On April 11, 2022, the Russian cybercrime gang Conti gained access to a system belonging to the Costa Rican Ministry of Finance over a VPN connection, using stolen credentials obtained through malware previously installed on a device in the victim’s network.
What followed was a series of ransomware attacks on the nation’s government, so crippling that on May 8 Costa Rica’s President Rodrigo Chaves declared the first national state of emergency ever attributed to cybercrime. In the meantime, 27 government institutions were compromised by the attacks, including the Ministry of Finance, the Ministry of Science, Technology and Telecommunications (MICITT), the National Meteorological Institute, the Social Security Fund, and the Ministry of Labor and Social Security. After Costa Rica refused to pay the initial ransom demand of $10 million, Conti raised its demand to $20 million.
Just as the nation was starting to gain control over the Conti attack, its Social Security Fund was struck by a second offensive, this time linked to the HIVE group, which is believed to have connections to Conti.
International trade ground to a halt, with local import and export businesses suffering losses estimated at $38 million per day, and at up to $125 million over the 48 hours following the initial attack. Tax payment and customs systems were disrupted; healthcare systems went offline, leaving parents whose children were undergoing surgery unable to locate their kids and forcing over 30,000 medical appointments to be rescheduled; and civil servants had to apply for their salaries by hand on paper, because automatic payment services were disabled.
When no payment was made, Conti began uploading 672 GB of files stolen from the Costa Rican government to its website, before the group reportedly began to dissolve.
Several weeks later, Conti’s services were offline. The group’s members are believed to continue operating under other banners, dispersed into operations such as HIVE, Quantum, AvosLocker, and Hello Kitty.
Ransomware: A type of malicious software designed to block access to a computer system until money is paid.
Ransomware is a form of malware that is distributed through infected email attachments and compromised websites. It takes data or systems hostage by encrypting them until a ransom is paid for the decryption key. Ransomware attacks rose by more than 37% in 2023 compared to the previous year, and they pose an increasing threat to businesses and public institutions of all sizes and sectors: these attacks often result in severe operational disruptions, reputational damage, and data breaches, as well as significant financial losses, with an average ransom demand of $5.3 million and an average ransom payment exceeding $100,000, not counting the cost of responding to the attack.
These attacks accounted for 10% of critical infrastructure breaches in 2023. The methods used to infiltrate networks keep evolving as cybercriminals develop new tactics, which, given the growing number of attacks, has prompted us to illustrate the most common ways ransomware infects servers:
Phishing
Responsible for 90% of global data breaches, phishing is naturally one of the most common delivery methods for deploying ransomware. Unsolicited emails impersonating trusted entities are distributed to trick users into clicking on the malicious links and attachments they contain, which downloads and executes ransomware on the user’s server. In our article on phishing, we discuss this subject more thoroughly.
Remote Desktop Protocol (RDP) Exploits
RDP is a protocol that allows remote access to servers. It is used, for example, by system administrators for maintenance and troubleshooting of remote workstations, by IT support personnel for assistance with technical issues, and to facilitate remote work. If an RDP service is exposed without being properly patched, protected with strong, complex passwords, and secured with multifactor authentication, its weaknesses can be easily exploited, giving attackers the opportunity to gain unauthorised access to servers and deploy ransomware.
Weak Passwords
Though brute force password guessing seems like a long shot, it remains – or rather, has become – an increasingly effective strategy for cybercriminals to gain access to servers. Thanks to advanced techniques, a hacker is able to attempt 2.18 trillion combinations of passwords and usernames in 22 seconds, and can crack an eight-character lowercase letter password in under a second. Once inside the server, attackers can compromise it and install ransomware.
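Both of the vectors just described (exposed RDP and weak passwords) leave the same trace on a Windows server: a burst of failed logons from one source, often against many account names, sometimes followed by a success. The script below is an added example, not code from the original article or from any of the cited sources. It parses a constructed, simplified key=value export of Windows Security events (the real EVTX/XML layout differs; the field names and the meaning of event 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive/RDP are standard) and flags sources that exceed a failure threshold inside a sliding time window, reporting how many distinct accounts were tried and whether a successful RDP logon followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events in a flattened key=value form
# (assumption: a simplified export, not the native EVTX/XML layout).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
# 203.0.113.10 hammers several accounts and then gets in as svc_sql;
# 198.51.100.7 is a user who mistyped a password once.
SAMPLE_LOG = """\
2024-03-01T08:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.10
2024-03-01T08:00:04 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.10
2024-03-01T08:00:07 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.10
2024-03-01T08:00:09 EventID=4625 LogonType=10 TargetUserName=svc_sql IpAddress=203.0.113.10
2024-03-01T08:00:12 EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.10
2024-03-01T08:00:15 EventID=4625 LogonType=10 TargetUserName=svc_sql IpAddress=203.0.113.10
2024-03-01T08:00:31 EventID=4624 LogonType=10 TargetUserName=svc_sql IpAddress=203.0.113.10
2024-03-01T08:05:00 EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.7
2024-03-01T08:05:20 EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.7
2024-03-01T09:00:00 EventID=4625 LogonType=3 TargetUserName=jdoe IpAddress=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the flattened log into dicts, sorted by time; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["id"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["time"])


def find_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: finding} for sources with >= threshold RDP failures inside any window.

    A finding records the distinct target accounts (many accounts from one source
    is a password-spraying indicator) and whether a successful RDP logon from the
    same source followed the burst, which is the case that needs immediate action.
    """
    failures = defaultdict(list)   # ip -> RDP failure events
    successes = defaultdict(list)  # ip -> RDP success events
    for e in events:
        if e["logon_type"] != 10:  # only RDP (RemoteInteractive) logons
            continue
        if e["event_id"] == 4625:
            failures[e["ip"]].append(e)
        elif e["event_id"] == 4624:
            successes[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures.items():
        # Sliding window over this source's time-sorted failures.
        start, burst_end = 0, None
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["time"]
                break
        if burst_end is None:
            continue
        later_successes = [s for s in successes[ip] if s["time"] >= burst_end]
        findings[ip] = {
            "failures": len(fails),
            "distinct_users": len({f["user"] for f in fails}),
            "success_after_burst": bool(later_successes),
            "users_logged_in": sorted({s["user"] for s in later_successes}),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the sample, only 203.0.113.10 is reported: six failures against five accounts within fourteen seconds, then a successful logon as svc_sql. The threshold and window are deliberately parameters; an internet-exposed RDP host will see far more noise than an internal one, and the "success after burst" flag is what separates a nuisance from an intrusion in progress.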
Software Vulnerabilities
Software vulnerabilities are weaknesses or flaws in computer programs or operating systems that arise from programming errors, design flaws, and unpatched issues.
Attackers can detect and exploit them to access systems and disrupt normal operations, compromising their security and opening the way for ransomware.
Social Engineering
While this is often filed under phishing, we suggest it is the other way round: phishing is one form of social engineering. Social engineering is psychological manipulation that exploits human emotion, trust, and natural tendencies to trick individuals into disclosing sensitive information or compromising their own security. Tactics include phishing, baiting, pretexting, tailgating, quid pro quo, and reverse social engineering, and they are used to deceive the target into revealing access credentials to unauthorised parties, who then use them to access servers and disable security measures.
Ransomware can also infiltrate servers during system backups. Backups are an essential preventative measure against such attacks, so it is important to ensure that they are isolated from the network while they run, so that the backup itself is not compromised. To prevent malware propagation, the spread of malicious software such as ransomware from one system to the next in a contagious fashion, it is necessary to implement strong network segmentation and sufficient access controls.
In addition, ransomware actors have been increasing their profits by leveraging RaaS (Ransomware as a Service) operations, which are often criminal mirror-images of conventional businesses, with research and development teams, sales departments, quality assurance, and even HR staff. Encryptionless ransomware attacks are also becoming an increasing threat: they focus on stealing data and threatening to expose it instead of encrypting it, adding a new layer of complexity and challenges for cybersecurity professionals.
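A backup is only a defence if you can tell, before you need it, that it has not been overwritten or encrypted. The following is an added example, not code from the original article or from any of the cited sources, of the check that the paragraph on backups calls for: a SHA-256 manifest is recorded when the backup is written (ideally stored off the backup host), and a later verification reports files that were modified, removed, or added since. A modified file whose bytes are near-random is additionally flagged as likely ciphertext; that entropy threshold is a heuristic and an assumption of this example. The demo builds a small constructed backup set in a temporary directory and simulates what a ransomware run leaves behind.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large backup archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file (path relative to root, '/' separated) to its SHA-256.
    Taken when the backup is written and kept somewhere the backup host cannot alter."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data):
    """Bits per byte: plain text sits well below 6, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verify_manifest(root, manifest, entropy_threshold=7.5):
    """Compare the backup on disk with the manifest recorded at write time."""
    root = Path(root)
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    added = sorted(p for p in current if p not in manifest)
    # Heuristic (assumption of this example): a modified file whose content is
    # near-random was most likely overwritten with ciphertext, not edited.
    looks_encrypted = sorted(
        p for p in modified
        if shannon_entropy((root / p).read_bytes()) > entropy_threshold)
    return {"modified": modified, "missing": missing, "added": added,
            "looks_encrypted": looks_encrypted,
            "intact": not (modified or missing or added)}


def demo():
    """Constructed scenario: write a small backup set, record its manifest,
    verify it clean, then simulate tampering and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "ledger.sql").write_text("INSERT INTO ledger VALUES (1, 'tax');\n" * 50)
        (root / "payroll.csv").write_text("id,name,amount\n1,alice,100\n2,bob,200\n")
        (root / "readme.txt").write_text("Nightly backup of the finance share.\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # Simulated damage: one file replaced by random bytes (stand-in for
        # encryption), one deleted, one unexpected note file dropped.
        (root / "payroll.csv").write_bytes(os.urandom(4096))
        (root / "readme.txt").unlink()
        (root / "RESTORE_FILES.txt").write_text("constructed sample note\n")
        dirty = verify_manifest(root, manifest)
        return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("before:", clean)
    print("after: ", dirty)
```

The manifest must live somewhere the backup host cannot write to, otherwise anything that can encrypt the backup can also rewrite the manifest to match; that is the same isolation requirement the paragraph states, applied to the integrity record.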
Though ransomware is a complex matter, and it may seem as though cybercriminal organisations and perpetrators will always be a step ahead, it is possible to prevent these attacks by staying informed and employing multiple layers of security measures: installing and updating anti-virus software, having a strong team dedicated to cybersecurity, training employees and users, and putting in place an incident response plan for the worst-case scenario.
Should that scenario arise, the option of paying the ransom should not be heedlessly dismissed. It should remain the very last resort, since the majority of companies that have paid a ransom have been subject to at least one subsequent attack, but it should nevertheless be on the table as a potential solution once all other efforts have been exhausted.
Sources: Zscaler, Astra, Techopedia, Check Point Research, Intelekto