handing over the encryption keys, the encryption process is brutal, and sometimes, even usually, the databases don’t get through it intact and the files are damaged in the restoration process,” he said. “The result is that the process fails even if you paid, so buying the keys doesn’t work.”

What can you do against a ransomware attack? Aside from equipping yourself with the usual defenses, an antivirus program and a firewall, one of the simplest measures is backing up files so that they can quickly be replicated even after the originals are encrypted.

“But it must be good backup, which is carefully defined and can’t be destroyed,” Maor stressed. “Because one of the things the attackers do is look for the backups and destroy or neutralize them.”

Another piece of advice is to take out cyber insurance. It’s ridiculously cheap compared to the cost of the hours of work by a forensic specialist who will be called in to deal with the incident (which is therefore likely to result in a rise in premiums).

According to Simkin, “The most important things is to practice – to understand that such an incident can happen one day and decide in advance, through a simulation, who will handle it and what they’ll do, from the IT to the legal department.”

Comments