Author Topic: Dutch companies fall victim to advanced hostage software  (Read 236 times)

Online javajolt

Dutch companies fall victim to advanced hostage software
« on: November 29, 2019, 03:47:11 PM »
Various Dutch companies have been hit by advanced hostage software. This appears from a confidential report from the National Cyber Security Center, which is in the hands of the NOS.

Which companies are involved is unknown, as is the number of affected Dutch companies. Worldwide there are at least 1800 affected companies and the number of Dutch companies is a relatively small part, writes the NCSC. But the consequences can be huge.

The actual number of affected companies is probably much larger than the figures indicate, the NCSC also writes.

Critical infrastructure

The attackers focus on large companies, for example in the automotive, construction, and chemical industries, but also on hospitals, chain stores, and entertainment companies. It usually concerns companies with millions or billions in sales.

Dutch branches of multinationals have also been hit, including those of an American chemical company. Moreover, that company is an important supplier of critical infrastructure in the Netherlands. This includes, among other things, drinking water, internet access, and energy.

"We conducted this investigation following disruptive ransomware attacks abroad," a spokesperson for the NCSC confirms. The attack campaign probably started in July last year.

The NCSC suspects that the attackers had access to so-called zero-day vulnerabilities. These are powerful digital weapons, for which there is not yet a good solution and which are therefore very effective.

"That indicates that it is a professional criminal organization," says cybersecurity expert Frank Groenewegen of Fox-IT. "In terms of level, they are comparable to drug criminals who have their own rocket launchers. By the way, they don't need those digital rocket launchers in many cases, because the security of many companies is so poor."

Quote
What is hostage software?

Hostage software, also known as 'ransomware', is software that locks files. The files will only be made accessible again after payment. The ransomware is often so well organized that the files are actually not accessible until payment is made.

The NCSC considers it 'not unlikely' that the government and the critical infrastructure will eventually suffer from the ransomware attacks in question. In other countries, these sectors have already been targeted, but the government and critical infrastructure could also suffer from ransomware at suppliers.

Ingenious

The attackers work ingeniously and have sometimes been in the network for months before they are noticed. In some cases, companies failed to track down the attackers, even after they knew they had been hacked.

In an unknown number of cases, the NCSC was able to inform an affected organization in time, which could then intervene before the ransomware was activated. In other cases, it was too late and victims were forced to pay. This sometimes involved millions of euros. Such amounts have also been paid in the Netherlands.

If companies do not pay, financial damage can occur. Companies come to a standstill and cannot produce anything while the bills keep coming in.

Quote
Which ransomware?

The NCSC study involves three ransomware types that use the same digital infrastructure. These are LockerGoga, Ryuk, and MegaCortex. These are common forms of ransomware.

There is a fear that the attackers will focus on more than just the spread of ransomware. At some affected companies, a lot of data was siphoned off; this could involve corporate espionage or other forms of espionage. It is also possible that attackers break in to subsequently commit sabotage.

Entry resold

Exactly who is behind the attacks is unknown. The authors of the confidential report suspect that Russian criminal groups are behind the attacks, but also note that insight into those groups is limited.

The NCSC suspects that it concerns several criminal groups. One group then breaks into a company or organization and penetrates the network. This 'access' is then resold ready-made to others, who can then distribute ransomware or commit espionage.

"You see that more often because cracking a network and subsequently distributing ransomware are really two different sports," says McAfee security researcher John Fokker.

Whoever they are, the researchers suspect that the attackers will not stop for the time being. It seems that the attacks are very profitable for the criminals.

According to the NCSC, companies must, therefore, be more alert. "Companies still do not take all basic measures," a spokesperson said via email. "Run updates, make sure your staff are aware of the digital threats and make backups."

source - translated from Dutch
« Last Edit: November 29, 2019, 10:44:36 PM by javajolt »