Ransomware, the malware that blocks thousands of companies annually



Definition

The fight between cyberattacks and cybersecurity does not stop, which is why cybersecurity can never lag behind hackers.

To start understanding what Ransomware is, how it works and what types exist, we want to begin with a brief definition.

So what is Ransomware? It is a type of malware, or malicious software, that hijacks files and sometimes entire computers or mobile devices.

We can define it by this behavior: the attackers demand a ransom payment in exchange for decrypting your files and thus giving you back access to them.

When an organization is attacked, it will realize it almost immediately, because of how the malware acts: access to the infected device(s) is cut off and, normally, the documents chosen by the attacker are encrypted.

Once the attack is noticed, you will probably be unable to access vital data, and even the privacy of workers may be affected. The cybercriminals will then contact the company representative to put their demands on the table.

They usually promise to unlock the affected computer or documents if a ransom is paid. 

In the last year alone, this type of malware has grown by more than 700% compared with the data collected in 2019, according to the cybersecurity company Kaspersky.

Why is it called that?

The word "Ransomware" is formed by joining "ransom" (the payment demanded for releasing something) and "ware" (as in software, a product or merchandise).

Once the criminal encrypts the data, he demands a ransom from the victim, via a message or pop-up window, performing a virtual hijack. 

This threatening message warns the victim that the only way to decrypt their files, recover their system, or avoid a possible information leak is to pay a ransom.

It usually includes a time limit for payment; if the ransom is not paid on time, the hijacked files are destroyed or published, or the amount demanded increases. Generally, the ransom is requested in some cryptocurrency (virtual currency) such as bitcoin. The criminals often use "mules", intermediaries who transfer the money on their behalf.

In exchange for payment, cybercriminals promise to provide the mechanism to unlock the computer or decrypt the files. However, there is no guarantee that the cybercriminals will keep their side of the agreement; for this reason, it is recommended not to pay the ransom, so as not to fuel the proliferation of such threats.

Ransom in cryptocurrencies, why?

Cryptocurrencies are virtual currencies that allow almost anonymous payment between individuals, which makes it difficult to trace them.

They are accessible from the anonymous Tor network; there, the funds from different wallets are mixed, carrying out a kind of laundering of the cryptocurrency that makes it difficult to follow the trail of transactions. This makes it easy for cybercriminals to extort money from their victims without the police being able to track them down immediately.

How does the infection occur?

As with other types of malware, cybercriminals use one or more of these routes to infect the victim: they take advantage of security holes (vulnerabilities) in computer software, operating systems, and applications.

Types and action

Each type of Ransomware acts and penetrates security differently, although they all share the same basic characteristic. From least to most severe, we can classify them as follows:

Hoax ransomware: It simulates encryption using social engineering techniques to extort money from the user, demanding payment to recover their files or prevent them from being deleted.  

Scareware: uses the lure of fake software or support. It usually appears in the form of a pop-up ad reporting a suspected virus infection and offers a quick and easy solution: downloading a cleaning program that is almost always malware.

Screen lockers: They prevent the use of the device by displaying a window that occupies the entire screen and cannot be closed. Two types of messages may appear in the window. In the first, the window claims that the files have been encrypted and describes a procedure to recover them, but the files are actually intact. In the second, a message purporting to come from the security forces states that illegal activities have been detected and demands a fine to unlock the computer; this variant is also known as the police virus.

Encrypting Ransomware: considered the most dangerous of all. Its main objective is the encryption of information to demand a ransom. Cybercriminals make use of the latest advances in encryption from 2 Ransomware.

Within this variant there is one called a wiper: it does not return access to the files, it simply deletes them.

There is also the doxware variant, which uses a technique known as "doxing": threatening the user with making the extracted personal data public.

Prevention / Think like a hacker:

Many experts affirm that the best prevention for Ransomware is to put yourself in the shoes of the hackers and think as they would. To prevent and anticipate attacks, it is necessary to put on the attacker's mask. Many companies see no shame in hiring ethical hackers or ex-hackers to improve their security.

  • Awareness and training of employees and users.
  • Updated antivirus.
  • Caution with pop-ups that request dangerous installations.
  • Caution when clicking on links.
  • Caution with downloads of applications from unknown sources.
  • Backups.
  • Updates of the operating system and applications.
  • Control of privileges.
  • An anti-phishing solution for email.
  • An action plan.

With this real-time map created by Kaspersky, all kinds of attacks (including Ransomware) can be observed in real time. 

Awareness is the first step to prevention. Ransomware is not one of the largest cyberattacks in numerical terms, although seeing the increase per second on the map is shocking.

Spain is the 9th most attacked country according to the graphs obtained by Kaspersky. With this graph we can also see the global need for cybersecurity.

Do I have to pay the ransom?

From an objective point of view, the requested ransom should never be paid, since the payment, which is usually in the millions, finances the growth of the organizations that carry out these attacks.

In addition, paying a ransom means falling into the cybercriminals' trap, since no one can guarantee that the information will be recovered, and the extortion may even continue after the payment. Even so, many companies decide to pay the ransom.

The European Union is considering the implementation of a new law, prohibiting and sanctioning companies that pay the requested extortions.

In the event of being attacked, the best way to recover business activity and data is by going to a professional or specialist in cyberattacks so that they can advise you.

Most of the ransoms are paid with the famous cryptocurrency Bitcoin (BTC). 

This modus operandi has been established among hackers because cryptocurrencies allow the anonymity of the recipient and can easily disappear with the money.

Why is it important not to pay the ransom?

The reason is because paying does not offer a guarantee of data access recovery. In addition to this, by agreeing to pay the ransom you will probably become the target of other attacks, since cybercriminals already know that you are willing to offer your financial resources.

Attack response plan:

It is very important to have a plan of action or response to incidents.

The first thing we must establish is who manages incidents within the company, and then where the necessary documentation on the systems and networks used in the organization is kept.

It will be necessary to define what is the normal activity that allows us to detect suspicious activities that are indications of incidents. 

It is also essential to know who we will have to contact in the event of an incident. For example, in the case of outsourced services, the supplier is responsible. 

In this type of situation, every second counts, so if we have a well-structured plan with all the necessary information, we can move quickly.
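The plan above asks us to define what normal activity looks like so that suspicious activity can be recognised. As an added illustration of that idea (this is example code, not from the article), the following Python script reads a constructed file-activity log and compares each process against an assumed baseline: the maximum number of write/rename operations any process performed in a 60-second window during a quiet period, and the set of document extensions that were seen then. A burst of operations that also produces unknown extensions is the pattern an encrypting ransomware leaves behind and is flagged as high severity; a burst alone (for example a backup job) is only marked for review. The log format, the process names, the baseline values and the extensions are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from the article). One event per line:
#   <ISO timestamp> <user> <process> WRITE <path>
#   <ISO timestamp> <user> <process> RENAME <old path> -> <new path>
_DOCS = ["report", "budget", "minutes", "invoice", "photo", "plan",
         "notes", "contract", "summary", "draft", "agenda", "backup"]
SAMPLE_LOG = [
    "2023-03-01T09:00:01 alice winword.exe WRITE /home/alice/docs/report.docx",
    "2023-03-01T09:03:10 alice winword.exe WRITE /home/alice/docs/report.docx",
    "2023-03-01T09:07:45 alice explorer.exe RENAME /home/alice/docs/old.txt -> /home/alice/docs/notes.txt",
    # A backup job writing 7 known document types within 30 s: a burst, but nothing unusual.
    *[f"2023-03-01T09:08:{i * 4:02d} backup rsync WRITE /backup/alice/{name}.docx"
      for i, name in enumerate(_DOCS[:7])],
    # A process (hypothetical name) renaming 12 documents to a new extension within 12 s.
    *[f"2023-03-01T09:10:{i:02d} alice upd4te.exe RENAME "
      f"/home/alice/docs/{name}.docx -> /home/alice/docs/{name}.docx.locked"
      for i, name in enumerate(_DOCS)],
]

WINDOW = timedelta(seconds=60)
# Assumed baseline learned from a quiet reference period: no process exceeded 5 WRITE/RENAME
# operations in any 60-second window, and only these extensions were ever written.
BASELINE_MAX_OPS = 5
BASELINE_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}


def parse_line(line):
    """Split one log line into a dict; RENAME lines carry both old (src) and new (dst) paths."""
    ts, user, proc, action, rest = line.split(maxsplit=4)
    src, dst = rest.split(" -> ", 1) if action == "RENAME" else (rest, None)
    return {"ts": datetime.fromisoformat(ts), "user": user, "proc": proc,
            "action": action, "src": src, "dst": dst}


def extension(path):
    """Lower-cased final extension of a path, or '' when the file name has none."""
    dot, slash = path.rfind("."), path.rfind("/")
    return path[dot:].lower() if dot > slash else ""


def busiest_window(events, window):
    """Largest run of time-sorted events that fits inside one span of length `window`."""
    best, start = [], 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        if end - start + 1 > len(best):
            best = events[start:end + 1]
    return best


def detect(lines, window=WINDOW, max_ops=BASELINE_MAX_OPS, known_ext=BASELINE_EXTENSIONS):
    """Return one alert per process whose busiest window exceeds the baseline operation rate."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_proc = defaultdict(list)
    for e in events:
        if e["action"] in ("WRITE", "RENAME"):
            by_proc[e["proc"]].append(e)
    alerts = []
    for proc, evs in by_proc.items():
        burst = busiest_window(evs, window)
        if len(burst) <= max_ops:
            continue  # within the normal activity we defined
        # Extensions produced by the burst that the baseline never saw (e.g. ".locked").
        unknown = {extension(e["dst"] or e["src"]) for e in burst} - known_ext - {""}
        alerts.append({
            "proc": proc, "user": burst[0]["user"],
            "window_start": burst[0]["ts"].isoformat(), "ops": len(burst),
            "unknown_extensions": sorted(unknown),
            "severity": "high" if unknown else "review",
        })
    return sorted(alerts, key=lambda a: a["window_start"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as-is it reports two alerts: the rsync burst as "review" (seven writes of known document types) and the renaming process as "high", with ".locked" listed as an extension the baseline never produced. The point of the baseline is that the threshold and the extension set come from your own quiet-period data, which is exactly the "normal activity" the plan asks you to define in advance.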

Recent attacks:

Kaseya:

On Friday, July 2, 2021, the Ransomware attack on the Kaseya software distributor occurred. This not only affected the company, but also some 1,500 companies that worked with it, as sensitive data from all of them was leaked.

The attackers demanded a ransom of 70 million dollars in the Bitcoin cryptocurrency. Kaseya stated through its networks that it refused to pay the ransom, and it took three weeks to resolve the situation on its systems, in this case with a universal decryptor from a third party.

The fact that Kaseya, a pioneer in its sector, did not pay the ransom despite the consequences the hackers intended should serve as an example to companies of how to deal with these situations.

Colonial Pipeline:

Another attack that occurred this year, 2021, was on Colonial Pipeline.

It is a company on which the United States depended for oil and gas because of the reduced refining capacity in the Northeast.

This organization transported three million barrels of fuel a day from Texas to New York over more than 8,800 kilometers.

The hacker organization that attacked the pipeline is the so-called DarkSide, which asked for 4.4 million dollars in ransom.

Figures

According to ITSM 4U, a survey of more than 5000 IT managers in medium-sized organizations in 30 countries around the world reveals that 37% of organizations experienced a ransomware attack in the last 12 months. The same report reveals that the financial impact of these attacks has increased, going from 700,000 dollars on average during 2020 to $1.85 million in 2021.

The average cost of recovering from a cyber attack for Spanish companies has doubled compared to previous years, going from 260,000 euros in 2020 to an average of 500,000 euros in 2021, according to ITSM 4U.
