Sobering Lessons from the KraussMaffei Ransomware Attack

The recent cyberattack on KraussMaffei, a German manufacturer of molding machinery for plastics and rubber, provides another reminder of the growth, persistence and destructiveness of ransomware. For those unfamiliar with it, ransomware is a type of malware that targets and infects servers, workstations and mobile devices, encrypts all the data it finds, and then presents a note demanding an online payment for the key necessary to unlock the files.

Both businesses and consumers are vulnerable to ransomware attacks: cybercriminals have used it to extort billions of dollars from victims in recent years, and are projected to net another $11.5 billion from them in 2019.  

The ransomware variant that attacked KraussMaffei was a particularly virulent one, likely based on the so-called Motet strain. As with most such attacks, this sophisticated cyber weapon makes its initial incursion via a phishing email. A user, reading an email that has been crafted to look like it is from a trusted source, opens an attachment or clicks on a link that lets the initial Trojan onto their PC, tablet or phone.

Motet has polymorphous capabilities, a sort of adaptive camouflage that lets it evade detection by most anti-virus programs. Initially, the malware collects information about the system’s configuration and relays it to an external command-and-control server, which analyzes the target’s defenses and vulnerabilities. The C&C server then downloads whatever malware it concludes will work most effectively on the victim’s machine.

In the case of the KraussMaffei attack, Motet chose to attack with ransomware instead of other weapons like a password stealer. It then activated the Trojan’s worm capabilities to spread ransomware to other systems on the network, exploiting a vulnerability in the Microsoft file- and printer-sharing protocol known as SMB.  All it took was one unwary employee to open one malicious email attachment, and ransomware quickly spread throughout KraussMaffei’s Munich headquarters.

The immediate response of KraussMaffei’s IT group was to shut down various servers throughout the 1,800-employee facility. But ransomware encryption had already locked up critical servers used to control production and assembly processes.

The result so far has been a drastic, costly and embarrassing two-week reduction in the plant’s operations. As of this writing, the plant is only “back on the path to normalcy”, so its actual return to full production remains undetermined. This is not uncommon among victims of ransomware attacks that are caught without any preparations. For example, the City of Atlanta (Georgia, USA) took months to recover from a ransomware attack at the cost of tens of millions of dollars.

There are several sobering but useful lessons to take away from the KraussMaffei attack:

• At a minimum, businesses need to implement a robust data protection regimen with short recovery points in order to resume operations quickly after a successful ransomware incursion. In short: back up your systems regularly, store some backup copies offsite so that a ransomware infection that spreads on the network cannot corrupt all of your backups, and do it frequently enough so that when you must restore systems from backups, your data losses are not too costly. The fact that KraussMaffei’s Munich plant is still not back to full production after two weeks suggests that they did not even have this basic safety net in place.
• Users remain a critical weak link in the fight against ransomware. With more employee security awareness training, that guileless KraussMaffei worker might have been more alert to the possibility that he was being phished, and so not opened the infected attachment or link. Train your colleagues to be alert to malware threats, especially the most popular entry route for ransomware, by regarding email attachments and embedded links with a very wary eye.
• Businesses must recognize the limitations of legacy anti-virus solutions that rely on signature-matching to detect malware threats. These defenses look at any new process that attempts to run on a system and compares it to a database of known software before allowing it to execute. This approach is ineffective against brand-new threats that have not yet been identified elsewhere, nor against polymorphous malware like Motet. Ransomware developers are also adept at churning out new variants at such a rate that anti-virus vendors cannot keep up. This means that anti-malware defenses must be reinforced with measures that can spot ransomware by how it behaves, not by its signature. Acronis Active Protection does exactly this, using artificial intelligence and machine learning to quickly identify and terminate ransomware attacks, even zero-day (previously unknown) strains.

The bottom line is that ransomware remains the world’s fastest-growing malware threat. It may have receded from the headlines in recent months in favor of new threats like cryptojacking, but it is still the cyber weapon of choice for online criminals around the world. The drop-off in press accounts may be attributable to the fact that there hasn’t been a recent global ransomware epidemic like the notorious WannaCry outbreak of 2017.

Businesses may also be getting smarter about keeping ransomware incursions out of the spotlight, correctly fearing the resultant loss of reputation, stock price, and customer trust that can accompany news of a successful attack. But report after report from tech security researchers confirm that ransomware still tops the list of active malware threats today.

For every KraussMaffei shutdown that you read about, there are doubtless dozens of others from which businesses are quietly, desperately trying to recover. To keep your business from becoming one of those casualties, you consider Acronis Backup. With Acronis Active Protection built in, it delivers total cyber protection -- making it the most secure business backup available.