Ransomware may be waning, but wiper malware is growing

This story was originally publish on Jan. 20, 2023 in my weekly IoT newsletter.

Ransomware payments are dropping even as there’s been a shift in hackers’ tactics toward using wiper malware to delete data rather than ransom it, according to data released in two reports issued this week. First up, Chainalysis, which tracks cryptocurrency payments to and from known hackers’ accounts, says ransomware groups extorted $311 million less in 2022 compared to the $768 million they scored from victims in 2021.

That’s quite a drop! And while Chainalysis is undoubtedly missing some payments, the BBC article cited above quotes negotiators and insurers who note that victims are refusing to pay hackers or are negotiating payments down. This may be one reason Nozomi Networks, a security company, writes in its latest security report that hackers are “shifting tactics from data theft and Distributed Denial of Service (DDoS) attacks to leveraging wiper malware to cause disruptive attacks on critical infrastructure.”

The Nozomi report blames the growth in wiper attacks on hacktivists who aren’t focused on money so much as disrupting operations of a company or government utility.  For me, the real value of this report is in the details on how hackers are getting in and the tools they use to do so. For example, it’s clear that weak passwords or default passwords are still a huge problem in many industrial settings, and hackers are taking advantage of them.

Based on data from select Nozomi customers, more than 4 million intrusion alerts in the second half of the year were attributed to weak or cleartext passwords.  The report also notes a two- to three-fold increase in the number of attempts to use default passwords to gain access to a system, leading Nozomi researchers to think hackers were botnets repeatedly trying popular default credentials to get on a network.

The good news is that many new devices don’t use default passwords, and most IT (and even OT) personnel are aware that default passwords are a problem. Still, the problem will remain in existing networks for decades, as much of the existing equipment is long-lived and expensive to replace. In that case, security professionals recommend making note of the problematic equipment, separating it out onto its own network if possible, and ensuring it has monitoring no matter what.

Unfortunately for those of us in the internet of things, the most vulnerable systems remain manufacturing and healthcare, where devices on both the OT and IT networks are vulnerable. On the IT side, Nozomi found Trojan malware is still the most common by far on enterprise networks, whereas remote access tools are most commonly used to access OT networks.

As I said in the previous story, I believe we’ve come a long way in the years since Mirai first hit when it comes to cybersecurity. We now have laws that forbid default passwords, mechanisms to track vulnerabilities as they arise, and government guidelines to help companies take steps to make their networks more secure. However, because many of the older devices are still out there and vulnerable, cleaning up the cybersecurity mess will take time.

And as the reports out this week show, hackers will continue to shift tactics as vulnerabilities are closed. One trend Nozomi foresees is using ChatGPT and other AI language services to generate compelling social engineering attacks to get employees to download malware onto the network. This means I’ll have to keep my eye on these reports for the foreseeable future.