A YES24 second-hand bookstore in downtown Seoul. /News1

Following YES24 and SGI Seoul Guarantee, the Welcome Financial Group has also recently suffered ransomware attacks, raising security concerns. Ransomware attacks, which demand money after stealing important information, are rampant across sectors including manufacturing, distribution, healthcare, and finance.

According to the Korea Internet & Security Agency (KISA) on the 19th, the number of ransomware infection reports from corporations in the second quarter of this year increased by about 10% compared to the first quarter. A total of 82 ransomware infections were reported in the first half of this year; 23 of them involved medium-sized enterprises, a 21% increase compared to the same period last year. The internet bookstore YES24 and the Welcome Financial Group, which recently suffered two ransomware attacks, are also medium-sized enterprises.

A KISA official noted that "it has been identified that damage is concentrated on the groupware servers of nonprofit organizations and network-attached storage (NAS) used in manufacturing, IT companies, etc., due to a lack of security investment or personnel."

Ransomware is a compound of "ransom" and "software," and refers to cyberattacks that break into personal or corporate computers and servers, or encrypt their data, and then demand money in exchange for recovery. According to the cybersecurity firm Cybersecurity Ventures, the damage from ransomware infections worldwide is expected to increase from $57 billion (about 77 trillion won) this year to $275 billion (about 373 trillion won) by 2031, nearly a fivefold increase. The security firm Akamai stated, "More than half of all data breach incidents that occurred in the Asia-Pacific region this year were due to ransomware attacks."

The reason domestic corporations and institutions are increasingly becoming targets of ransomware attacks is that ransomware has evolved into a business model known as 'Ransomware as a Service (RaaS),' making it more accessible and impactful. In the past, only experts capable of creating malware could conduct ransomware attacks, but with the emergence of RaaS, even non-experts can carry out ransomware attacks just by paying money. Ransomware organizations that have developers capable of creating sophisticated malware lend their attack tools and infrastructure to customers or affiliate hacker groups, who then execute the actual attacks. Ransomware organizations collect a commission of 20-40% from the revenue generated by these attacks.

As ransomware organizations become cartels, they are also expanding in scale, sophistication, and services. Some ransomware organizations offer 24-hour customer support, regular updates, and negotiation services. For instance, the ransomware group Dragonforce has recently allied with another organization, RansomHub, to grow its influence and is expanding its affiliates by offering a commission of about 20%, which is roughly 10% lower than existing RaaS groups.

Attack methods are also becoming more sophisticated and destructive. Previously, ransomware attackers extorted money by encrypting data and threatening to publish what they had stolen. Recent attackers use a 'quadruple extortion' method, adding DDoS (Distributed Denial of Service) attacks and pressure on external stakeholders such as clients, partners, and the media to put greater pressure on victims, industry officials explained.

Attack methods that make data recovery impossible have also emerged. According to the security company East Security, Anubis ransomware has embedded a 'Wiper' function in its malware that permanently deletes data, making recovery impossible even if the victim pays the ransom. East Security explained that this maximizes psychological pressure in negotiations.

Lee Dong-geun, head of the Digital Threat Response Headquarters at KISA, stated, "Most domestic corporations that have recently been affected are storing backup data on the same network, increasing the severity of the damage," and emphasized, "Important data must be stored off-site (cloud, external storage, offline) and access management to the system needs to be strengthened."
