Following a cyberattack, an organization can quickly lose access to critical assets and data. Similar to an incident involving ransomware, when malware spreads, organizations are faced with countless challenges from a claims perspective. There is evidence — initially observed towards the end of February — that suggests a new wave of destructive data-wiping malware is circulating. How can we ensure history doesn’t repeat itself?
This new wave of data-wiping malware in part uses compromised servers to spread legitimate disk management software. In turn, this is used to corrupt data on storage media devices rendering that system irreparable using traditional disk recovery techniques. Once deployed, the destructive malware allows its authors to spread laterally through the corrupted network before causing irreparable damage to all the targeted systems within it. Although initially aimed at specific networks, this malware tends to escape beyond the confines of the original designated target — resulting in widespread collateral damage. Destructive malware of this type can present a direct threat to operations by preventing access to critical assets and data.
The origins of this malware remain unconfirmed. Research has not yet been able to attribute it to a single group or known threat actor due to the lack of similarities in code structure when compared to other malware seen in the past.
Future best practices
The rise in cybersecurity incidents over the past several years is alarming and will only continue. For organizations worldwide, it’s essential to understand the impact of — and plan for — potential data-wiping malware incidents. Building awareness and creating a plan can protect innocent parties. It’s recommended to:
- Implement multi-factor authentication for all external access points.
- Review the level of spam filtering to reduce the potential of phishing emails reaching users.
- Make sure that antivirus and antimalware programs are up to date and automatically conduct regular scans of the device.
- Check that all application and operating system security updates and patches have been applied.
- Identify backup strategies and ensure that backups are protected from corruption/malicious actions. Implement an air gap or other strategic effort to protect backups.
- Test data backups to assure the organization that backups can be used to reinstall system compromised data and architecture should they be targeted.
- Join your industry’s Information Sharing and Analysis Center (ISAC) – there’s one for most organizations: for example, the FS-ISAC services the insurance and financial industries.
- Monitor threat intelligence sources and ensure that any indicators of compromise (IOCs) are blocked proactively.
With evolving threats, a swiftly changing market and a constantly growing knowledge base, cyber is guaranteed to remain a hot topic. In addition to emerging risks, we continue to hear concerns about coverage and capacity in the cyber space. Sedgwick’s experts remain connected and ready to consult with clients as they pursue strategies for prevention, explore policy language and limits, and prepare for known and unknown risks.