Advanced attacks -- dynamic developments
The overall threat landscape -- including new malware programs, enhanced types of attack or targeted approaches directed against businesses and government agencies by perpetrators -- is monitored by the BSI on a daily basis. Most recently, the experts working in the BSI's Situation Centre and in CERT-Bund have increasingly had to deal with sophisticated attack methods. These new kinds of advanced attacks represent a significantly more serious type of potential threat if they manage to infiltrate a corporate network, for example.
Digital extortion with ransomware
The various types of ransomware attacks typically involve targeted attempts to encrypt user data. The perpetrators' approach here is one of the advanced attacks whose development the BSI has been monitoring for a number of years. Once data has been encrypted, a ransom is demanded. The data is only unlocked following payment of this (typically digital) ransom money. A wide variety of organisations -- from mid-sized businesses and multinationals to hospitals -- have already fallen victim to ransomware and ensuing extortion attempts.
Widespread damage due to Emotet
The malware program Emotet is one example of such an attack vector. It harvests contact details from the mailboxes of infected systems and then automatically sends out a flood of authentic-looking spam mails. As a result, Emotet simultaneously achieves a high degree of propagation and a comparatively high rate of success in infecting corporate networks. Emotet (along with the malware payloads it then downloads) has thus caused serious losses to victims in business and government, and it regularly appears with new functions that aim to cause damage with further techniques and malicious code.
Regular malware 'updates'
Characteristically, advanced attacks deploy, as part of a broad-based, semi-automated approach, the kinds of malware functionality that used to be initiated manually for selected attacks. The sheer variety of malware functionality available means that advanced variants represent a significantly greater threat. Alongside the rapid proliferation achieved by malware like Emotet and its increasingly sophisticated spam mails, perpetrators in many cases are now engaging in phased attacks. Until fairly recently, single computers were encrypted and ransom money was demanded for each individual encrypted PC. Now, however, affected corporate networks are first reconnoitred by the perpetrators. Data is often extracted at this stage in order to create a profile of the intended victim. The perpetrators then tailor their ransom demands to the affected organisation. The encryption is frequently highly targeted and may extend to available data backups. As a consequence, a company's entire network is often compromised. The data extracted earlier is often used to pressure the victim, with threats to publish the data or offer it for sale if the ransom is not paid. Depending on the size of the network affected, a full network clean-up can take months to complete. In several recent cases, the perpetrators not only threatened to publish stolen data in the event of non-payment, but actually made good on some of these threats.
In light of these circumstances, systematic preventive action has never been more important. In the following documents, the BSI provides a high-level assessment of the situation and covers some key preventive measures.
The BSI has compiled numerous first aid measures to be taken if an IT security incident has already occurred.