A confidential report from the National Cyber Security Centre (NCSC) in the Netherlands informs that at least 1,800 companies are affected by ransomware across the world.

The report names three file-encrypting malware pieces responsible for the infections that use the same digital infrastructure and considers them "common forms of ransomware."

Big players impacted

The number of victims given by the NCSC is likely conservative since many ransomware attacks go unreported, with organizations recovering from the incident on their own either by restoring files from untainted backups or by paying the ransom.

NCSC did not provide the names of affected companies in the report but informs that the attackers targeted large organizations with revenue streams of millions or billions.

Victims are from various sectors including the automotive industry, construction, chemical, health, food, and entertainment.

At least one entity supplying critical infrastructure (drinking water, internet access, energy) was hit by ransomware. The Dutch Broadcast Foundation (NOS) reports that one such victim is a branch in the Netherlands of a U.S.-based chemical company.

The outlet says that the NCSC suspects the use of zero-day vulnerabilities for these attacks. More often than not, though, access to a company is possible due to poor security.

The ransomware trio

The three ransomware strains named by the NCSC are LockerGoga, MegaCortex, and Ryuk. All of them have been involved in attacks against businesses.

Back in May, we reported about a MegaCortex sample that targeted corporate networks. Another sample of this ransomware emerged in July and it was used in targeted attacks against enterprises.

LockerGoga first appeared on the public radar at the end of January when systems of Altran Technologies, a French engineering consultancy company were infected with ransomware. In March, the ransomware struck Norsk Hydro, one of the largest aluminum producers in the world, forcing a switch to manual operations.

As for Ryuk, its latest victim is Prosegur, a Spanish multinational security company. The attack happened two days ago and resulted in isolating both internal and external systems, essentially shutting off communication with its customers.

Network intruders and ransomware

The fact that the three ransomware pieces relied the same infrastructure suggests that the cybercriminals orchestrating the attacks planted the threat on the victims' netowork using access from a single network intruder.

Experts in breaching corporate networks often find partners in the ransomware business, selling or renting them access. Some actors advertise access to hundreds of corporate hosts for affordable prices. Depending on the level of access, prices can go as high as $20,000.

Professional intruders are well organized and always looking for the best talent. They are willing to pay thousands of U.S. dollars on monthly salaries for services of skilled penetration testers capable to move undetected through compromised networks.

Spreading ransomware on a corporate victim is far from being the worst part of an intrusion. There are cases where file encryption is preceded by data exfiltration, which could be sold to other cybercriminals or for committing acts of sabotage.

The payment the attackers ask to provide the decryption key range from hundreds of thousands of dollars/euros to millions and victims without proper backup procedures are taking the cost.

It is logical for cybercriminals not to stop deploying ransomware as long as there are paying victims. NCSC warns that companies should improve their security posture to avoid cyber incidents. This can be done by covering the basics, which still seems to be a problem.