Three ransomware infect 1,800 Businesses, reports Netherlands NCSC

At least one entity supplying critical infrastructure (drinking water, internet access, energy) was hit by ransomware.

The decryption key price now ranges from hundreds of thousands of dollars to millions.

National Cyber Security Centre (NCSC), Netherlands have released a report on three common forms of ransomware that affected over a thousand companies across the world, and are still a threat.

What happened?

According to the confidential report, at least 1,800 Victims from various sectors including the automotive industry, chemical, health, construction, food, and entertainment were hit by the ransomware.

The report did not reveal the names of victim companies but confirmed that the list includes large organizations with revenue streams of millions or billions.

LockerGoga, MegaCortex, and Ryuk are the three file-encrypting malware pieces; they are known to use the same digital infrastructure.

Discussing the impact

It’s not clear what could be the actual numbers of the victims as many ransomware attacks go unreported. And, some organizations undertake the recovery process on their own without making the breach/attack public. The recovery is either by restoring files from untainted backups or paying the ransom to the attackers.

At least one entity supplying critical infrastructure (drinking water, internet access, energy) was hit by ransomware, Dutch Broadcast Foundation (NOS) reported.

A U.S.-based chemical company, which has a branch in the Netherlands, was also affected by the attackers.

The NCSC surmised the use of zero-day in these attacks and, of course, poor security could have played a critical role in complying with the adversaries.

A background on ransomware used

Back in May, Cyware reported about a MegaCortex sample that mainly used Windows domain controllers in the victim’s network, and targeted corporate networks. Other versions of this ransomware emerged in July, and then in November.

LockerGoga, which first appeared in the last week of January, has also made it in the list for “major attacks that hit manufacturing in 2019.” In March, the ransomware struck Norsk Hydro, one of the largest aluminum producers in the world, forcing some of its operations to a manual mode.

Ryuk is popular for initiating highly-targeted campaigns in enterprise environments. Its latest attack on a Spanish multinational security company—Prosegur, was two days ago. The attack isolated internal and external systems, while shutting off communication with its customers.

An analysis on the intruders

Since the attackers used the same infrastructure, it looks like a work of professional and well-organized invaders, who also deals only with the best talent. They can pay thousands of dollars to say penetration tester to move undetected through compromised networks.

The decryption key price now ranges from hundreds of thousands of dollars/euros to millions. Those without a concrete backup plan are paying price.

NCSC has warned companies with caution to improve their security posture and at least cover the basics to avoid cyber incidents, which still seems to be a challenge.