The number of ransomware attacks on Korean companies, organizations and schools is on the rise and hackers are using more sophisticated techniques to exploit vulnerabilities in security systems, the country’s state-run cybersecurity body warned.

Ransomware refers to malware that infects computer and mobile devices by exploiting system vulnerabilities, and threatens to destroy data unless a ransom is paid.

According to the Korea Internet & Security Agency, 78 ransomware attacks on Korean targets were reported in the first half of this year. The number of ransomware attacks was just 22 in 2018, before going up to 39 in 2019 and 127 in 2020, in line with the explosive growth of similar attacks worldwide.

Cybersecurity firm Check Point Research said the number of organizations affected by ransomware surged by 102 percent around the world in the first half of this year, compared from a year earlier. The damage caused by ransomware will reach $20 billion this year, a 57-fold increase from 2015, according to data from Cybersecurity Ventures.

“Hackers are expanding the scope of targets from individual PCs to small companies with weak security systems and social infrastructure,” said Lee Jae-kwang, chief of KISA’s Profound Analysis Team.

Lee said hackers used to focus on encrypting a victim’s database but have now switched to extracting large amounts of sensitive data and threaten to publish them, forcing organizations to pay ransom demands -- a technique known as “double extortion.”

But the full picture on the growing ransomware threats remains murky as companies are reluctant to disclose the attacks for fear of hurting their brand and losing revenue as a result.

Cybercriminals across the globe are developing more lethal methods, with the attacks evolving from simple email phishing to highly targeted and more damaging network-wide infections.

KISA’s Lee said that a growing number of disparate Ransomware-as-a-Service (RaaS) brands, which eliminates the time-consuming phase of development on the part of hackers, is contributing to the wider spread of attacks. Hackers pay in cryptocurrency to purchase such tools on the dark web, or encrypted sites that are not indexed by conventional search engines.

“With the use of RaaS, even cybercriminals who do not have expertise in security solutions can orchestrate ransomware attacks,” Lee said. “It is also very difficult to track and trace such RaaS-based attacks.”

Lee said that recent ransomware attacks have turned to target computers of system managers who do not check their security regularly. This is because system managers have access to the central network and key solutions, serving as a gateway for large-scale targeted intrusions known as APT, or advanced persistent threat.

“To carry out APT attacks on companies, a hub is needed, and PCs connected to the key systems are becoming the main targets,” Lee said.

Cutting off the system manager’s PC from the central management solutions is one way to minimize damage when a ransomware attack is attempted, while the overall system needs regular security updates to fix vulnerabilities in advance. In addition, two-factor authentication for the system manager’s PC is highly recommended, according to KISA.

To resolve security-related issues, the Ministry of Science and ICT recently announced it would implement a nationwide information security consulting and solutions support project, offering 15 million won ($13,000) of financial support each to 600 small- and medium-sized companies.

Some companies tend to mismanage their data backup systems, resulting in greater damage. Setting up data backup systems and updating antivirus vaccines are important, but are not enough to fight off all attacks.

“When computer virus vaccine programs detect malware programs, some people believe their systems are safe, but it is often a warning signal that their systems are under attack,” said Lee. “Companies must fix the vulnerable points indicated by vaccine programs as fast as possible.”

IT managers should also refrain from formatting their systems immediately after they come under attack, KISA said. Conducting a post-attack analysis first would help identify infiltration routes and other potential weak points.

When ransomware attacks happen, it takes around one month to fully restore the database even when companies have prepared a backup. KISA said many Korean companies do not know it takes such a long period of time to recover their systems, and they need to take careful measures to safeguard their businesses and minimize service disruptions.

Citing its own analysis of actual cases, KISA said many ransomware attacks on Korean companies were prepared over an average period of one year. Over that period, hackers attempt to infiltrate the system, secure a strategic point, explore vulnerabilities to which IT managers do not pay much attention and finally mount a lethal attack that paralyzes the entire system.

KISA said the yearlong period in which ransomware attacks are planned and attempted means two things for Korean firms. First, companies tend to ignore their security warnings even after warning signs surface. Second, they have enough time to minimize or prevent damage if they do regular and thorough checkups on the vulnerable points of their networks and computers.