Around the world, hundreds of thousands of employees in thousands of companies receive an email from the company’s payroll department. It contains a PDF attachment with the details of the employees’ end of year bonuses. Some, the more cautious among them, delete the email, sensing that it could be a phishing attack. Others open the attachment, and release the worst cyberattack in history. 43% of the world’s devices are affected, all of their files encrypted. The cost of this attack reaches a staggering $85 billion.
Fortunately, the world is yet to see anything of this kind. However, according to a study by the Cyber Risk Management (CyRiM) project in Singapore, this is a scenario that we could well experience. The investigation was carried out to illustrate the catastrophic consequences that an incident of this type could have on the economy. It describes an advanced ransomware attack, called Bashe, in detail, along with the devastating effects that it could have.
The study describes several scenarios: the “best case”, in which 43% of the world’s devices are encrypted, causing costs of $85 billion; and the “worst case”, where 97% of devices are encrypted, and costs spiral to $193 billion.
Development of a large-scale attack
The study describes how the developers of the ransomware are recruited to create this malware and design the attack. One of the cybercriminals’ goals is to avoid the pitfalls of previous global attacks. As such, the Bashe attack is designed to use a vulnerability without a patch, and efforts are made to ensure that there is no possibility of an online kill-switch being discovered, as happened with WannaCry.
As with so many other malware campaigns, it is delivered inside attachments, in this case a PDF with the subject “Year-End Bonus”. The malware is able to imitate the email domain of the victim, and thus spoof the ‘sent from’ part of the email header. In this way, the email seems to be coming from someone in the victim’s company.
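A defender-side check for the spoofed internal sender described above, as an added example that is not part of the study or the original article. It treats a message as suspect when its From header claims the company's own domain but the company's mail gateway did not record a DMARC pass; `example.com`, `mx.example.com` and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"           # assumption: the organization's mail domain
TRUSTED_AUTHSERV = "mx.example.com"  # assumption: authserv-id of our own gateway

def dmarc_result(msg):
    """Return the DMARC verdict stamped by our own gateway, or None."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = " ".join(value.split()).partition(";")
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # written by another host, possibly the sender: ignore
        for part in results.split(";"):
            method, _, rest = part.strip().partition("=")
            if method.lower() == "dmarc" and rest.split():
                return rest.split()[0].lower()
    return None

def triage(raw):
    """Classify one raw message as 'deliver', 'flag' or 'quarantine'."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    has_pdf = any(
        part.get_content_type() == "application/pdf"
        or (part.get_filename() or "").lower().endswith(".pdf")
        for part in msg.walk()
    )
    # An "internal" sender that our gateway could not authenticate is spoofed
    if from_domain == ORG_DOMAIN and dmarc_result(msg) != "pass":
        return "quarantine" if has_pdf else "flag"
    return "deliver"

def sample(auth_results):
    """Constructed test message: internal-looking payroll mail with a PDF."""
    return (
        f"Authentication-Results: {auth_results}\n"
        "From: Payroll <payroll@example.com>\n"
        "Subject: Year-End Bonus\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b"\n\n'
        "--b\nContent-Type: text/plain\n\nSee attached.\n"
        '--b\nContent-Type: application/pdf; name="bonus.pdf"\n\n'
        "%PDF-constructed-placeholder\n--b--\n"
    )

SPOOFED = sample("mx.example.com; spf=fail smtp.mailfrom=mailer.invalid; "
                 "dmarc=fail header.from=example.com")
GENUINE = sample("mx.example.com; dkim=pass header.d=example.com; "
                 "dmarc=pass header.from=example.com")
FORGED_HEADER = sample("mx.sender.invalid; dmarc=pass header.from=example.com")
```

The check only holds if the gateway strips inbound Authentication-Results headers that carry its own authserv-id, as RFC 8601 recommends; otherwise a sender could supply a passing verdict itself.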
Once the attachment is opened, the malware is executed, downloading the ransomware worm and encrypting all the data on all the computers that share the network with the infected device. It demands a ransom of $700. To make sure the ransomware spreads as far as possible, the worm automatically forwards the malicious email to all the victim’s contacts.
In 24 hours, Bashe has encrypted the data on around 30 million devices all around the world.
Companies start to respond
The study explains that the worst hit industries would be retail, healthcare, and manufacturing. In the retail sector, the costs stem from encrypted payment systems, and the collapse of e-commerce thanks to inoperative websites. The healthcare sector is affected due to its heavy reliance on antiquated systems, just as we saw with the WannaCry attacks. As for manufacturing, the encryption of infrastructure and machines necessary for their activity, along with possible problems in shipping networks, logistics, and inventory would be the main problems caused by this kind of attack.
Many companies rely on IT systems to carry out their day-to-day business; this leads around 8% of them to pay the ransom in order to return to normality as quickly as possible. The criminal organization makes between $1.14 and $2.78 billion this way. Smaller companies are most likely to pay the ransom, given their limited capacity to manage disasters of this kind.
Beyond the economic costs detailed above, one of the most immediate outcomes is an increase in distrust of connected devices, along with stricter controls on the use of corporate email.
Another repercussion of the Bashe attack is a dramatic increase in the demand for IT security. Companies want to protect their corporate networks and their assets in order to avoid similar attacks in the future. Cybersecurity training becomes mandatory for employees, and cyberrisk management courses a requirement in order to get an IT security insurance policy.
How to protect yourself against advanced attacks
Although an attack on the same scale as Bashe is unlikely, any kind of cyberattack can have extremely serious repercussions for a company, regardless of its size:
1.- Employee training. We’ve said it time and time again, but one of the most important steps in protecting against the most advanced cyberthreats is awareness. Companies mustn’t wait until an incident like this one occurs to start to train employees in cybersecurity.
2.- Careful with emails. Email plays a key role in the cataclysmic scenario we’ve just seen. And it is far from being the only kind of threat that uses email as an attack vector. In fact, 87% of IT security professionals have admitted that their company has had to deal with some kind of threat that came via email. If you have even the slightest doubt about where an email has come from, the best course of action is to contact the company’s security team.
3.- Advanced security solutions. An IT security suite such as Panda Adaptive Defense can help to detect any attempted attack that tries to get in via email. It does so by using cognitive intelligence and a real-time detection system. What’s more, it includes a managed Threat Hunting service, which actively searches for the most advanced threats, so that your network is always protected.