WORLDWIDE COMPANIES HAVE A NEW ENEMY: THE “RANSOM VIRUS”
In the last few years we have witnessed the exponential growth of computer attacks that have been paralysing companies and organisations around the world. In fact, between 2016 and 2017 we have witnessed serious attacks affecting not only individuals but also companies from different sectors, both public and private, threatening to jam the entire society.
Ransomware is an almost 30-year-old phenomenon, but now it is the most feared computer threat. It came back in mid-2017 with the dangerous WannaCry virus, followed by the latest Petya-NotPetya attack, both of which contaminated thousands of computers and infrastructures extremely quickly. Worldwide media talked about these two attacks, and now many have started to fear this powerful type of program, but very few know exactly what it is and how it works. So we think it is best to explain, in the simplest way possible, what ransomware is, how its infection and spread process works, and what the best precautions are to avoid a “ransom virus” infection.
WHAT IS A RANSOMWARE
The first ransomware, which was not able to spread, was PC Cyborg and dates back to 1989. It was given this name because, after blocking the files, the criminal behind it asked for payment of a sum of money to “renew a licence”, to be paid to a fictitious company named PC Cyborg Corporation.
After a long stalemate, this family of viruses came back to light in 2014 and over the years has expanded its ability to spread, reaching its maximum infection capability with the last serious attacks in May and June 2017, WannaCry and Petya-NotPetya.
In the past, the purpose of computer viruses, which we are still accustomed to, was to create inconveniences or to damage machines, forcing users to format them in order to restore their correct functioning status. Now we see the spread of a new family of viruses, which have become more destructive and harmful since the CryptoLocker strain appeared. These viruses have the same technical ability as the viruses that preceded them, but their purpose is not limited to damaging machines. In fact, in recent years viruses have become a real business “sector”, capable of generating revenue of several million euros. This software has undergone an evolution that has led its creators to use it with criminal intent: asking for a ransom (the word from which the name comes) and extorting money in exchange for access to data.
So, in simple words, ransomware is a malicious program (a malware) that has the ability to block (encrypt) any file on your computer, smartphone or tablet (Excel files, documents, PDFs, photos and more) and make them useless until a sum of money, the ransom, is paid. So, unlike the viruses we have experienced in the past, ransomware is able to restore the initial state of the computer in exchange for the payment of a ransom, usually asked for in Bitcoin, as this type of transaction cannot be traced.
Ransomware initially hit mainly PCs with Windows Operating Systems and Android phones, but now also affects Mac OS X and Linux.
But why are these viruses so feared?
Ransomware has undergone, starting from its original version, a strong technological change. In fact, the latest versions have been updated with automated systems, which make them able to identify the victim, strike it through an email or a link, infect it and continue the process of propagating the infection.
There is also another reason that makes these computer viruses so destructive: about six months ago, a group of cyber criminals stole an arsenal of digital weapons from the NSA (National Security Agency) and then published it on the internet, making it accessible to everyone, all over the world. As a consequence, the new computer viruses, upgraded with this arsenal, which until a few months ago was top secret, gained a much higher propagation capacity and speed than their predecessors.
In fact, for example, one of the worst computer attacks, which took place in May 2017, was a ransomware infection that spread like wildfire in around 150 countries. This was the WannaCry attack, which did not exploit email as its predecessors did, but exploited one of the weapons taken from the NSA, the EternalBlue exploit for Windows, which had been created by the American national security agency itself.
HOW DO THEY WORK
Like most malware, ransomware may arrive by opening a malicious attachment in an email, by clicking a misleading pop-up, or simply by visiting a compromised website. It may also come from legitimate websites and, recently, cyber criminals have even used advertising to spread malware among users.
Yet the most commonly used method is email, as it is the least laborious system for criminals, who can send tens of thousands of messages at once.
The computer or mobile infection process is simple: the user receives a misleading email whose text prompts them to double-click the attachment, allowing the ransomware included in the attachment to run and begin its infection process. Once it has infected a machine, this malware has the ability to replicate itself and spread onward, exploiting the infected computer’s contact directory.
For companies, on the other hand, the ransomware has the ability to exploit the first infected machine to reach the backup server and infect the entire corporate network.
HOW TO PROTECT YOURSELF
Now that we have seen how these attacks work and how these viruses infect companies, we need to understand how we can protect ourselves from them.
It’s important to say that the best way to protect yourself from this type of threat is to implement prevention strategies.
1. First of all, it is very important to consistently train staff on the evolution of malicious programs. If people were more cautious before opening an attachment, the risk of being infected with ransomware would be greatly reduced. So we suggest that you never open suspect mail attachments, never visit strange websites, and never download programs from sites other than the official developer websites and stores. The sender of an email can be disguised as a contact you know, so you always have to pay close attention to the origin of emails and any attachments. Cybercriminals prepare their attacks for months, so it’s good to remember that they craft emails in such a way as to deceive those who receive them.
2. It’s equally important to back up files regularly. Additionally, we recommend that you keep a backup of all the data disconnected from the local network, or on storage that is writable only at certain times of the day. So even if ransomware manages to access one of the machines within the network, it will not be able to connect to the backup server and block the only source of data that the entire corporate network has.
3. It is highly recommended to install a good antivirus.
4. Another strategy to defend against this type of malware is to check the security status of your business network at regular intervals. By this we mean relying on cyber security experts who carry out Penetration Test and Vulnerability Assessment activities, which are essentially simulated attacks designed to identify flaws within a system with the ultimate aim of removing them.
5. We also suggest creating standard user accounts for each employee to use for daily work. This means that when working in Windows for everyday activities, we recommend using a user account that has standard privileges. In case of ransomware infection, the damage would be limited to your user’s files, and the attack could not spread elsewhere. The administrator account should only be used for tasks that strictly require it.
6. Enable the display of known file extensions in Windows, and never double-click files with a double extension. This is because one of the tricks most commonly used by cyber attackers is to send emails with malicious attachments featuring a double extension.
7. Pay close attention to files downloaded from social networks, as these are increasingly used by computer criminals to spread ransomware and malware in general.
8. Another method is definitely to apply all security patches, in order to keep your software constantly updated. For example, the arsenal created by the NSA, which we mentioned before, exploits flaws within systems that are known and are now patched. So, by updating the software, these digital weapons become completely ineffective. It’s also important to keep your browser and all the plugins you use up to date.
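As an added example that is not part of the original article, the PowerShell below puts point 6 into practice for the current Windows user: it turns on the display of known file extensions in Explorer and then lists the files in a folder whose names carry a document-like extension followed by an executable one. The folder path and the two extension lists are assumptions chosen for the example.

```powershell
# Added example (not from the article). Run in a normal user session; no admin rights needed.
$ScanPath = 'C:\Users\Public\Downloads'   # assumed placeholder: the folder to inspect

# 1. With HideFileExt = 1, Explorer shows "invoice.pdf" for a file really named
#    "invoice.pdf.exe". Setting it to 0 makes the full name visible.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advKey -Name 'HideFileExt' -Value 0 -Type DWord
# Explorer picks the new value up on its next start; open windows keep the old setting.

# 2. Look for the double-extension lure: a decoy document extension immediately
#    followed by an extension that Windows will execute (lists are assumptions).
$decoy = 'pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|zip'
$exec  = 'exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|hta|ps1|lnk'
$pattern = "\.($decoy)\.($exec)$"          # -match is case-insensitive by default

Get-ChildItem -Path $ScanPath -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern } |
    Select-Object FullName, Length, LastWriteTime
```

Any file the second step lists deserves a look before anyone opens it; a legitimate document never needs an executable extension after its own.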
CONCLUSIONS
Ransomware is a malicious program that spreads mainly via email and is intended to encrypt all the files contained in computer devices, from a tablet to a computer, in order to ask for a ransom. Given the recent attacks, it seemed helpful to share with you the 8 best practices to lessen the risk of a ransomware attack.
This software, however, continues to evolve and always finds new ways to reach victims and attack them. We will soon look at what to do if ransomware has been run on your computer, blocking access to all of your data.