Ransomware: ransom request.

Updated: Sep 15, 2021

Do you still think that kidnapping and demanding a ransom requires entering a physical place armed with a gun or another weapon? It is no longer necessary. The kidnappers, in this case hackers, move in cyberspace and, taking advantage of some vulnerability in the access system, get into virtual places such as databases, virtual machines and network storage to encrypt data or lock software functions.


A few days ago there was news that the Regione Lazio, an Italian province, had been the target of an attack by cybercriminals. It was a locker ransomware attack.



How is this type of attack carried out? Which techniques do these kidnappers use to demand payment? Is paying the only way to get back what has been kidnapped?

The number of ransomware attacks tracked in 2020 was 304 million, 62% more than the previous year, when there were 187.9 million (source: www.statista.com).

It is clear from these numbers that a company's data and functions are the assets of which the company itself is made. In our private lives too, we all have somewhere on a laptop, PC, hard disk, smartphone or cloud service something extremely important and valuable to us, such as a photo, a document or a transfer receipt, that we are not willing to give up.

A ransomware is a piece of software, hence a malware, that can be installed and executed on a server or remote PC. The vectors used to download and execute the malware are usually the Remote Desktop Protocol, phishing emails, software vulnerabilities and, of course, physical access to a computer connected to the network under attack.

We speak of crypto ransomware when the malware's execution makes data and files inaccessible because they are encrypted, and of locker ransomware when its execution locks the normal functions of a computer or leaves them only partly usable. Usually a countdown with a ransom request announces the deadline for paying the amount of money.


On 7 May 2021 a ransomware attack on Colonial Pipeline (Texas, U.S.A.), a distributor of gasoline and aircraft fuel for the whole East Coast of the United States, made the pipeline's invoicing system unusable. For fear of further attacks on the operating system for fuel distribution, and to contain the losses caused by the attack, Colonial stopped distribution through the pipeline. The interruption of fuel distribution lasted 6 days, until 12 May 2021 when, after paying around 2.3 M$ (63.7 BTC), Colonial received the software needed to decrypt the invoicing functions that had been locked, and so to unlock them. Needless to say, the impacts of this attack were several: panic buying of fuel, stations without fuel for several days, and changes to air-transport routes to ensure fuel for specific routes.


The technique used to demand payment of a ransom is to encrypt data or files (libraries, packages, configurations, executables) necessary for the operating system or application to function.

The data and files are encrypted with symmetric-key encryption using one of several algorithms (AES, RSA, ECDH). Once encrypted, they are unusable by the user or by the system itself. After the ransom is paid, usually in bitcoin, the data and files might be decrypted with software provided by the same hackers, or already present in the malware itself.
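As an added illustration from the defender's side (not code from the original post), the following Python detects the behaviour just described, many files rewritten in a short time with near-random content, over constructed file-write events; the event format, thresholds and sample paths are assumptions, and the "ciphertext" is random bytes, not real encryption:

```python
import math
import random
from collections import Counter
from dataclasses import dataclass

@dataclass
class WriteEvent:
    ts: float       # seconds, constructed timestamps
    path: str       # file that was rewritten
    content: bytes  # bytes written to it

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text is ~4-5, compressed or encrypted data is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_mass_encryption(events, window_s=60.0, min_files=5, threshold=7.5):
    """Flag the crypto-ransomware pattern: many distinct files rewritten with
    near-random content inside one short window. Returns the sorted paths of
    the first such burst, or [] when nothing matches."""
    suspicious = sorted((e for e in events if shannon_entropy(e.content) >= threshold),
                        key=lambda e: e.ts)
    for i, start in enumerate(suspicious):
        seen = set()
        for ev in suspicious[i:]:
            if ev.ts - start.ts > window_s:
                break
            seen.add(ev.path)
            if len(seen) >= min_files:
                return sorted(seen)
    return []

# Constructed sample telemetry (stand-in for EDR or file-integrity-monitor events).
_rng = random.Random(7)
def _random_blob() -> bytes:  # high-entropy stand-in for ciphertext, not real encryption
    return bytes(_rng.getrandbits(8) for _ in range(4096))

TEXT = b"Invoice 2021-09-15 total 1200 EUR\n" * 100  # low-entropy document content
BENIGN_EVENTS = [
    WriteEvent(10.0, "share/invoice_01.docx", TEXT),
    WriteEvent(20.0, "share/invoice_02.docx", TEXT),
    WriteEvent(1000.0, "home/photo.jpg", _random_blob()),  # one high-entropy write is normal
]
# Five documents rewritten with random-looking bytes within 25 seconds.
BURST_EVENTS = BENIGN_EVENTS + [
    WriteEvent(2000.0 + 5 * i, f"share/invoice_{i:02d}.docx", _random_blob()) for i in range(1, 6)
]
```

A single high-entropy write (a saved photo or archive) is not flagged; only a burst across several files within the window is, which is why the thresholds must be tuned to the file server's normal activity.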


Is paying the only solution? Unfortunately the answer is 'it depends'. We can say that the higher the value of the locked data and/or functions, the more necessary the payment becomes. The situation should however be evaluated case by case. Needless to say, if data backups are not performed, losing the data might seriously compromise a company's business activities, and then the payment is considered essential.

Sometimes the ransom is doubled because, on top of the data loss, the threat of making the data public may be added. This last case might not make sense if we are talking about the yearly rainfall in a specific area, but it makes much more sense if the data are the credit cards of a group of users.

To minimize the risk of a ransomware attack it is necessary to close the technological and knowledge gaps of the people who run a business.

Employee training plays an important role in identifying the specific threats that may later open the door to ransomware attacks. Contrary to what we may think, many ransomware attacks are due to unconventional use of company resources or to unsafe behaviour. Moreover, the right level of technological adjustment must be applied to the systems and protocols (updates, firewall rules, MFA access, OAuth, etc.) that grant access to and use of the company's data and functions.

I leave further insights and conclusions to you.

Do not hesitate to reach out with questions or requests for clarification about ransomware attacks.

If you like the post, you can like the page.
