The evolution of cybercrime: how ransomware became the weapon of choice

In the long history of computer crime, the players, goals and tactics have changed a lot.

Early computers were fairly isolated systems reserved for niche applications, mainly in academic environments. The first cases of security attacks were examples of bungling that went too far rather than malicious activity.

Today’s world is different. Computers determine many aspects of our daily lives. They are faster than ever and strongly connected to each other. They are in our pockets, homes and offices, as well as our toothbrushes and refrigerators. They even power our critical infrastructure. This now widespread dependence on computers (and the data they process) is attracting new types of malicious actors.

Over time, computer-based crime has become organized. What started as low-tech scams and cons, or clever technical feats by small groups, has gradually been replaced by more professionalized, more harmful and hurtful collectives, such as state-sponsored groups. There is one type of attack that illustrates this transition better than most: ransomware.

Sergio A. Figueroa

Senior Security Consultant at Black Duck Software (formerly the Synopsys Software Integrity Group).

The simple effectiveness of ransomware

Ransomware is an extremely lucrative example of computer crime that has become ‘corporate’: it is driven by the desire to make more money by investing less effort.

Most ransomware attacks follow a simple pattern:

1. They start by running a malicious tool, an encryptor, on the target system. True to its name, the encryptor will then encrypt the entire drive (or drives) and delete the key. If the perpetrators intend to make the data recoverable, they keep a copy of the key in their files, away from the affected system.

2. Then they make their presence known, from red screens to timers. Ransomware campaigns go to great lengths to communicate with their victims because they only get their money if victims think paying is the best chance to recover their data.

3. After payment, an “honorable” ransomware gang will provide the victim with a decryption tool containing the secret key.

There are some cases of ransomware where the data is not encrypted. Instead, the attackers threaten victims by exposing data, which can cause embarrassment or leak industry secrets.

Challenging attackers

However, in ransomware attacks, there are two steps that are somewhat challenging for the attackers:

Challenge #1: Getting the encryptor into the target system. Unfortunately, attackers can (still) benefit from a very simple tactic: asking nicely. Phishing attacks are popular ways to spread ransomware encryptors, as many victims eagerly click on links in emails without verifying or thinking about their origin. Technical access points traditionally used to deliver malware remain a useful alternative: if there is an open file share, the attacker can deploy the file to the target system and then find another vulnerability to execute it. WannaCry, the attack considered by many to be the most damaging ransomware campaign to date, is a case in point.

Challenge #2: Receiving the ransom without revealing the attacker’s identity. Fifteen years ago, this challenge alone would have hindered the expansion of ransomware gangs. They would have to be paid in cash, which is difficult to scale and would be geographically limited to the gang’s area of influence, or they would have to rely on digital payments and withdraw the money quickly, creating a trail of evidence that leads straight to the gang. However, the rise of cryptocurrency provided a solution to this challenge.

Although authorities have managed to track down malicious groups that have received ransoms in cryptocurrencies, the international availability of a payment method that is not linked to an actual identity has made it much easier for criminals to receive their payments and much more difficult for law enforcement authorities to follow the trail.

Preventing disruption using backups

Many of the mechanisms that help prevent ransomware attacks are common practices that also help prevent other types of cyber attacks: awareness training that warns employees against clicking on unexpected or suspicious links, hardening at the network and operating-system level, deploying updates quickly, malware scanning, and so on.

It is also critical to have a solid resilience plan in place, supported by a well-defined and tested backup strategy. Of course, backups are a common way to recover from accidental data loss and conventional disruptive hacking, such as website defacement. You detect the incident, restore your data or your environment to a specific earlier point in time and get back to work with (ideally) minimal data loss.

This backup model is based on a number of assumptions. Simply put, it expects backups to work (and contain enough information to allow a clean rollback) and to be valid (the rollback cleans up any damage done by the attacker). Reality often challenges both assumptions.

Many companies have backup processes in place. Fewer have data recovery plans that detail what to do with the backups to return to a working state. Only a small minority of companies regularly test these backups to ensure they can actually be trusted. This makes the recovery process clumsy and often unsuccessful.

Ransomware attacks also challenge the second assumption. For example, if the backups are “hot” (that is, constantly connected to the target system), the encryptor can also encrypt the backup drives, rendering the backup unusable. Or the encryptor can be installed at some point, lie dormant for a few months, and then encrypt the data. A backup taken after the initial attack can restore the system’s data, but it can also restore an infected state, causing a reinfection to occur.

In summary, a robust backup strategy must rely on both hot and cold backup locations, sufficiently isolated from each other that an attack on the main system cannot spread unhindered to the backups, and both must be regularly and thoroughly tested. If the downtime requirements of a particular system are particularly stringent, the ability to restore with minimal data loss should be part of that testing.
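The two failure modes described above (a “hot” backup that the encryptor reached, and a backup that cannot be trusted because nobody ever tested a restore from it) are both things a restore test can catch. The following script is an added example and is not code from the article or from the author’s firm; it records a SHA-256 manifest when the backup is taken, verifies a restored copy against it, and flags any mismatched file whose contents look like ciphertext (Shannon entropy close to 8 bits per byte), which is the signature an encryptor leaves on a backup drive it could reach. The directory layout, file contents, the `ENTROPY_THRESHOLD` value and the random bytes standing in for encrypted output are all constructed for the demonstration.

```python
# Added example (not from the article): a restore-test for backups.
# It records a SHA-256 manifest when a backup is taken, then verifies a
# restored copy against it and flags files whose content looks encrypted
# (high byte entropy), which is what a ransomware encryptor leaves behind
# on a "hot" backup drive. All file contents here are constructed samples.
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed); plain documents sit well below this


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root (taken at backup time)."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest; report missing, changed and
    ciphertext-looking files. 'ok' is True only if everything matches."""
    report = {"missing": [], "mismatched": [], "suspicious": [], "ok": False}
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            report["mismatched"].append(rel)
            if byte_entropy(p.read_bytes()) >= ENTROPY_THRESHOLD:
                report["suspicious"].append(rel)
    report["ok"] = not (report["missing"] or report["mismatched"])
    return report


def demo() -> dict:
    """Constructed scenario: one clean restore, and one restore from a hot
    backup that the encryptor reached. Returns both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        (prod / "docs").mkdir(parents=True)
        (prod / "docs" / "report.txt").write_text("Quarterly figures: revenue up 4%.\n" * 20)
        (prod / "config.ini").write_text("[db]\nhost=db.internal\nport=5432\n")
        manifest = build_manifest(prod)  # recorded when the backup was taken

        clean = Path(tmp) / "restore_clean"
        shutil.copytree(prod, clean)  # a restore from an isolated, intact backup

        hot = Path(tmp) / "restore_from_hot_backup"
        shutil.copytree(prod, hot)
        # Simulate what a hot backup looks like after the encryptor ran over it:
        # the document is replaced by high-entropy ciphertext (random bytes here)
        # and one file is simply gone.
        (hot / "docs" / "report.txt").write_bytes(os.urandom(4096))
        (hot / "config.ini").unlink()

        return {"clean": verify_restore(clean, manifest),
                "tampered": verify_restore(hot, manifest)}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, "OK" if rep["ok"] else "FAILED", rep)
```

Run as a scheduled job against a restore into a scratch location, the report gives the “regularly and thoroughly tested” evidence the strategy calls for; the manifest should itself live on the cold side, since a manifest stored next to a hot backup can be encrypted along with it. The entropy check is a heuristic: legitimately compressed or encrypted files will also score high, so treat a “suspicious” hit as a reason to inspect, not as proof on its own.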

Wrapping up

On a technical level, ransomware is not a very new threat. Its disruptive aspect lies in the economic incentives it introduces, leading to more organized criminal structures with the freedom to act more ruthlessly and on a larger scale, and to target sensitive industries in the hope of maximizing their payments. It’s a threat worth considering because it’s becoming increasingly common and, for companies caught unprepared, it can wreak havoc on their infrastructure. Remember: do not pay the ransom.


This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc. If you are interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
