The ransomware attack of May 12th, regarded as one of the largest ever carried out, caught the attention of the entire world. Information systems of companies and public services, such as the Court of Justice of São Paulo, the Public Ministry of São Paulo, INSS, the National Health Service of England, Telefónica, KPMG, Mapfre, BBVA and thousands of companies around the world, had part of their systems rendered inaccessible.
How it all began…
Ransomware can come in many forms. In this particular attack, the attackers exploited a vulnerability in the SMBv1 file-sharing service of older, unpatched versions of Microsoft Windows. Microsoft fixed the vulnerability in its supported operating systems in March (security bulletin MS17-010) and released patches for older, unsupported versions of Windows on the 12th. Estimates suggest that the attack affected more than 200,000 computers in at least 150 countries.
The attackers used an exploit taken from a leaked toolset belonging to the United States National Security Agency (NSA), causing major disruption in several public services and companies. One detail that caught our attention: although the flaw had been fixed in March, the affected computers had not received the update, contrary to what basic security guidance recommends.
The ransomware, called WannaCrypt (also known as WannaCry), hijacked and encrypted data on infected devices, which in this case were those that had not received recent operating system updates. After this hijacking, victims were instructed to pay approximately US$300 (around R$1,000 at the exchange rate of the time) to recover the encrypted files.
Payment had to be made in bitcoin, a virtual currency that lets criminals create as many wallets (the repositories that store the currency) as they wish to receive the ransom, without having to identify themselves. It is recommended not to pay the amounts requested, since there is no guarantee that the data will be recovered.
Who stopped the attack?
Still on Friday (12th), the day the attacks reached their peak, a 22-year-old British researcher and an information security engineer from the United States halted the attack's spread, preventing it from reaching further countries. The British researcher, who works at a threat intelligence company, stopped WannaCrypt from propagating after discovering a domain (an internet address) associated with the spread of the malware.
Before infecting more computers, the malware checked whether this domain was online. The domain had never been registered, so the check always failed and the worm kept spreading; the researcher bought it for the equivalent of R$33, the check began to succeed, and propagation stopped. The possibility of his involvement in the attack was even raised, but it was later understood that he had simply triggered a pause mechanism (a "kill switch") built into WannaCrypt's propagation routine.
There is, however, concern about computers on internal networks that cannot reach the internet: for them the domain check still fails even after the domain was registered, so the malware can continue to spread there. Furthermore, versions without the online check can also circulate, perpetuating the ransomware cycle.
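To make the kill-switch behaviour and its limits concrete, here is an added example (not code from the article or from the malware itself). It models the worm's "is the domain online?" decision as a function that takes a network probe, runs it against several environments, and then shows the detection side: scanning DNS query logs for hosts that looked up the kill-switch name, since any such host is already running the worm. The domain name, the log format and the log lines are all constructed for the demonstration.

```python
"""Simulate WannaCrypt-style kill-switch logic and hunt for infected hosts in DNS logs.

Constructed example: KILL_SWITCH_DOMAIN is a placeholder, not the real kill-switch domain,
and the DNS log lines below are invented in BIND query-log style.
"""
import re
from typing import Callable

# Hypothetical stand-in for the domain the worm checks before spreading.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"


def worm_would_spread(probe: Callable[[str], bool], has_check: bool = True) -> bool:
    """Return True if a host running the worm would go on infecting others.

    probe(domain) models the malware's connection attempt: it returns True when the
    domain answered and raises OSError when it could not be resolved or reached.
    The worm only stopped when the request succeeded, so any failure (unregistered
    domain, no DNS, no route to the internet) lets it continue.
    """
    if not has_check:
        return True                      # variant with the check removed: always spreads
    try:
        return not probe(KILL_SWITCH_DOMAIN)
    except OSError:
        return True                      # unreachable counts as "not online": keep spreading


# Network environments, modelled as probe functions.
def internet_before_registration(domain: str) -> bool:
    raise OSError("NXDOMAIN")            # nobody had registered the domain yet

def internet_after_registration(domain: str) -> bool:
    return True                          # the registered domain answers: kill switch engages

def air_gapped_network(domain: str) -> bool:
    raise OSError("no route to host")    # internal LAN with no DNS or internet path

def internal_sinkhole(domain: str) -> bool:
    return True                          # admins point the name at an internal web server


def scenarios() -> dict:
    """Which environments still allow propagation after the domain was registered."""
    return {
        "internet, before registration": worm_would_spread(internet_before_registration),
        "internet, after registration": worm_would_spread(internet_after_registration),
        "air-gapped LAN": worm_would_spread(air_gapped_network),
        "air-gapped LAN with internal sinkhole": worm_would_spread(internal_sinkhole),
        "variant without the check": worm_would_spread(internet_after_registration, has_check=False),
    }


# Detection side: a host that asks DNS for the kill-switch name is running the worm.
DNS_LINE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN"
)

# Constructed log lines (not real traffic).
SAMPLE_DNS_LOG = """\
2017-05-12T14:01:02 client 10.0.5.17#51234: query: www.example.com IN A
2017-05-12T14:01:09 client 10.0.5.23#50001: query: killswitch-placeholder.example IN A
2017-05-12T14:01:11 client 10.0.5.23#50002: query: killswitch-placeholder.example IN A
2017-05-12T14:02:44 client 10.0.7.8#49152: query: KILLSWITCH-PLACEHOLDER.EXAMPLE IN A
2017-05-12T14:03:00 client 10.0.5.17#51240: query: update.example.org IN A
"""


def hosts_querying_kill_switch(log_text: str) -> list:
    """Return the sorted, de-duplicated source IPs that resolved the kill-switch domain."""
    hits = set()
    for line in log_text.splitlines():
        m = DNS_LINE.match(line)
        if m and m.group("qname").lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            hits.add(m.group("src"))
    return sorted(hits)


if __name__ == "__main__":
    for env, spreads in scenarios().items():
        print(f"{env:40s} -> {'SPREADS' if spreads else 'halts'}")
    print("hosts to isolate:", hosts_querying_kill_switch(SAMPLE_DNS_LOG))
```

Two practical points follow from the scenarios: an isolated network gets no protection from the public registration, but an internal DNS entry that answers for the name (an internal sinkhole) restores it; and the DNS search finds only hosts that could reach a resolver, so the absence of hits on an air-gapped segment proves nothing.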
But after all, what is Ransomware?
Ransomware is a type of digital threat that blocks access to your files and data and demands payment of a ransom to unlock them: a form of extortion through data hijacking. It is not new; it first appeared in the 1980s. Today it is one of the preferred forms of cybercrime, because it is profitable and, above all, because in most cases the criminals manage to remain anonymous.
Even before this attack, which alarmed many people and disrupted servers, companies and public bodies, people were already talking about the importance of maintaining data security to avoid exactly this kind of disruption. The attack made it clear that many countries, Brazil among them, still care too little about security and protection against cybercrime.
Greater interest in technology education is needed, whether through research, security content or even a simple document that explains the importance of using the internet correctly and safely.
Given the growth in the number of ransomware incidents, employees and company managers must stay informed about the impact this type of threat causes, so that the organization's data and information are valued accordingly.
How the attack occurs
A ransomware attack can begin in different ways: through e-mail, phishing, systems missing security updates, among others. Often, when the attack arrives via a fake e-mail, its content induces the user to click a link, which downloads the malicious software. Once downloaded and installed without the user noticing, the ransomware encrypts files on the computer and on network shares, as long as the user's account has access to them.
The encryption process scrambles the contents of the files, making them unusable; only with the correct key can the files be reverted to their original state. At some point the ransomware leaves an indication of how to contact the criminal: a text file on the desktop or a wallpaper message, for example, containing an e-mail address and instructions for negotiating the ransom.
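The two artefacts described above, scrambled file contents and a contact note, are also what a defender can look for. The following added example (not code from the article) builds a small temporary directory containing an untouched document, a file overwritten with random bytes, and a note, then scans it: a file whose contents look uniformly random has a Shannon entropy close to 8 bits per byte, while text and office documents sit well below that. The extension ".locked", the note-name hints and the sample files are assumptions constructed for the demonstration and do not describe any particular ransomware family.

```python
"""Scan a directory tree for signs that ransomware has been at work.

Added example; the note-name hints, the suspicious extensions and the sample
files are constructed for the demonstration, not indicators of a specific family.
"""
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY_THRESHOLD = 7.2   # bits per byte; plaintext and office documents sit well below this
NOTE_NAME_HINTS = ("decrypt", "readme", "restore", "how_to")   # hypothetical
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted"}               # hypothetical


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated byte, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_tree(root: str, sample_bytes: int = 8192) -> dict:
    """Classify files under root: encrypted-looking bodies, renamed files, candidate notes."""
    findings = {"high_entropy": [], "renamed": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if os.path.splitext(lower)[1] in SUSPICIOUS_EXTENSIONS:
                findings["renamed"].append(rel)
            if lower.endswith(".txt") and any(h in lower for h in NOTE_NAME_HINTS):
                findings["notes"].append(rel)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)      # the first block is enough to judge
            if shannon_entropy(head) >= HIGH_ENTROPY_THRESHOLD:
                findings["high_entropy"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree() -> str:
    """Construct a temporary tree: one untouched document, one 'encrypted' file, one note."""
    root = tempfile.mkdtemp(prefix="rw-demo-")
    with open(os.path.join(root, "budget.txt"), "w") as fh:
        fh.write("quarterly budget\n" * 400)        # normal low-entropy text
    with open(os.path.join(root, "contract.docx.locked"), "wb") as fh:
        fh.write(os.urandom(16384))                  # random bytes stand in for ciphertext
    with open(os.path.join(root, "HOW_TO_DECRYPT_FILES.txt"), "w") as fh:
        fh.write("Your files are encrypted. Contact ... (constructed note)\n")
    return root


if __name__ == "__main__":
    for kind, paths in scan_tree(build_sample_tree()).items():
        print(f"{kind}: {paths}")
```

Entropy alone is a weak signal: compressed archives, images and video also score near 8 bits per byte. The scan therefore reports the three indicators separately so that a file that is both high-entropy and newly renamed, sitting next to a note, can be treated differently from a legitimate ZIP file.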
According to Grant Thornton's research on cybercrime, 21% of the companies consulted in 36 countries suffered some type of attack in the preceding 12 months; in Latin America, 39% of cybercrimes against companies are related to the theft or loss of strategic information.
The research also shows that the number of companies affected increased compared with the previous year's survey. Despite the larger number of victims, the damage caused by the attacks decreased compared to 2015, when losses were estimated at 315 billion dollars.
Measures to prevent and avoid Ransomware
The main ways to avoid ransomware attacks come down to a few simple information security principles.
- Beware of fake e-mails and websites: users must be educated about their responsibility for the company's data and information. This includes knowing and understanding the risks to which data is exposed when clicking a link in an e-mail or visiting a website without checking the origin of the message, the website address and its authenticity.
- Software updates: keep the operating system and the other software on each machine up to date. Updates include corrections and improvements related to information security which, as seen above, are decisive in preventing attacks like this one.
- Antivirus: especially on computers and servers running Windows, use good antivirus software, kept updated and configured to run periodic scans of the entire system.
- Internet access control: protection mechanisms against access to malicious websites are increasingly important. In a company, this type of control makes it possible to define which groups of users have access to which categories of websites, preventing the use of sites unrelated to the job as well as access to addresses with harmful content. With this tool the administrator protects the network against the websites used in attacks and in the distribution of malware.
- Access permissions: in many small and medium-sized companies this item is neglected. It is important to review the level of access that each user or group of users actually needs to files shared on the network, for example, so as not to grant access beyond what is necessary. If a group of users only needs to view certain files, not modify them, give them read-only access: ransomware running under one of those users' accounts then cannot encrypt those files.
Situation after a Ransomware attack
Some ransomware families have already been broken, and the affected files can be recovered with dedicated tools, such as the decryptors that Kaspersky makes available. For other families, however, the encryption remains impossible to reverse without the attacker's cooperation.
The main measure that will solve the problem and ensure business continuity after a ransomware attack is something that must be implemented and working before the attack: backup.
It is never too much to repeat the importance of a reliable backup from which important data can be recovered after any incident. The main way to resolve the problem after data has been locked by ransomware is to restore it from a backup.
The backup strategy must ensure that a copy is kept in a location disconnected from the original location of the data. In other words, do not keep your only backup on an additional disk attached to the same server.
If the backup copy is kept on an additional disk permanently connected to the server or network where the original data lives, then in the specific case of ransomware the backup files may be encrypted at the same time as the originals, rendering the backup useless. Keep a backup copy in a location physically and logically separate from the original, and test that it can actually be restored.
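The following added example (not code from the article) shows why the disconnected copy matters and how to tell a good backup from a damaged one before you need it. It copies a small constructed file tree into two backup locations, writes a manifest of SHA-256 digests next to each copy, then runs a stand-in for the attack that overwrites every file it can reach on the server and on the still-mounted disk. Verifying against the manifest reports the mounted copy as damaged and the detached copy as intact. The directory names, file contents and the "ransomware" stand-in are all constructed for the demonstration.

```python
"""Backup with an integrity manifest, plus a simulated ransomware run.

Added example (not from the article). Layout, file names and the attack
stand-in are constructed for the demonstration.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: str, dest: str) -> dict:
    """Copy src into dest and write a manifest of relative path -> SHA-256 of the source."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(src):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, src)
            target = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(path, target)
            manifest[rel] = sha256_file(path)
    with open(os.path.join(dest, MANIFEST), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_backup(dest: str) -> list:
    """Return the relative paths whose content no longer matches the manifest (or is missing)."""
    with open(os.path.join(dest, MANIFEST)) as fh:
        manifest = json.load(fh)
    bad = []
    for rel, digest in manifest.items():
        path = os.path.join(dest, rel)
        if not os.path.exists(path) or sha256_file(path) != digest:
            bad.append(rel)
    return sorted(bad)


def fake_ransomware(root: str) -> None:
    """Stand-in for the attack: overwrite every reachable file with random bytes.

    The manifest is skipped only so verify_backup can still read it; a real attack
    would encrypt it too, and an unreadable manifest is itself a loud signal.
    """
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == MANIFEST:
                continue
            with open(os.path.join(dirpath, name), "wb") as fh:
                fh.write(os.urandom(4096))


def demo() -> tuple:
    """Return (damaged files in the still-mounted copy, damaged files in the offline copy)."""
    base = tempfile.mkdtemp(prefix="backup-demo-")
    src = os.path.join(base, "fileserver")
    os.makedirs(os.path.join(src, "finance"))
    with open(os.path.join(src, "finance", "ledger.csv"), "w") as fh:
        fh.write("date,amount\n2017-05-12,300\n")
    with open(os.path.join(src, "notes.txt"), "w") as fh:
        fh.write("keep an offline copy\n")

    mounted = os.path.join(base, "usb_disk_left_plugged_in")   # same host, always attached
    offline = os.path.join(base, "vault_disconnected")          # detached after the copy
    make_backup(src, mounted)
    make_backup(src, offline)

    # The attack reaches the server and every disk or share it can write to.
    # The detached copy is not reachable, which is simulated by not passing it in.
    fake_ransomware(src)
    fake_ransomware(mounted)

    return verify_backup(mounted), verify_backup(offline)


if __name__ == "__main__":
    mounted_bad, offline_bad = demo()
    print("mounted backup damaged:", mounted_bad)
    print("offline backup damaged:", offline_bad)
```

The manifest is what turns "we have a backup" into "we have a backup we can trust": run the verification on a schedule, keep a copy of the manifest somewhere the backup disk cannot write to, and rehearse a restore from the detached copy so that the first test is not the day of the incident.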
The criminal groups behind ransomware attacks suggest that, once your files are locked, you contact them, pay the ransom and then receive the data back. The risk of negotiating or paying must be weighed carefully, bearing in mind that there is no guarantee of recovery.
Monitoring and maintaining security is essential to prevent attacks and to prepare in advance for business continuity after an incident like the one that reached more than 150 countries.
If you liked this article, keep following our blog !